README
¶
Go prefetch parser.
This project is a parser for Microsoft prefetch files.
Documentation
¶
Index ¶
- Variables
- func LZXpressHuffmanDecompress(input []byte, output_size int) ([]byte, error)
- func LZXpressHuffmanDecompressChunk(in_idx int, input []byte, out_idx int, output []byte, chunk_size int) (int, int, error)
- func LZXpressHuffmanDecompressWithFallback(input []byte, output_size int) ([]byte, error)
- func ParseString(reader io.ReaderAt, offset int64, length int64) string
- func ParseTerminatedString(reader io.ReaderAt, offset int64) string
- func ParseTerminatedUTF16String(reader io.ReaderAt, offset int64) string
- func ParseUTF16String(reader io.ReaderAt, offset int64, length int64) string
- func ParseUint32(reader io.ReaderAt, offset int64) uint32
- func ParseUint64(reader io.ReaderAt, offset int64) uint64
- func PrefixCodeTreeAddLeaf(treeNodes []PREFIX_CODE_NODE, leafIndex uint32, mask uint32, bits uint32) uint32
- func PrefixCodeTreeDecodeSymbol(bstr *BitStream, root *PREFIX_CODE_NODE) (uint32, error)
- func Printf(fmt_str string, args ...interface{})
- func UTF16BytesToUTF8(b []byte, o binary.ByteOrder) string
- type BitStream
- type Enumeration
- type FileInformationVista
- func (self *FileInformationVista) DebugString() string
- func (self *FileInformationVista) FileMetricsOffset() uint32
- func (self *FileInformationVista) FilenameOffset() uint32
- func (self *FileInformationVista) FilenameSize() uint32
- func (self *FileInformationVista) Filenames() []string
- func (self *FileInformationVista) LastRunTime() *WinFileTime
- func (self *FileInformationVista) NumberOfFileMetrics() uint32
- func (self *FileInformationVista) NumberOfTraceChains() uint32
- func (self *FileInformationVista) NumberOfVolumes() uint32
- func (self *FileInformationVista) RunCount() uint32
- func (self *FileInformationVista) Size() int
- func (self *FileInformationVista) TraceChainsArrayOffset() uint32
- func (self *FileInformationVista) VolumesInformationOffset() uint32
- func (self *FileInformationVista) VolumesInformationSize() uint32
- type FileInformationWin10
- func (self *FileInformationWin10) DebugString() string
- func (self *FileInformationWin10) FileMetricsOffset() uint32
- func (self *FileInformationWin10) FilenameOffset() uint32
- func (self *FileInformationWin10) FilenameSize() uint32
- func (self *FileInformationWin10) Filenames() []string
- func (self *FileInformationWin10) LastRunTimes() []*WinFileTime
- func (self *FileInformationWin10) NumberOfFileMetrics() uint32
- func (self *FileInformationWin10) NumberOfTraceChains() uint32
- func (self *FileInformationWin10) NumberOfVolumes() uint32
- func (self *FileInformationWin10) RunCount1() uint32
- func (self *FileInformationWin10) RunCount2() uint32
- func (self *FileInformationWin10) Size() int
- func (self *FileInformationWin10) TraceChainsArrayOffset() uint32
- func (self *FileInformationWin10) VolumesInformationOffset() uint32
- func (self *FileInformationWin10) VolumesInformationSize() uint32
- type FileInformationXP
- func (self *FileInformationXP) DebugString() string
- func (self *FileInformationXP) FileMetricsOffset() uint32
- func (self *FileInformationXP) FilenameOffset() uint32
- func (self *FileInformationXP) FilenameSize() uint32
- func (self *FileInformationXP) Filenames() []string
- func (self *FileInformationXP) LastRunTime() *WinFileTime
- func (self *FileInformationXP) NumberOfFileMetrics() uint32
- func (self *FileInformationXP) NumberOfTraceChains() uint32
- func (self *FileInformationXP) NumberOfVolumes() uint32
- func (self *FileInformationXP) RunCount() uint32
- func (self *FileInformationXP) Size() int
- func (self *FileInformationXP) TraceChainsArrayOffset() uint32
- func (self *FileInformationXP) VolumesInformationOffset() uint32
- func (self *FileInformationXP) VolumesInformationSize() uint32
- type FileMetricsEntryV17
- type FileMetricsEntryV30
- type MAMHeader
- type PREFIX_CODE_NODE
- type PREFIX_CODE_SYMBOL
- type PrefetchInfo
- type PrefetchProfile
- func (self *PrefetchProfile) FileInformationVista(reader io.ReaderAt, offset int64) *FileInformationVista
- func (self *PrefetchProfile) FileInformationWin10(reader io.ReaderAt, offset int64) *FileInformationWin10
- func (self *PrefetchProfile) FileInformationXP(reader io.ReaderAt, offset int64) *FileInformationXP
- func (self *PrefetchProfile) FileMetricsEntryV17(reader io.ReaderAt, offset int64) *FileMetricsEntryV17
- func (self *PrefetchProfile) FileMetricsEntryV30(reader io.ReaderAt, offset int64) *FileMetricsEntryV30
- func (self *PrefetchProfile) MAMHeader(reader io.ReaderAt, offset int64) *MAMHeader
- func (self *PrefetchProfile) SCCAHeader(reader io.ReaderAt, offset int64) *SCCAHeader
- func (self *PrefetchProfile) WinFileTime(reader io.ReaderAt, offset int64) *WinFileTime
- type SCCAHeader
- type WinFileTime
Constants ¶
This section is empty.
