dissect.target.plugins.os.windows.prefetch#
Module Contents#
Classes#
Base class for plugins. |
Attributes#
- dissect.target.plugins.os.windows.prefetch.PrefetchRecord#
- dissect.target.plugins.os.windows.prefetch.GroupedPrefetchRecord#
- dissect.target.plugins.os.windows.prefetch.c_prefetch = Multiline-String#
Show Value
""" struct PREFETCH_HEADER_DETECT { char signature[4]; uint32 size; }; struct PREFETCH_HEADER { uint32 version; char signature[4]; uint32 unknown; uint32 size; char name[60]; uint32 hash; uint32 flag; }; struct FILE_INFORMATION_26 { uint32 metrics_array_offset; uint32 number_of_file_metrics_entries; uint32 trace_chain_array_offset; uint32 number_of_trace_chain_array_entries; uint32 filename_strings_offset; uint32 filename_strings_size; uint32 volumes_information_offset; uint32 number_of_volumes; uint32 volumes_information_size; uint32 unknown[2]; uint64 last_run_time; uint64 last_run_remains[7]; uint64 unknown[2]; uint32 run_count; uint32 unknown; uint32 unknown; char unknown[88]; }; struct FILE_INFORMATION_17 { uint32 metrics_array_offset; uint32 number_of_file_metrics_entries; uint32 trace_chain_array_offset; uint32 number_of_trace_chain_array_entries; uint32 filename_strings_offset; uint32 filename_strings_size; uint32 volumes_information_offset; uint32 number_of_volumes; uint32 volumes_information_size; uint32 last_run_time; uint32 unknown; uint32 run_count; uint32 unknown; }; struct FILE_INFORMATION_23 { uint32 metrics_array_offset; uint32 number_of_file_metrics_entries; uint32 trace_chain_array_offset; uint32 number_of_trace_chain_array_entries; uint32 filename_strings_offset; uint32 filename_strings_size; uint32 volumes_information_offset; uint32 number_of_volumes; uint32 volumes_information_size; uint32 unknown[2]; uint64 last_run_time; uint64 last_run_remains[2]; uint32 run_count; uint32 unknown; uint32 unknown; char unknown[80]; }; struct VOLUME_INFORMATION_17 { uint32 device_path_offset; uint32 device_path_number_of_characters; uint64 creation_time; uint32 serial_number; uint32 file_reference_offset; uint32 file_reference_size; uint32 directory_strings_array_offset; uint32 number_of_directory_strings; uint32 unknown; }; struct VOLUME_INFORMATION_30 { uint32 device_path_offset; uint32 device_path_number_of_characters; uint64 creation_time; uint32 serial_number; uint32 file_reference_offset; uint32 file_reference_size; uint32 directory_strings_array_offset; uint32 number_of_directory_strings; char unknown[4]; char unknown[24]; char unknown[4]; char unknown[24]; char unknown[4]; }; struct TRACE_CHAIN_ARRAY_ENTRY_17 { uint32 next_array_entry_index; uint32 total_block_load_count; uint32 unknown; uint32 unknown; uint32 unknown; }; struct FILE_METRICS_ARRAY_ENTRY_17 { uint32 start_time; uint32 duration; uint32 filename_string_offset; uint32 filename_string_number_of_characters; uint32 flags; }; struct FILE_METRICS_ARRAY_ENTRY_23 { uint32 start_time; uint32 duration; uint32 average_duration; uint32 filename_string_offset; uint32 filename_string_number_of_characters; uint32 flags; uint64 ntfs_reference; }; """
- dissect.target.plugins.os.windows.prefetch.prefetch#
- dissect.target.plugins.os.windows.prefetch.prefetch_version_structs#
- class dissect.target.plugins.os.windows.prefetch.Prefetch(fh)#
- property latest_timestamp#
Get the latest execution timestamp inside the prefetch file.
- property previous_timestamps#
Get the previous timestamps from the prefetch file.
- identify()#
- parse()#
- parse_metrics(metric_array_struct)#
- read_filename(off, size)#
- class dissect.target.plugins.os.windows.prefetch.PrefetchPlugin(target)#
Bases:
dissect.target.plugin.PluginBase class for plugins.
Plugins can optionally be namespaced by specifying the
__namespace__class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specifiedtestas namespace and a function calledexample, you must call your plugin withtest.example:A
Pluginclass has the following private class attributes:__namespace____record_descriptors__
With the following three being assigned in
register():__plugin____functions____exports__
Additionally, the methods and attributes of
Pluginreceive more private attributes by using decorators.The
export()decorator adds the following private attributes__exported____output__: Set with theexport()decorator.__record__: Set with theexport()decorator.
The
internal()decorator andInternalPluginset the__internal__attribute. Finally.args()decorator sets the__args__attribute.- Parameters:
target – The
Targetobject to load the plugin for.
- check_compatible()#
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- prefetch(grouped=False)#
Return the content of all prefetch files.
Prefetch is a memory management feature in Windows. It contains information (for example run count and timestamp) about executable applications that have been executed recently or are frequently executed.
References
- Yields PrefetchRecords with fields:
hostname (string): The target hostname. domain (string): The target domain. ts (datetime): Run timestamp. filename (uri): The filename. prefetch (uri): The prefetch entry. linkedfile (uri): The linked file entry. runcount (int): The run count.
with –grouped:
- Yields PrefetchRecords with fields:
hostname (string): The target hostname. domain (string): The target domain. ts (datetime): Run timestamp. filename (uri): The filename. prefetch (uri): The prefetch entry. linkedfiles (uri[]): A list of linked files runcount (int): The run count. previousruns (datetime[]): Previous run non zero timestamps