A small util to brute-force prefetch hashes

Overview

Prefetch Hash Cracker

screenshot

Motivation

During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.

Using the tool

The following fields must be provided:

  • Executable name
    Including the extension. It will be embedded in the prefetch filename, unless this happens.

  • Prefetch hash
    8 hexadecimal digits at the end of the prefetch filename, right before the .pf extension.

  • Hash function

  • Bodyfile

  • Mount point

Hash function

There are 3 known prefetch hash functions:

  • SCCA XP
    Used in Windows XP

  • SCCA Vista
    Used in Windows Vista and Windows 10

  • SCCA 2008
    Used in Windows 7, Windows 8 and Windows 8.1

Bodyfile

A bodyfile of the volume the executable was executed from.

The bodyfile format is not very restrictive, so there are a lot of variations of it - some of which are not supported. Body files created with fls and MFTECmd should work fine.

Mount point

The mount point of the bodyfile, as underlined below:

0|C:/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|...

How does it work?

The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there's a possible full path for which the result matches the provided hash, that path is outputted.

Limitations

The following cases are not supported:

  • Hosting applications, such as svchost.exe and mmc.exe
  • Applications executed with the /prefetch:# flag
  • Applications executed from a UNC (network) path

The 29-character limit

If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:

This is a very long file nameSo this part will be truncated.exe

From the C:\Temp directory on a Windows 10 machine, will result in the creation of this prefetch file:

THIS IS A VERY LONG FILE NAME-D0B882CC.pf

In this case, the executable name cannot be derived from the prefetch filename, so you will not be able to provide it to the tool.

License

MIT

You might also like...
Smarter brute-force password searching for PKZIP encrypted files

Zip Blitz Motivation This program was created for a very specfic problem I had. I had a large encrypted zip file that I lost/forgot the password for.

Rust-based password mutator for brute force attacks

PWFuzz-RS A Rust-based password mutator for brute force attacks Disclaimer This tool works, but was mainly an experiment. Please do not expect frequen

A Rust-based tool for serial brute force attack

UART Hacking A universal asynchronous receiver transmitter (UART) is a computer hardware standard for asynchronous serial communication in which data

A rust program to bruteforce ZIP, PDF and some popular hashes.

Veldora A program to bruteforce zips, pdfs and some popular hashes. This is basically a rust version of bruttle, but a lot faster. Installation: git c

CLI tool written in Rust which can be used to generate hashes

rustgenhash rustgenhash is a tool to generate hashes on the commandline from stdio. It can be used to generate single or multiple hashes for usage in

CLI tool to find duplicate files based on their hashes.

Dupper Dupper is a CLI tool that helps you identify duplicate files based on their hashes (using the Seahash hashing algorithm). Installation You can

Tony Hawk's Underground 2: Remix Cheat Cracker - Performs dictionary attack on cheat code hashes for THU2R

Tony Hawk's Underground 2 Cheat Cracker A simple utility for cracking cheat codes for Tony Hawk's Underground 2, written in Rust. Background This proj

A mnemonic brute forcing tool for nano and banano.

brute a mnemonic brute forcing tool for nano and banano. What is brute? It is a mnemonic brute forcing tool which can be used to recover an account fr

A Bitcoin wallet collider that brute forces random wallet addresses written in Rust.

Plutus-Rustus Bitcoin Brute Forcer A Bitcoin wallet collider that brute forces random wallet addresses written in Rust. This is a straight port of Plu

PM-Tools - a simple Rust util to easily create server directories

PM-Tools PM-Tools is a simple Rust util to easily create server directories or plugins without the hassle of unzipping or creating directories Progres

Rust Util Collection, a simple and friendly error-chain

RUC Rust Util Collection, a simple and friendly error-chain, with many useful utils as an addition. The painful experience of using error-chain gave b

Rust Util Collection, a simple and friendly error-chain, with many useful utils as an addition.