Variables ¶
View Source
var (
Prefetch_debug = false
)
Functions ¶
func LZXpressHuffmanDecompressWithFallback ¶
Non windows systems fall back to build in decompression.
func ParseUTF16String ¶
func PrefixCodeTreeAddLeaf ¶
func PrefixCodeTreeAddLeaf( treeNodes []PREFIX_CODE_NODE, leafIndex uint32, mask uint32, bits uint32) uint32
inout PREFIX_CODE_NODE treeNodes[1024]: A 1024 element
PREFIX_CODE_NODE array that contains the Huffman prefix code tree's nodes.
in ULONG leafIndex: The index in treeNodes of the node to link into the tree.
in ULONG mask: The symbol's prefix code.
in ULONG bits: The number of bits in the symbol's prefix code.
Return Value ¶
Returns the index in treeNodes of the next node to be processed.
func PrefixCodeTreeDecodeSymbol ¶
func PrefixCodeTreeDecodeSymbol(bstr *BitStream, root *PREFIX_CODE_NODE) ( uint32, error)
Types ¶
type BitStream ¶
type BitStream struct {
// contains filtered or unexported fields
}
func NewBitStream ¶
type Enumeration ¶
func (Enumeration) DebugString ¶
func (self Enumeration) DebugString() string
type FileInformationVista ¶
type FileInformationVista struct {
Reader io.ReaderAt
Offset int64
Profile *PrefetchProfile
}
func NewFileInformationVista ¶
func NewFileInformationVista(reader io.ReaderAt) *FileInformationVista
func (*FileInformationVista) DebugString ¶
func (self *FileInformationVista) DebugString() string
func (*FileInformationVista) FileMetricsOffset ¶
func (self *FileInformationVista) FileMetricsOffset() uint32
func (*FileInformationVista) FilenameOffset ¶
func (self *FileInformationVista) FilenameOffset() uint32
func (*FileInformationVista) FilenameSize ¶
func (self *FileInformationVista) FilenameSize() uint32
func (*FileInformationVista) Filenames ¶
func (self *FileInformationVista) Filenames() []string
func (*FileInformationVista) LastRunTime ¶
func (self *FileInformationVista) LastRunTime() *WinFileTime
func (*FileInformationVista) NumberOfFileMetrics ¶
func (self *FileInformationVista) NumberOfFileMetrics() uint32
func (*FileInformationVista) NumberOfTraceChains ¶
func (self *FileInformationVista) NumberOfTraceChains() uint32
func (*FileInformationVista) NumberOfVolumes ¶
func (self *FileInformationVista) NumberOfVolumes() uint32
func (*FileInformationVista) RunCount ¶
func (self *FileInformationVista) RunCount() uint32
func (*FileInformationVista) Size ¶
func (self *FileInformationVista) Size() int
func (*FileInformationVista) TraceChainsArrayOffset ¶
func (self *FileInformationVista) TraceChainsArrayOffset() uint32
func (*FileInformationVista) VolumesInformationOffset ¶
func (self *FileInformationVista) VolumesInformationOffset() uint32
func (*FileInformationVista) VolumesInformationSize ¶
func (self *FileInformationVista) VolumesInformationSize() uint32
type FileInformationWin10 ¶
type FileInformationWin10 struct {
Reader io.ReaderAt
Offset int64
Profile *PrefetchProfile
}
func NewFileInformationWin10 ¶
func NewFileInformationWin10(reader io.ReaderAt) *FileInformationWin10
func (*FileInformationWin10) DebugString ¶
func (self *FileInformationWin10) DebugString() string
func (*FileInformationWin10) FileMetricsOffset ¶
func (self *FileInformationWin10) FileMetricsOffset() uint32
func (*FileInformationWin10) FilenameOffset ¶
