//---------------------------------------------------------------------------
/*
010 Editor Template for Prefetch (PF) file format
2013/12/21 v0.0.2
http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
History:
2012/06/22: start development with 010 Editor v4.0.1
2012/06/30: added LittleEndian
2013/12/21: added sections A, B, C and D
Todo:
Change code SectionD for multiple volumes
Test with different Windows versions
*/
//---------------------------------------------------------------------------
// Fixed 60-byte field carrying the executable name as UTF-16. The two members
// overlap: Characters pins the size at 30 WORDs, Wstring reads the same bytes
// as a NUL-terminated wide string for display (see USTRING30ToWstring).
typedef union
{
    wstring Wstring;        // display form; stops at the first NUL
    WORD Characters[30];    // raw code units; fixes the union size at 60 bytes
} USTRING30;
// Custom reader bound via <read=...> on PFHEAD.ExecutableName so the field
// is shown as text rather than as a WORD array.
//   arg: the union to render; only its Wstring view is used.
//   returns: the wide string as read from the file.
wstring USTRING30ToWstring(USTRING30 &arg)
{
    local wstring name = arg.Wstring;
    return name;
}
// Prefetch file header, read at offset 0. Every offset, count and length
// below comes straight from the file and is used unchecked by the section
// structs that follow, so a corrupt or hostile sample can point them anywhere.
// NOTE(review): the fields after SectionDLength are laid out as this
// template's author observed them; later Version values may differ (see the
// Todo list above) — TODO confirm against each supported Version.
typedef struct
{
    DWORD Version;                  // format version; selects ENTRYA size (17 vs. other)
    DWORD Magic;                    // file signature, not validated by this template
    DWORD Unknown1;
    DWORD FileSize;                 // size as recorded in the file; not compared with the real size
    USTRING30 ExecutableName <read=USTRING30ToWstring>;
    DWORD Hash <format=hex>;        // the hash that also appears in the .pf file name
    DWORD Unknown2;
    DWORD SectionAOffset <format=hex>;  // absolute offset of SECTIONA
    DWORD SectionANumberOfEntries;      // ENTRYA count; bounds the loop in SECTIONA
    DWORD SectionBOffset <format=hex>;  // absolute offset of SECTIONB
    DWORD SectionBNumberOfEntries;      // ENTRYB count; bounds the loop in SECTIONB
    DWORD SectionCOffset <format=hex>;  // absolute offset of the file-name string block
    DWORD SectionCLength;               // byte length of that block; bounds the loop in SECTIONC
    DWORD SectionDOffset <format=hex>;  // absolute offset of the volume block
    DWORD SectionDNumberOfEntries;      // volume count; only the first volume is parsed (Todo)
    DWORD SectionDLength;
    FILETIME LatestExecution;
    DWORD Unknown3[4];
    DWORD ExecutionCounter;
    DWORD Unknown4;
} PFHEAD;
// One NUL-terminated UTF-16 file name inside SECTIONC. Wrapped in a struct so
// the <read=...> attribute can show each entry as text in the template tree.
typedef struct
{
    wstring File;   // consumes bytes up to and including the terminating NUL
} FILE <read=ReadWstring>;
// Display callback for FILE: surfaces the wrapped wide string unchanged.
//   File: the FILE record being rendered.
//   returns: File.File as read from the file.
wstring ReadWstring(FILE &File)
{
    local wstring text = File.File;
    return text;
}
// Opaque SECTIONA record. Its size is chosen from header.Version: 20 bytes when
// Version == 17, 32 bytes for every other value. Only those two cases were
// distinguished when this was written — TODO confirm the size for newer
// Version values before trusting the entry boundaries they produce.
typedef struct
{
    BYTE array[header.Version == 17 ? 20 : 32];
} ENTRYA;
// SECTIONA: header.SectionANumberOfEntries consecutive ENTRYA records.
// Assumes the caller has already seeked to header.SectionAOffset. The count is
// untrusted; an oversized value is caught only because the editor stops the
// template on a read past end of file.
typedef struct
{
    local int iEntry = 0;
    while (iEntry < header.SectionANumberOfEntries)
    {
        ENTRYA EntryA;
        iEntry++;
    }
} SECTIONA;
// Opaque SECTIONB record, always 12 bytes here. Unlike ENTRYA the size is not
// made dependent on header.Version — TODO confirm this holds for newer versions.
typedef struct
{
    BYTE array[12];
} ENTRYB;
// SECTIONB: header.SectionBNumberOfEntries consecutive ENTRYB records.
// Assumes the caller has already seeked to header.SectionBOffset. The count is
// untrusted; an oversized value is caught only because the editor stops the
// template on a read past end of file.
typedef struct
{
    local int iEntry = 0;
    while (iEntry < header.SectionBNumberOfEntries)
    {
        ENTRYB EntryB;
        iEntry++;
    }
} SECTIONB;
// SECTIONC: a run of NUL-terminated UTF-16 file names occupying
// header.SectionCLength bytes. Assumes the caller has already seeked to
// header.SectionCOffset; the loop ends once the read position passes the
// section's byte budget. Each FILE consumes at least one NUL, so the loop
// always advances.
typedef struct
{
    local int64 iEnd = header.SectionCOffset;
    iEnd += header.SectionCLength;
    while (FTell() < iEnd)
        FILE File;
} SECTIONC;
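// SECTIOND: the first volume record. The volume path is not inline; the
// record carries an offset to it relative to the start of this section,
// which is where the caller is assumed to have seeked (header.SectionDOffset).
// Only one volume is parsed even when header.SectionDNumberOfEntries > 1
// (see the Todo list above).
typedef struct
{
    local int64 iSectionStart = FTell();
    DWORD OffsetVolumeString;           // relative to iSectionStart
    DWORD LengthVolumeString;
    FILETIME VolumeCreationTime;
    DWORD VolumeSerialNumber <format=hex>;
    // The offset is untrusted input. Report it when it points outside the
    // section so a corrupt sample is flagged instead of silently reading a
    // "volume string" from somewhere else in the file.
    if (OffsetVolumeString >= header.SectionDLength)
        Warning("SectionD: volume string offset 0x%X is outside the section (length 0x%X)",
                OffsetVolumeString, header.SectionDLength);
    FSeek(iSectionStart + OffsetVolumeString);
    wstring VolumeString;
} SECTIOND;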
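// Main
// Seek to a section whose offset was read from the header. Section offsets
// are untrusted input; an out-of-range one is reported by section name before
// the seek, which would otherwise fail with a less specific editor error.
//   name:   label used in the warning.
//   offset: absolute file offset taken from PFHEAD.
void SeekSection(string name, DWORD offset)
{
    if (offset >= FileSize())
        Warning("%s offset 0x%X is beyond end of file (size %Ld)", name, offset, FileSize());
    FSeek(offset);
}
LittleEndian();
PFHEAD header;
// Prefetch files carry the ASCII signature "SCCA" at offset 4, which reads as
// 0x41434353 little-endian. Warn rather than stop so a damaged or mislabelled
// file can still be inspected with the rest of the template.
if (header.Magic != 0x41434353)
    Warning("Magic 0x%08X is not 'SCCA'; this may not be a Prefetch file", header.Magic);
SeekSection("SectionA", header.SectionAOffset);
SECTIONA SectionA;
SeekSection("SectionB", header.SectionBOffset);
SECTIONB SectionB;
SeekSection("SectionC", header.SectionCOffset);
SECTIONC SectionC;
SeekSection("SectionD", header.SectionDOffset);
SECTIOND SectionD;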