Posted 29 May 2013 - 08:40 PM
Here is my version of a low level file copier (commandline) with source included; http://mft2csv.googl...py_v1.0.0.5.zip
On a second thought, I will make it available here too.
Edit: It now is.
Posted 30 November 2015 - 02:02 PM
Revamping this thread because seemingly both erwan.l's and joakims' tools, included the updated versions on github:
seemingly do not work with a subset of "in use" files (namely pagefile.sys and hiberfil.sys, possibly on new stupid Windows OS's also the stupid swapfile.sys ).
Some reference:
http://www.forensicf...wtopic/t=13653/
and some previous discussion in an unrelated thread (just to keep everything as together as possible), starting from here:
http://reboot.pro/to...mpreg/?p=196561
Wonko
Posted 30 November 2015 - 05:10 PM
You can always copy the file, regardless whether it is in use or not, but of course their hashes may not match. Moving is a different story, you generally can't move any file if it's in use.
The best copy softwares for Windows are UltraCopier/SuperCopier. I used to use TeraCopy but it crashes too much.
Posted 30 November 2015 - 05:28 PM
You can always copy the file, regardless whether it is in use or not, but of course their hashes may not match. Moving is a different story, you generally can't move any file if it's in use.
The best copy softwares for Windows are UltraCopier/SuperCopier. I used to use TeraCopy but it crashes too much.
Well, I would already be happy to have the extents for the file. (then with direct disk access I would have no issues, at least up to XP)
Did you actually try using Ultracopier or Supercopier to specifically copy pagefile.sys?
Or, even better, did you ever try to copy (not move) the file pagefile.sys (not another file, in use, locked or whatever, specifically pagefile.sys)?
And if you did, did you copy it successfully (even if the hashes did not match, was a file of the right size created on the target)?
And if you had successfully copied it, which tool did you use?
And is this tool 1. Command Line, 2. Open Source ?
Wonko
Posted 30 November 2015 - 05:41 PM
@ Wonko: You make no sense. Why *THE FUCKING HELL* would I want to copy my own page file on my running Windows system?! There is no data in it that I care about, and of course it will be locked/in use. I can understand a hacker wanting to inspect it, maybe to retrieve passwords/encryption keys etc, which is why I always run without a page file if RAM is plentiful, and keep all my volumes encrypted. An attacker could only gain access via some kind of snooping that doesn't involve wires, a keylogger, perhaps direct PC access (to extract contents of RAM etc).
Posted 30 November 2015 - 06:20 PM
@ Wonko: You make no sense. Why *THE FUCKING HELL* would I want to copy my own page file on my running Windows system?! There is no data in it that I care about, and of course it will be locked/in use. I can understand a hacker wanting to inspect it, maybe to retrieve passwords/encryption keys etc, which is why I always run without a page file if RAM is plentiful, and keep all my volumes encrypted. An attacker could only gain access via some kind of snooping that doesn't involve wires, a keylogger, perhaps direct PC access (to extract contents of RAM etc).
incorrect information about something that you have no idea of, nor experience with, and that you cannot even imagine a reason for, without actually reading what I had just posted and the (given) references.
You can always copy the file, regardless whether it is in use or not, but of course their hashes may not match.
Posted 30 November 2015 - 06:30 PM
Actually.......I had already read the entire topic before posting. I can understand why someone would want to copy locked files, but I have no interest in my pagefile's contents. You asked if I had tried to copy it, I provided a rebuttal. Maybe you can conjure up a logical reason for me to bother wasting my time doing such a thing? Benefits?
Posted 30 November 2015 - 06:31 PM
Hi Wonko,
To me, no conventional way will manage to read the file.
You need to "attack" the system using unconventional ways.
Currently looking at injecting code into the "system" process: from there I should be able to retrieve either a pagefile handle which I can then use to retrieve the file extents, or even dump the extents straight from the process itself.
Very aggressive approach thus
Regards,
Erwan
Posted 30 November 2015 - 06:32 PM
Actually.......I had already read the entire topic before posting. I can understand why someone would want to copy locked files, but I have no interest in my pagefile's contents. You asked if I had tried to copy it, I provided a rebuttal. Maybe you can conjure up a logical reason for me to bother wasting my time doing such a thing? Benefits?
Hey, this forum is about fun and about being curious.
Does it always need to be a "why"?
Many of the tools I have delivered over here started with pure fun and curiosity.
If it happens to be useful for someone by the end of the day, even better
Posted 30 November 2015 - 06:37 PM
@ erwan.l: We have a limited time in life before death, so YES, absolutely, I definitely need a good, logical reason to do something before expending my time.
Posted 30 November 2015 - 06:41 PM
@ erwan.l: We have a limited time in life before death, so YES, absolutely, I definitely need a good, logical reason to do something before expending my time.
Then don't
But don't spoil the fun for others
Posted 30 November 2015 - 06:49 PM
Really? And then you ignored what you had read and posted the first thing that crossed your mind?
Actually.......I had already read the entire topic before posting.
I don't see it as particularly aggressive, I am pretty much convinced that your original approach is/was too much "along the MS guidelines" to have any probability of success, but I thought that the nice thingy by joakim was "beyond" that.
Hi Wonko,
To me, no conventional way will manage to read the file.
You need to "attack" the system using unconventional ways.
Posted 30 November 2015 - 06:55 PM
I did not look at Joakim's code but I am pretty convinced we use the same "classic" approach.
I could be wrong thus and if Joakim might actually be reading the MFT directly (rather than getting a handle the target file) then indeed he has more chances to succeed.
My approach currently is to stick to windows api but "impersonate" the system process to do the job from there.
By aggressive, I mean that this approach is more likely to give one a nice BSOD
Posted 30 November 2015 - 06:55 PM
@ erwan.l: If this forum is about fun and curiosity, then that can also sometimes be a valid "why".
I'm not ruining anyone's fun. If someone's fun is ruined by my statements, then it is because they allowed it to be so. I have found that life is in large part an individual's perception of things, rather than what has actually happened, and how we react to situations. I'm perfectly happy being flawed, closed-minded, assholish 'ol me. I don't care what others think of me and have no real regard or understanding of their opinions, beliefs, etc. I absolutely won't allow anyone to affect my peace of mind with their statements/actions.
To clarify, I can understand why someone would want to copy a locked file, but not the pagefile in particular. Is it special in this regard (for the purposes of this thread)? What about hiberfil.sys or other special system files?
Posted 30 November 2015 - 07:37 PM
To clarify, I can understand why someone would want to copy a locked file, but not the pagefile in particular. Is it special in this regard (for the purposes of this thread)? What about hiberfil.sys or other special system files?
Good, and to further clarify, this is EXACTLY why I doubted you had read the thread, here:
http://reboot.pro/to...sible/?p=196573
Revamping this thread because seemingly both erwan.l's and joakims' tools, included the updated versions on github:
https://github.com/jschicht
seemingly do not work with a subset of "in use" files (namely pagefile.sys and hiberfil.sys, possibly on new stupid Windows OS's also the stupid swapfile.sys ).
Some reference:
http://www.forensicf...wtopic/t=13653/
and so
Posted 02 December 2015 - 06:10 PM
Fix a bug in RawCopy that should let it copy pagefile's etc too. Find latest version on GitHub; https://github.com/jschicht/RawCopy
Posted 05 December 2015 - 01:27 PM
Fix a bug in RawCopy that should let it copy pagefile's etc too. Find latest version on GitHub; https://github.com/jschicht/RawCopy
Just to confirm that it works fine on XP SP2/3:
C:\dummy2>rawcopy C:\pagefile.sys D:\2xOS
RawCopy v1.0.0.11
Error: NtOpenFile returned: 0xC0000043
Record number: 5 found at disk offset: 3221230592 -> 0x00000000C0001400
Record number: 86667 found at disk offset: 241425136640 -> 0x00000038360F3C00
Writing: pagefile.sys
Job took 11.93 seconds
Nice work!
Wonko
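The output above shows the pattern the thread converges on: NtOpenFile fails on the in-use file (0xC0000043 is STATUS_SHARING_VIOLATION), so the tool falls back to locating the file's MFT record and copying its clusters through raw volume access. As an added example that is not code from the thread, from RawCopy or from any of the posters' tools, here is a Python decoder for the NTFS data-run list of a non-resident $DATA attribute, plus a reader that rebuilds the file from those extents; the run bytes, the volume image and the cluster size are constructed for illustration.

```python
import io
from typing import BinaryIO, List, Optional, Tuple

def parse_data_runs(runs: bytes) -> List[Tuple[int, Optional[int], int]]:
    """Decode an NTFS data-run list into (vcn, lcn, clusters) tuples.
    lcn is None for a sparse run (no clusters allocated on disk)."""
    extents, pos, vcn, prev_lcn = [], 0, 0, 0
    while pos < len(runs) and runs[pos] != 0x00:       # 0x00 terminates the list
        header, pos = runs[pos], pos + 1
        len_size, off_size = header & 0x0F, header >> 4  # field widths in bytes
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError(f"malformed run header at byte {pos - 1}")
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            lcn = None                                  # sparse run, nothing on disk
        else:
            # offsets are signed and relative to the previous run's LCN
            prev_lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn = prev_lcn
        extents.append((vcn, lcn, length))
        vcn += length
    return extents

def copy_extents(volume: BinaryIO, runs: bytes, file_size: int, cluster_size: int) -> bytes:
    """Rebuild a file's contents by reading its clusters straight from the raw
    volume (no file handle needed); sparse runs are zero-filled and the result
    is cut at the real file size, since the last cluster is only partly used."""
    out = io.BytesIO()
    for _, lcn, clusters in parse_data_runs(runs):
        nbytes = clusters * cluster_size
        if lcn is None:
            out.write(b"\x00" * nbytes)
            continue
        volume.seek(lcn * cluster_size)
        chunk = volume.read(nbytes)
        if len(chunk) != nbytes:
            raise IOError("short read: data run points past the end of the volume")
        out.write(chunk)
    return out.getvalue()[:file_size]

# Constructed sample run list (hypothetical, not from a real volume):
# 16 clusters at LCN 4096, 32 clusters at LCN 2048 (negative delta),
# 5 sparse clusters, 8 clusters at LCN 2112, then the terminator.
SAMPLE_RUNS = bytes.fromhex("21100010" "312000F8FF" "0105" "110840" "00")

if __name__ == "__main__":
    for vcn, lcn, n in parse_data_runs(SAMPLE_RUNS):
        print(f"VCN {vcn:>4} -> LCN {lcn!s:>6}  ({n} clusters)")
```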