Extents

file copy in use

10 replies to this topic

#1 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1901 posts
  • Location:Nantes - France
  •  
    France

Posted 26 May 2013 - 02:31 PM


File Name: Extents
File Submitter: erwan.l
File Submitted: 26 May 2013
File Updated: 04 Dec 2015
File Category: Tools

This is a simple GUI to FSCTL_GET_RETRIEVAL_POINTERS.

The idea is to read all clusters belonging to a file, then map these clusters on the logical drive where this file is located, and from there reassemble all clusters and save them to a new destination file.

Thanks to this method, one can save/copy a file which is in use since we "raw" read clusters from a logical drive.

This has been tested with success on \boot\bcd and \windows\system32\config\sam, files which you cannot copy in normal mode.

The zip file contains the source file next to the binary.

Regards,
Erwan

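An added example (not the Extents tool's own source, which ships in its zip): the reassembly step the post describes, written in C with the RETRIEVAL_POINTERS_BUFFER layout redeclared so it runs offline against a constructed in-memory volume. The cluster size, extent list and file size in the demo are made up; on Windows the buffer would come from DeviceIoControl and the clusters from ReadFile on the \\.\C: volume handle.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Same layout as RETRIEVAL_POINTERS_BUFFER: NextVcn is the VCN just past the run,
 * Lcn where it starts on the volume; Lcn == -1 is a sparse hole (reads as zeros). */
typedef struct { int64_t NextVcn; int64_t Lcn; } Extent;
typedef struct { uint32_t ExtentCount; int64_t StartingVcn; const Extent *Extents; } RetrievalPointers;

/* Copies file_size bytes of the file into out, reading each cluster from the volume
 * image at Lcn * cluster (on Windows: ReadFile on \\.\C: at that offset). Returns
 * bytes written, or -1 on a run outside the volume, a bad list, or too few extents. */
long reassemble_extents(const RetrievalPointers *rp, const uint8_t *volume, size_t volume_len,
                        size_t cluster, size_t file_size, uint8_t *out, size_t out_cap)
{
    if (file_size > out_cap) return -1;
    size_t written = 0;
    int64_t vcn = rp->StartingVcn;                       /* first VCN covered by the list */
    for (uint32_t i = 0; i < rp->ExtentCount && written < file_size; i++) {
        int64_t run_len = rp->Extents[i].NextVcn - vcn;  /* clusters in this run */
        int64_t lcn = rp->Extents[i].Lcn;
        if (run_len <= 0) return -1;
        for (int64_t c = 0; c < run_len && written < file_size; c++) {
            size_t n = file_size - written < cluster ? file_size - written : cluster; /* partial tail */
            if (lcn == -1) {
                memset(out + written, 0, n);
            } else {
                uint64_t off = (uint64_t)(lcn + c) * cluster;
                if (off + n > volume_len) return -1;
                memcpy(out + written, volume + off, n);
            }
            written += n;
        }
        vcn = rp->Extents[i].NextVcn;
    }
    return written == file_size ? (long)written : -1;
}

/* Constructed demo volume: 16 clusters of 8 bytes, cluster k filled with 'A'+k. The file
 * owns VCN 0-1 at LCN 5, VCN 2 is a hole, VCN 3-4 at LCN 2; 36 of 40 allocated bytes are valid. */
static uint8_t g_out[64]; static long g_len = -1;
long demo_run(void)
{
    uint8_t volume[128];
    for (size_t k = 0; k < 16; k++) memset(volume + k * 8, 'A' + (int)k, 8);
    const Extent ext[] = { {2, 5}, {3, -1}, {5, 2} };
    RetrievalPointers rp = { 3, 0, ext };
    g_len = reassemble_extents(&rp, volume, sizeof volume, 8, 36, g_out, sizeof g_out);
    return g_len;
}
int demo_byte_at(size_t i) { return (g_len > 0 && i < (size_t)g_len) ? g_out[i] : -1; }
```

The hole and the partial last cluster are the two cases a naive "copy every allocated cluster" loop gets wrong: the first must be zero-filled rather than skipped, the second trimmed to the file's real size.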

#2 erwan.l

Posted 04 December 2015 - 08:20 PM

Added source file to the zip file as it may help others.



#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 907 posts
  • Location:Bergen
  •  
    Norway

Posted 05 December 2015 - 12:15 PM

This is cool even though it does have some limitations (explorer must reach the file in order to get at it).

 

Should it be possible to get at the *.sys files at the root of the volume? I am getting an invalid handle (25) error.



#4 erwan.l

Posted 05 December 2015 - 12:45 PM

For now, the *.sys files (pagefile, hiberfil, etc) are not supported.

 

I am currently working on it but adopting a different approach than yours (I believe you directly parse the MFT).

I am thinking of using the thread injection technique.

 

Handle error 25 is new to me: it means "error seek - The drive cannot locate a specific area or track on the disk".

Usually on pagefile.sys I get error 2 (file not found) or error 5 (access denied).



#5 joakim

Posted 05 December 2015 - 01:17 PM

Sorry for the slight confusion. The correct error message on the *.sys files is "invalid handle, 32". I guess sharing is prohibited.

 

Out of curiosity, what exactly is this thread injection technique?



#6 erwan.l

Posted 06 December 2015 - 10:34 AM

Here is the technique:

- I open a process handle to a system process

- I allocate memory in the remote process

- I write memory (my code) in the remote process

- I create a thread in the remote process executing the code written in the remote process memory

For now I successfully load and execute code in a remote system process (like lsass.exe or winlogon.exe).

My test code so far is simple: it writes the current process id (from the remote process) in a text file.

Some questions I still need to answer:

- will any system process be able to get a handle to pagefile.sys (allowing me to get its extents)?

- or do I need to find the specific process handling pagefile.sys?



#7 joakim

Posted 06 December 2015 - 11:08 AM

My impression is that it's the system process with pid 4, the Windows kernel, that holds this lock. That also means you will need a kernel mode driver for the job. I was fiddling with this a couple of years ago, and it's not easy. I could surely inject code and make it run, but in the end you can't just inject a user mode process into kernel mode. I would instead suggest going for the low level filesystem reading, or else I fear you will be facing months of BSODs driving you nuts :) This is my impression, not necessarily a fact. I may be wrong.



#8 erwan.l

Posted 06 December 2015 - 12:23 PM

I have had to deal with dozens of BSOD's these days indeed :)

Trial and error...

 

My injection code is stable now (from xp to win10) which at least is some achievement for me as I will be able to reuse it elsewhere.

 

But indeed I believe you are right: I can inject code in any process, any except System (pid 4).

Which makes sense since I am in userland...

Thus I may give it a try to run it from a service: purely for fun :)

 

About low level filesystem reading, you have done a great job already with rawcopy so I don't think I'll reuse that road.

 

If you have a few minutes to spare today, you can have a look at the attached demo.

This is x32 demo code using 3 different injection techniques on remote x32 processes (choosing the exe name or exe pid).

It will load a dll (and execute code) named hook.dll located in c:\.

The source code of hook.dll is in the zip file.

You can replace it with any dll of your choice.

Attached file: demo.zip (239.69KB)


#9 joakim

Posted 06 December 2015 - 01:12 PM

I tried the demo and it works fine.

 

Doing all this from a service will make no difference. At best you will be able to elevate yourself to "nt authority system" or session 0. This is still only usermode, though the highest privilege you can get in userland. Entering kernel mode in ring 0 from ring 3 is quite a distance, and is blocked unless you load up a kernel mode driver. The driver needs to be signed unless you booted into TestMode. Then you may have to rewrite parts of your code injection code as those functions only exist in userland, like ntdll.dll and kernel32.dll. The kernel mode ones are ZwXXXXX and exported in the kernel (ntdll.dll provides these as NtXXXXX in userland). Then the next challenge is PatchGuard, which is a security mechanism within the kernel that will detect if any code has been modified within the address space of the kernel. That's a tough nut to crack.



#10 erwan.l

Posted 06 December 2015 - 02:40 PM

Yep, dead end it is.

I have tried a CreateFile('c:\pagefile.sys', GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0) from all possible system processes (lsass, winlogon, csrss, etc) and I get an invalid handle in all cases.

 

Oh well, it was fun anyway to refresh my injection procedures and I am sure it will be of some use for some other purposes.

 

Too bad as I was "only" looking for a handle to pagefile.sys which I could duplicate and pass back to my get_extents routine.



#11 joakim

Posted 06 December 2015 - 03:39 PM

You could verify the handle in process explorer. Click the system process with pid 4 and scroll through the handles in the lower pane.