RUC Rust Util Collection, a simple and friendly error-chain, with many useful utils as an addition. The painful experience of using error-chain gave b

A port of `java.util.*SummaryStatistics` as a Redis Module

RedisNumbersStats RedisNumbersStats is a Redis module that implements a Redis version of the Java Util *SummaryStatistics classes, such as DoubleSumma

A cli util to apply themes to hyprland

Hyprtheme works with themes installed at ~/.config/hypr/themes additional themes can be installed from hyprland-community/theme-repo theme.toml this f

A mostly drop-in replacement for mercantile written w/ rust, plus several other util(e)ities.

utiles utiles = utils + tiles A mostly drop-in replacement for mercantile written w/ rust, plus several other util(e)ities. Installation pip install u

Graceful shutdown util for Rust projects using the Tokio Async runtime.

Shutdown management for graceful shutdown of tokio applications. Guard creating and usage is lock-free and the crate only locks when: the shutdown sig

Abuse the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code.
Abuse the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code.

jscythe abuses the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code, even if t

Bullet Force launcher and MITM-based hax

BulletForceHaxV2 This repository holds a launcher and MITM-based cheat for Bullet Force. It allows you both a convenient way to launch the game withou

Bullet Force launcher and MITM-based hax

BulletForceHaxV2 This repository holds a launcher and MITM-based cheat for Bullet Force. It allows you both a convenient way to launch the game withou

Releases(v0.2.0)
Owner
Harel Segev
DFIR Analyst
Harel Segev
Small and simple stateful applications, designed to facilitate the monitoring of unwanted behaviors of the same.

Violet Violet é um pequeno e simples monitorador de aplicação, voltado para receber eventos de erro e estado. Instalação simples: Dependencias: Docker

Lucas Mendes Campos 3 Jun 4, 2022
Small project that try to bend to world.

Small project that try to bend to world. May not be fully working, but should provide an improvable starting point. How to The only important file is

null 1 Nov 13, 2021
A small in-house bot of the TTC Discord Server

Welcome to The Terminal cafe Support Bot Repository Hello, hope you are having a nice day. This is the official repository for The Terminal Cafe Suppo

null 5 Jul 4, 2022
A small monitoring process that checks if kstars is active, if not it sends a request to notify a user via telegram that it crashed

Astro monitor A small monitoring process that checks if kstars is active, if not it sends a request to notify a user via telegram that it crashed Inst

Mattia Procopio 2 Jan 10, 2022
Click-once - A small tiny little binary to fix undesired mouse double clicks in Windows, written in Rust.

click-once A small tiny little binary to fix malfunctioning mouse double clicks in Windows, written in Rust. Minimal executable with little to no over

null 23 Dec 29, 2022
Amethyst is a systems language aimed at being simple, small, portable, and safe.

amethyst Amethyst is a systems language aimed at being simple, small, portable, and safe. What is this language? From the r/ProgLangs discord server:

Amethyst Language 34 Dec 18, 2022
Rusty Reflective DLL Injection - A small reflective loader in Rust 4KB in size

Reflective Loader in Rust (4KB in size) A small reflective loader PoC in Rust. I remade this from my old project (https://github.com/memN0ps/arsenal-r

null 97 Apr 8, 2023
Small Rust program for sending messages to Telegram channels.

tg-send: a small Rust program for sending Telegram messages Send messages to a group/channel via the Bot API from the command line; it's super simple

null 2 Jul 10, 2023
Shows my Spotify status on a small screen. Powered by ESP-IDF & built with 🧡 in Rust! 🦀

ESP Display A small embedded project that shows what I'm listening to on Spotify by using my Spotify service. Example Notable Features ESP32-S3 board

Isaiah Gamble 3 Apr 10, 2024
Code to brute-force Wordle solutions

Wordle solver The idea of this is to find the optimal solution to Wordle puzzles. The current implementation, for each guess, works out the worst case

Simon Frankau 1 Jan 9, 2022