public string FindPhysicalPath(string filepath, ref PrefetchInfoClass pf)
{
int pos = FindLastDash(Path.GetFileName(filepath));
if (pos > 0){
string[] szName = Path.GetFileName(filepath).Split('-');
pf.NameWithoutHash = szName[0];
int hoho = pf.FilesAccessed.Count();
for (int g = 0; g<pf.FilesAccessed.Length; g++){
if (pf.FilesAccessed[g].IndexOf(pf.NameWithoutHash) > 0)
{
return pf.FilesAccessed[g];
}
}
}
return "";
}
private void parsepf(string[] j)
{
ClearScreen();
tabControl1.TabPages[0].Text = "File Accessed";
tabControl1.TabPages[1].Text = "Volume Information";
Stopwatch stopwatch = new Stopwatch();
stopwatch.Start();
DataTable dtPrefetchInfo = new DataTable("pfinfo");
DataTable dtPrefetchSubInfo = new DataTable("pfinfosub");
DataTable dtPrefetchVolInfo = new DataTable("pvolfosub");
dtPrefetchInfo.Columns.Add("FileName", typeof(string));
dtPrefetchInfo.Columns.Add("Boot Process Name", typeof(string));
dtPrefetchInfo.Columns.Add("Hash Value", typeof(string));
dtPrefetchInfo.Columns.Add("Last Run Time (UTC)", typeof(DateTime));
dtPrefetchInfo.Columns.Add("2nd Last Run Time (UTC)", typeof(DateTime));
dtPrefetchInfo.Columns.Add("3rd Last Run Time (UTC)", typeof(DateTime));
dtPrefetchInfo.Columns.Add("4th Last Run Time (UTC)", typeof(DateTime));
dtPrefetchInfo.Columns.Add("5th Last Run Time (UTC)", typeof(DateTime));
dtPrefetchInfo.Columns.Add("6th Last Run Time (UTC)", typeof(DateTime));
dtPrefetchInfo.Columns.Add("7th Last Run Time (UTC)", typeof(DateTime));
dtPrefetchInfo.Columns.Add("8th Last Run Time (UTC)", typeof(DateTime));
dtPrefetchInfo.Columns.Add("Run Count", typeof(int));
dtPrefetchInfo.Columns.Add("Volume Serial", typeof(string));
dtPrefetchInfo.Columns.Add("Volume Created Date (UTC)", typeof(DateTime));
dtPrefetchInfo.Columns.Add("MD5 Hash", typeof(string));
dtPrefetchSubInfo.Columns.Add("FileName", typeof(string));
dtPrefetchSubInfo.Columns.Add("Path", typeof(string));
dtPrefetchVolInfo.Columns.Add("FileName", typeof(string));
dtPrefetchVolInfo.Columns.Add("Path", typeof(string));
PrefetchProcessingClass pfProcessing = new PrefetchProcessingClass();
PrefetchInfoClass pf = new PrefetchInfoClass();
bool isVista = false, isWin8 = false;
foreach (string filepath in j)
{
if (pfProcessing.IsPrefetchFile(filepath))
{
try
{
if (pfProcessing.CheckHeader(filepath, ref isVista, ref isWin8))
{
pf.IsVista = isVista;
pf.IsWin8 = isWin8;
pf.FilePath = filepath;
pfProcessing.ParsePfFile(filepath, ref pf);
string mD5HashFromFile = GetMD5HashFromFile(pf.FilePath);
DateTime? myTime = null;
if (!isWin8)
{
dtPrefetchInfo.Rows.Add(new object[]{
Path.GetFileName(pf.FilePath),
pf.NameWithoutHash,
pf.PathHash,
pf.LastRun,
myTime,
myTime,
myTime,
myTime,
myTime,
myTime,
myTime,
pf.NumTimesExecuted,
pf.VolumeInfo[0].Serial,
pf.VolumeInfo[0].CreatedDate,
mD5HashFromFile
});
}
else
{
dtPrefetchInfo.Rows.Add(new object[]{
Path.GetFileName(pf.FilePath),
pf.NameWithoutHash,
pf.PathHash,
pf.LastRun,
pf.LastRun2,
pf.LastRun3,
pf.LastRun4,
pf.LastRun5,
pf.LastRun6,
pf.LastRun7,
pf.LastRun8,
pf.NumTimesExecuted,
pf.VolumeInfo[0].Serial,
pf.VolumeInfo[0].CreatedDate,
mD5HashFromFile
});
}
int iVolInfoCount = pf.VolumeInfo.Count();
for (int k = 0; k < iVolInfoCount; k++)
{
if (pf.VolumeInfo[k] != null)
{
int iFolderCount = pf.VolumeInfo[k].FolderPaths.Count();
for (int m = 0; m < iFolderCount; m++)
{
dtPrefetchVolInfo.Rows.Add(new object[]
{
Path.GetFileName(pf.FilePath),
pf.VolumeInfo[k].FolderPaths[m]
});
}
}
}
int iFileInfoCount = pf.FilesAccessed.Count();
for (int f = 0; f < iFileInfoCount; f++)
{
dtPrefetchSubInfo.Rows.Add(new object[]