func (self *FileInformationWin10) FilenameOffset() uint32
func (*FileInformationWin10) FilenameSize ¶
func (self *FileInformationWin10) FilenameSize() uint32
func (*FileInformationWin10) Filenames ¶
func (self *FileInformationWin10) Filenames() []string
func (*FileInformationWin10) LastRunTimes ¶
func (self *FileInformationWin10) LastRunTimes() []*WinFileTime
func (*FileInformationWin10) NumberOfFileMetrics ¶
func (self *FileInformationWin10) NumberOfFileMetrics() uint32
func (*FileInformationWin10) NumberOfTraceChains ¶
func (self *FileInformationWin10) NumberOfTraceChains() uint32
func (*FileInformationWin10) NumberOfVolumes ¶
func (self *FileInformationWin10) NumberOfVolumes() uint32
func (*FileInformationWin10) RunCount1 ¶
func (self *FileInformationWin10) RunCount1() uint32
func (*FileInformationWin10) RunCount2 ¶
func (self *FileInformationWin10) RunCount2() uint32
func (*FileInformationWin10) Size ¶
func (self *FileInformationWin10) Size() int
func (*FileInformationWin10) TraceChainsArrayOffset ¶
func (self *FileInformationWin10) TraceChainsArrayOffset() uint32
func (*FileInformationWin10) VolumesInformationOffset ¶
func (self *FileInformationWin10) VolumesInformationOffset() uint32
func (*FileInformationWin10) VolumesInformationSize ¶
func (self *FileInformationWin10) VolumesInformationSize() uint32
type FileInformationXP ¶
type FileInformationXP struct {
Reader io.ReaderAt
Offset int64
Profile *PrefetchProfile
}
func NewFileInformationXP ¶
func NewFileInformationXP(reader io.ReaderAt) *FileInformationXP
func (*FileInformationXP) DebugString ¶
func (self *FileInformationXP) DebugString() string
func (*FileInformationXP) FileMetricsOffset ¶
func (self *FileInformationXP) FileMetricsOffset() uint32
func (*FileInformationXP) FilenameOffset ¶
func (self *FileInformationXP) FilenameOffset() uint32
func (*FileInformationXP) FilenameSize ¶
func (self *FileInformationXP) FilenameSize() uint32
func (*FileInformationXP) Filenames ¶
func (self *FileInformationXP) Filenames() []string
func (*FileInformationXP) LastRunTime ¶
func (self *FileInformationXP) LastRunTime() *WinFileTime
func (*FileInformationXP) NumberOfFileMetrics ¶
func (self *FileInformationXP) NumberOfFileMetrics() uint32
func (*FileInformationXP) NumberOfTraceChains ¶
func (self *FileInformationXP) NumberOfTraceChains() uint32
func (*FileInformationXP) NumberOfVolumes ¶
func (self *FileInformationXP) NumberOfVolumes() uint32
func (*FileInformationXP) RunCount ¶
func (self *FileInformationXP) RunCount() uint32
func (*FileInformationXP) Size ¶
func (self *FileInformationXP) Size() int
func (*FileInformationXP) TraceChainsArrayOffset ¶
func (self *FileInformationXP) TraceChainsArrayOffset() uint32
func (*FileInformationXP) VolumesInformationOffset ¶
func (self *FileInformationXP) VolumesInformationOffset() uint32
func (*FileInformationXP) VolumesInformationSize ¶
func (self *FileInformationXP) VolumesInformationSize() uint32
type FileMetricsEntryV17 ¶
type FileMetricsEntryV17 struct {
Reader io.ReaderAt
Offset int64
Profile *PrefetchProfile
}
func NewFileMetricsEntryV17 ¶
func NewFileMetricsEntryV17(reader io.ReaderAt) *FileMetricsEntryV17
func (*FileMetricsEntryV17) DebugString ¶
func (self *FileMetricsEntryV17) DebugString() string
