
How to get EXE file's Security attribute 'block'?

Started by UtillMasm, April 28, 2009, 04:42:39 AM


UtillMasm

How to get an EXE file's Security attribute 'block'?

And how to unblock it?

And how to set it to blocked?

this attribute looks like below:

Security:
    This file came from another computer and might be blocked to help protect this computer.

evlncrn8

Do you mean the security entry in the data directories?... i.e. usually this is the digital signature...

If so, it's in the PE header, and in this case it's a file offset (not a VA) if there is one present...
To remove it, simply patch it out in the data directory...

dedndave

Some of this type of info is stored in a separate place on NTFS drives (ACL list),
i.e. it is not stored in the .exe itself.

UtillMasm


akane

Use CreateFile with the following format: [path\]filename:streamname.
For example, editing the zone id of a downloaded pdf using WordPad:

D:\download\programming>write "Detecting System Emulators.pdf:Zone.Identifier"

WordPad should display this:

[ZoneTransfer]
ZoneId=3

Pressing the Unlock button just deletes this stream using DeleteFile("file name:Zone.Identifier")
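The stream name and [ZoneTransfer] format described above, as an added example that is not from the thread: a Python helper that opens <file>:Zone.Identifier the same way CreateFile does, parses the section, and maps ZoneId to its URLZONE name. ZONE_NAMES, parse_zone_identifier, zone_of and read_zone_identifier are this example's own names.

```python
"""Parse a Zone.Identifier stream (Mark of the Web). Added example, not thread code."""
import re

# URLZONE values used by ZoneId (urlmon.h); 3 = Internet is what the thread's
# "echo ZoneId=3 >> BadGuy.exe:Zone.Identifier" writes.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
_KEY_VALUE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_zone_identifier(text):
    """Keys of the [ZoneTransfer] section as a dict; None if that section is absent.
    Trailing spaces like those left by "echo ZoneId=3 >>" are tolerated."""
    section, found, seen = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            seen = seen or section == "zonetransfer"
            continue
        m = _KEY_VALUE.match(line)
        if m and section == "zonetransfer":
            found[m.group(1)] = m.group(2)
    return found if seen else None


def zone_of(text):
    """(zone_id, zone_name) for the stream text, or None without a usable ZoneId."""
    kv = parse_zone_identifier(text)
    if not kv or not kv.get("ZoneId", "").isdigit():
        return None
    zone = int(kv["ZoneId"])
    return zone, ZONE_NAMES.get(zone, "unknown zone")


def read_zone_identifier(path):
    """Read <path>:Zone.Identifier on NTFS. None means no such stream: the file
    was never marked, or it was unblocked (stream deleted, as DeleteFile does)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample: what the thread's two echo commands write (each echo
# leaves a trailing space before the redirect).
SAMPLE = "[ZoneTransfer] \r\nZoneId=3 \r\n"
```

Newer Windows versions also store ReferrerUrl and HostUrl keys in the same section; parse_zone_identifier returns them alongside ZoneId.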

UtillMasm

 :U
comment #
  C:\china>set path=\masm32\bin
  C:\china>set include=\masm32\include
  C:\china>ml.exe /c /coff /Cp DeleteFileA.asm
  Microsoft (R) Macro Assembler Version 6.14.8444
  C:\china>set lib=\masm32\lib
  C:\china>link.exe /subsystem:windows DeleteFileA.obj
  Microsoft (R) Incremental Linker Version 5.12.8078
#
.386
.model flat,stdcall
include windows.inc
include kernel32.inc
includelib kernel32.lib
.data
  ; "<file>:Zone.Identifier" names the alternate data stream; the string
  ; must be NUL terminated or DeleteFile reads past the end of it
  buffer db "C:\china\badguy.exe:Zone.Identifier",0
.code
start:
  ; removing the stream is what the Unblock button does
  invoke DeleteFile,addr buffer
  invoke ExitProcess,NULL
end start

GregL

More info: Vista Blocked File Protection Control

I disabled this as described in the article. It's really annoying!

SysInternals Streams is really handy too.


UtillMasm

 :U

C:\china>echo [ZoneTransfer] > BadGuy.exe:Zone.Identifier

C:\china>more < BadGuy.exe:Zone.Identifier
[ZoneTransfer]

C:\china>echo ZoneId=3 >> BadGuy.exe:Zone.Identifier

C:\china>more < BadGuy.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3

C:\china>streams.exe BadGuy.exe

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\china\BadGuy.exe:
   :Zone.Identifier:$DATA       28

C:\china>

#######################################

Streams makes use of an undocumented native function for retrieving file stream information.

Is Streams or ntfs3g open source in masm?

#######################################

http://win32.mvps.org/ntfs/streams.html

c:\china>streams.exe BadGuy.exe

BadGuy.exe
        26  :Zone.Identifier:$DATA


UtillMasm

Converting VC++ 5 to masm 6.14.8444 is a long way. :toothy
Tip: open the exe in OllyDbg and translate it to assembly, and you need some cups of tea.

UtillMasm


printf("\nstream [%lu] \"%S\":\n",wsi.dwStreamNameSize,wsi.dwStreamNameSize? wsi.cStreamName: L"");


This printf is from VC++ 5.0; if you use the Vista SDK, it's an error!

   Vista SDK

    C:\china>dump_ntfs_streams_vistaSdk.exe test.exe

    stream [0] "":
      type: security
      size: 160

    stream [0] "":
      type: data
      size: 469504

    stream [44] ":Zone.Identifier:$DATA  type: other streams
      size: 26

   VC++ 5.0

    C:\china>dump_ntfs_streams_vc5.exe test.exe

    stream [0] "":
      type: security
      size: 160

    stream [0] "":
      type: data
      size: 469504

    stream [44] ":Zone.Identifier:$DATA":
      type: other streams
      size: 26

Has printf changed?


UtillMasm

sourcefile:

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib

.data
  filename               db 'test.exe',0
  sebackupnameprivilege  db 'SeBackupPrivilege',0
  serestorenameprivilege db 'SeRestorePrivilege',0
.data?
  filehandle dd ?
  numread    dd ?
  buf        db 4096 dup (?)   ; 20-byte WIN32_STREAM_ID header, then the stream name
  ctx        dd ?              ; BackupRead/BackupSeek context; must be 0 on the first call
  hi         dd ?
  lo         dd ?

.code
; Enable one named privilege in the current process token.
; A local TOKEN_PRIVILEGES holds exactly one LUID_AND_ATTRIBUTES, so the
; two privileges are enabled by two calls rather than by indexing past it.
EnablePrivilege proc pszPrivilege:dword
  local hToken:dword
  local tkp:TOKEN_PRIVILEGES
  invoke GetCurrentProcess
  invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr hToken
  .if eax==0
    ret
  .endif
  invoke LookupPrivilegeValue,NULL,pszPrivilege,addr tkp.Privileges.Luid
  mov tkp.PrivilegeCount,1
  mov tkp.Privileges.Attributes,SE_PRIVILEGE_ENABLED
  invoke AdjustTokenPrivileges,hToken,FALSE,addr tkp,sizeof TOKEN_PRIVILEGES,NULL,NULL
  invoke CloseHandle,hToken
  ret
EnablePrivilege endp

; Show the stream name that follows the 20-byte header. BackupRead gives the
; name as dwStreamNameSize bytes of UTF-16 without a terminator; buf is
; zeroed before each header read so MessageBoxW sees a terminated string.
dumphdr proc uses ebx wsiDumpHdr:dword
  mov ebx,wsiDumpHdr
  invoke MessageBoxW,NULL,addr [ebx].WIN32_STREAM_ID.cStreamName,NULL,MB_OK
  ret
dumphdr endp

start:
  invoke CreateFile,addr filename,GENERIC_READ,NULL,NULL,OPEN_EXISTING,FILE_FLAG_BACKUP_SEMANTICS or FILE_FLAG_POSIX_SEMANTICS,NULL
  .if eax==INVALID_HANDLE_VALUE
    jmp error
  .endif
  mov filehandle,eax
  invoke EnablePrivilege,addr sebackupnameprivilege
  invoke EnablePrivilege,addr serestorenameprivilege
  mov ctx,0
doIt:
  invoke RtlZeroMemory,addr buf,sizeof buf
  ; fixed part of WIN32_STREAM_ID: dwStreamId, dwStreamAttributes, Size, dwStreamNameSize
  invoke BackupRead,filehandle,addr buf,20,addr numread,FALSE,TRUE,addr ctx
  .if eax==0 || numread==0
    jmp done                   ; read failure or no more streams
  .endif
  lea eax,buf
  .if [eax].WIN32_STREAM_ID.dwStreamNameSize != 0
    ; named stream: read the name right behind the header
    invoke BackupRead,filehandle,addr buf[20],[eax].WIN32_STREAM_ID.dwStreamNameSize,addr numread,FALSE,TRUE,addr ctx
    .if eax==0
      jmp done
    .endif
    mov eax,numread
    lea edx,buf
    .if eax != [edx].WIN32_STREAM_ID.dwStreamNameSize
      jmp done                 ; short read: name incomplete
    .endif
    invoke dumphdr,addr buf
  .endif
  ; skip this stream's data; BackupSeek stops at the end of the current stream
  invoke BackupSeek,filehandle,-1,7FFFFFFFh,addr lo,addr hi,addr ctx
  jmp doIt
done:
  ; bAbort=TRUE releases the context BackupRead allocated
  invoke BackupRead,filehandle,NULL,0,addr numread,TRUE,FALSE,addr ctx
  invoke CloseHandle,filehandle
error:
  invoke ExitProcess,NULL
end start

commandfile:

@if exist BackupRead.obj del BackupRead.obj
@\masm32\bin\ml.exe /c /coff /Cp /FoBackupRead.obj /nologo BackupRead.asm
@if exist BackupRead.exe del BackupRead.exe
@\masm32\bin\link.exe /subsystem:windows /out:BackupRead.exe /nologo BackupRead.obj
@pause

:dance: :toothy :green :cheekygreen: :boohoo:
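The record layout the BackupRead loop above walks, as an added Python example that is not the poster's code: it parses the 20-byte WIN32_STREAM_ID header, takes the name by its byte count rather than by a terminator, and skips the data, over a constructed buffer shaped like the thread's dump. parse_backup_stream, make_record and SAMPLE are this example's own names.

```python
"""Walk WIN32_STREAM_ID records as BackupRead returns them. Added example,
not the thread's code; the byte layout is the one the thread's BackupRead
loop reads (20-byte header, then the name, then the data)."""
import struct

# dwStreamId, dwStreamAttributes, Size (LARGE_INTEGER), dwStreamNameSize
HEADER = struct.Struct("<IIqI")          # 20 bytes, matches the thread's read of 20
# dwStreamId values (winbase.h); the thread's dump shows 3, 1 and 4.
STREAM_TYPES = {1: "data", 2: "ea", 3: "security", 4: "alternate data",
                5: "link", 6: "property", 7: "object id", 8: "reparse", 9: "sparse"}


def parse_backup_stream(buf):
    """Return [(type, name, size)] for each record in buf.

    The name is dwStreamNameSize BYTES of UTF-16LE with no terminator of its
    own, so it is bounded by that count, never by a NUL as printf("%S") assumes.
    A truncated buffer raises ValueError instead of yielding a bogus record.
    """
    records, pos = [], 0
    while pos < len(buf):
        if pos + HEADER.size > len(buf):
            raise ValueError("truncated header at offset %d" % pos)
        sid, _attrs, size, name_len = HEADER.unpack_from(buf, pos)
        pos += HEADER.size
        if name_len % 2 or size < 0 or pos + name_len + size > len(buf):
            raise ValueError("truncated record at offset %d" % pos)
        name = buf[pos:pos + name_len].decode("utf-16-le")
        pos += name_len + size           # skip the data, as BackupSeek does
        records.append((STREAM_TYPES.get(sid, "other %d" % sid), name, size))
    return records


def make_record(sid, name, data):
    """Constructed record (attributes 0) used to build the sample buffer below."""
    wname = name.encode("utf-16-le")
    return HEADER.pack(sid, 0, len(data), len(wname)) + wname + data


# Constructed sample mirroring the thread's dump: a 160-byte security
# descriptor, the unnamed $DATA stream, then the 26-byte Zone.Identifier
# stream whose name is 44 bytes long (the "stream [44]" in the dump).
SAMPLE = (make_record(3, "", b"\x00" * 160)
          + make_record(1, "", b"MZ" + b"\x00" * 14)
          + make_record(4, ":Zone.Identifier:$DATA", b"[ZoneTransfer]\r\nZoneId=3\r\n"))
```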

BlackVortex

Hmm, this thread is interesting. Now, I'm more powerful :thumbu :lol

UtillMasm


UtillMasm

Donkey's WinExplorer (GoAsm version) has NTFS stream handling. :U