{
Path.GetFileName(pf.FilePath),
pf.FilesAccessed[f]
});
}
dataGridView.DataSource = dtPrefetchInfo;
dataGridView.Visible = true;
dataGridView.Enabled = true;
dataGridpfFile.DataSource = dtPrefetchSubInfo;
dataGridpfFile.Visible = true;
dataGridpfFile.Enabled = true;
dataGridpfVolume.DataSource = dtPrefetchVolInfo;
dataGridpfVolume.Visible = true;
dataGridpfVolume.Enabled = true;
exportToToolStripMenuItem.Visible = true;
xMLToolStripMenuItem.Visible = true;
cSVToolStripMenuItem.Visible = true;
dataGridView.Columns["Last Run Time (UTC)"].DefaultCellStyle.Format = "dd/MM/yyyy HH:mm:ss";
dataGridView.Columns["Volume Created Date (UTC)"].DefaultCellStyle.Format = "dd/MM/yyyy HH:mm:ss";
if (!isWin8)
{
dataGridView.Columns["2nd Last Run Time (UTC)"].Visible = false;
dataGridView.Columns["3rd Last Run Time (UTC)"].Visible = false;
dataGridView.Columns["4th Last Run Time (UTC)"].Visible = false;
dataGridView.Columns["5th Last Run Time (UTC)"].Visible = false;
dataGridView.Columns["6th Last Run Time (UTC)"].Visible = false;
dataGridView.Columns["7th Last Run Time (UTC)"].Visible = false;
dataGridView.Columns["8th Last Run Time (UTC)"].Visible = false;
}
stopwatch.Stop();
// TSSLabel.Text = iNum + " files parsed.";
string str = stopwatch.Elapsed.TotalSeconds.ToString();
TSSLabel2.Text = "Take taken: " + str + " seconds.";
}
}
finally
{
}
}
}
}
public void ReadPaths(string filepath, int iOffset, int size, ref PrefetchInfoClass pf)
{
int sizeread = 0;
List<string> szFileAccessed = new List<string>();
List<string> szActualFileAccessed = new List<string>();
byte[] buffer = new byte[260];
string szTemp = "";
Stream s = new FileStream(filepath, FileMode.Open, FileAccess.ReadWrite, FileShare.Read);
while (new FileInfo(filepath).Length != 0 && sizeread<size){
s.Seek(iOffset, SeekOrigin.Begin);
s.Read(buffer, 0, 260);
sizeread += buffer.Length;
szTemp += Encoding.Unicode.GetString(buffer).TrimEnd('\0');
iOffset += 260;
}
szFileAccessed = szTemp.Split(new char[] {'\0'}, StringSplitOptions.RemoveEmptyEntries).ToList();
int i = szFileAccessed.Count;
for(int j=0; j<i-1; j++){
if (szFileAccessed[j].Length>27)
{
szActualFileAccessed.Add(szFileAccessed[j]);
}
}
pf.FilesAccessed = szActualFileAccessed.ToArray();
s.Close();
}
public void ParsePfFile(string filepath, ref PrefetchInfoClass pf)
{
byte[] array = new byte[4];
byte[] timearray = new byte[8];
BinaryReader binaryReader = new BinaryReader(File.Open(filepath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite));
binaryReader.BaseStream.Position = 0x4C;
binaryReader.Read(array, 0, 4);
pf.PathHash = bytestostring_littleendian(array);
binaryReader.BaseStream.Position = 0x64;
binaryReader.Read(array, 0, 4);
int pathoffsets = BitConverter.ToInt32(array, 0);
binaryReader.BaseStream.Position = 0x68;
binaryReader.Read(array, 0, 4);
int size = BitConverter.ToInt32(array, 0);
binaryReader.BaseStream.Position = 0x6C;
binaryReader.Read(array, 0, 4);
int volInfoOffset = BitConverter.ToInt32(array, 0);
if( pf.IsWin8 ){
binaryReader.BaseStream.Position = 0xD0;
}else if (pf.IsVista){
binaryReader.BaseStream.Position = 0x98;
}else{
binaryReader.BaseStream.Position = 0x90;
}
binaryReader.Read(array, 0, 4);
int iNumExecuted = BitConverter.ToInt32(array, 0);
pf.NumTimesExecuted = iNumExecuted;
if (pf.IsVista || pf.IsWin8){
binaryReader.BaseStream.Position = 0x80;
}else{
binaryReader.BaseStream.Position = 0x78;
}
binaryReader.Read(timearray, 0, 8);
DateTime dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0));
pf.LastRun = dateTime;
if (pf.IsWin8){
// Now checking for for the last 8 timestamps!