func (*FileMetricsEntryV17) FilenameLength ¶
func (self *FileMetricsEntryV17) FilenameLength() uint32
func (*FileMetricsEntryV17) FilenameOffset ¶
func (self *FileMetricsEntryV17) FilenameOffset() uint32
func (*FileMetricsEntryV17) Size ¶
func (self *FileMetricsEntryV17) Size() int
type FileMetricsEntryV30 ¶
type FileMetricsEntryV30 struct {
Reader io.ReaderAt
Offset int64
Profile *PrefetchProfile
}
func NewFileMetricsEntryV30 ¶
func NewFileMetricsEntryV30(reader io.ReaderAt) *FileMetricsEntryV30
func (*FileMetricsEntryV30) DebugString ¶
func (self *FileMetricsEntryV30) DebugString() string
func (*FileMetricsEntryV30) FilenameLength ¶
func (self *FileMetricsEntryV30) FilenameLength() uint32
func (*FileMetricsEntryV30) FilenameOffset ¶
func (self *FileMetricsEntryV30) FilenameOffset() uint32
func (*FileMetricsEntryV30) MFTFileReference ¶
func (self *FileMetricsEntryV30) MFTFileReference() uint64
func (*FileMetricsEntryV30) Size ¶
func (self *FileMetricsEntryV30) Size() int
type MAMHeader ¶
type MAMHeader struct {
Reader io.ReaderAt
Offset int64
Profile *PrefetchProfile
}
func NewMAMHeader ¶
func (*MAMHeader) DebugString ¶
func (*MAMHeader) UncompressedSize ¶
type PREFIX_CODE_NODE ¶
type PREFIX_CODE_NODE struct {
// contains filtered or unexported fields
}
func PrefixCodeTreeRebuild ¶
func PrefixCodeTreeRebuild(input []byte) *PREFIX_CODE_NODE
func (PREFIX_CODE_NODE) String ¶
func (self PREFIX_CODE_NODE) String() string
type PREFIX_CODE_SYMBOL ¶
type PREFIX_CODE_SYMBOL struct {
// contains filtered or unexported fields
}
func (PREFIX_CODE_SYMBOL) String ¶
func (self PREFIX_CODE_SYMBOL) String() string
type PrefetchInfo ¶
type PrefetchInfo struct {
Executable string `json:"Executable"`
FileSize uint32 `json:"FileSize"`
Hash string `json:"Hash"`
Version string `json:"Version"`
LastRunTimes []time.Time `json:"LastRunTimes"`
FilesAccessed []string `json:"FilesAccessed"`
RunCount uint32 `json:"RunCount"`
}
func LoadPrefetch ¶
func LoadPrefetch(reader io.ReaderAt) (*PrefetchInfo, error)
type PrefetchProfile ¶
type PrefetchProfile struct {
Off_FileInformationVista_FileMetricsOffset int64
Off_FileInformationVista_FilenameOffset int64
Off_FileInformationVista_FilenameSize int64
Off_FileInformationVista_LastRunTime int64
Off_FileInformationVista_NumberOfFileMetrics int64
Off_FileInformationVista_NumberOfTraceChains int64
Off_FileInformationVista_NumberOfVolumes int64
Off_FileInformationVista_RunCount int64
Off_FileInformationVista_TraceChainsArrayOffset int64
Off_FileInformationVista_VolumesInformationOffset int64
Off_FileInformationVista_VolumesInformationSize int64
Off_FileInformationWin10_FileMetricsOffset int64
Off_FileInformationWin10_FilenameOffset int64
Off_FileInformationWin10_FilenameSize int64
Off_FileInformationWin10_LastRunTimes int64
Off_FileInformationWin10_NumberOfFileMetrics int64
Off_FileInformationWin10_NumberOfTraceChains int64
Off_FileInformationWin10_NumberOfVolumes int64
Off_FileInformationWin10_RunCount1 int64
Off_FileInformationWin10_RunCount2 int64
Off_FileInformationWin10_TraceChainsArrayOffset int64
Off_FileInformationWin10_VolumesInformationOffset int64
Off_FileInformationWin10_VolumesInformationSize int64
Off_FileInformationXP_FileMetricsOffset int64
