CQURE Academy 5-Day Challenge: Day 3

Wednesday was Day 3 of the 5-day challenge. CQURE appears to be monitoring feedback because they’ve added a way to comment on and discuss the day’s challenge. Nicely done! (Unfortunately, they used Facebook Connect which I would rather stay away from.) Still, it’s nice to see them being very responsive!

The video tutorial showed different ways of viewing and manipulating file handles and getting around exclusive handles to read a file using the shadow copy feature of the OS (if you are unable to close a process or handle for fear of causing issues on the system). Create a shadow copy sounded a bit daunting at first, but it’s really just a single PowerShell command to invoke a WMI function. Then the shadow copy volume can be mounted using mklink. It seems almost too easy.

This day’s skills assessment again used a small custom utility that would create a file and keep it locked. The challenge was to read the contents of the file or delete the file itself. The CQLocker.exe utility allowed itself to be closed, but that did not release the file handle. A quick look with Process Explorer, as demonstrated in the tutorial, revealed that the owner of the file handle was ssms.exe!

2017-05-10_23-33-59
cqlocker.txt locked by ssms.exe

This was a file created in profile temp folder. Process Explorer easily killed the file and then the contents were readable. I also attempted to close the handle without killing the ssms.exe process. That too worked just as demonstrated in the tutorial video. Success!

After Tuesday’s rather disappointing score of 60% and without the possibility for a do-over, I had to be ready for the knowledge assessment. One question dealt with a more advanced use of the Sysinternals handle utility not covered in the tutorial. I had to go and look up – I hope that was OK. Turns out that paid of because my score was once again 100%.

This wasn’t my first rodeo with file handles – I have some experience from malware cleaning. Still, the video was well done and thorough. The demonstration of how to use the Windows shadow copy feature to read an otherwise locked OS file was great. I would highly recommend anyone watch that excellent tutorial video.

Advertisements

One thought on “CQURE Academy 5-Day Challenge: Day 3

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s