binaryReader.Read(timearray, 0, 8);
dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0));
pf.LastRun2 = dateTime;
binaryReader.Read(timearray, 0, 8);
dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0));
pf.LastRun3 = dateTime;
binaryReader.Read(timearray, 0, 8);
dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0));
pf.LastRun4 = dateTime;
binaryReader.Read(timearray, 0, 8);
dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0));
pf.LastRun5 = dateTime;
binaryReader.Read(timearray, 0, 8);
dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0));
pf.LastRun6 = dateTime;
binaryReader.Read(timearray, 0, 8);
dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0));
pf.LastRun7 = dateTime;
binaryReader.Read(timearray, 0, 8);
dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0));
pf.LastRun8 = dateTime;
}
binaryReader.BaseStream.Position = pathoffsets;
ReadPaths(filepath, pathoffsets, size, ref pf);
binaryReader.BaseStream.Position = volInfoOffset;
binaryReader.Read(array, 0, 4);
int iLen = BitConverter.ToInt32(array, 0);
long endpos = volInfoOffset + iLen;
int iBug = 0;
int iPosition = volInfoOffset + 4;
while (iLen > 0 && endpos > iPosition){
// Jump backwards 4 bytes
iPosition -= 0x4;
binaryReader.BaseStream.Position -= 0x4;
PrefetchVolInfoClass vi = new PrefetchVolInfoClass();
binaryReader.Read(array, 0, 4);
int iVolTemp = BitConverter.ToInt32(array, 0);
vi.VolumePathOffset = iVolTemp;
binaryReader.Read(array, 0, 4);
iVolTemp = BitConverter.ToInt32(array, 0);
vi.VolumePathLength = iVolTemp;
binaryReader.Read(timearray, 0, 8);
dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0));
vi.CreatedDate = dateTime;
binaryReader.Read(array, 0, 4);
string szSerial = bytestostring_littleendian(array);
vi.Serial = szSerial;
binaryReader.Read(array, 0, 4);
iVolTemp = BitConverter.ToInt32(array, 0);
vi.Blob1Offset = iVolTemp;
binaryReader.Read(array, 0, 4);
iVolTemp = BitConverter.ToInt32(array, 0);
vi.Blob1Length = iVolTemp;
binaryReader.Read(array, 0, 4);
iVolTemp = BitConverter.ToInt32(array, 0);
vi.FolderPathOffset = iVolTemp;
binaryReader.Read(array, 0, 4);
iVolTemp = BitConverter.ToInt32(array, 0);
vi.NumFolderPaths = iVolTemp;
binaryReader.Read(array, 0, 4);
iVolTemp = BitConverter.ToInt32(array, 0);
vi.Unknown = iVolTemp;
pf.VolumeInfo[iBug] = vi;
if (pf.IsVista || pf.IsWin8){
binaryReader.BaseStream.Position += 64;
}
binaryReader.Read(array, 0, 4);
iLen = BitConverter.ToInt32(array, 0);
if (++iBug >= 16){
//break while, may happen for invalid file!!
break;
}
iPosition = (int)binaryReader.BaseStream.Position;
}
binaryReader.Close();
int gg = pf.VolumeInfo.Length;
for(int j=0; j<pf.VolumeInfo.Count(); j++){
if(pf.VolumeInfo[j]!=null)
pf.VolumeInfo[j].ParseInfo(volInfoOffset, filepath);
}
pf.PhysicalPath = FindPhysicalPath(filepath, ref pf);
if (pf.PhysicalPath!=null){
if (pf.Equals("NTOSBOOT-B00DFAAD.pf"))
{
pf.CalcHash = 0xB00DFAAD;
}
else
{
pf.CalcHash = (pf.IsVista || pf.IsWin8) ? GenerateVistaHash(pf.PhysicalPath) : GenerateXpHash(pf.PhysicalPath);
}
}
binaryReader.Close();
}
