{"id":181,"date":"2018-06-30T21:45:20","date_gmt":"2018-06-30T20:45:20","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=181"},"modified":"2018-07-06T22:05:04","modified_gmt":"2018-07-06T21:05:04","slug":"about-handles-and-the-sam-file","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=181","title":{"rendered":"About handles and the SAM file"},"content":{"rendered":"<p>Inspired by the CQURE <a href=\"https:\/\/cqureacademy.com\/challenge\" target=\"_blank\" rel=\"noopener\">5-day challenge<\/a> I&#8217;ve decided to document some of the things that I&#8217;ve learned from the daily assessments. \ud83d\ude42<\/p>\n<p>Table of Contents<\/p>\n<ul>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=164\" target=\"_blank\" rel=\"noopener\">Analyze a Windows Service<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=199\" target=\"_blank\" rel=\"noopener\">Auditing permissions<\/a><\/li>\n<li><strong>About handles and the SAM file<\/strong><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=213\" target=\"_blank\" rel=\"noopener\">Password Hashes<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=253\" target=\"_blank\" rel=\"noopener\">Memory Dump<\/a><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">A handle is an opaque integer value that identifies, to Windows, an object a process has opened: a process, a thread, a file, a registry key and so on. It behaves like a pointer, but it is an index into the owning process&#8217;s handle table rather than a memory address, so a handle value only means something inside the process that owns it. The Win32 API calls it a HANDLE; handles to windows are called <strong>HWND<\/strong> and handles to modules <strong>HMODULE<\/strong>. Threads inside processes have thread handles, and files and other resources (such as registry keys) have handles too. <strong>If you do not release your handle to a resource, other processes may not be able to access it &#8211; this is why you sometimes cannot delete a file because Windows claims it is in use<\/strong>.<\/p>\n<p style=\"text-align: justify;\">A typical example is a broken installer: the setup dialog has gone away, but a setup process is still running and still holds its handles. 
Then you&#8217;ll notice that you can&#8217;t delete some files or folders that were previously created by the installer, because they&#8217;re locked by the open handle.<\/p>\n<p>A nice tool for checking which process owns a handle to a specific file or folder is Sysinternals <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/handle\" target=\"_blank\" rel=\"noopener\">handle.exe<\/a> (run it from an elevated prompt so it can see the handles of every process, not just your own).<\/p>\n<p>Let&#8217;s open a file called notes.txt with winword.exe. If we query handle.exe for the file notes.txt, we can identify the process that holds the handle locking the file, together with its process ID and the handle value.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-186 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_3.png\" alt=\"\" width=\"842\" height=\"162\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_3.png 842w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_3-300x58.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_3-768x148.png 768w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><\/a><\/p>\n<p>We can now try to close that handle, but we have to be very careful with that. 
Closing a handle behind the back of the process that owns it can crash that application or corrupt the data it was writing.<\/p>\n<p>If we try to access or copy the SAM (Security Account Manager) database and the SYSTEM registry hive (both live under %SystemRoot%\\System32\\config), we notice that this is not possible in a running Windows session: the hives are opened exclusively at boot and stay open for as long as the system runs.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-188 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_2.png\" alt=\"\" width=\"613\" height=\"576\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_2.png 613w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_2-300x282.png 300w\" sizes=\"auto, (max-width: 613px) 100vw, 613px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-184 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_1.png\" alt=\"\" width=\"738\" height=\"195\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_1.png 738w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_1-300x79.png 300w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/a><\/p>\n<p>As we can see, the handle is held by a process running as LocalSystem, and trying to close it is not a good idea unless we want to end up with a mess \ud83d\ude09<\/p>\n<p>One solution for accessing the SAM database is to boot a live system and copy the file from there, but there&#8217;s another cool trick that I&#8217;ve learned. If we only need to read a file, we can copy it from a snapshot instead of the live file. 
Windows can keep snapshots of whole volumes (Volume Shadow Copies, managed by the VSS service), and a file inside a snapshot is not held open by anyone.<\/p>\n<p>We can list the existing snapshots (from an elevated prompt) with the following command:<\/p>\n<p><code>vssadmin list shadows<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-189 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_4.png\" alt=\"\" width=\"862\" height=\"515\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_4.png 862w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_4-300x179.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_4-768x459.png 768w\" sizes=\"auto, (max-width: 862px) 100vw, 862px\" \/><\/a><\/p>\n<p>If no current snapshot is listed, we can create one from an elevated PowerShell. The first line only confirms that the WMI class is available; the second creates the snapshot of C: and returns its ShadowID:<\/p>\n<p style=\"text-align: justify;\"><code>Get-WmiObject -List Win32_ShadowCopy<\/code><br \/>\n<code>(Get-WmiObject -List Win32_ShadowCopy).Create(\"C:\\\",\"ClientAccessible\")<\/code><\/p>\n<p>Once we have a snapshot, we can map it into the file system as a directory symbolic link and copy the SAM and SYSTEM files from there. The link target is the <em>Shadow Copy Volume<\/em> path printed by <code>vssadmin list shadows<\/code> (of the form \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopyN, where N is the number from the listing), and the trailing backslash on the target is mandatory:<\/p>\n<p><code>mklink \/d C:\\Shadowcopy \"Shadow Copy Volume\\\"<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-190 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_5.png\" alt=\"\" width=\"915\" height=\"363\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_5.png 915w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_5-300x119.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_5-768x305.png 768w\" sizes=\"auto, (max-width: 915px) 100vw, 915px\" \/><\/a><\/p>\n<p>In the CQURE Challenge there was a file called CQLocker.exe. 
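<\/p>
<p>The shadow copy procedure above, end to end, as an added PowerShell example (this is not code from the original post or from CQURE). It assumes an elevated session, C: as the system volume, that Sysinternals handle.exe is on the PATH (that step is skipped otherwise), and a destination folder of our own choosing; the link name C:\\Shadowcopy is the one used in the post. It reuses an existing snapshot when there is one, creates one otherwise, copies SAM and SYSTEM through the link, hashes the copies, and cleans up after itself.<\/p>

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: copy the SAM and SYSTEM hives
# out of a Volume Shadow Copy while Windows is running, instead of fighting the
# handle that the LocalSystem process holds on the live files.
# Assumptions (ours, not the post's): the system volume is C:, handle.exe is on
# PATH (step 1 is skipped if it is not), and $Dest is a folder we may write to.

$Link  = 'C:\Shadowcopy'                  # link name used in the post
$Dest  = Join-Path $env:TEMP 'hive-copy'  # assumed destination folder
$Hives = 'SAM', 'SYSTEM'                  # SYSTEM holds the boot key needed to decrypt SAM
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. Informational only: show which process owns the handle on the live SAM.
#    That handle is never closed here (see the warning in the post).
if (Get-Command handle.exe -ErrorAction SilentlyContinue) {
    & handle.exe -accepteula -nobanner "$env:SystemRoot\System32\config\SAM"
}

# 2. Reuse the newest existing shadow copy of C:, or create one (the CIM
#    equivalent of the post's (Get-WmiObject -List Win32_ShadowCopy).Create(...)).
$volumeId = (Get-CimInstance Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$shadow = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
$created = $false
if (-not $shadow) {
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with code $($r.ReturnValue)" }
    $shadow  = Get-CimInstance Win32_ShadowCopy -Filter "ID='$($r.ShadowID)'"
    $created = $true
}
Write-Host "Using shadow copy $($shadow.DeviceObject) taken $($shadow.InstallDate)"

try {
    # 3. Expose the snapshot as a directory (what the post's mklink line does).
    #    DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; the
    #    trailing backslash on the target is mandatory.
    & cmd.exe /c mklink /d $Link "$($shadow.DeviceObject)\" | Out-Null

    # 4. Copy the hives out of the snapshot and hash the copies, so a later
    #    analysis step can state exactly which files it worked on.
    foreach ($hive in $Hives) {
        Copy-Item -LiteralPath (Join-Path $Link "Windows\System32\config\$hive") `
                  -Destination $Dest -Force
    }
    Get-FileHash -Algorithm SHA256 -Path (Join-Path $Dest '*') |
        Format-Table Hash, Path -AutoSize
}
finally {
    # 5. Clean up: remove the link (not what it points to) and, if we made the
    #    snapshot ourselves, delete it again so it does not linger on disk.
    if (Test-Path -LiteralPath $Link) { & cmd.exe /c rmdir $Link }
    if ($created) { $shadow | Remove-CimInstance }
}
```

<p>Because the hives are read only through the snapshot, the LocalSystem-held handle on the live files is never touched. Keep in mind that this is exactly what credential-dumping tooling does (MITRE ATT&amp;CK T1003.002, OS Credential Dumping: Security Account Manager), so expect endpoint protection to flag shadow copy access to the SAM hive even when it is run for a legitimate audit, and keep the hashes printed in step 4 with your notes.<\/p>
<p>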
I ran that file in one of my virtual machines to see what it does. After executing it, a new file called CQLocker.txt is created and a message pops up:<\/p>\n<blockquote><p>Can you see the &#171;CQLocker.txt&#187; file? Try to read or change it now.<\/p><\/blockquote>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-193 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_6.png\" alt=\"\" width=\"955\" height=\"656\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_6.png 955w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_6-300x206.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_6-768x528.png 768w\" sizes=\"auto, (max-width: 955px) 100vw, 955px\" \/><\/a><\/p>\n<p>Trying to open or change the file looks like this:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-194 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_7.png\" alt=\"\" width=\"707\" height=\"631\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_7.png 707w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_7-300x268.png 300w\" sizes=\"auto, (max-width: 707px) 100vw, 707px\" \/><\/a><\/p>\n<p>Very similar to the case above! 
This time, let&#8217;s try to close the handle with Process Explorer (procexp.exe): Find &gt; Find Handle or DLL, search for CQLocker.txt, then right-click the handle in the lower pane and choose Close Handle.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-195 size-large\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_8-1024x538.png\" alt=\"\" width=\"1024\" height=\"538\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_8-1024x538.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_8-300x158.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_8-768x403.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_8.png 1133w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>Yes, we&#8217;ve got it!<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-196 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_9.png\" alt=\"\" width=\"808\" height=\"349\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_9.png 808w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_9-300x130.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_9-768x332.png 768w\" sizes=\"auto, (max-width: 808px) 100vw, 808px\" \/><\/a><\/p>\n<p>Alternatively, this can also be done with handle.exe: the first command finds the owning process and prints its PID and the handle value, the second closes that handle (<code>-p<\/code> takes the PID or process name, <code>-c<\/code> the handle value from the listing, and <code>-y<\/code> skips the confirmation prompt). This is the same risky operation as in Process Explorer; it is acceptable here only because CQLocker.exe is a throwaway demo.<\/p>\n<p><code>handle.exe cqlocker.txt<\/code><\/p>\n<p><code>handle.exe -p \"process ID\" -c \"handle value\" -y<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-197 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_10.png\" alt=\"\" width=\"672\" height=\"446\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_10.png 
672w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/c3_10-300x199.png 300w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><\/a><\/p>\n<p>Some recurring questions:<\/p>\n<p><strong>What happens if one process opens a file for writing and later, another wants to read the same file?<\/strong><br \/>\nIt depends on the sharing mode the first process requested when it opened the file. If it allowed FILE_SHARE_READ, the second process can read; if it opened the file exclusively, the second open fails with a sharing violation, which is the &#171;file in use&#187; error seen above.<\/p>\n<p><strong>What happens when you terminate the process owning a handle?<\/strong><br \/>\nThe handle is closed: when a process exits, the kernel closes every entry in its handle table, and the object is released once its last handle is gone.<\/p>\n<p><strong>Does the handle.exe utility from Sysinternals allow listing the handles owned by a particular process?<\/strong><br \/>\nYes, with the -p parameter (process name or PID).<\/p>\n<p><strong>Which GUI tool may be used for finding handles?<\/strong><br \/>\nProcess Explorer (procexp.exe), via Find &gt; Find Handle or DLL.<\/p>\n<p><strong>What can happen if you close a handle owned by another process?<\/strong><br \/>\nData corruption or a crash: the owning process does not know that its handle is gone, and the handle value it keeps using may later be reused for a completely different object.<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>Inspired by the CQURE 5-day challenge I&#8217;ve decided to document some of the things that I&#8217;ve learned from the daily assessments. 
\ud83d\ude42 Table of <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=181\" title=\"About handles and the SAM file\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":184,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,10],"tags":[],"class_list":["post-181","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-windows-security"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=181"}],"version-history":[{"count":12,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/181\/revisions"}],"predecessor-version":[{"id":269,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/181\/revisions\/269"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/184"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}