Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/alicangnll/pyshadow

Python ShadowCopy Analyzer for Cyber Security Researchers!
https://github.com/alicangnll/pyshadow

Last synced: about 1 month ago
JSON representation

Python ShadowCopy Analyzer for Cyber Security Researchers!

Awesome Lists containing this project

README

        

#### Python ShadowCopy Analyzer for Cyber Security Researchers!

### Disclaimer

The information provided in this blog post is intended for informational purposes only. It is not intended to encourage or promote any illegal or unethical activities, including hacking, cyberattacks, or any form of unauthorized access to computer systems, networks or data.

### What is the ShadowCopy

ShadowCopy is a technology that allows you to create backup snapshots or copies of computer volumes or files, even if they are in use. It is also known as Volume Shadow Copy Service, Volume Snapshot Service or VSS. You can use ShadowCopy to restore lost files, recover from ransomware or cryptolocker attacks, or revert your system to a previous state using a system restore point.



ShadowCopy is available in Windows 7, 8 and 10, but you need to enable it first.

### Important

Run CMD with Administrator (need Administrator grant)!

### Abilities


  • Recover deleted files from ShadowCopies

  • Create Pipe / Symlinks to ShadowCopies

  • List all ShadowCopies

  • Create ShadowCopy

  • Delete ShadowCopy

### Working On


  • Export ShadowCopy to VHD file

### Installation

PyPi : PyShadowCopy

### Example Code


# List all ShadowCopy

'''
Example Result
ID : {e9a894be-dae7-49cb-9196-b5a22148210b}
Creation Date : 6.11.2022 19:58:20
Shadow Copy Location : \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
'''

list = ReShadowCode.VSS_ListShadows()
for shadowlist in list:
print("ID : " + shadowlist["id"] + "\nCreation Date : " + shadowlist["creation_time"] + "\nShadow Copy Location : " + shadowlist["shadowcopy"] + "\n")

# Create a ShadowCopy
ReShadowCode.VSS_Create()

# Create a pipe/symlink with ShadowCopy() (Ex. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyid)
ReShadowCode.VSS_Create_Pipe("C:\\Shadow1", "id")
# Get file list from ShadowCopy
'''
Example Result
Ali
Ali Can Gönüllü
Ali_000_vcRuntimeMinimum_x64.log
Ali_000_vcRuntimeMinimum_x86.log
Ali_001_vcRuntimeAdditional_x64.log
Ali_001_vcRuntimeAdditional_x86.log
All Users
Default
Default User
desktop.ini
Public
TEMP
'''
list = ReShadowCode.VSS_Get_FileList("C:\\Shadow1\\Users")
for files in list:
print(files)

### Images