
Using Assembly to access locked files

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Nov 20, 2008 11:28 pm

Using Assembly to access locked files

Hey all,

Pardon my Assembly ignorance.  I am wondering if you can use Assembly language to access files locked for exclusive access by Windows.  For example, can I use Assembly to gain read access to Index.dat or the Swap File?  I am not entirely sure how you go about doing this since Windows locks files based on their Handles.  Since Assembly has lower level access, I am wondering if there are ways to circumvent file locks.  Anyone have experience with this?

Numerous hex editors have circumvented file locks by reconstructing the file system on the fly.  I wonder if there is an easier way.
~~~~~~~~~~~~~~
Ketchup
NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Fri Nov 21, 2008 6:24 am

Re: Using Assembly to access locked files

Ketchup wrote: Since Assembly has lower level access,

I'm a relative newbie at assembly language programming also, so I'm not going to try to answer your main question, but I'm really curious as to why you think assembly has "lower level access" than any other programming language, and what that exactly means.

Seeing as all compiled languages end up running as machine code which can be directly translated into assembly language, you should be able to do most things with most languages; writing assembly just gives you a finer level of control.

Anyway, just thoughts.
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Nov 21, 2008 9:38 am

Re: Using Assembly to access locked files

Well, like I said, I am an Assembly n00b.  Perhaps I phrased this wrong.  I believe that Assembly doesn't use file handles for I/O operations.  If I can access NTFS directly through Assembly, I may be able to bypass Windows file locking APIs.  NTFS doesn't lock files; Windows does it through File Handles.  Does this make more sense?
~~~~~~~~~~~~~~
Ketchup
geekyone

Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Fri Nov 21, 2008 4:59 pm

Re: Using Assembly to access locked files

*Caveat* I am not an Assembly guru by any stretch of the imagination.
From what I know you are correct that Assembly doesn't use file handles; it uses memory addresses instead (I think).  You could definitely write an Assembly program that accessed a locked file using its memory address, although you might be limited in what you could do with it.
CISSP, CEH, GPEN, GCIH, GCFA
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Nov 21, 2008 5:30 pm

Re: Using Assembly to access locked files

Thanks.  I suppose the trick would be to figure out how to translate the Windows file Handle to a memory address.
~~~~~~~~~~~~~~
Ketchup
apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Fri Nov 21, 2008 8:56 pm

Re: Using Assembly to access locked files

So... I'm not a Windows kernel hacker, but here is some speculation.  My guess would be that the ideal way to get to the things that you want is not assembly, but instead DLL injection.  If you want to delete locked files, Process Explorer can probably help you.  If you want to scrape program memory, a debugger or such can be your best friend.  So I guess the real question is, what is your goal?  A file handle is basically just a view into the file that the operating system helps you keep track of so that you aren't doing a lot of other work that the operating system is already doing for you.  Files aren't always in one place on the disk, so the file handle makes sure you don't have to deal with that.  If you are trying to do something specific with these files, elaborate a little more and there may be some tools out there that will help you do what you'd like without writing any code.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Nov 24, 2008 2:34 pm

Re: Using Assembly to access locked files

Hmm, DLL injection may be an option.  I hadn't thought of that.  What I am trying to do is mainly copy certain files for offline analysis while the machine is running.  For example, I am trying to copy pagefile.sys and SYSTEM (registry).  I don't need to view or delete them from the default location.

I can get these files by doing a complete live image, but that type of acquisition has other issues, like bit shifting and time requirements.
~~~~~~~~~~~~~~
Ketchup
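The usual way to copy the files Ketchup names from a running machine, added here as an example and not code from any poster: take a Volume Shadow Copy snapshot and read the files from the snapshot device, which is how most live-acquisition tools handle kernel-held locks. It assumes an elevated PowerShell session, an NTFS system volume C:, and an output folder on another volume (D:\acquisition is an assumed path).

```powershell
# Added example, not code from the thread: live acquisition of locked files
# (pagefile.sys and the SYSTEM hive) through a Volume Shadow Copy snapshot.
# Assumes an elevated PowerShell session, an NTFS system volume C:, and an
# output folder on a different volume (D:\acquisition is an assumed path).
$Volume  = 'C:\'
$DestDir = 'D:\acquisition'
$Targets = @('pagefile.sys', 'Windows\System32\config\SYSTEM')
$Link    = 'C:\vss_snapshot'   # temporary directory symlink onto the snapshot

New-Item -ItemType Directory -Path $DestDir -Force | Out-Null

# 1. Take a point-in-time snapshot. The exclusive handles apply to the live
#    volume, not to the read-only snapshot device, so its copy can be read.
$r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed: $($r.ReturnValue)" }
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $r.ShadowID

try {
    # 2. Expose \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN as a normal
    #    path; the trailing backslash on the target is required by mklink.
    cmd /c mklink /d $Link "$($shadow.DeviceObject)\" | Out-Null

    # 3. Copy each target out of the snapshot and log a SHA-256 so the copy
    #    can be verified later. Note: the page file may be excluded from
    #    snapshots by the FilesNotToSnapshot policy, so check it is non-empty.
    foreach ($rel in $Targets) {
        $src = Join-Path $Link $rel
        if (-not (Test-Path -LiteralPath $src)) { Write-Warning "missing in snapshot: $rel"; continue }
        $dst = Join-Path $DestDir ($rel -replace '\\', '_')
        Copy-Item -LiteralPath $src -Destination $dst
        $hash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
        "$((Get-Date).ToString('o'))  $hash  $rel  $((Get-Item -LiteralPath $dst).Length) bytes" |
            Add-Content -Path (Join-Path $DestDir 'acquisition.log')
    }
}
finally {
    # 4. Clean up: drop the symlink and the snapshot once the files are copied.
    if (Test-Path -LiteralPath $Link) { cmd /c rmdir $Link | Out-Null }
    if ($shadow) { $shadow | Remove-CimInstance }
}
```

The copies come from a consistent point in time, so the hive and page file reflect the same instant rather than drifting while a full live image is taken.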
