
Commit 4524810

Worked on Windows Defender scan DetectionHistory file
1 parent 35272ac commit 4524810

File tree: 3 files changed (+331, -144 lines changed)


documentation/Windows Defender scan DetectionHistory file format.asciidoc

Lines changed: 66 additions & 131 deletions
@@ -130,7 +130,7 @@ Seen: 5
130130
| 4 | | Category +
131131
See section: <<category,Category>>
132132
| 5 | | [yellow-background]*Unknown* +
133-
Seen: 49 (last value index 10), 63 (last value index 12), 110 (last value index 13)
133+
Seen: 49, 63, 110
134134
| 6 | | [yellow-background]*Unknown (Severity?)* +
135135
Seen: 4
136136
| 7 | | [yellow-background]*Unknown* +
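Review bot: the new `Seen: 49, 63, 110` line for value index 5 drops the observation that each value was recorded together with a specific last value index (49 with 10, 63 with 12, 110 with 13). That correlation is the only lead the table offers toward identifying this Unknown field; if it has since been disproved, say so in the cell, otherwise keep it, for example as a second line under the Seen values, so the reader does not have to recover it from the history.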
@@ -157,13 +157,13 @@ Seen: 1
157157
| Value index | Value | Description
158158
| 0 | "Magic.Version:1.2" | Known values set separator
159159
| 1 | | Resource type +
160-
Seen: "file", "regkey", "regkeyvalue", "startup", "uninstall"
160+
Seen: "containerfile", "file", "process", "regkey", "regkeyvalue", "runkey", "service", "startup", "taskscheduler", "uninstall", "webfile"
161161
| 2 | | Resource location +
162162
Seen: file path, Windows Registry key path
163163
| 3 | | [yellow-background]*Unknown* +
164164
Seen: 0, 0x10000001
165-
| 4 | | Thread data size
166-
| 5 | | Thread data
165+
| 4 | | Threat tracking data size
166+
| 5 | | Threat tracking data
167167
3+| _Optional values_
168168
| 6 | | [yellow-background]*Unknown date and time*
169169
| 7 | | [yellow-background]*Unknown* +
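Review bot: value index 2 (Resource location) still reads `Seen: file path, Windows Registry key path`, while value index 1 now lists `containerfile`, `process`, `runkey`, `service`, `taskscheduler` and `webfile` as resource types, none of which is covered by the two location forms listed. Extend the Seen values of index 2 with the location form observed for each new type (or note which types were seen with a file path and which with a registry key path) so the two rows stay consistent. The rename of indices 4 and 5 to "Threat tracking data size" and "Threat tracking data" is correct and matches the section heading that is changed later in this commit.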
@@ -311,134 +311,69 @@ RemediationTime
311311
| 4 | | NRI
312312
|===
313313

314-
=== Threat data
314+
=== Threat tracking data
315315

316-
....
317-
* Format version: 1 ?
318-
* Header size ?
319-
* Data size?
320-
* Total data size?
321-
* Unknown
322-
0x00000000 01 00 00 00 14 00 00 00 f9 04 00 00 0d 05 00 00 ................
323-
0x00000010 00 00 00 00 ........*...T.h.
324-
325-
* Data size?
326-
0x00000010 f9 04 00 00 ........*...T.h.
327-
328-
Name size and string:
329-
0x00000010 2a 00 00 00 54 00 68 00 ........*...T.h.
330-
0x00000020 72 00 65 00 61 00 74 00 54 00 72 00 61 00 63 00 r.e.a.t.T.r.a.c.
331-
0x00000030 6b 00 69 00 6e 00 67 00 53 00 68 00 61 00 32 00 k.i.n.g.S.h.a.2.
332-
0x00000040 35 00 36 00 00 00 5.6...........1.
333-
334-
Value type?
335-
0x00000040 06 00 00 00 5.6...........1.
336-
337-
Value size and string:
338-
0x00000040 82 00 00 00 31 00 5.6...........1.
339-
0x00000050 33 00 31 00 66 00 39 00 35 00 63 00 35 00 31 00 3.1.f.9.5.c.5.1.
340-
0x00000060 63 00 63 00 38 00 31 00 39 00 34 00 36 00 35 00 c.c.8.1.9.4.6.5.
341-
0x00000070 66 00 61 00 31 00 37 00 39 00 37 00 66 00 36 00 f.a.1.7.9.7.f.6.
342-
0x00000080 63 00 63 00 61 00 63 00 66 00 39 00 64 00 34 00 c.c.a.c.f.9.d.4.
343-
0x00000090 39 00 34 00 61 00 61 00 61 00 66 00 66 00 34 00 9.4.a.a.a.f.f.4.
344-
0x000000a0 36 00 66 00 61 00 33 00 65 00 61 00 63 00 37 00 6.f.a.3.e.a.c.7.
345-
0x000000b0 33 00 61 00 65 00 36 00 33 00 66 00 66 00 62 00 3.a.e.6.3.f.f.b.
346-
0x000000c0 64 00 66 00 64 00 38 00 32 00 36 00 37 00 00 00 d.f.d.8.2.6.7...
347-
348-
Name size and string:
349-
0x000000d0 2a 00 00 00 54 00 68 00 72 00 65 00 61 00 74 00 *...T.h.r.e.a.t.
350-
0x000000e0 54 00 72 00 61 00 63 00 6b 00 69 00 6e 00 67 00 T.r.a.c.k.i.n.g.
351-
0x000000f0 53 00 69 00 67 00 53 00 65 00 71 00 00 00 S.i.g.S.e.q.....
352-
353-
Value type (64-bit integer?)
354-
0x000000f0 04 00 S.i.g.S.e.q.....
355-
0x00000100 00 00 ....-.U..."...T.
356-
357-
Value data:
358-
0x00000100 b0 dd 2d dc 55 05 00 00 ....-.U..."...T.
359-
360-
Name size and string:
361-
0x00000100 22 00 00 00 54 00 ....-.U..."...T.
362-
0x00000110 68 00 72 00 65 00 61 00 74 00 54 00 72 00 61 00 h.r.e.a.t.T.r.a.
363-
0x00000120 63 00 6b 00 69 00 6e 00 67 00 49 00 64 00 00 00 c.k.i.n.g.I.d...
364-
365-
0x00000130 06 00 00 00 4a 00 00 00 36 00 41 00 44 00 36 00 ....J...6.A.D.6.
366-
0x00000140 31 00 36 00 42 00 37 00 2d 00 45 00 32 00 41 00 1.6.B.7.-.E.2.A.
367-
0x00000150 41 00 2d 00 34 00 33 00 38 00 37 00 2d 00 41 00 A.-.4.3.8.7.-.A.
368-
0x00000160 32 00 35 00 30 00 2d 00 37 00 38 00 33 00 38 00 2.5.0.-.7.8.3.8.
369-
0x00000170 46 00 34 00 44 00 31 00 42 00 31 00 39 00 41 00 F.4.D.1.B.1.9.A.
370-
0x00000180 00 00 ..0...T.h.r.e.a.
371-
372-
0x00000180 30 00 00 00 54 00 68 00 72 00 65 00 61 00 ..0...T.h.r.e.a.
373-
0x00000190 74 00 54 00 72 00 61 00 63 00 6b 00 69 00 6e 00 t.T.r.a.c.k.i.n.
374-
0x000001a0 67 00 53 00 74 00 61 00 72 00 74 00 54 00 69 00 g.S.t.a.r.t.T.i.
375-
0x000001b0 6d 00 65 00 00 00 m.e.........[..
376-
377-
0x000001b0 04 00 00 00 e5 1b 5b 1f a7 20 m.e.........[..
378-
0x000001c0 d8 01 ..2...T.h.r.e.a.
379-
380-
0x000001c0 32 00 00 00 54 00 68 00 72 00 65 00 61 00 ..2...T.h.r.e.a.
381-
0x000001d0 74 00 54 00 72 00 61 00 63 00 6b 00 69 00 6e 00 t.T.r.a.c.k.i.n.
382-
0x000001e0 67 00 54 00 68 00 72 00 65 00 61 00 74 00 4e 00 g.T.h.r.e.a.t.N.
383-
0x000001f0 61 00 6d 00 65 00 00 00 a.m.e.......4...
384-
385-
0x000001f0 06 00 00 00 34 00 00 00 a.m.e.......4...
386-
0x00000200 56 00 69 00 72 00 75 00 73 00 3a 00 44 00 4f 00 V.i.r.u.s.:.D.O.
387-
0x00000210 53 00 2f 00 45 00 49 00 43 00 41 00 52 00 5f 00 S./.E.I.C.A.R._.
388-
0x00000220 54 00 65 00 73 00 74 00 5f 00 46 00 69 00 6c 00 T.e.s.t._.F.i.l.
389-
0x00000230 65 00 00 00 e...&...T.h.r.e.
390-
391-
0x00000230 26 00 00 00 54 00 68 00 72 00 65 00 e...&...T.h.r.e.
392-
0x00000240 61 00 74 00 54 00 72 00 61 00 63 00 6b 00 69 00 a.t.T.r.a.c.k.i.
393-
0x00000250 6e 00 67 00 53 00 68 00 61 00 31 00 00 00 n.g.S.h.a.1.....
394-
395-
0x00000250 06 00 n.g.S.h.a.1.....
396-
0x00000260 00 00 52 00 00 00 63 00 66 00 38 00 62 00 64 00 ..R...c.f.8.b.d.
397-
0x00000270 39 00 64 00 66 00 64 00 64 00 66 00 66 00 30 00 9.d.f.d.d.f.f.0.
398-
0x00000280 30 00 37 00 66 00 37 00 35 00 61 00 64 00 66 00 0.7.f.7.5.a.d.f.
399-
0x00000290 34 00 63 00 32 00 62 00 65 00 34 00 38 00 30 00 4.c.2.b.e.4.8.0.
400-
0x000002a0 30 00 35 00 63 00 65 00 61 00 33 00 31 00 37 00 0.5.c.e.a.3.1.7.
401-
0x000002b0 63 00 36 00 32 00 00 00 c.6.2...*...T.h.
402-
403-
0x000002b0 2a 00 00 00 54 00 68 00 c.6.2...*...T.h.
404-
0x000002c0 72 00 65 00 61 00 74 00 54 00 72 00 61 00 63 00 r.e.a.t.T.r.a.c.
405-
0x000002d0 6b 00 69 00 6e 00 67 00 53 00 69 00 67 00 53 00 k.i.n.g.S.i.g.S.
406-
0x000002e0 68 00 61 00 00 00 06 00 00 00 52 00 00 00 37 00 h.a.......R...7.
407-
0x000002f0 32 00 61 00 61 00 66 00 39 00 62 00 61 00 62 00 2.a.a.f.9.b.a.b.
408-
0x00000300 39 00 34 00 38 00 32 00 36 00 64 00 39 00 63 00 9.4.8.2.6.d.9.c.
409-
0x00000310 36 00 37 00 65 00 63 00 33 00 38 00 63 00 39 00 6.7.e.c.3.8.c.9.
410-
0x00000320 30 00 64 00 65 00 37 00 64 00 62 00 38 00 32 00 0.d.e.7.d.b.8.2.
411-
0x00000330 34 00 36 00 66 00 62 00 31 00 35 00 37 00 00 00 4.6.f.b.1.5.7...
412-
0x00000340 26 00 00 00 54 00 68 00 72 00 65 00 61 00 74 00 &...T.h.r.e.a.t.
413-
0x00000350 54 00 72 00 61 00 63 00 6b 00 69 00 6e 00 67 00 T.r.a.c.k.i.n.g.
414-
0x00000360 53 00 69 00 7a 00 65 00 00 00 04 00 00 00 45 00 S.i.z.e.......E.
415-
0x00000370 00 00 00 00 00 00 24 00 00 00 54 00 68 00 72 00 ......$...T.h.r.
416-
0x00000380 65 00 61 00 74 00 54 00 72 00 61 00 63 00 6b 00 e.a.t.T.r.a.c.k.
417-
0x00000390 69 00 6e 00 67 00 4d 00 44 00 35 00 00 00 06 00 i.n.g.M.D.5.....
418-
0x000003a0 00 00 42 00 00 00 36 00 39 00 36 00 33 00 30 00 ..B...6.9.6.3.0.
419-
0x000003b0 65 00 34 00 35 00 37 00 34 00 65 00 63 00 36 00 e.4.5.7.4.e.c.6.
420-
0x000003c0 37 00 39 00 38 00 32 00 33 00 39 00 62 00 30 00 7.9.8.2.3.9.b.0.
421-
0x000003d0 39 00 31 00 63 00 64 00 61 00 34 00 33 00 64 00 9.1.c.d.a.4.3.d.
422-
0x000003e0 63 00 61 00 30 00 00 00 30 00 00 00 54 00 68 00 c.a.0...0...T.h.
423-
0x000003f0 72 00 65 00 61 00 74 00 54 00 72 00 61 00 63 00 r.e.a.t.T.r.a.c.
424-
0x00000400 6b 00 69 00 6e 00 67 00 53 00 63 00 61 00 6e 00 k.i.n.g.S.c.a.n.
425-
0x00000410 46 00 6c 00 61 00 67 00 73 00 00 00 03 00 00 00 F.l.a.g.s.......
426-
0x00000420 11 00 00 00 2e 00 00 00 54 00 68 00 72 00 65 00 ........T.h.r.e.
427-
0x00000430 61 00 74 00 54 00 72 00 61 00 63 00 6b 00 69 00 a.t.T.r.a.c.k.i.
428-
0x00000440 6e 00 67 00 49 00 73 00 45 00 73 00 75 00 53 00 n.g.I.s.E.s.u.S.
429-
0x00000450 69 00 67 00 00 00 05 00 00 00 00 2e 00 00 00 54 i.g............T
430-
0x00000460 00 68 00 72 00 65 00 61 00 74 00 54 00 72 00 61 .h.r.e.a.t.T.r.a
431-
0x00000470 00 63 00 6b 00 69 00 6e 00 67 00 54 00 68 00 72 .c.k.i.n.g.T.h.r
432-
0x00000480 00 65 00 61 00 74 00 49 00 64 00 00 00 03 00 00 .e.a.t.I.d......
433-
0x00000490 00 1b 8a 00 80 32 00 00 00 54 00 68 00 72 00 65 .....2...T.h.r.e
434-
0x000004a0 00 61 00 74 00 54 00 72 00 61 00 63 00 6b 00 69 .a.t.T.r.a.c.k.i
435-
0x000004b0 00 6e 00 67 00 53 00 63 00 61 00 6e 00 53 00 6f .n.g.S.c.a.n.S.o
436-
0x000004c0 00 75 00 72 00 63 00 65 00 00 00 03 00 00 00 00 .u.r.c.e........
437-
0x000004d0 00 00 00 2e 00 00 00 54 00 68 00 72 00 65 00 61 .......T.h.r.e.a
438-
0x000004e0 00 74 00 54 00 72 00 61 00 63 00 6b 00 69 00 6e .t.T.r.a.c.k.i.n
439-
0x000004f0 00 67 00 53 00 63 00 61 00 6e 00 54 00 79 00 70 .g.S.c.a.n.T.y.p
440-
0x00000500 00 65 00 00 00 03 00 00 00 00 00 00 00 .e...........
441-
....
316+
The threat tracking data consists of:
317+
318+
* optional header
319+
* values data size
320+
* values
321+
322+
==== Threat tracking header
323+
324+
[cols="1,1,1,5",options="header"]
325+
|===
326+
| Offset | Size | Value | Description
327+
| 0 | 4 | 1 | [yellow-background]*Unknown (format version?)*
328+
| 4 | 4 | | [yellow-background]*Unknown (header size?)*
329+
| 8 | 4 | | [yellow-background]*Unknown (values data size?)*
330+
| 12 | 4 | | [yellow-background]*Unknown (total data size?)*
331+
| 16 | 4 | | [yellow-background]*Unknown (empty values)*
332+
|===
333+
334+
==== Threat tracking values data size
335+
336+
[cols="1,1,1,5",options="header"]
337+
|===
338+
| Offset | Size | Value | Description
339+
| 0 | 4 | | Values data size
340+
|===
341+
342+
==== Threat tracking value
343+
344+
===== Threat tracking value - 32-bit integer
345+
346+
[cols="1,1,1,5",options="header"]
347+
|===
348+
| Offset | Size | Value | Description
349+
| 0 | 4 | | Key string size
350+
| 4 | ... | | Key string
351+
| ... | 4 | 0x00000003 | Value type
352+
| ... | 4 | | Value integer
353+
|===
354+
355+
===== Threat tracking value - 64-bit integer
356+
357+
[cols="1,1,1,5",options="header"]
358+
|===
359+
| Offset | Size | Value | Description
360+
| 0 | 4 | | Key string size
361+
| 4 | ... | | Key string
362+
| ... | 4 | 0x00000004 | Value type
363+
| ... | 8 | | Value integer
364+
|===
365+
366+
===== Threat tracking value - string
367+
368+
[cols="1,1,1,5",options="header"]
369+
|===
370+
| Offset | Size | Value | Description
371+
| 0 | 4 | | Key string size
372+
| 4 | ... | | Key string
373+
| ... | 4 | 0x00000006 | Value type
374+
| ... | 4 | | Value string size
375+
| ... | ... | | Value string
376+
|===
442377

443378
:numbered!:
444379
[appendix]
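
Review bot: the new value tables only cover types 0x00000003, 0x00000004 and 0x00000006, but the removed dump shows a fourth type: at offset 0x450 the key `ThreatTrackingIsEsuSig` is followed by `05 00 00 00 00` and then the next key size `2e 00 00 00`, that is, type 5 with a single-byte payload. Add a "Threat tracking value - 8-bit integer (boolean?)" table, otherwise a parser written from these tables cannot advance past that entry. Two further points the tables leave implicit and the dump supports: first, the string sizes are in bytes and include the UTF-16 little-endian terminator (`2a 00 00 00` = 42 bytes for the 20-character key `ThreatTrackingSha256` plus terminator, `82 00 00 00` = 130 bytes for a 64-character digest plus terminator); state the encoding and that the terminator is counted, for both key string size and value string size. Second, the header fields in the dump are 1, 0x14, 0x4f9 and 0x50d, and 0x14 + 0x4f9 = 0x50d while the header is exactly five 4-byte fields, which supports the "header size", "values data size" and "total data size" guesses; the values data size field at offset 20 repeats 0x4f9 and so counts its own 4 bytes. Recording that arithmetic next to the tables would turn the question marks into stated observations. Since the header is described as optional, also give the rule a parser should use to detect it (the only discriminator visible in the dump is the first dword being 1 rather than a size). Finally, the 64-bit value of `ThreatTrackingStartTime`, `e5 1b 5b 1f a7 20 d8 01`, is in the range of a FILETIME and deserves a "possibly FILETIME" note in the 64-bit integer table; and because the tables are now the only evidence on the page, consider keeping the dump as an example in the appendix rather than deleting it.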
