Penetration Skills: Summary of the Time Attributes of NTFS Files under Windows

Tools: NewFileTime, SetMace

Commands:

# First create the file: new-item gh.txt

# PowerShell: display the file's creation, last-modification and last-access time attributes

PS D:\godhat> (ls gh.txt).CreationTimeUtc
PS D:\godhat> (ls gh.txt).LastWriteTimeUtc
PS D:\godhat> (ls gh.txt).LastAccessTimeUtc

# PowerShell: set the file's creation, last-modification and last-access time attributes

PS D:\godhat> (ls gh.txt).LastAccessTimeUtc="2019-12-31 22:33:44"
PS D:\godhat> (ls gh.txt).LastAccessTimeUtc

PS D:\godhat> (ls gh.txt).LastWriteTimeUtc="2019-12-31 11:22:33"
PS D:\godhat> (ls gh.txt).LastWriteTimeUtc

PS D:\godhat> (ls gh.txt).CreationTimeUtc="1949-10-01 14:00:01"
PS D:\godhat> (ls gh.txt).CreationTimeUtc

# Modifying a directory's time attributes requires Get-ChildItem; for example, for the Fo1 directory:

$F=Get-ChildItem Fo1
$F[1].Name
$F[1].CreationTime

0x00 Preface

During a penetration test, dropping a file on the target system changes the time attributes of the parent directory (AccessTime, LastWriteTime, MFTChangeTime). Overwriting an existing file on the target system also changes the time attributes of that file (CreateTime, AccessTime, LastWriteTime, MFTChangeTime).

From the penetration-testing perspective, a way is needed to modify file time attributes in order to remove these traces.

From the forensics perspective, traces of an attacker can be found through abnormal file time attributes.

This article introduces the methods and details of modifying file time attributes, shares the implementation code, and gives forensic advice based on how the techniques are used.

0x01 Introduction

This article will introduce the following:

· Basic concepts

· How to read file attributes

· Methods to modify file attributes

· Shared code

· Usage ideas

· Forensic advice

0x02 Basic concepts

1. Time attributes in the NTFS file system

There are four:

· CreateTime (Created)

· AccessTime (Accessed)

· LastWriteTime (Modified)

· MFTChangeTime

The first three can be seen by right-clicking the file and choosing Properties, as shown below:

MFTChangeTime cannot be viewed there directly.

MFTChangeTime records the modification time of the file's MFT (Master File Table) record; whenever a file attribute changes, MFTChangeTime is updated.

2. How to read MFTChangeTime

(1) Read it through NtQueryInformationFile

Note: it is not available through the WinAPI GetFileTime.

(2) Parse the NTFS on-disk format

The $STANDARD_INFORMATION (offset 0x10) and $FILE_NAME (offset 0x30) attributes in the Master File Table contain the complete set of file time attributes.

3. On Win7, CreateTime and AccessTime are the same by default

On Win7 (and later versions), updating of AccessTime is disabled by default.

In other words, an operation that only reads a file does not change its AccessTime, and AccessTime stays equal to CreateTime. This is done to reduce disk reads and writes.

The corresponding registry location is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, value name NtfsDisableLastAccessUpdate.

A value of 1 means disabled (the default configuration); a value of 0 means enabled. Restart the system after modifying the registry for the change to take effect.

4. How file attributes change

Reading a file: does not change its time attributes.

Overwriting a file: changes all four time attributes.

5. How folder attributes change

Creating / deleting / renaming a file:

Changes the AccessTime, LastWriteTime and MFTChangeTime of the parent folder.

Overwriting a file: does not change the parent folder's time attributes.

Note: you can verify this with SetMace, download address: https://github.com/jschicht/SetMace

0x03 Methods of reading and modifying file attributes

1. Using the WinAPI GetFileTime and SetFileTime

Able to manipulate three file attributes:

· CreateTime (Created)

· AccessTime (Accessed)

· LastWriteTime (Modified)

Cannot operate on MFTChangeTime.

(1) Using GetFileTime

Get the FILETIME through GetFileTime().

Use FileTimeToSystemTime() to convert the FILETIME to a SYSTEMTIME; both are UTC, the same standard.

Use SystemTimeToTzSpecificLocalTime() to convert the SYSTEMTIME to local time, that is, UTC plus the time-zone offset, so that it matches the time the current system displays.

(2) Using SetFileTime

Use sscanf() to parse the input time string into a SYSTEMTIME.

Convert the SYSTEMTIME to a FILETIME through SystemTimeToFileTime().

Use LocalFileTimeToFileTime() to convert that local FILETIME to the FILETIME corresponding to UTC, that is, apply the time-zone offset, so that the stored time matches the time the current system displays.

The implementation code is open source; download link:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/FileTimeControl_WinAPI.cpp

The code implements the following functions:

· View the time attributes of a file/folder (CreateTime, AccessTime, LastWriteTime)

· Modify the time attributes of a file/folder

· Copy the time attributes of file A to file B

2. Using NtQueryInformationFile and NtSetInformationFile

Able to manipulate all four file attributes (CreateTime, AccessTime, LastWriteTime, MFTChangeTime):

In the implementation I directly reused the timestomp code from Metasploit; the address is as follows:

https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/timestomp.c

Some functions have been added; download link:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/FileTimeControl_NTAPI.cpp

· View the file time attributes (CreateTime, AccessTime, LastWriteTime, MFTChangeTime)

· Modify the file time attributes

· Set the time to the minimum value (1601-01-01 00:00:00)

Note: operating on folders is not currently supported.

3. Using driver files

(1) SetMace

Download link for reference: https://github.com/jschicht/SetMace

SetMace can read the time information of files and folders (including MFTChangeTime) normally.

But it cannot modify the time information, because since NT 6.x Windows refuses to load unsigned driver files. If driver signature enforcement can be bypassed, the time information can be modified.

(2) WinHex

The paid version of WinHex supports writing to files on the hard disk and can be used to modify the time information.

Supplement: file resource cloning

Use PowerShell to automatically call Resource Hacker and clone the resource information of executable files (exe, dll, scr, etc.).

Download link: https://github.com/threatexpress/metatwin

Note: this tool does not modify file time attributes.

0x04 Usage ideas

1. Dropping a file on the target system

The time attributes (AccessTime, LastWriteTime, MFTChangeTime) of the parent directory will be changed.

You can use SetMace to view the attribute changes.

To modify the time attributes of a folder, you can use FileTimeControl_WinAPI from 0x03, which can modify the following three items: CreateTime, AccessTime and LastWriteTime.

To further clear the operation traces, you need to use WinHex to modify $STANDARD_INFORMATION (offset 0x10) and $FILE_NAME (offset 0x30) in the Master File Table.

2. Overwriting an existing file on the target system

The time attributes of the original file (CreateTime, AccessTime, LastWriteTime, MFTChangeTime) will be changed.

You can use FileTimeControl_NTAPI to read and modify the time attributes.

0x05 Forensic recommendations

1. Check the MFTChangeTime of the file/folder, which is stored in two locations:

· $STANDARD_INFORMATION in the Master File Table (offset 0x10)

· $FILE_NAME in the Master File Table (offset 0x30)

If MFTChangeTime is abnormal (later than the other three times), under normal circumstances the file can be considered to have been illegally modified.

The tool SetMace can be used for this.
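The anomaly rule above, together with the NtQueryInformationFile route to MFTChangeTime described in 0x02, as an added PowerShell example that is not part of the original post or its linked code: it reads all four $STANDARD_INFORMATION timestamps of a file through NtQueryInformationFile (FileBasicInformation) and flags files whose MFTChangeTime is later than the other three. The function names Get-NtfsTimestamps and Test-TimestompIndicator and the D:\godhat sweep path are my own choices.

```powershell
# Added example (not from the original post): read MFTChangeTime via NtQueryInformationFile
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
public static class NtfsTimes {
    [StructLayout(LayoutKind.Sequential)]
    public struct FILE_BASIC_INFORMATION {
        public long CreationTime, LastAccessTime, LastWriteTime, ChangeTime;
        public uint FileAttributes;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct IO_STATUS_BLOCK { public IntPtr Status; public IntPtr Information; }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationFile(SafeFileHandle handle,
        out IO_STATUS_BLOCK iosb, out FILE_BASIC_INFORMATION info, int length, int infoClass);
}
"@
function Get-NtfsTimestamps {
    param([Parameter(Mandatory)][string]$Path)
    # The handle is opened but no data is read, so the check itself leaves AccessTime alone
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $iosb = New-Object NtfsTimes+IO_STATUS_BLOCK
        $info = New-Object NtfsTimes+FILE_BASIC_INFORMATION
        $len  = [Runtime.InteropServices.Marshal]::SizeOf([NtfsTimes+FILE_BASIC_INFORMATION])
        # Information class 4 = FileBasicInformation, which carries all four timestamps
        $st = [NtfsTimes]::NtQueryInformationFile($fs.SafeFileHandle, [ref]$iosb, [ref]$info, $len, 4)
        if ($st -ne 0) { throw ("NtQueryInformationFile failed with NTSTATUS 0x{0:X8}" -f $st) }
    } finally { $fs.Dispose() }
    [pscustomobject]@{
        Path          = $Path
        CreateTime    = [DateTime]::FromFileTimeUtc($info.CreationTime)
        AccessTime    = [DateTime]::FromFileTimeUtc($info.LastAccessTime)
        LastWriteTime = [DateTime]::FromFileTimeUtc($info.LastWriteTime)
        MFTChangeTime = [DateTime]::FromFileTimeUtc($info.ChangeTime)
    }
}
function Test-TimestompIndicator {
    param([Parameter(Mandatory)][string]$Path)
    $t = Get-NtfsTimestamps -Path $Path
    $latest = ($t.CreateTime, $t.AccessTime, $t.LastWriteTime | Sort-Object -Descending)[0]
    # SetFileTime (and the PowerShell one-liners above) cannot touch MFTChangeTime, so a file
    # stomped that way keeps a ChangeTime newer than the three visible times. Attribute-only
    # changes (e.g. attrib +r) advance it too: treat a hit as a lead to confirm, not as proof.
    $t | Add-Member -MemberType NoteProperty -Name Suspicious -Value ($t.MFTChangeTime -gt $latest) -PassThru
}
# Example sweep (constructed path): Get-ChildItem D:\godhat -File |
#   ForEach-Object { Test-TimestompIndicator $_.FullName } | Where-Object Suspicious
```

A hit shows only that the $STANDARD_INFORMATION copy is inconsistent; comparing it against the $FILE_NAME copy still requires a tool that parses the MFT, such as SetMace.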

Origin blog.csdn.net/Vdieoo/article/details/110425903