Hi,
I am trying to write some code which can copy locked files (system registry files).
Does someone have some experience with that?
What I have done so far:
get SeBackupPrivilege, no problem (charge is a macro which replaces invoke, o is offset)
charge GetCurrentProcess
charge OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,o hToken
charge LookupPrivilegeValue,o aZero,o SeBackup,o tokenPriv.Privileges.Luid
mov tokenPriv.PrivilegeCount,1
mov tokenPriv.Privileges.Attributes,SE_PRIVILEGE_ENABLED
charge AdjustTokenPrivileges,hToken,0,o tokenPriv,260,o buffer,o aVar
CreateFile is also successful:
charge CreateFile,o path1,READ_CONTROL or ACCESS_SYSTEM_SECURITY,FILE_SHARE_READ,o secur,OPEN_EXISTING,FILE_FLAG_BACKUP_SEMANTICS,0
mov ebx,eax
then:
charge GetFileSize,ebx,0
mov edi,eax
charge GlobalAlloc,GMEM_FIXED,eax
mov esi,eax
mov lpcon,0
charge BackupRead,ebx,esi,edi,o bytesread,0,0,o lpcon
This is where the trouble begins. I get access denied.
Any ideas?
Thanks
Maybe you're looking for the RegSaveKey(hkey, path, 0) API :green
Anyway you still need to adjust SE_BACKUP_NAME privilege
Quote from: akane on December 21, 2007, 08:43:22 PM
Maybe you're looking for the RegSaveKey(hkey, path, 0) API :green
Anyway you still need to adjust SE_BACKUP_NAME privilege
Thank you very much indeed. :clap: You would have been more helpful if you had read my question before replying. What on earth does that have to do with RegSaveKey?
did you lose your key lately? :bg
And as you can see I have already obtained the SE_BACKUP_NAME privilege. :boohoo:
This forum looks so abandoned, it would be a shame if I had to go to a C forum to ask my question. Where are those assembly gurus?
If you are trying to do this on windows, this one can be extremely helpful:
(Microsoft Volume Shadow Copy SDK 7.2)
(PR Introduction Modus Operandi): You probably always wondered *how* Veritas knows what to back up and how it makes a backup of a running SQL Server database - "just" combine the volume's USN journal record discovery with an executor and Volume Shadow Copy under the same GUI skeleton, and here it is :)
http://www.microsoft.com/downloads/details.aspx?FamilyID=0B4F56E4-0CCC-4626-826A-ED2C4C95C871&displaylang=en
P.S. Validation required, and I can't give that to anyone, or share it in a public place in accordance with the EULA (in fact, I can, but I won't :green2) - especially being a Microsoft Partner, committed (but not fanatically) to the common thing. Do you know how to pronounce "our thing" in Italian? :8)
Cheers
QOTD: "During desaturation of acidic liquids, never add water directly in the acid, always do the opposite - add acid to the water, slowly with constant mixing"
Backing up a registry hive:
1. RegOpenKeyEx(...)
2. RegSaveKeyEx(...)
Apparently, a locked file can be read if it is memory-mapped as well.
Quote from: masmuser on December 21, 2007, 10:54:37 PM
What on earth does that have to do with RegSaveKey?
Seems pretty obvious to me -
Quote from: masmuser on December 21, 2007, 12:39:39 PM
I am trying to write some code which can copy locked files ( system registry files ).
:bg
invoke CreateFile,fname,GENERIC_READ,
FILE_SHARE_WRITE or FILE_SHARE_READ,
NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL or \
FILE_FLAG_POSIX_SEMANTICS,NULL
mov hFile, eax
The action is in "FILE_FLAG_POSIX_SEMANTICS" and it works fine on win2k/XP, no idea if it still works on Vista.
The technique is useful if you have some crap in your registry that maintains a locked file that you can neither read nor open. This will get you a copy of the file.
Quote from: hutch-- on December 22, 2007, 12:59:51 AM
Thanks Hutch,
I am on xp.
Didn't work. The GENERIC_READ flag causes CreateFile to fail.
There is another approach, if you want to keep it small...
Download http://undocumented.ntinternals.net/ntundoc.chm, then http://reverseengineering.online.fr/Winternals/XP_SP2_32Bits_headers.rar.
EDIT: Don't make reference in this forum to reverse engineering as it is excluded by the forum rules.
Then try to approach file open with a single call like this C-ish prototype:
UNICODE_STRING us;
RtlInitUnicodeString(&us, pcszFilePath);
OBJECT_ATTRIBUTES oa;
memset(&oa, 0, sizeof(oa));
oa.Length = sizeof(oa);
oa.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
oa.ObjectName = &us;
IO_STATUS_BLOCK iosb;
HANDLE hFile;
NTSTATUS nts;
nts = NtCreateFile( &hFile,
    SYNCHRONIZE |
    FILE_GENERIC_READ |
    FILE_READ_ATTRIBUTES |
    FILE_READ_EA,
    &oa,
    &iosb,
    NULL,               // AllocationSize: not needed, we are opening an existing file
    0,                  // FileAttributes: none needed when opening an existing file
    FILE_SHARE_READ |   // The same parameter can be found in the more familiar CreateFile()
    FILE_SHARE_WRITE |
    FILE_SHARE_DELETE,
    // From here on is the difference between the documented and undocumented functions!
    FILE_OPEN,          // CreateDisposition: open only, never create
    FILE_SEQUENTIAL_ONLY |         // Analogous to the file flags and attributes, but 1st: native, 2nd: more options!
    FILE_SYNCHRONOUS_IO_NONALERT |
    FILE_OPEN_FOR_BACKUP_INTENT,
    NULL,               // Pointer to a buffer required in order to pass extended attributes
    0);                 // ...and the size of the buffer the previous parameter points to
P.S. And of course, this handle can be freely used in a call to ReadFile(), it is the same thing.
Quote from: VLaaD on December 22, 2007, 01:29:39 AM
There is another approach, if you want to keep it small...
Download http://undocumented.ntinternals.net/ntundoc.chm, then http://reverseengineering.online.fr/Winternals/XP_SP2_32Bits_headers.rar, headers with now documented structures and functions, thanks to the French Reverse Engineering Team (F.R.E.T.).
Thanks. Those constants are not defined in the header files you linked to.
Here is one of the tools I used that code in. Its a tiny app that you can drop a locked file onto and it will save it to disk. I primarily use it if I get some crap in the registry that maintains a locked file that I cannot access normally.
[attachment deleted by admin]
Quote from: hutch-- on December 22, 2007, 02:23:57 AM
Here is one of the tools I used that code in. Its a tiny app that you can drop a locked file onto and it will save it to disk. I primarily use it if I get some crap in the registry that maintains a locked file that I cannot access normally.
It does nothing for me
Does it create a file called "testfile.drp" ?
Quote from: hutch-- on December 22, 2007, 09:37:52 AM
Does it create a file called "testfile.drp" ?
I don't know. I looked at the code. It can't work. Maybe you'd want to try it. Try copying file1 byte "C:\WINDOWS\system32\config\system",0
I think you have to use SetNamedSecurityInfo or SetSecurityInfo to change some security flags, but these APIs are complete newland to me and I have no idea what to do with them.
It could also be SetKernelObjectSecurity which is also a tough API.
Maybe you should tell us what you are trying to open. The small tool successfully opens things like locked video files being streamed into your computer, locked log files that are being updated by the creating application; in fact it seems to save everything I have ever pointed it at.
You use it by running it then dropping the file name you want from Explorer or Winfile into it using drag and drop. The version I posted saves a file to disk called "testfile.drp" which is identical to the file dropped into it.
Quote from: masmuser on December 22, 2007, 08:46:05 AM
Quote from: hutch-- on December 22, 2007, 02:23:57 AM
Here is one of the tools I used that code in. Its a tiny app that you can drop a locked file onto and it will save it to disk. I primarily use it if I get some crap in the registry that maintains a locked file that I cannot access normally.
It does nothing for me
masmuser,
The tool works fine for me. Did you check the folder where you saved the tool? It's there you should look for testfile.drp
Quote from: Vortex on December 22, 2007, 12:17:00 PM
It does create the drp file. But it is nothing. It just has the name and size of the original file, as it has been so coded. But the CreateFile function has failed (according to GetLastError). Try it. The file to copy is
"C:\WINDOWS\system32\config\system"
Here is a slightly modified version that should be simpler to use for someone who does not appear to understand the code it contains.
Create a separate directory, place the EXE in it.
Run the EXE then select the locked file you need from Explorer or Winfile and drag and drop it into the client area of the EXE. It should then write an exact copy of the file into the directory that the EXE is placed in.
[attachment deleted by admin]
Quote from: hutch-- on December 22, 2007, 01:39:49 PM
Hutch, it does create a zero-filled file. Check it out. Call GetLastError after CreateFile; you will get an error saying something like the file is opened by another process. Just drag C:\WINDOWS\system32\config\system and you'll see.
Quote: just drag C:\WINDOWS\system32\config\system and you'll see.
This time, me too I got a file filled with NULLs.
Hutch, could you try the file
C:\WINDOWS\system32\config\system ?
O.S: Windows XP SP2 Pro
It works for me under Windows 2000 SP4. If I try to copy the file directly I get a sharing violation, but if I drop it on the client area of the window I get a file that has the same name and size as the original.
I also get a zero-filled file (XP home sp2) - CreateFile returns ERROR_SHARING_VIOLATION.
Quote from: MichaelW on December 22, 2007, 09:33:40 PM
It works for me under Windows 2000 SP4. If I try to copy the file directly I get a sharing violation, but if I drop it on the client area of the window I get a file that has the same name and size as the original.
The file you are getting is zero filled because the code will create a file regardless of the return value of CreateFile. These files are protected by the system and it seems to be very difficult to get read or write access to them. It is however possible; I know of at least one freeware program which can do it. It is called ERUNT. I also know some big-name system backup utilities which pass on these protected files. So we are dealing with a very tough issue here. :dazzled:
Yes, it is zero filled. For some stupid reason I was equating zero filled to zero length :(
Yes, thanks for the file name, it fails on most of the files in system32\config. You would need to know the locking mechanism to copy these files as it appears to be different from user-based API code for file IO and security.
You could try your luck using functions from NTDLL.DLL.
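The "locking mechanism" is the kernel's share-mode arbitration (IoCheckShareAccess), which is what hands back ERROR_SHARING_VIOLATION. The following is an added example, written for this page and not code from any poster in the thread: a user-mode C model of that arbitration with the real NT access-mask and share-mode values. It shows why the first post's CreateFile with only READ_CONTROL or ACCESS_SYSTEM_SECURITY succeeded on the hive (no data access was requested, so sharing is never checked) while the later BackupRead was refused (the handle carries no FILE_READ_DATA), and why the GENERIC_READ open in Hutch's tool fails whatever FILE_SHARE_* bits are offered: SeBackupPrivilege relaxes the DACL check, not the share mode of somebody else's open. The share_access_t struct, the function names, and the hive holder (assumed to be the kernel holding the file read+write with share mode 0, consistent with the sharing violation reported above) are mine.

```c
/* share_check.c: the kernel's share-mode arbitration (IoCheckShareAccess) modelled in
   user-mode C. Constants carry their real NT values; the SHARE_ACCESS block, the function
   names and the assumed hive holder are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_READ_DATA         0x00000001u
#define FILE_WRITE_DATA        0x00000002u
#define FILE_APPEND_DATA       0x00000004u
#define FILE_EXECUTE           0x00000020u
#define DELETE                 0x00010000u
#define READ_CONTROL           0x00020000u
#define ACCESS_SYSTEM_SECURITY 0x01000000u
#define FILE_GENERIC_READ      0x00120089u   /* what GENERIC_READ is mapped to for a file */

#define FILE_SHARE_READ   0x1u
#define FILE_SHARE_WRITE  0x2u
#define FILE_SHARE_DELETE 0x4u

/* Per-file counters the kernel keeps across all open handles (SHARE_ACCESS). */
typedef struct {
    uint32_t open_count;
    uint32_t readers, writers, deleters;                /* opens holding data/delete access */
    uint32_t shared_read, shared_write, shared_delete;  /* opens permitting that access to others */
} share_access_t;

/* Admit or reject a new open; on success the open is recorded in *sa.
   Returns false exactly where the kernel returns STATUS_SHARING_VIOLATION. */
bool check_share_access(share_access_t *sa, uint32_t desired, uint32_t share)
{
    bool rd  = (desired & (FILE_READ_DATA | FILE_EXECUTE)) != 0;
    bool wr  = (desired & (FILE_WRITE_DATA | FILE_APPEND_DATA)) != 0;
    bool del = (desired & DELETE) != 0;
    bool sr  = (share & FILE_SHARE_READ) != 0;
    bool sw  = (share & FILE_SHARE_WRITE) != 0;
    bool sd  = (share & FILE_SHARE_DELETE) != 0;

    /* An open asking for no data or delete access (READ_CONTROL, ACCESS_SYSTEM_SECURITY,
       attributes only) skips arbitration entirely and is not even counted. */
    if (!rd && !wr && !del)
        return true;

    /* Every existing opener must allow what we want, and we must allow what they hold. */
    if ((rd  && sa->shared_read   < sa->open_count) ||
        (wr  && sa->shared_write  < sa->open_count) ||
        (del && sa->shared_delete < sa->open_count) ||
        (sa->readers  != 0 && !sr) ||
        (sa->writers  != 0 && !sw) ||
        (sa->deleters != 0 && !sd))
        return false;

    sa->open_count++;
    sa->readers += rd;      sa->writers += wr;      sa->deleters += del;
    sa->shared_read += sr;  sa->shared_write += sw; sa->shared_delete += sd;
    return true;
}

/* Assumed holder of a loaded hive: the kernel keeps it open read+write, share mode 0. */
void kernel_opens_hive(share_access_t *sa)
{
    memset(sa, 0, sizeof *sa);
    check_share_access(sa, FILE_READ_DATA | FILE_WRITE_DATA, 0);
}

/* ReadFile/BackupRead need FILE_READ_DATA on the handle; a privilege never adds it later. */
bool handle_allows_read_data(uint32_t granted)
{
    return (granted & FILE_READ_DATA) != 0;
}

int main(void)
{
    share_access_t hive;
    uint32_t op_mask = READ_CONTROL | ACCESS_SYSTEM_SECURITY;   /* the first post's mask */
    kernel_opens_hive(&hive);
    printf("READ_CONTROL|ACCESS_SYSTEM_SECURITY open: %s; BackupRead possible: %s\n",
           check_share_access(&hive, op_mask, FILE_SHARE_READ) ? "ok" : "sharing violation",
           handle_allows_read_data(op_mask) ? "yes" : "no (access denied)");
    printf("GENERIC_READ open with every FILE_SHARE_* bit: %s\n",
           check_share_access(&hive, FILE_GENERIC_READ,
                              FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE)
               ? "ok" : "sharing violation");
    return 0;
}
```

The same rule explains the FILE_OPEN_FOR_BACKUP_INTENT variant posted earlier: backup intent changes the access check, but NtCreateFile still runs share arbitration against the existing open, so a data-read open of a loaded hive is refused from user mode regardless of the API used to request it.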
Quote from: hutch-- on December 22, 2007, 11:13:36 PM
:bg :bg
It is not a question of luck. You need the right info. That is why I came here.
:bg
You will be part of the way there when you work out how the OS protects the files so they cannot be opened. As I seriously doubt it's published information, luck is your best friend. If you can find some data on NTDLL.DLL functions your luck may improve. :green2
Quote from: hutch-- on December 23, 2007, 10:38:26 AM
I was hoping you would at least try to help :green2
But I still do thank you for providing the Masm32 package, with all those libraries and definitions.
So I guess I am finished here for the time being :bdg
Well, there is a way....
I've been playing with this as well for backup purposes of the system file since it seems to corrupt quite often. What you need to do is obtain the handle of the file. Then nicely ask the process (system, PID 4) which is locking it to borrow it for a few seconds.
(This is no joke, but I can't tell the full story since some techniques are most likely not allowed on this board) ;)
Quote from: white scorpion on December 24, 2007, 11:15:18 AM
well then just ask nicely our kind admin if he would allow some details of your experience. :thumbu
Please forget my previous post.
I've just tested it and it works on every file (regardless of their type of lock) except the files locked by the system process (on XP that is).
This occurs because the system process is a protected process.
The only way to access data that that process is using is in kernel mode, so a driver is required to make a backup of the system file.
I can't remember I had this same problem back when I was searching for it, but it wasn't on XP either, maybe something changed there...
Sorry for giving you false hope ;)
Quote from: masmuser on December 22, 2007, 10:11:49 PM
Yes, you are right, erunt does backup the SYSTEM file while Windows is running.
Since I got pretty interested at this I've taken a closer look at it, this is how it works:
1. AdjustTokenPrivileges for SeBackupPrivilege
2. Open HKEY_LOCAL_MACHINE\SYSTEM
3. invoke RegSaveKeyExA,hKey,addr backupfile,0,REG_NO_COMPRESSION
That's it, no need to get handles or stuff like that.
The above also works for the other files like SAM, SOFTWARE, etc.
I'll setup a program soon which should do the above automatically ;)
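The three steps above as a complete C program for Windows, added here as an example (my code, not ERUNT's and not the program white scorpion announces), followed by a portable check that the result is a usable hive rather than the zero-filled file produced earlier in the thread. RegSaveKeyEx writes the hive in the on-disk "regf" format, so the copy can be validated from its first 4 KiB: the "regf" signature, the header checksum at offset 0x1FC (XOR of the preceding 127 little-endian dwords, with 0 and 0xFFFFFFFF mapped to 1 and 0xFFFFFFFE), and equal primary (0x4) and secondary (0x8) sequence numbers, which differ only while a write is in flight. The output file name system.hiv, the hive_status enum and the function names are mine; save_hive keeps the KEY_READ open and REG_NO_COMPRESSION from the post above.

```c
/* hive_save_check.c: enable SeBackupPrivilege, RegSaveKeyEx the SYSTEM hive, then check
   the copy's regf header. The Windows part is guarded; the checker builds anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REGF_HEADER_SIZE     4096    /* the header is the first 4 KiB block of the file */
#define REGF_CHECKSUM_OFFSET 0x1FC   /* XOR-32 of the 508 bytes before it */

enum hive_status { HIVE_OK = 0, HIVE_UNREADABLE, HIVE_TOO_SHORT,
                   HIVE_BAD_SIGNATURE, HIVE_BAD_CHECKSUM, HIVE_DIRTY };

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Header checksum as the kernel computes it, including the two reserved results. */
uint32_t regf_checksum(const unsigned char *hdr)
{
    uint32_t sum = 0;
    for (size_t off = 0; off < REGF_CHECKSUM_OFFSET; off += 4)
        sum ^= le32(hdr + off);
    if (sum == 0xFFFFFFFFu) sum = 0xFFFFFFFEu;
    if (sum == 0)           sum = 1;
    return sum;
}

/* Recompute and store the checksum; needed after any offline edit of the header. */
void regf_store_checksum(unsigned char *hdr)
{
    uint32_t cs = regf_checksum(hdr);
    for (int i = 0; i < 4; i++)
        hdr[REGF_CHECKSUM_OFFSET + i] = (unsigned char)(cs >> (8 * i));
}

/* A zero-filled or truncated copy fails here; a real hive passes only if consistent. */
enum hive_status check_hive_header(const unsigned char *buf, size_t len)
{
    if (len < REGF_HEADER_SIZE)                        return HIVE_TOO_SHORT;
    if (memcmp(buf, "regf", 4) != 0)                   return HIVE_BAD_SIGNATURE;
    if (regf_checksum(buf) != le32(buf + REGF_CHECKSUM_OFFSET)) return HIVE_BAD_CHECKSUM;
    if (le32(buf + 4) != le32(buf + 8))                return HIVE_DIRTY;   /* mid-write */
    return HIVE_OK;
}

enum hive_status check_hive_file(const char *path)
{
    unsigned char hdr[REGF_HEADER_SIZE];
    FILE *f = fopen(path, "rb");
    if (!f) return HIVE_UNREADABLE;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return check_hive_header(hdr, n);
}

#ifdef _WIN32
#include <windows.h>

/* Step 1: enable SeBackupPrivilege. It must already be assigned to the token (run elevated);
   AdjustTokenPrivileges returns TRUE even when it enabled nothing, hence the GetLastError check. */
static BOOL enable_backup_privilege(void)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    BOOL ok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return FALSE;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ok = LookupPrivilegeValueA(NULL, "SeBackupPrivilege", &tp.Privileges[0].Luid)
      && AdjustTokenPrivileges(tok, FALSE, &tp, sizeof tp, NULL, NULL)
      && GetLastError() == ERROR_SUCCESS;
    CloseHandle(tok);
    return ok;
}

/* Steps 2 and 3: open the hive root and let the kernel write a consistent copy.
   RegSaveKeyEx returns ERROR_ALREADY_EXISTS if outpath exists; it never overwrites. */
LONG save_hive(const char *subkey, const char *outpath)
{
    HKEY hk;
    LONG rc;
    if (!enable_backup_privilege()) return ERROR_PRIVILEGE_NOT_HELD;
    rc = RegOpenKeyExA(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &hk);
    if (rc != ERROR_SUCCESS) return rc;
    rc = RegSaveKeyExA(hk, outpath, NULL, REG_NO_COMPRESSION);
    RegCloseKey(hk);
    return rc;
}
#endif

int main(int argc, char **argv)
{
    const char *out = argc > 1 ? argv[1] : "system.hiv";
#ifdef _WIN32
    LONG rc = save_hive("SYSTEM", out);
    if (rc != ERROR_SUCCESS) { fprintf(stderr, "save_hive failed: %ld\n", rc); return 1; }
#endif
    printf("%s: %s\n", out, check_hive_file(out) == HIVE_OK ? "consistent regf hive" : "not a usable hive");
    return 0;
}
```

Build with MSVC or MinGW and link advapi32 (for MinGW: gcc hive_save_check.c -ladvapi32); on a non-Windows host only the checker is compiled and the program validates whatever file it is given. Run it elevated, delete any previous system.hiv first, and treat the output as what it is: a copy of a hive the post says is also obtainable for SAM and SOFTWARE, so store it with the same care as the originals.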
Quote from: white scorpion on December 24, 2007, 03:06:11 PM
:(
sorry but won't work.
When you restore the registry in this manner it will only be added to the new registry without replacing it.
Well, you can boot with the recovery console and replace the file manually, I thought that was your intention in the first place.
That way you make a backup now, and when (if) the system crashes you can set the hives back by overwriting the original files with the backed up ones...
Quote from: white scorpion on December 25, 2007, 12:08:52 AM
:(
That would be too slow and for novices quite user-unfriendly. :eek
Getting read and write access to those files would make the whole thing lightning fast with a single click.
This is my concern with the request: there is almost no reason at all to need to be able to read and write to the special system files unless you want to do something destructive to a running machine. If you needed a copy for some technical reason, you can make a copy by booting the machine from the installation disk and copying it that way, but accessing the file on the fly from a running OS is a major security problem, much the reason why Microsoft protect the file so it cannot be easily messed with.
I would like to know why you need to access this file from a running OS and unless I am happy with the answer this topic will be closed and removed.
Quote from: hutch-- on December 25, 2007, 01:15:00 AM
Come on now. If I was a hacker why would I come here? :boohoo: :boohoo:
You have successfully screwed the purpose of masm and this forum, fiddling with those macros and moving in circles. A bit more advanced coders are absolutely in the wrong place here.
you have completely kept it at a kindergarten level. more advanced discussions are beyond your knowledge and patience, and will be removed. what a power.
Sorry if I touched your ego with that code. But keep in mind an API like CreateFile does deserve to have its return value examined.
:boohoo:
:bg
Thanks for answering the question, it seems that you were up to no good trying to access and modify special system files on a running machine. Virus and trojan writers get no mileage here and you are no exception, feel free to take your "advanced" lack of knowledge elsewhere where you will be more appreciated and feel like you are in the company of your peers.