https://github.com/ghostpack/lockless
Lockless allows for the copying of locked files.
- Host: GitHub
- URL: https://github.com/ghostpack/lockless
- Owner: GhostPack
- License: other
- Created: 2020-03-28T20:57:25.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2021-04-30T17:51:41.000Z (about 5 years ago)
- Last Synced: 2023-11-07T18:18:28.742Z (over 2 years ago)
- Language: C#
- Size: 33.2 KB
- Stars: 201
- Watchers: 10
- Forks: 57
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# LockLess
----
LockLess is a C# tool that allows for the enumeration of open file handles and the copying of locked files.
It was inspired by [@fuzzysec](https://twitter.com/fuzzysec)'s [Get-Handles.ps1](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-Handles.ps1) and draws on [code from Stack Overflow](https://stackoverflow.com/questions/860656/using-c-how-does-one-figure-out-what-process-locked-a-file) as well.
Handles are enumerated with `NtQuerySystemInformation:SystemHandleInformation`.
To copy out a locked file, the code:
* Opens the process that has a lock on the file with `DuplicateHandle` permissions.
* Uses `DuplicateHandle()` to duplicate the specific file handle associated with the file we want to copy.
* Uses `CreateFileMapping()` to create a mapping of the duplicated file handle.
* Uses `MapViewOfFile()` to map the entire file into memory.
* Uses `WriteFile()` to write out the mapped contents to the temporary file specified.
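
A defender-side view of the first step above, as an added example that is not part of the LockLess README or code: opening another process with the `PROCESS_DUP_HANDLE` right (0x0040) shows up in Sysmon Event ID 10 (ProcessAccess) as a bit in `GrantedAccess`. The flattened key=value record layout, the sample events and the allowlist are constructed assumptions.

```python
import re

PROCESS_DUP_HANDLE = 0x0040  # Windows access right required to duplicate another process's handles

# Assumption: source images expected to duplicate handles in this environment (lower-cased).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon Event ID 10 records, flattened to key=value pairs for this example.
SAMPLE_EVENTS = [
    r'EventID=10 SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\System32\taskhostw.exe" GrantedAccess=0x1fffff',
    r'EventID=10 SourceImage="C:\Temp\tool.exe" TargetImage="C:\Windows\System32\taskhostw.exe" GrantedAccess=0x40',
    r'EventID=10 SourceImage="C:\Program Files\App\app.exe" TargetImage="C:\Windows\System32\taskhostw.exe" GrantedAccess=0x1000',
    r'EventID=10 SourceImage="C:\Temp\other.exe" TargetImage="C:\Windows\System32\taskhostw.exe" GrantedAccess=0x1fffff',
    r'EventID=1 SourceImage="C:\Temp\tool.exe" TargetImage="" GrantedAccess=0x40',
    'EventID=10 malformed record',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return a dict of fields from one flattened record (quoted or bare values)."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}

def flag_dup_handle_access(lines, allowed=ALLOWED_SOURCES):
    """Return (source, target, mask) for ProcessAccess events that grant
    PROCESS_DUP_HANDLE to a source image outside the allowlist."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue  # only ProcessAccess events carry GrantedAccess
        try:
            mask = int(ev["GrantedAccess"], 16)
        except (KeyError, ValueError):
            continue  # skip records without a usable access mask
        if not mask & PROCESS_DUP_HANDLE:
            continue  # bit test, so full-access masks such as 0x1fffff also match
        source = ev.get("SourceImage", "")
        if source.lower() in allowed:
            continue
        hits.append((source, ev.get("TargetImage", ""), hex(mask)))
    return hits

if __name__ == "__main__":
    for hit in flag_dup_handle_access(SAMPLE_EVENTS):
        print(hit)
```

Sysmon only emits these events when its configuration includes a ProcessAccess rule, and the allowlist needs tuning per environment because many legitimate processes request this right.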
LockLess is licensed under the BSD 3-Clause license.
## Usage
```
C:\Temp\LockLess.exe
LockLess.exe [/process:NAME1,NAME2,...] [/copy | /copy:C:\Temp\file.ext]
```

Find out which process has a handle to the locked "WebCacheV01.dat" file:

```
C:\Temp>LockLess.exe WebCacheV01.dat
[*] Searching processes for an open handle to "WebCacheV01.dat"
[+] Process "taskhostw" (5332) has a file handle (ID 880) to "C:\Users\harmj0y\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat"
```

Copy the locked "WebCacheV01.dat" file to a temporary file:

```
C:\Temp>LockLess.exe WebCacheV01.dat /copy
[*] Searching processes for an open handle to "WebCacheV01.dat"
[+] Process "taskhostw" (5332) has a file handle (ID 880) to "C:\Users\harmj0y\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat"
[*] Copying to: C:\Users\harmj0y\AppData\Local\Temp\tmp18BE.tmp
[*] Copied 23068672 bytes from "C:\Users\harmj0y\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" to "C:\Users\harmj0y\AppData\Local\Temp\tmp18BE.tmp"
```

Copy the file "WebCacheV01.dat" locked by "taskhostw" to a specific location:

```
C:\Temp>LockLess.exe WebCacheV01.dat /process:taskhostw /copy:C:\Temp\out.tmp
[*] Searching processes for an open handle to "WebCacheV01.dat"
[+] Process "taskhostw" (9668) has a file handle (ID 892) to "C:\Users\harmj0y\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat"
[*] Copying to: C:\Temp\out.tmp
[*] Copied 23068672 bytes from "C:\Users\harmj0y\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" to "C:\Temp\out.tmp"
```

Enumerate all open handles, outputting as a CSV:

```
C:\Temp>LockLess.exe all
ProcessName,ProcessID,FileHandleID,FileName
Code,4740,64,C:\Users\harmj0y\AppData\Local\Programs\Microsoft VS Code
...(snip)...
```
## Compile Instructions
We are not planning on releasing binaries for LockLess, so you will have to compile it yourself :)
LockLess has been built against .NET 3.5 and is compatible with [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/downloads/). Simply open up the project .sln, choose "release", and build.