Copy locked file

Started by masmuser, December 21, 2007, 12:39:39 PM


masmuser

Hi,

I am trying to write some code which can copy locked files ( system registry files ).
Does someone have some experience with that?
What I have done so far:
Getting SeBackupPrivilege is no problem (charge is a macro which replaces invoke, o is offset):
   charge GetCurrentProcess
   charge OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,o hToken
   charge LookupPrivilegeValue,o aZero,o SeBackup,o tokenPriv.Privileges.Luid
   mov tokenPriv.PrivilegeCount,1
   mov tokenPriv.Privileges.Attributes,SE_PRIVILEGE_ENABLED
   charge AdjustTokenPrivileges,hToken,0,o tokenPriv,260,o buffer,o aVar

CreateFile is also successful:
   charge CreateFile,o path1,READ_CONTROL or ACCESS_SYSTEM_SECURITY,FILE_SHARE_READ,o secur,OPEN_EXISTING,FILE_FLAG_BACKUP_SEMANTICS,0

mov ebx,eax
then:
   charge GetFileSize,ebx,0
   mov edi,eax
   charge GlobalAlloc,GMEM_FIXED,eax
   mov esi,eax
   mov lpcon,0
   charge BackupRead,ebx,esi,edi,o bytesread,0,0,o lpcon

This is where the trouble begins. I get access denied.

Any ideas?

Thanks


akane

Maybe you're looking for the RegSaveKey(hkey, path, 0) API :green
Anyway, you still need to adjust the SE_BACKUP_NAME privilege.

masmuser

Quote from: akane on December 21, 2007, 08:43:22 PM
Maybe youre looking for RegSaveKey(hkey, path, 0) api :green
Anyway you still need to adjust SE_BACKUP_NAME privilege

Thank you very much indeed.   :clap: You would have been more helpful if you had read my question before replying. What on earth does that have to do with RegSaveKey?
Did you lose your key lately?  :bg

And as you can see I have already obtained the SE_BACKUP_NAME privilege.  :boohoo:

This forum looks so abandoned, it would be a shame if I had to go to a C forum to ask my question. Where are those assembly gurus?

VLaaD

If you are trying to do this on windows, this one can be extremely helpful:
(Microsoft Volume Shadow Copy SDK 7.2)

(PR Introduction Modus Operandi): You probably always wondered *how* Veritas knows what to back up and how it makes a backup of a running SQL Server database - "Just" combine the volume's USN journal record discovery with an executor and Volume Shadow Copy under the same GUI skeleton, and here it is :)

http://www.microsoft.com/downloads/details.aspx?FamilyID=0B4F56E4-0CCC-4626-826A-ED2C4C95C871&displaylang=en

P.S. Validation required, and I can't give that to anyone, or share it in a public place, in accordance with the EULA (in fact, I can, but I won't  :green2) - especially being a Microsoft Partner, committed (but not fanatically) to the common thing. Do you know how to pronounce "our thing" in Italian?  :8)

Cheers

QOTD: "During desaturation of acidic liquids, never add water directly in the acid, always do the opposite - add acid to the water, slowly with constant mixing"

sinsi

Backing up a registry hive:
1. RegOpenKeyEx(...)
2. RegSaveKeyEx(...)

Apparently, a locked file can be read if it is memory-mapped as well.


Quote from: masmuser on December 21, 2007, 10:54:37 PM
What on earth does that have to do with RegSaveKey?
Seems pretty obvious to me -
Quote from: masmuser on December 21, 2007, 12:39:39 PM
I am trying to write some code which can copy locked files ( system registry files ).
Light travels faster than sound, that's why some people seem bright until you hear them.
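A worked version of the RegOpenKeyEx/RegSaveKeyEx route above, combined with the privilege step from the opening post; this is an added PowerShell example, not code from this thread. The check the opening post's code does not make is that AdjustTokenPrivileges returns TRUE even when the token never held the privilege, so the example tests GetLastError for ERROR_NOT_ALL_ASSIGNED before going near the hive. It assumes an elevated session, that Add-Type is run once per session, and a placeholder output path.

```powershell
# Added example, not from this thread: back up a registry hive with
# RegSaveKeyEx after enabling SeBackupPrivilege and verifying the grant.
# Assumes an elevated PowerShell session; the output path is a placeholder.
$code = @'
using System;
using System.Runtime.InteropServices;
public static class HiveBackup {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]   // PrivilegeCount + one LUID_AND_ATTRIBUTES
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufLen, IntPtr prevState, IntPtr retLen);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int RegSaveKeyEx(IntPtr hKey, string file, IntPtr secAttr, uint flags);
    const uint TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x08, SE_PRIVILEGE_ENABLED = 0x02;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;
    public const uint REG_LATEST_FORMAT = 2;

    // True only if the privilege is now enabled. AdjustTokenPrivileges returns TRUE
    // even when the token never held the privilege; the real answer is in GetLastError.
    public static bool EnablePrivilege(string name) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            return false;
        var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
        bool ok = AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return ok && Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
    }
}
'@
Add-Type -TypeDefinition $code
if (-not [HiveBackup]::EnablePrivilege("SeBackupPrivilege")) {
    throw "SeBackupPrivilege could not be enabled: the token does not hold it (run elevated)."
}
# Placeholder output path; RegSaveKeyEx refuses to overwrite an existing file (error 183).
$out = "C:\backup\system.hiv"
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM")
$rc  = [HiveBackup]::RegSaveKeyEx($key.Handle.DangerousGetHandle(), $out, [IntPtr]::Zero,
                                  [HiveBackup]::REG_LATEST_FORMAT)
$key.Close()
if ($rc -ne 0) { throw "RegSaveKeyEx failed with Win32 error $rc" }
```

The saved file holds the same contents as the live hive, so give it the same ACLs as the originals under the config directory.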

hutch--

 :bg


        invoke CreateFile,fname,GENERIC_READ,
                          FILE_SHARE_WRITE or FILE_SHARE_READ,
                          NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL or \
                          FILE_FLAG_POSIX_SEMANTICS,NULL
        mov hFile, eax


The action is in "FILE_FLAG_POSIX_SEMANTICS" and it works fine on win2k/XP, no idea if it still works on Vista.

The technique is useful if you have some crap in your registry that maintains a locked file that you can neither read nor open. This will get you a copy of the file.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

masmuser

Quote from: hutch-- on December 22, 2007, 12:59:51 AM
:bg


        invoke CreateFile,fname,GENERIC_READ,
                          FILE_SHARE_WRITE or FILE_SHARE_READ,
                          NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL or \
                          FILE_FLAG_POSIX_SEMANTICS,NULL
        mov hFile, eax


The action is in "FILE_FLAG_POSIX_SEMANTICS" and it works fine on win2k/XP, no idea if it still works on Vista.

The technique is useful if you have some crap in your registry that maintains a locked file that you can neither read nor open. This will get you a copy of the file.

Thanks Hutch,
I am on xp.
Didn't work. The GENERIC_READ flag causes CreateFile to fail.

VLaaD

There is another approach, if you want to keep it small...

Download http://undocumented.ntinternals.net/ntundoc.chm, then http://reverseengineering.online.fr/Winternals/XP_SP2_32Bits_headers.rar.


EDIT: Don't make reference in this forum to reverse engineering as it is excluded by the forum rules.



Then try to approach file open with a single call like this C-ish prototype:


UNICODE_STRING us;
// NtCreateFile takes an NT namespace path, e.g. L"\\??\\C:\\dir\\file", not a Win32 path
RtlInitUnicodeString(&us, pcszFilePath);

OBJECT_ATTRIBUTES oa;
memset(&oa, 0, sizeof(oa));
oa.Length = sizeof(oa);
oa.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
oa.ObjectName = &us;

IO_STATUS_BLOCK iosb;
HANDLE hFile;
NTSTATUS nts;
nts = NtCreateFile(&hFile,
                   SYNCHRONIZE |
                   FILE_GENERIC_READ |
                   FILE_READ_ATTRIBUTES |
                   FILE_READ_EA,
                   &oa,
                   &iosb,
                   NULL,                 // AllocationSize: not needed when opening an existing file
                   0,                    // FileAttributes: only consulted when a file is created
                   FILE_SHARE_READ |     // The same parameter can be found in the more familiar CreateFile()
                   FILE_SHARE_WRITE |
                   FILE_SHARE_DELETE,
                   // From here on is the difference between documented and undocumented functions!
                   FILE_OPEN,            // CreateDisposition: open only, never create
                   FILE_SEQUENTIAL_ONLY |          // Analogous to the file flags and attributes, but 1st: native, 2nd: more stuff!
                   FILE_SYNCHRONOUS_IO_NONALERT |
                   FILE_OPEN_FOR_BACKUP_INTENT,    // Needs SeBackupPrivilege; the native form of FILE_FLAG_BACKUP_SEMANTICS
                   NULL,                 // EaBuffer: pointer to a buffer required in order to pass extended attributes
                   0);                   // EaLength: ...and the size of the buffer the previous param points to


P.S. And of course, this handle can be freely used in a call to ReadFile(), it is the same thing.

masmuser

Quote from: VLaaD on December 22, 2007, 01:29:39 AM
There is another approach, if you want to keep it small...

Download http://undocumented.ntinternals.net/ntundoc.chm, then http://reverseengineering.online.fr/Winternals/XP_SP2_32Bits_headers.rar, headers with now documented structures and functions, thanks to French Reverse Enigeering Team (F.R.E.T.).

Then try to approach file open with a single call like this C-ish prototype:


UNICODE_STRING us;
// NtCreateFile takes an NT namespace path, e.g. L"\\??\\C:\\dir\\file", not a Win32 path
RtlInitUnicodeString(&us, pcszFilePath);

OBJECT_ATTRIBUTES oa;
memset(&oa, 0, sizeof(oa));
oa.Length = sizeof(oa);
oa.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
oa.ObjectName = &us;

IO_STATUS_BLOCK iosb;
HANDLE hFile;
NTSTATUS nts;
nts = NtCreateFile(&hFile,
                   SYNCHRONIZE |
                   FILE_GENERIC_READ |
                   FILE_READ_ATTRIBUTES |
                   FILE_READ_EA,
                   &oa,
                   &iosb,
                   NULL,                 // AllocationSize: not needed when opening an existing file
                   0,                    // FileAttributes: only consulted when a file is created
                   FILE_SHARE_READ |     // The same parameter can be found in the more familiar CreateFile()
                   FILE_SHARE_WRITE |
                   FILE_SHARE_DELETE,
                   // From here on is the difference between documented and undocumented functions!
                   FILE_OPEN,            // CreateDisposition: open only, never create
                   FILE_SEQUENTIAL_ONLY |          // Analogous to the file flags and attributes, but 1st: native, 2nd: more stuff!
                   FILE_SYNCHRONOUS_IO_NONALERT |
                   FILE_OPEN_FOR_BACKUP_INTENT,    // Needs SeBackupPrivilege; the native form of FILE_FLAG_BACKUP_SEMANTICS
                   NULL,                 // EaBuffer: pointer to a buffer required in order to pass extended attributes
                   0);                   // EaLength: ...and the size of the buffer the previous param points to


P.S. And of course, this handle can be freely used in a call to ReadFile(), it is the same thing.



Thanks. Those constants are not defined in the header files you linked to.

hutch--

Here is one of the tools I used that code in. It's a tiny app that you can drop a locked file onto and it will save it to disk. I primarily use it if I get some crap in the registry that maintains a locked file that I cannot access normally.

[attachment deleted by admin]

masmuser

Quote from: hutch-- on December 22, 2007, 02:23:57 AM
Here is one of the tools I used that code in. It's a tiny app that you can drop a locked file onto and it will save it to disk. I primarily use it if I get some crap in the registry that maintains a locked file that I cannot access normally.

It does nothing for me

hutch--

Does it create a file called "testfile.drp" ?

masmuser

Quote from: hutch-- on December 22, 2007, 09:37:52 AM
Does it create a file called "testfile.drp" ?

I don't know. I looked at the code. It can't work. Maybe you'd want to try it. Try copying    file1    byte "C:\WINDOWS\system32\config\system",0

I think you have to use SetNamedSecurityInfo or SetSecurityInfo to change some security flags, but these APIs are complete newland to me and I have no idea what to do with them.
It could also be SetKernelObjectSecurity which is also a tough API.

hutch--

Maybe you should tell us what you are trying to open. The small tool successfully opens things like locked video files being streamed into your computer, locked log files that are being updated by the creating application; in fact it seems to save everything I have ever pointed it at.

You use it by running it then dropping the file name you want from Explorer or Winfile into it using drag and drop. The version I posted saves a file to disk called "testfile.drp" which is identical to the file dropped into it.

Vortex

Quote from: masmuser on December 22, 2007, 08:46:05 AM
Quote from: hutch-- on December 22, 2007, 02:23:57 AM
Here is one of the tools I used that code in. It's a tiny app that you can drop a locked file onto and it will save it to disk. I primarily use it if I get some crap in the registry that maintains a locked file that I cannot access normally.

It does nothing for me

masmuser,

The tool works fine for me. Did you check the folder where you saved the tool? It's there you should look for testfile.drp