EH-Net

Hey all,

Pardon my Assembly ignorance.  I am wondering if you can use Assembly language to access files locked for exclusive access by Windows.  For example, can I use Assembly to gain read access to Index.dat or the Swap File?   I am not entirely sure how you go about doing this since Windows locks files based on their Handles.   Since Assembly has lower level access, I am wondering if there are way to circumvent file locks.   Anyone have experience with this?

Numerous hex editors have circumvent file locks by reconstructing the file system on the fly.   I wonder if there is an easier way.

I'm a relative newbie at assembly language programming also, so I'm not going to try to answer your main question, but I'm really curious as to why you think assembly has "lower level access" than any other programming language, and what that exactly means.

seeing as all compiled languages all end up running as machine code which can be directly translated into assembly language, you should be able to do most things with most languages, writing assembly just gives you a finer level of control. 

anyway, just thoughts.

Well, like I said, I am an Assembly n00b.  Perhaps I phrased this wrong.   I believe that Assembly doesn't use file handles for I/O operation.   If I can access NTFS directly through Assembly, I may be able to bypass Windows file locking APIs.  NTFS doesn't lock files, Windows does it through File Handles.   Does this make more sense?

*Caveat* I am not an Assembly guru by any stretch of the imagination.
From what I know you are correct that Assembly doesn't use file handles it uses memory addresses instead (I think).  You could definitely write an Assembly program that accessed a locked file using it's memory address.  Although you might be limited in what you could do with it.

Thanks.   I suppose the trick would be to figure out how to translate the Windows file Handle to a memory address. 

So.. I'm not a windows kernel hacker, but here is some speculation.  My guess would be that the ideal way to get to the things that you want is not assembly, but instead dll injection.  If you want to delete locked files, process explorer can probably help you.  If you want to scrape program memory, a debugger or such can be your best friend.  So I guess the real question is, what is your goal.  A file handle is basically just a view into the file that the operating system helps you keep track of so that you aren't doing a lot of other work that the operating system is already doing for you.  Files aren't always in one place on the disk, so the file handle makes sure you don't have to deal with that.  If you are trying to do something specific with these files, elaborate a little more and there may be some tools out there that will help you do what you'd like without writing any code.

Hmm, dll injection may be an option.   I hadn't thought of that.   What I am trying to do is mainly copy certain files for offline analysis while the machine is running.   For example, I am trying to copy pagefile.sys and SYSTEM (registry).   I don't need to view or delete them from the default location.   

I can get these files by doing a complete live image, but that type of acquisition has other issues, like bit shifting and time requirements.