
Thread: Circumventing windows file protections...

  1. #1

    I'm looking at an application that saves "high value content" in a tmp file in the temp directory while it's handling it. When it finishes handling it, and closes the file, it gets deleted automatically.

    A little research has shown me that they're calling CreateFile with 0 for the sharing options, and with the DELETE_ON_CLOSE flag set.

    I'm looking for a "non-driver, non-hooking" way to break Windows' stranglehold on these files so that I can copy them to another directory for later inspection.

    Anyone know how to do this?

  2. #2
    disavowed
    there's a list of about 20 programs here that might do the trick for you: http://ccollomb.free.fr/unlocker/

  3. #3
    GREAT! Thanks disavowed! (Even a link to one that has source).

  4. #4
    If the file exists for some time you could use the WinAPI CreateHardLink to create a second dir entry for that file. When the application deletes the file, then only the first dir entry is deleted, the second entry together with the file data will be intact and available for inspection.

    radix
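    The suggestion above, automated, as an added example that is not code from the thread: a watcher that hard-links every new file in the target's temp directory the moment it appears, so the data outlives the owner's FILE_FLAG_DELETE_ON_CLOSE. The directory, the `*.tmp` name pattern and the `%TEMP%\kept` stash are assumptions; replace them with what ProcMon shows for the real target. Hard links need NTFS and both names on the same volume, and the trick only works if the file exists long enough for the Created event to be handled.

    ```powershell
    # Added example (not from the thread): hard-link new temp files as they appear.
    # Assumptions: the app writes to %TEMP%, names match *.tmp, %TEMP%\kept is on the
    # same NTFS volume. PowerShell 5.1+ for New-Item -ItemType HardLink.
    param(
        [string]$WatchDir = $env:TEMP,
        [string]$Filter   = '*.tmp',
        [string]$KeepDir  = (Join-Path $env:TEMP 'kept')
    )

    New-Item -ItemType Directory -Path $KeepDir -Force | Out-Null

    $watcher = [System.IO.FileSystemWatcher]::new($WatchDir, $Filter)
    $watcher.IncludeSubdirectories = $false
    $watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName
    $watcher.EnableRaisingEvents = $true

    $onCreated = {
        $src  = $Event.SourceEventArgs.FullPath
        $name = '{0}-{1}' -f (Get-Date -Format 'yyyyMMdd-HHmmss-fff'), $Event.SourceEventArgs.Name
        $dst  = Join-Path $Event.MessageData.KeepDir $name
        try {
            # CreateHardLink needs only attribute-level access to the source, which the
            # share-mode check does not cover, so this succeeds while the owner holds the
            # file with dwShareMode = 0. Reading $dst still fails until the owner closes it.
            New-Item -ItemType HardLink -Path $dst -Value $src -ErrorAction Stop | Out-Null
            Write-Host "linked $src -> $dst"
        } catch {
            # Typical causes: the file was gone already, or $KeepDir is on another volume.
            Write-Host "could not link ${src}: $($_.Exception.Message)"
        }
    }

    $sub = Register-ObjectEvent -InputObject $watcher -EventName Created `
                                -Action $onCreated -MessageData @{ KeepDir = $KeepDir }
    Write-Host "watching $WatchDir for $Filter, keeping links in $KeepDir (Ctrl-C to stop)"
    try     { while ($true) { Start-Sleep -Milliseconds 500 } }
    finally {
        Unregister-Event -SourceIdentifier $sub.Name
        $watcher.Dispose()
    }
    ```

    Start it before the target application, let the application finish with the file, then read the copy in `%TEMP%\kept`. While both names exist, `fsutil hardlink list <path>` lists them, which is a quick way to confirm the link was made before the owner deleted its own entry.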

  5. #5
    evaluator
    & if you want to save FLV files from such deletion, use the Opera browser, which keeps a copy of the FLV file in its cache!

  6. #6
    Quote Originally Posted by radix:
    If the file exists for some time you could use the WinAPI CreateHardLink to create a second dir entry for that file. When the application deletes the file, then only the first dir entry is deleted, the second entry together with the file data will be intact and available for inspection.

    radix
    According to the Win32 API:

    "Flags, attributes, access, and sharing that are specified in CreateFile operate on a per-file basis. That is, if you open a file that does not allow sharing, another application cannot share the file by creating a new hard link to the file."


  7. #7
    Quote Originally Posted by evaluator:
    & if you want save FLV files from such deletion, use Opera browser, which has FLV-file copy in it's cache!
    Hmm INTERESTING! But I'm interested in AAC files.

  8. #8
    Naides
    Yet another resource to try, if you do not have enough already, is one of the file recovery tools available. Unless the app really WIPES and overwrites the file in question, you should be able to undelete it with minimal effort, if you do it early enough after the program runs...

  9. #9
    I guess I should have stated this earlier, I'm looking to do this programmatically.

    It's starting to look like a "CreateRemoteThread" and using CopyFile, might be the hot ticket.

    One thing I was thinking about was changing the permissions on the file, but I don't know if that's possible with it still being open.

    What I'm up to, is I'd like to write some code to snag the media that is sent to my machine by a website with a name that refers to a woman who opened a box in Greek mythology that unleashed all the evils into the world. That should keep JMI happy. I avoided the name, but still told you who it is.

    The media that they send down is in AAC format, and their site runs a flash player that calls DirectX stuff under the hood to handle them.

  10. #10
    Oh thank God you didn't directly mention "Pandora's" name.

    Did I give it away???

    Regards,
    JMI

  11. #11
    You crack me up sometimes JMI. Since it's technically a target, and we don't mention target names, I figured I'd err on the side of safety.

    I've found some weird results. I found an app called "WhoUses", which is supposed to tell you who has a file locked. So, I fire up PANDORA, and using ProcMon I see the location, and the name of the file it has opened. So, I supply WhoUses with the filename, and it returns NOTHING. It's like it can't tell who has the file locked.

  12. #12
    Quote Originally Posted by FrankRizzo:
    ...That is, if you open a file that does not allow sharing, another application cannot share the file by creating a new hard link to the file."
    Yes, while the app is running you cannot access the file via the created hard link - but the hard link protects the file data from getting lost if the file (the first created dir entry) gets deleted, so you can access the file data *after* the app has terminated.

    radix
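    The two halves of this exchange (the documentation quoted in #6 and radix's reply in #12) are both right, and the following added example, which is not code from the thread, shows them together. The target application is simulated with a .NET FileStream opened with FileShare.None and FileOptions.DeleteOnClose, which is the same CreateFile call the OP observed (dwShareMode = 0, FILE_FLAG_DELETE_ON_CLOSE). The file names under %TEMP% are assumptions; the script needs PowerShell 5.1+ and an NTFS volume.

    ```powershell
    # Added example (not from the thread): hard link vs. no-share + delete-on-close.
    # Assumptions: %TEMP% is on NTFS; both names are on the same volume.
    $ErrorActionPreference = 'Stop'
    $orig = Join-Path $env:TEMP 'victim.tmp'    # the name the "owner" creates and deletes
    $link = Join-Path $env:TEMP 'victim.kept'   # our second directory entry for the same data
    Remove-Item $orig, $link -ErrorAction SilentlyContinue

    # 1. The owner creates the file: no sharing, delete on close, writes its content.
    #    Constructed sample data stands in for the real "high value content".
    $owner   = [System.IO.FileStream]::new($orig, 'CreateNew', 'ReadWrite', 'None', 4096, 'DeleteOnClose')
    $payload = [System.Text.Encoding]::ASCII.GetBytes('high value content')
    $owner.Write($payload, 0, $payload.Length)
    $owner.Flush()

    # 2. While the owner still holds it, add a second name. CreateHardLink opens the
    #    source for attribute-level access only, which the share-mode check ignores.
    New-Item -ItemType HardLink -Path $link -Value $orig | Out-Null
    "hard link created while the file was open with dwShareMode = 0"

    # 3. The quoted documentation: sharing is per file, not per name, so reading through
    #    the new link is refused with ERROR_SHARING_VIOLATION (Win32 error 32).
    try {
        [System.IO.File]::ReadAllBytes($link) | Out-Null
        "unexpected: read through the link succeeded while the owner had it open"
    } catch [System.IO.IOException] {
        "while open: read via link failed, HRESULT 0x{0:X8}" -f $_.Exception.HResult
    }

    # 4. radix's point: FILE_FLAG_DELETE_ON_CLOSE removes the name the handle was opened
    #    through. The other name, and the data, stay behind.
    $owner.Dispose()
    "original name still exists: $(Test-Path $orig)"
    "hard link still exists:     $(Test-Path $link)"
    "recovered content:          $([System.IO.File]::ReadAllText($link))"
    ```

    Step 3 is the check a practitioner wants: if the read through the link ever succeeds while the owner is still running, the owner did not in fact open the file with share mode 0, and a plain CopyFile would have done. Step 4 is where the data comes back; the original name is gone, the link is not, and the content reads back through it. If step 2 fails instead, the usual reasons are a non-NTFS volume or the link being placed on a different volume from the temp file.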

  13. #13
    Yep, works like a charm! Thanks radix!

  14. #14
    SiGiNT
    Other methods: Close the running app with task manager, attach Olly to it and close Olly, and the oldest and most likely to create damage - hit the power switch, or pull the plug.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  15. #15
    BanMe
    pseudo code..
    loader starts the process suspended and breaks at first code execution.. not many ways to do that.. search for pointers to code pushed onto the stack of a call before a function and set a breakpoint just after the call (the return address)..
    Write file 'dump' to the stream and access the stream in WordPad..

    Code:
    RTL_USER_PROCESS_PARAMETERS PROCESS_PARAMETERS = GetUserProcessParameters();
    Status  =NtCreateFile(&FileHandle,L"'\\??\\PROCESS_PARAMETERS::ImagePathName:StreamDump");
    NtCreateSection(&Section,FileHandle);
    NtMapViewOfSection(Section,_PEB.ImageBaseAddress,FileEOF-FileBaseAddress);
    now that is completely untested.. and there is some inkling of DualMapping in there.. but you might already have seen that

    so here are other options I've contemplated...
    single step with lookahead call & jmp disassembly (looks for encrypted routines..)
    single step with stack code checking.. (disassembly of 'suspicious' stack values.. i.e. this shouldn't test a value if it only has the lower word in the dword filled out.. handles)
    use 'a' encryption check based on the ones found by the lookahead routines (calls and jmps) to see if they are still encrypted.. if not, return to the next frame setup for the next call.. repeat checks for encryption routines
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!
