{"id":1445,"date":"2012-10-29T13:33:53","date_gmt":"2012-10-29T13:33:53","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1445"},"modified":"2012-10-29T13:39:46","modified_gmt":"2012-10-29T13:39:46","slug":"prefetch-file-names-and-unc-paths","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/10\/29\/prefetch-file-names-and-unc-paths\/","title":{"rendered":"Prefetch file names and UNC paths"},"content":{"rendered":"<p>In one of the older <a title=\"Prefetch Hash Calculator + a hash lookup table xp\/vista\/w7\/w2k3\/w2k8\" href=\"https:\/\/www.hexacorn.com\/blog\/2012\/06\/13\/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8\/\">posts<\/a>, I talked about how the Prefetch file names are created. Today I was looking at program execution from network shares i.e. originating from the UNC paths and realized that I have not included these in the original article.<\/p>\n<h4><strong>VM Shares<\/strong><\/h4>\n<p>To test what happens, I launched WinXP under windbg and put a breakpoint on the hashing function and then executed a test file from a shared VM folder &#8211; the screenshot shows the mapping between the drive and the UNC path where the executable is placed:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1447\" title=\"prefetch_unc_2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_2-300x127.png\" alt=\"\" width=\"300\" height=\"127\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_2-300x127.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_2.png 725w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Once executed, the windbg popped up and I could trace the full path to a file in a Memory window<\/p>\n<p><a 
href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1446\" title=\"prefetch_unc_1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_1-300x98.png\" alt=\"\" width=\"300\" height=\"98\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_1-300x98.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_1-598x197.png 598w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_1.png 600w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>As it seems, nothing really surprising:<\/p>\n<ul>\n<li>z:\\test.exe is executed<\/li>\n<li>it is mapped to its UNC path \\\\vmware-host\\Shared Folders\\X\\test.exe<\/li>\n<li>which is then prepended with a device name responsible for HGFS file system (used internally by VM) to form a final string used in a hash calculation<\/li>\n<li><strong>\\DEVICE\\HGFS\\VMWARE-HOST\\SHARED FOLDERS\\X\\TEST.EXE<\/strong><\/li>\n<\/ul>\n<h4><strong>Real share<br \/>\n<\/strong><\/h4>\n<p>Now, that was the case with a &#8216;fake&#8217; share created by the VM software.<\/p>\n<p>What about a real share?<\/p>\n<p>Following the same procedure:<\/p>\n<ul>\n<li>I mapped a host \\\\H\\C$ drive as N: inside the guest system with &#8216;net use&#8217;<\/li>\n<li>and then executed N:\\test.exe<\/li>\n<\/ul>\n<p>The result shown below is not very surprising either as now the path refers to LANMANREDIRECTOR:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1448\" title=\"prefetch_unc_3\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_3-300x95.png\" alt=\"\" width=\"300\" height=\"95\" 
srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_3-300x95.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_3-598x191.png 598w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_3.png 601w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<ul>\n<li><strong>\\DEVICE\\LANMANREDIRECTOR\\H\\C$\\TEST.EXE<\/strong><\/li>\n<\/ul>\n<h4><strong>Substed paths<br \/>\n<\/strong><\/h4>\n<p>And in case you are curious what happens to drives created with subst&#8230;<\/p>\n<p>For drives mapped locally using &#8216;subst drive: path&#8217;, e.g.<\/p>\n<pre style=\"padding-left: 30px;\">subst g: .<\/pre>\n<p>there is no difference, as the device will refer to HARDDISKVOLUME<em>###<\/em> (where <em>###<\/em> is the hard drive&#8217;s number) &#8211; I don&#8217;t include a screenshot here as I hope this example doesn&#8217;t need one.<\/p>\n<p>However, using subst in a slightly different way, i.e. referring to the target path via localhost&#8217;s IP, e.g.<\/p>\n<pre style=\"padding-left: 30px;\">subst g: \\\\127.0.0.1\\c$<\/pre>\n<p>will make the Prefetch file name be created using the following path:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1450\" title=\"prefetch_unc_4\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_4-300x85.png\" alt=\"\" width=\"300\" height=\"85\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_4-300x85.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_4.png 598w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<ul>\n<li><strong>\\DEVICE\\LANMANREDIRECTOR\\127.0.0.1\\C$\\TEST.EXE<\/strong><\/li>\n<\/ul>\n<p>As you can see, each of the test files created a different hash:<\/p>\n<p><a 
href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_5.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1451\" title=\"prefetch_unc_5\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_5-300x131.png\" alt=\"\" width=\"300\" height=\"131\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_5-300x131.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/prefetch_unc_5.png 565w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>In other words, there are plenty of ways to abuse the naming of the prefetch file, and it&#8217;s quite hard to write a universal hash calculator that covers all these cases &#8211; it really depends on the environment, there are lots of tricks to confuse the system, and I bet there are a few more that wait to be uncovered.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In one of the older posts, I talked about how the Prefetch file names are created. Today I was looking at program execution from network shares i.e. 
originating from the UNC paths and realized that I have not included these &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/10\/29\/prefetch-file-names-and-unc-paths\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1445"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1445"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1445\/revisions"}],"predecessor-version":[{"id":1455,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1445\/revisions\/1455"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1445"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}