
Extents

file copy in use

58 replies to this topic

#1 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2506 posts
  • Location:Nantes - France
  •  
    France

Posted 26 May 2013 - 02:31 PM


File Name: Extents
File Submitter: erwan.l
File Submitted: 26 May 2013
File Updated: 24 Mar 2019
File Category: Tools

This is a simple GUI to FSCTL_GET_RETRIEVAL_POINTERS.

The idea is to read all clusters belonging to a file, then map these clusters on the logical drive where this file is located, and from there reassemble all clusters and save them to a new destination file.

Thanks to this method, one can save/copy a file which is in use since we "raw" read clusters from a logical drive.

This has been tested with success on \boot\bcd and \windows\system32\config\sam.
Files which you cannot copy in a normal mode.

The zip file contains the source file next to the binary.

Regards,
Erwan
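As an added illustration of the copy step described in the post above (example code written for this edit, not the Extents tool's own Delphi source), the loop below rebuilds a file from its cluster runs by reading the raw volume. The volume is a constructed in-memory byte string, and Extent, build_demo_volume(), read_clusters() and reassemble() are this example's own names; on Windows the same loop would seek a \\.\C: handle to LCN * cluster size and ReadFile, which is the "raw read" the post relies on. It also covers two cases the post does not spell out: a sparse run (no LCN) is emitted as zeros, and the tail of the last cluster is cut to the file's logical size.

```python
"""Added example, not the Extents tool's own code: rebuild a file from its
cluster runs by reading the raw volume. The volume is a constructed in-memory
byte string; on Windows the reads would go to a \\\\.\\C: handle instead."""
from dataclasses import dataclass
from typing import List, Optional

CLUSTER_SIZE = 512  # constructed: a tiny cluster so the demo volume stays small


@dataclass(frozen=True)
class Extent:
    vcn: int            # first virtual (file-relative) cluster of this run
    lcn: Optional[int]  # first logical cluster on the volume; None = sparse run
    clusters: int       # run length in clusters


def build_demo_volume(n_clusters: int, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Constructed volume image: every byte of cluster i holds the value i,
    so a read from the wrong cluster is immediately visible."""
    return b"".join(bytes([i % 256]) * cluster_size for i in range(n_clusters))


def read_clusters(volume: bytes, lcn: int, count: int, cluster_size: int) -> bytes:
    """The 'raw read' of the post: byte offset on the volume = LCN * cluster size."""
    start = lcn * cluster_size
    end = start + count * cluster_size
    if end > len(volume):
        raise ValueError(f"run LCN {lcn} + {count} clusters runs past the volume end")
    return volume[start:end]


def reassemble(volume: bytes, extents: List[Extent], file_size: int,
               cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Copy the runs in VCN order and cut the result to the file's logical size
    (the rest of the last cluster is slack space, not file content)."""
    out = bytearray()
    expected_vcn = 0
    for ext in sorted(extents, key=lambda e: e.vcn):
        if ext.vcn != expected_vcn:
            raise ValueError(f"VCN chain broken: expected {expected_vcn}, got {ext.vcn}")
        if ext.lcn is None:
            out += b"\x00" * (ext.clusters * cluster_size)  # sparse run reads back as zeros
        else:
            out += read_clusters(volume, ext.lcn, ext.clusters, cluster_size)
        expected_vcn += ext.clusters
    if file_size > len(out):
        raise ValueError("extents cover fewer bytes than the file size")
    return bytes(out[:file_size])


if __name__ == "__main__":
    # constructed: a 16-cluster volume and a 3-run file (two allocated runs, one sparse)
    vol = build_demo_volume(16)
    runs = [Extent(0, 10, 2), Extent(2, None, 1), Extent(3, 3, 1)]
    data = reassemble(vol, runs, file_size=4 * CLUSTER_SIZE - 100)
    print(len(data), data[0], data[CLUSTER_SIZE], data[2 * CLUSTER_SIZE], data[3 * CLUSTER_SIZE])
```

The VCN check matters in practice: runs must be consumed in virtual-cluster order and cover the file without gaps, otherwise the copy is silently corrupt even though every read succeeded.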


#2 erwan.l


Posted 04 December 2015 - 08:20 PM

Added source file to the zip file as it may help others.



#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 05 December 2015 - 12:15 PM

This is cool even though it does have some limitations (explorer must reach the file in order to get at it).

 

Should it be possible to get at the *.sys files at root of volume? I am getting an invalid handle (25) error.



#4 erwan.l


Posted 05 December 2015 - 12:45 PM

For now, the *.sys files (pagefile, hiberfil, etc) are not supported.

 

I am currently working on it but adopting a different approach than yours (I believe you directly parse the MFT).

I am thinking of using the thread injection technique.

 

Handle error 25 is new to me: it means "error seek - The drive cannot locate a specific area or track on the disk".

Usually on pagefile.sys I get error 2 (file not found) or error 5 (access denied).



#5 joakim


Posted 05 December 2015 - 01:17 PM

Sorry for the slight confusion. The correct error message on the *.sys files is "invalid handle, 32". I guess sharing is prohibited.

 

Out of curiosity, what exactly is this thread injection technique?



#6 erwan.l


Posted 06 December 2015 - 10:34 AM

Here is the technique:

-I open a process handle to a system process

-I allocate memory in the remote process

-I write memory (my code) in the remote process

-I create a thread in the remote process executing the code written in the remote process memory

 

For now I successfully load and execute code in a system remote process (like lsass.exe or winlogon.exe).

My test code so far is simple: it writes the current process id (from the remote process) in a text file.

 

Some questions I still need to answer:

-will any system process be able to get a handle to pagefile.sys (allowing me to get its extents)?

-or do I need to find the specific process handling pagefile.sys?



#7 joakim


Posted 06 December 2015 - 11:08 AM

My impression is that it's the system process with pid 4, the Windows kernel, that holds this lock. That also means you will need a kernel mode driver for the job. I was fiddling with this a couple of years ago, and it's not easy. I could surely inject code and make it run, but in the end you can't just inject a user mode process into kernel mode. I would instead suggest to go for the low level filesystem reading, or else I fear you will be facing months of bsod's driving you nuts :) This is my impression, not necessarily a fact. I may be wrong.



#8 erwan.l


Posted 06 December 2015 - 12:23 PM

I have had to deal with dozens of BSOD's these days indeed :)

Trial and errors...

 

My injection code is stable now (from xp to win10) which at least is some achievement for me as I will be able to reuse it elsewhere.

 

But indeed I believe you are right : I can inject code in any process, any except system - pid 4.

Which makes sense since I am in userland ...

Thus I may give it a try to run it from a service: purely for fun :)

 

About low level filesystem reading, you have done a great job already with rawcopy so I don't think I'll reuse that road.

 

If you have a few minutes to spare today, you can have a look at the attached demo.

This is a x32 demo code using 3 different injection techniques on remote x32 processes (choosing the exe name or exe pid).

It will load a dll (and execute code) named hook.dll located in c:\.

The source code of hook.dll is in the zip file.

You can replace it with any dll of your choice.

Attached Files

  • Attached File  demo.zip   239.69KB   359 downloads


#9 joakim


Posted 06 December 2015 - 01:12 PM

I tried the demo and it works fine.

 

Doing all this from a service will make no difference. At best you will be able to elevate yourself to "nt authority system" or session 0. This is still only usermode, though the highest privilege you can get in userland. Entering kernel mode in ring 0 from ring 3 is quite a distance, and is blocked unless you load up a kernel mode driver. The driver needs to be signed unless you booted into TestMode. Then you may have to rewrite parts of your code injection code as those functions only exist in userland like ntdll.dll and kernel32.dll. The kernel mode ones are ZwXXXXX and exported in kernel (ntdll.dll provides these as NtXXXXX in userland). Then the next challenge is PatchGuard which is a security mechanism within the kernel that will detect if any code has been modified within the address space of kernel. That's a tough nut to crack.



#10 erwan.l


Posted 06 December 2015 - 02:40 PM

Yep dead end it is.

I have tried a CreateFile('c:\pagefile.sys', GENERIC_READ ,file_share_read or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0) from all possible system processes (lsass, winlogon, csrss, etc) and I get an invalid handle in all cases.

 

Oh well, it was fun anyway to refresh my injection procedures and I am sure it will be of some use for some other purposes.

 

Too bad as I was "only" looking for a handle to pagefile.sys which I could duplicate and pass back to my get_extents routine.



#11 joakim


Posted 06 December 2015 - 03:39 PM

You could verify the handle in process explorer. Click the system process with pid 4 and scroll through the handles in the lower pane.



#12 erwan.l


Posted 19 March 2019 - 09:44 PM

Small update.

 

The LBA (for the file offset 0) will now be provided (using IOCTL_VOLUME_LOGICAL_TO_PHYSICAL).

 

Download in the 1st post (including source code).




#13 erwan.l


Posted 4 weeks ago

Following an interesting discussion here touching (amongst other things) on file extents, I have reviewed my source code.

 

Extents will now display the extents (rather than each individual cluster offset), the number of sectors for each extent, and the physical LBA.

 

The code is also published on github now.

 

Code uses FSCTL_GET_RETRIEVAL_POINTERS to retrieve the file extents and clusters, and IOCTL_VOLUME_LOGICAL_TO_PHYSICAL for the logical to physical offset translation.

 




#14 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14725 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 4 weeks ago

Good :thumbsup: .

I can see no reason why the output is part in decimal, part in hex, you should IMHO make up your mind and make everything either decimal or hex.

 

Now a spin-off request :w00t:

 

A simple command line tool that, pointed to a file:

1) checks if it is contiguous (only one extent), and only if this is the case outputs the file:
2) LBA Start (in decimal, sectors)
3) LBA Length (in decimal, sectors)
4) Number of (contiguous) clusters used (decimal)

5) Size of the cluster (in decimal, sectors)
6) Size of the file (in decimal, bytes) from the filesystem

 

Let's call it ifcontig.exe.

 

I guess you know what use it could have ;).

 

:duff:

Wonko



#15 erwan.l


Posted 4 weeks ago

For now, this "form" based tool more or less mimics getFileExtents (discussed on another thread).

 

But I am definitely tempted to drop the GUI and stick to a command line tool.

 

As this tool is kind of "without any particular purpose" but more of "demo / at your disposal for whatever purpose", I am most probably going to follow your lead and implement all your bullet points.

 

I am just a dummy dev guy and need a "PM" :)



#16 Wonko the Sane


Posted 4 weeks ago

> I am just a dummy dev guy and need a "PM" :)

Naah, you are a (much esteemed) Author, but Authors usually need Editors and peer reviewers to better focus on the work and produce if not better, more accurate results. ;)

 

:duff:

Wonko



#17 erwan.l


Posted 4 weeks ago

Before converting this app into a command line following Wonko's suggestions, I have reviewed the output slightly.

 

For each extent, the VCN and LCN are provided (in number of clusters), the LBA (in number of sectors), and the number of sectors.

 

Did not do the math yet but I guess LBA-LCN is equal to my partition offset.

 




#18 Wonko the Sane


Posted 4 weeks ago

LBA-(LCN*cluster_size) you mean?

 

32681720-3995359*8=718848

 

:duff:

Wonko



#19 erwan.l


Posted 4 weeks ago

> LBA-(LCN*cluster_size) you mean?
>
> 32681720-3995359*8=718848
>
> :duff:
>
> Wonko

 

LBA in sectors (block of 512 bytes) and LCN in clusters (blocks of clusters=4096 in my case).

All it takes I guess is to settle on one unit (clusters? sectors? bytes?) and then you are safe.

 

Maybe the formula could be reworded (to ease reading) in LBA-(LCN*Sectors_per_cluster).

 

But indeed, my partition HiddenSectors=718848 :) (aka StartingOffset=368050176 bytes).

->Partition_Info
StartingOffset: 368050176
HiddenSectors: 718848
->GetDiskFreeSpace
Sectors per cluster: 8
Bytes per sector: 512
ClusterSize: 4096


#20 Wonko the Sane


Posted 4 weeks ago

> LBA in sectors (block of 512 bytes) and LCN in clusters (blocks of clusters=4096 in my case).
>
> All it takes I guess is to settle on one unit (clusters? sectors? bytes?) and then you are safe.
>
> But indeed, my partition offset (in sectors) is 718848 :) (aka 368050176 bytes).

I don't get you. :unsure:

 

LBA can ONLY be expressed in sectors.

Clusters are usually expressed in number of sectors, i.e. you won't find anywhere on disk 4096 (bytes per cluster) you will only find 8 (sectors per cluster) in the BPB.

Bytes per sector (which is another field you find on disk, in the BPB) allows the conversion.

 

Size can be expressed in bytes.

Size on disk (what you have now as "File Cluster count:98 -> in bytes: 401408" [1]) can be expressed in bytes AND (though the result is obviously the same) you are probably doing 98*4096=401408 while you should be doing 98*8*512=401408

 

:duff:

Wonko

 

[1] Should you happen to keep the ">" in the future command line version output, be warned that I will take immediately back the "much esteemed" :w00t: :ph34r:



#21 erwan.l


Posted 4 weeks ago

> [1] Should you happen keep the ">" in the future command line version output, be warned that I will take immediately back the "much esteemed" :w00t: :ph34r:

Damn, pressure is high!! :)

I clearly don't want to lose this title!

 

Would you agree with the below?

-LCN and VCN are expressed in clusters

-LBA is expressed in sectors

-Offset is usually expressed in sectors or bytes



#22 Wonko the Sane


Posted 4 weeks ago

> Would you agree with the below?
>
> -LCN and VCN are expressed in clusters
>
> -LBA is expressed in sectors
>
> -Offset is usually expressed in sectors or bytes

Yes.

Yes.

No.

 

There is usually no such field as "offset".

 

There is "LBA start address" or "Sectors Before" (which is actually already an offset) and it can only be in sectors.

 

Of course you can have a field "StartingOffset", but I personally would call it "Bytes before".

 

I am perplexed by the "hidden sectors", those are usually called "Sectors Before", they are not "hidden", they are simply "before" (or partition "LBA start").

 

:duff:

Wonko
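The exchange from post #13 onward (FSCTL_GET_RETRIEVAL_POINTERS output, the LBA = sectors before + LCN * sectors per cluster relation checked with 32681720 - 3995359*8 = 718848, and Wonko's ifcontig.exe wish list from post #14) as one added example. This is code written for this edit, not the Extents tool's source: pack_retrieval_pointers(), parse_retrieval_pointers(), lcn_to_lba(), describe() and ifcontig() are this example's own names, and the buffers are constructed in memory so the decoding runs without Windows. The buffer layout is the documented RETRIEVAL_POINTERS_BUFFER (ExtentCount, padding, StartingVcn, then NextVcn/Lcn pairs, with Lcn -1 for an unallocated run); the units follow the thread's conclusion: VCN and LCN in clusters, LBA and lengths in sectors, sizes in bytes.

```python
"""Added example, not the Extents tool's own code: decode a
FSCTL_GET_RETRIEVAL_POINTERS buffer, map each run to its LBA, and apply
the 'ifcontig' rules from the thread. Buffers are constructed in memory."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RETRIEVAL_POINTERS_BUFFER, little-endian, 8-byte aligned fields:
#   DWORD ExtentCount; 4 bytes padding; LARGE_INTEGER StartingVcn;
#   then ExtentCount pairs of { LARGE_INTEGER NextVcn; LARGE_INTEGER Lcn; }
# An Lcn of -1 marks a run with no clusters allocated (sparse/compressed hole).
_HDR = struct.Struct("<I4xq")
_RUN = struct.Struct("<qq")
SPARSE_LCN = -1


@dataclass(frozen=True)
class Extent:
    vcn: int       # first virtual (file-relative) cluster of the run
    lcn: int       # first logical cluster on the volume, or SPARSE_LCN
    clusters: int  # run length in clusters


def pack_retrieval_pointers(starting_vcn: int, runs: List[Tuple[int, int]]) -> bytes:
    """Constructed helper: build the buffer the way the filesystem driver fills it.
    `runs` is a list of (NextVcn, Lcn) pairs."""
    out = _HDR.pack(len(runs), starting_vcn)
    for next_vcn, lcn in runs:
        out += _RUN.pack(next_vcn, lcn)
    return out


def parse_retrieval_pointers(buf: bytes) -> List[Extent]:
    """Walk the NextVcn chain: run i covers [vcn_i, NextVcn_i) starting at Lcn_i."""
    count, vcn = _HDR.unpack_from(buf, 0)
    extents, off = [], _HDR.size
    for _ in range(count):
        next_vcn, lcn = _RUN.unpack_from(buf, off)
        off += _RUN.size
        if next_vcn <= vcn:
            raise ValueError(f"NextVcn {next_vcn} does not advance past VCN {vcn}")
        extents.append(Extent(vcn, lcn, next_vcn - vcn))
        vcn = next_vcn
    return extents


def lcn_to_lba(lcn: int, sectors_per_cluster: int, sectors_before: int) -> int:
    """LBA (sectors) = partition 'sectors before' + LCN * sectors per cluster.
    This is the relation behind 32681720 - 3995359*8 = 718848 in the thread."""
    return sectors_before + lcn * sectors_per_cluster


def describe(extents: List[Extent], sectors_per_cluster: int,
             sectors_before: int) -> List[Dict[str, Optional[int]]]:
    """One row per extent: VCN/LCN in clusters, LBA and length in sectors."""
    rows = []
    for e in extents:
        lba = None if e.lcn == SPARSE_LCN else lcn_to_lba(e.lcn, sectors_per_cluster, sectors_before)
        rows.append({"vcn": e.vcn, "lcn": e.lcn, "lba": lba,
                     "sectors": e.clusters * sectors_per_cluster})
    return rows


def ifcontig(extents: List[Extent], sectors_per_cluster: int, bytes_per_sector: int,
             sectors_before: int, file_size: int) -> Optional[Dict[str, int]]:
    """The ifcontig.exe rule: report only when the file is a single allocated run,
    otherwise return None. Size on disk is computed as clusters * spc * bps."""
    if len(extents) != 1 or extents[0].lcn == SPARSE_LCN:
        return None
    e = extents[0]
    return {
        "lba_start": lcn_to_lba(e.lcn, sectors_per_cluster, sectors_before),
        "lba_length": e.clusters * sectors_per_cluster,
        "clusters": e.clusters,
        "cluster_sectors": sectors_per_cluster,
        "file_size": file_size,
        "size_on_disk": e.clusters * sectors_per_cluster * bytes_per_sector,
    }


if __name__ == "__main__":
    # constructed from the thread's figures: 98 clusters at LCN 3995359, 8 sectors
    # per cluster, 512 bytes per sector, partition starting 718848 sectors in
    buf = pack_retrieval_pointers(0, [(98, 3995359)])
    ext = parse_retrieval_pointers(buf)
    for row in describe(ext, 8, 718848):
        print(row)
    print(ifcontig(ext, 8, 512, 718848, 401408))
```

A fragmented or sparse file makes ifcontig() return None rather than a partial answer, which is the behaviour Wonko asked for: the LBA start is only meaningful when one run holds the whole file.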



#23 erwan.l


Posted 4 weeks ago

Actually a lot of my wording is influenced by the Windows API (or the Windows structures to be exact) I am using.

Hiddensectors for instance is used in the _PARTITION_INFORMATION_MBR structure.



#24 erwan.l


Posted 4 weeks ago

Zip file now contains a console version (both the GUI and the CMD version use the same source code).

 


 

 

@Wonko : this is a "first" version

Feel free to comment on the console output to better fit possible batches you may think of.

Pretty much everything can be customized : bytes, cluster, sectors, decimal/hexadecimal, remove/add some lines, change some characters, etc ...

 

And before you shoot, this is NTFS only for now.

I need to review your previous post (here) about how to adapt for FAT.

 

(simple) syntax:

extents 1.0 by erwan2212@gmail.com
extents filename
extents source destination


#25 erwan.l


Posted 4 weeks ago

Also, the console version (I will probably drop/remove the GUI version) is now developed with Freepascal.

Therefore, both win32 and win64 binaries are available.

