Ethical Hacker Community Forums
January 09, 2009, 07:30:51 PM *
Author Topic: Using Assembly to access locked files  (Read 2233 times)
Ketchup (Newbie)
« on: November 20, 2008, 10:28:43 PM »

Hey all,

Pardon my Assembly ignorance. I am wondering if you can use Assembly language to access files locked for exclusive access by Windows. For example, can I use Assembly to gain read access to Index.dat or the Swap File? I am not entirely sure how you go about doing this since Windows locks files based on their Handles. Since Assembly has lower level access, I am wondering if there are ways to circumvent file locks. Anyone have experience with this?

Numerous hex editors circumvent file locks by reconstructing the file system on the fly. I wonder if there is an easier way.
NickFnord (Jr. Member)
« Reply #1 on: November 21, 2008, 05:24:17 AM »

Quote from Ketchup: "Since Assembly has lower level access,"

I'm a relative newbie at assembly language programming also, so I'm not going to try to answer your main question, but I'm really curious as to why you think assembly has "lower level access" than any other programming language, and what that exactly means.

Seeing as all compiled languages end up running as machine code which can be directly translated into assembly language, you should be able to do most things with most languages; writing assembly just gives you a finer level of control.

Anyway, just thoughts.

Ketchup (Newbie)
« Reply #2 on: November 21, 2008, 08:38:41 AM »

Well, like I said, I am an Assembly n00b. Perhaps I phrased this wrong. I believe that Assembly doesn't use file handles for I/O operations. If I can access NTFS directly through Assembly, I may be able to bypass Windows file locking APIs. NTFS doesn't lock files; Windows does it through file handles. Does this make more sense?
geekyone (Full Member)
« Reply #3 on: November 21, 2008, 03:59:46 PM »

*Caveat* I am not an Assembly guru by any stretch of the imagination.
From what I know you are correct that Assembly doesn't use file handles; it uses memory addresses instead (I think). You could definitely write an Assembly program that accessed a locked file using its memory address, although you might be limited in what you could do with it.
CISSP, CEH, GPEN, GCIH
Ketchup (Newbie)
« Reply #4 on: November 21, 2008, 04:30:53 PM »

Thanks. I suppose the trick would be to figure out how to translate the Windows file handle to a memory address.
apollo (Jr. Member)
« Reply #5 on: November 21, 2008, 07:56:29 PM »

So... I'm not a Windows kernel hacker, but here is some speculation. My guess would be that the ideal way to get to the things that you want is not assembly, but instead DLL injection. If you want to delete locked files, Process Explorer can probably help you. If you want to scrape program memory, a debugger or such can be your best friend. So I guess the real question is, what is your goal? A file handle is basically just a view into the file that the operating system helps you keep track of so that you aren't doing a lot of other work that the operating system is already doing for you. Files aren't always in one place on the disk, so the file handle makes sure you don't have to deal with that. If you are trying to do something specific with these files, elaborate a little more and there may be some tools out there that will help you do what you'd like without writing any code.

Ketchup (Newbie)
« Reply #6 on: November 24, 2008, 01:34:14 PM »

Hmm, DLL injection may be an option. I hadn't thought of that. What I am trying to do is mainly copy certain files for offline analysis while the machine is running. For example, I am trying to copy pagefile.sys and SYSTEM (registry). I don't need to view or delete them from the default location.

I can get these files by doing a complete live image, but that type of acquisition has other issues, like bit shifting and time requirements.
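As an added illustration of the handle question running through this thread (this is not code from any of the posters): the PowerShell script below creates a scratch file, holds it open with two different share modes in turn, and shows that a second open on the same path fails or succeeds depending only on the share mode of the handle that already exists. The file name and contents are constructed for the example, and Open-ReadHandle and Test-SecondOpen are helper names chosen here, not Windows APIs.

```powershell
# Added example, not from the thread: a Windows "file lock" is a share-mode
# check performed when a handle is created, not a property of the NTFS data.
# The script uses a temporary file it creates itself (constructed path/content).

function Open-ReadHandle {
    # Open $Path read-only, advertising $Share as what later openers may do.
    param([string]$Path, [System.IO.FileShare]$Share)
    [System.IO.File]::Open($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, $Share)
}

function Test-SecondOpen {
    # Attempt a second read-only open while another handle is already open.
    # Returns the Win32 error code: 0 on success, 32 = ERROR_SHARING_VIOLATION.
    param([string]$Path)
    try {
        $h = Open-ReadHandle -Path $Path -Share ([System.IO.FileShare]::ReadWrite)
        $h.Dispose()
        return 0
    } catch [System.IO.IOException] {
        # For Win32-originated IOExceptions the low 16 bits of HResult carry the code.
        return ($_.Exception.HResult -band 0xFFFF)
    }
}

$path = Join-Path $env:TEMP 'ehnet-lock-demo.txt'   # constructed scratch file
Set-Content -Path $path -Value 'constructed sample data'

# Holder 1: FileShare.None, the way some system components keep pagefile.sys or
# the SYSTEM hive open. Any second open of the path fails, whatever the caller's
# privileges, because the sharing check runs at handle creation time.
$holder = Open-ReadHandle -Path $path -Share ([System.IO.FileShare]::None)
try     { "With FileShare.None on the existing handle: Win32 error {0}" -f (Test-SecondOpen -Path $path) }
finally { $holder.Dispose() }

# Holder 2: same file, same bytes on disk, but the holder permits other readers,
# so the second read-only open now succeeds.
$holder = Open-ReadHandle -Path $path -Share ([System.IO.FileShare]::Read)
try     { "With FileShare.Read on the existing handle: Win32 error {0}" -f (Test-SecondOpen -Path $path) }
finally { $holder.Dispose(); Remove-Item $path }
```

Run it in Windows PowerShell on any workstation; the first line reports error 32 and the second reports 0. This is also why an administrator's plain copy of pagefile.sys or the live SYSTEM hive fails: the check is per handle on the path being opened, so tools that read the volume device (or a snapshot of it) and reconstruct the file system themselves never go through it, which is what the hex editors mentioned in the first post are doing.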
© 2009 The Ethical Hacker Network