Off_FileInformationXP_FilenameOffset int64
Off_FileInformationXP_FilenameSize int64
Off_FileInformationXP_LastRunTime int64
Off_FileInformationXP_NumberOfFileMetrics int64
Off_FileInformationXP_NumberOfTraceChains int64
Off_FileInformationXP_NumberOfVolumes int64
Off_FileInformationXP_RunCount int64
Off_FileInformationXP_TraceChainsArrayOffset int64
Off_FileInformationXP_VolumesInformationOffset int64
Off_FileInformationXP_VolumesInformationSize int64
Off_FileMetricsEntryV17_FilenameLength int64
Off_FileMetricsEntryV17_FilenameOffset int64
Off_FileMetricsEntryV30_FilenameLength int64
Off_FileMetricsEntryV30_FilenameOffset int64
Off_FileMetricsEntryV30_MFTFileReference int64
Off_MAMHeader_Signature int64
Off_MAMHeader_UncompressedSize int64
Off_SCCAHeader_Executable int64
Off_SCCAHeader_FileSize int64
Off_SCCAHeader_Hash int64
Off_SCCAHeader_Signature int64
Off_SCCAHeader_Version int64
}
func NewPrefetchProfile ¶
func NewPrefetchProfile() *PrefetchProfile
func (*PrefetchProfile) FileInformationVista ¶
func (self *PrefetchProfile) FileInformationVista(reader io.ReaderAt, offset int64) *FileInformationVista
func (*PrefetchProfile) FileInformationWin10 ¶
func (self *PrefetchProfile) FileInformationWin10(reader io.ReaderAt, offset int64) *FileInformationWin10
func (*PrefetchProfile) FileInformationXP ¶
func (self *PrefetchProfile) FileInformationXP(reader io.ReaderAt, offset int64) *FileInformationXP
func (*PrefetchProfile) FileMetricsEntryV17 ¶
func (self *PrefetchProfile) FileMetricsEntryV17(reader io.ReaderAt, offset int64) *FileMetricsEntryV17
func (*PrefetchProfile) FileMetricsEntryV30 ¶
func (self *PrefetchProfile) FileMetricsEntryV30(reader io.ReaderAt, offset int64) *FileMetricsEntryV30
func (*PrefetchProfile) MAMHeader ¶
func (self *PrefetchProfile) MAMHeader(reader io.ReaderAt, offset int64) *MAMHeader
func (*PrefetchProfile) SCCAHeader ¶
func (self *PrefetchProfile) SCCAHeader(reader io.ReaderAt, offset int64) *SCCAHeader
func (*PrefetchProfile) WinFileTime ¶
func (self *PrefetchProfile) WinFileTime(reader io.ReaderAt, offset int64) *WinFileTime
type SCCAHeader ¶
type SCCAHeader struct {
Reader io.ReaderAt
Offset int64
Profile *PrefetchProfile
}
func NewSCCAHeader ¶
func NewSCCAHeader(reader io.ReaderAt) *SCCAHeader
func (*SCCAHeader) DebugString ¶
func (self *SCCAHeader) DebugString() string
func (*SCCAHeader) Executable ¶
func (self *SCCAHeader) Executable() string
func (*SCCAHeader) FileSize ¶
func (self *SCCAHeader) FileSize() uint32
func (*SCCAHeader) Hash ¶
func (self *SCCAHeader) Hash() uint32
func (*SCCAHeader) Signature ¶
func (self *SCCAHeader) Signature() string
func (*SCCAHeader) Size ¶
func (self *SCCAHeader) Size() int
func (*SCCAHeader) Version ¶
func (self *SCCAHeader) Version() *Enumeration
type WinFileTime ¶
A WinFileTime object is a timestamp in windows filetime format.
func ParseArray_WinFileTime ¶
func ParseArray_WinFileTime(profile *PrefetchProfile, reader io.ReaderAt, offset int64, count int) []*WinFileTime
func (*WinFileTime) DebugString ¶
func (self *WinFileTime) DebugString() string
func (*WinFileTime) GoString ¶
func (self *WinFileTime) GoString() string
func (*WinFileTime) Size ¶
func (self *WinFileTime) Size() int
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.