Inspired by the CQURE 5 day challenge I’ve decided to document some of the things that I’ve learned from the daily assessments. 🙂
Table of Contents
- Analyze a Windows Service
- Auditing permissions
- About handles and the SAM file
- Password Hashes
- Memory Dump
A process handle is an integer value that identifies a process to Windows. It acts like a pointer. The Win32 API calls them a HANDLE; handles to windows are called HWND and handles to modules HMODULE. Threads inside processes have a thread handle, and files and other resources (such as registry keys) have handles too. If you do not release your handle to a resource, other people may not be able to access it – this is why you sometimes cannot delete a file because Windows claims it is in use.
An example of such a case is a broken installer. The setup terminates, but the handle is still open. You then notice that you cannot delete some files or folders previously created by the installer, because they are locked by the open handle.
A nice tool for checking which process owns a handle to a specific file or folder is handle.exe (from Sysinternals).
Let’s open a file called notes.txt with winword.exe. If we check the file notes.txt with handle.exe we can identify the process holding the handle that locks the file.
We can now try to close that handle, but we have to be very careful with that. Closing handles can cause application crashes or system damage.
If we want to try to access or copy the SAM (Security Access Manager) database/system file, we notice that it is not possible in a running Windows session!
As we can see it is locked by LocalSystem, and trying to close that handle is not a good idea if we don’t want to end up with a mess 😉
A solution for accessing the SAM database could be to boot a live system and copy the file, but there’s another cool trick that I’ve learned. If we only need to read a file, we can copy it from a snapshot instead of the live file. The operating system keeps snapshots of the system (Volume Shadow Copies)!
We can list existing snapshots by typing the following command:
vssadmin list shadows
If no snapshot is listed, we can create a new one with the following PowerShell commands:
Get-WmiObject -List Win32_ShadowCopy
(Get-WmiObject -List Win32_ShadowCopy).Create("C:\","ClientAccessible")
Once we have our snapshot, we can map it to a directory and copy the SAM and SYSTEM files from there. The value to use is the “Shadow Copy Volume” path printed by vssadmin list shadows, and the trailing backslash is required:
mklink /d C:\Shadowcopy "<Shadow Copy Volume>\"
In the CQURE Challenge there was a file called CQLocker.exe. I ran that file in one of my virtual machines to see what it does. After executing it, a new file called CQLocker.txt is created and a message pops up:
Can you see the „CQLocker.txt“ file? Try to read or change it now.
Trying to open or change the file looks like this:
Very similar to the case above! Let’s try this time to close the handle with Process Explorer.
Yes, we’ve got it!
Alternatively, this can also be done with handle.exe. The -p switch selects the process by PID, -c takes the handle value (the hexadecimal number shown in handle.exe’s listing) and -y skips the confirmation prompt:
handle.exe -p <PID> -c <handle value, hex> -y
Some recurring questions:
What happens if one process opens a file for writing and later another wants to read the same file?
It all depends on the process that asked for the writing handle.
What happens when you terminate the process owning a handle?
The handle is closed.
Does the handle.exe utility from Sysinternals allow listing the handles owned by a particular process?
Yes, with the -p parameter.
Which GUI tool may be used for finding handles?
Process Explorer (as shown above).
What can happen if you close a handle owned by another process?
Data corruption or a system crash.
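As an added illustration of the first question above (example code written for this post, not part of the CQURE challenge material): the share mode the writer passes when it opens the file is what decides whether a later reader gets in. Opening with share mode None reproduces what CQLocker.exe does to CQLocker.txt; the function name, the temporary file and its path are my own assumptions.

```powershell
function Test-ReaderAccess {
    param(
        [Parameter(Mandatory)]
        [System.IO.FileShare]$WriterShareMode
    )
    # Constructed sample file in %TEMP%; it is removed again at the end.
    $path = Join-Path $env:TEMP ("sharetest-{0}.txt" -f [guid]::NewGuid())

    # Writer: opens the file for writing and keeps the handle open,
    # allowing only the sharing specified by $WriterShareMode.
    $writer = [System.IO.File]::Open($path,
        [System.IO.FileMode]::Create,
        [System.IO.FileAccess]::Write,
        $WriterShareMode)
    try {
        try {
            # Reader: wants read access only and is willing to share everything.
            $reader = [System.IO.File]::Open($path,
                [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::Read,
                [System.IO.FileShare]::ReadWrite)
            $reader.Dispose()
            return $true          # read access was granted
        } catch [System.IO.IOException] {
            # The second open is refused with a sharing violation because
            # the writer's share mode does not include Read.
            return $false
        }
    } finally {
        $writer.Dispose()        # closing the handle releases the lock
        Remove-Item -LiteralPath $path -ErrorAction SilentlyContinue
    }
}

# Same situation as CQLocker.txt: the writer shares nothing.
Test-ReaderAccess -WriterShareMode None
# A cooperative writer that allows Read lets the reader through.
Test-ReaderAccess -WriterShareMode Read
```

Run on Windows, the first call returns False while the writer handle is open and the second returns True; disposing the writer in the finally block frees the file in the same way that closing the handle in Process Explorer did above.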