Title: An introduction to Windows "Volume Shadow Copy"
Created: 2019-08-09 12:47
Updated: 2019-08-09 16:27
Link: https://scz.617.cn/windows/201908091247.txt
--------------------------------------------------------------------------
Contents:

☆ Volume Shadow Copy
    0) How it works
    1) The "Volume Shadow Copy" service
    2) Creating a "Volume Shadow Copy"
    3) Listing "Volume Shadow Copy"
    4) Deleting "Volume Shadow Copy"
    5) Turning off "System Restore"
☆ Malicious usage
    1) Create the directory to be hidden
    2) Create a "Volume Shadow Copy"
    3) Delete the directory to be hidden
    4) Obtain the target DeviceObject
    5) Access the hidden directory inside the "Volume Shadow Copy"
    6) Discussion
☆ References
--------------------------------------------------------------------------

☆ Volume Shadow Copy

"Volume Shadow Copy" requires NTFS; it does not work on FAT32.

This article uses Win7 for its examples; Win10 and later differ in some details.

0) How it works

Quoted from [1]:

VSC starts tracking the changes made to all the blocks on the volume. Whenever anyone writes data to a block, VSC makes a copy of that block and saves it on a hidden volume. So blocks are "backed up" only when they are about to get overwritten. The benefit of this approach is that no backup space is wasted on blocks that haven't changed at all since the last restore point was created.

Notice that VSC operates on the block level, that is below the file system level. It sees the disk as a long series of blocks. (Still, it has some awareness of files, as you can tell it to exclude certain files and folders.)

The second important fact is that shadow copies are incremental. Suppose it's Wednesday and your system has two shadow copies, created on Monday and Tuesday. Now, when you overwrite a block, a backup copy of the block is saved in the Tuesday shadow copy, but not in the Monday shadow copy. The Monday copy only contains the differences between Monday and Tuesday. More recent changes are only tracked in the Tuesday copy. In other words, if we were to roll back an entire volume to Monday, we would take the volume as it is now, "undo" the changes made since Tuesday (using the blocks saved in the Tuesday shadow copy), and finally "undo" the changes made between Monday and Tuesday. So the oldest shadow copy is dependent on all the more recent shadow copies.

When you delete a file, all that Windows does is remove the corresponding entry (file name, path, properties) from the Master File Table. The blocks (units of disk space) that contained the file's contents are marked as unused, but they are not actually deleted. So all the data that was in the file is still there in the same blocks, until the blocks get overwritten (e.g. when you copy another file to the same volume). Therefore, if you delete a 700 MB movie file, Volume Shadow Copy does not have to back up 700 MB of data. Because it operates on the block level, it does not have to back up anything, as the blocks occupied by the file are unchanged! The only thing it has to back up is the blocks occupied by the Master File Table, which has changed. If you then start copying other files to the same disk, some of the blocks formerly occupied by the 700 MB file will get overwritten. VSC will make backups of these blocks as they get overwritten.

Note that it's a mistake to think that VSS is backing up every change you make! It only backs up enough to enable you to go to a specific point in time. Here's an example scenario to clear things up:

a. You create a file (version #1)
b. You create a restore point
c. You change the file (resulting in version #2) - VSS backs up version #1
d. A week later, you change the file again (resulting in version #3) - VSS doesn't back anything up, because it already has version #1 backed up.

As a result, you can no longer go back to version #2. You can only go back to version #1 - the one that existed when the restore point was created. Note that actually VSS doesn't operate on files but on blocks, but the principle is the same.

Shadow copies are read-only, so there is no way to delete a file from all the shadow copies.
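To make the block-level, differential behaviour quoted above concrete, here is a small Python model. It is an added illustration, not code from this article or from [1]: the Volume class, its per-shadow "diff area" dictionaries, block 0 standing in for the MFT, and the helper names are this example's own simplifications of the mechanism. It replays the a)-d) scenario (only version #1 survives; deleting the file costs one MFT block, not the data blocks) and the Monday/Tuesday chain (the Monday view cannot be rebuilt without the Tuesday diff area).

```python
"""Toy model of block-level, copy-on-write, differential shadow copies.

Added illustration, not code from the original article: blocks are saved
only when about to be overwritten, only into the newest shadow copy, and a
restore point is rebuilt by undoing newer changes first, as [1] describes.
"""
from __future__ import annotations

BLOCK_COUNT = 16
MFT_BLOCK = 0  # block 0 plays the role of the Master File Table


class Volume:
    def __init__(self) -> None:
        self.blocks: list[bytes] = [b""] * BLOCK_COUNT
        # One dict per shadow copy: {block index: content the block had when it
        # was first overwritten after that shadow was taken}. The "diff area".
        self.shadows: list[dict[int, bytes]] = []

    def create_shadow(self) -> int:
        """A restore point copies nothing up front; its diff area starts empty."""
        self.shadows.append({})
        return len(self.shadows) - 1

    def write_block(self, idx: int, data: bytes) -> None:
        """Copy-on-write: the block's current content goes into the newest
        shadow only, and only the first time the block is touched after that
        shadow was created. Intermediate versions are never captured."""
        if self.shadows:
            self.shadows[-1].setdefault(idx, self.blocks[idx])
        self.blocks[idx] = data

    def view(self, shadow_idx: int) -> list[bytes]:
        """The volume as it was when shadow `shadow_idx` was taken: start from
        the live blocks and overlay saved blocks newest-first. An old shadow is
        therefore unusable without every newer one."""
        blocks = list(self.blocks)
        for diff in reversed(self.shadows[shadow_idx:]):
            for idx, saved in diff.items():
                blocks[idx] = saved
        return blocks


# A minimal "MFT": block 0 holds "name=block;name=block".
def _mft_load(raw: bytes) -> dict[str, int]:
    return {n: int(b) for n, b in (e.split("=") for e in raw.decode().split(";") if e)}


def _mft_dump(entries: dict[str, int]) -> bytes:
    return ";".join(f"{n}={b}" for n, b in entries.items()).encode()


def write_file(vol: Volume, name: str, block: int, content: bytes) -> None:
    """A file is an MFT entry (name -> data block) plus the data block itself.
    The MFT block is rewritten only when the entry actually changes."""
    entries = _mft_load(vol.blocks[MFT_BLOCK])
    if entries.get(name) != block:
        entries[name] = block
        vol.write_block(MFT_BLOCK, _mft_dump(entries))
    vol.write_block(block, content)


def delete_file(vol: Volume, name: str) -> None:
    """Deletion rewrites only the MFT block; the data block is merely marked
    free, so VSS has nothing to copy for the file's contents."""
    entries = _mft_load(vol.blocks[MFT_BLOCK])
    del entries[name]
    vol.write_block(MFT_BLOCK, _mft_dump(entries))


def read_file(blocks: list[bytes], name: str) -> bytes | None:
    entries = _mft_load(blocks[MFT_BLOCK])
    return blocks[entries[name]] if name in entries else None


def version_scenario() -> dict:
    """Steps a)-d) from [1], then a delete of the file."""
    vol = Volume()
    write_file(vol, "movie", 5, b"version1")   # a) version #1
    rp = vol.create_shadow()                   # b) restore point
    write_file(vol, "movie", 5, b"version2")   # c) block 5's old content is saved
    write_file(vol, "movie", 5, b"version3")   # d) nothing saved, block 5 already in the diff area
    delete_file(vol, "movie")                  # only the MFT block changes
    return {
        "live": read_file(vol.blocks, "movie"),              # None: deleted
        "restore_point": read_file(vol.view(rp), "movie"),   # b"version1"
        "diff_area_blocks": sorted(vol.shadows[rp]),         # [0, 5]: MFT + one data block
        "version2_recoverable": b"version2" in vol.shadows[rp].values(),  # False
    }


def chain_scenario() -> dict:
    """Monday/Tuesday from [1]: block 4 changes only on Wednesday, so its
    Monday content lives in the Tuesday diff area, not the Monday one."""
    vol = Volume()
    write_file(vol, "doc", 3, b"mon")
    write_file(vol, "log", 4, b"boot")
    monday = vol.create_shadow()
    write_file(vol, "doc", 3, b"tue")          # saved into the Monday diff area
    tuesday = vol.create_shadow()
    write_file(vol, "doc", 3, b"wed")          # saved into the Tuesday diff area only
    write_file(vol, "log", 4, b"rotated")      # first change since Monday: Tuesday diff area
    return {
        "monday_view": {n: read_file(vol.view(monday), n) for n in ("doc", "log")},
        "tuesday_view": {n: read_file(vol.view(tuesday), n) for n in ("doc", "log")},
        "monday_diff": vol.shadows[monday],    # {3: b"mon"}
        "tuesday_diff": vol.shadows[tuesday],  # {3: b"tue", 4: b"boot"}
    }


if __name__ == "__main__":
    print(version_scenario())
    print(chain_scenario())
```

The model ignores what real VSS does on shadow deletion and on diff-area exhaustion; it is only meant to show why a deleted directory survives in a shadow copy at the cost of a few metadata blocks, and why older restore points depend on newer ones.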
1) The "Volume Shadow Copy" service

$ net start "Volume Shadow Copy"

or

$ sc start vss

When working with "Volume Shadow Copy" by hand there is no need to start this service yourself; it is started on demand.

2) Creating a "Volume Shadow Copy"

Current Windows ships with vssadmin.exe, which generally supports at least the following subcommands:

---- Commands Supported ----

Delete Shadows        - Delete volume shadow copies
List Providers        - List registered volume shadow copy providers
List Shadows          - List existing volume shadow copies
List ShadowStorage    - List volume shadow copy storage associations
List Volumes          - List volumes eligible for shadow copies
List Writers          - List subscribed volume shadow copy writers
Resize ShadowStorage  - Resize a volume shadow copy storage association

You may have seen the following command used to create a "Volume Shadow Copy":

$ vssadmin create shadow /for=d:

However, only the Server editions of Windows support the create subcommand; on non-Server editions a "Volume Shadow Copy" has to be created some other way. Every method below needs an elevated (administrator) prompt.

2.1)

$ powershell.exe -command (Get-WmiObject Win32_ShadowCopy -List).Create('d:\','ClientAccessible')

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 2
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 0
ShadowID         : {02DD6DA9-0EA2-427F-A177-F14C10ECFD66}

ReturnValue 0 means success. The second argument is the shadow copy context: "ClientAccessible" is the kind that shows up under "Previous Versions" and, as the vssadmin help in 4) notes, the only type vssadmin can delete. The non-zero codes are documented for Win32_ShadowCopy.Create; the two you will actually meet are 1 (access denied, i.e. not elevated) and 8 (maximum number of shadow copies reached, 64 per volume).

2.2)

$ powershell.exe -command (gwmi -List Win32_ShadowCopy).Create('d:\','ClientAccessible')

2.3)

$ wmic shadowcopy call create volume='d:\'
Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
        ShadowID = "{02DD6DA9-0EA2-427F-A177-F14C10ECFD66}";
};

2.4)

$ vi createvsc.js
--------------------------------------------------------------------------
GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_ShadowCopy").Create("d:\\","ClientAccessible");
--------------------------------------------------------------------------
$ cscript.exe //nologo /e:jscript createvsc.js

2.5)

rundll32 can run VBScript or JScript straight from the command line:

$ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";window.execScript('msgbox("hello")','vbs');window.close()
$ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert("hello")

So the copy can be created without ever writing createvsc.js to disk:

$ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_ShadowCopy").Create("d:\\","ClientAccessible")

(The rundll32 javascript: trick is a well-known living-off-the-land technique in its own right, so from a defender's point of view this command line is doubly interesting.)

3) Listing "Volume Shadow Copy"

List Shadows [/For=ForVolumeSpec] [/Shadow=ShadowId|/Set=ShadowSetId]
    - Displays existing shadow copies on the system. Without any options,
    all shadow copies on the system are displayed ordered by shadow copy set.
    Combinations of options can be used to refine the list operation.
    - The Shadow Copy ID can be obtained by using the List Shadows command.
    When entering a Shadow ID, it must be in the following format:
       {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
    where the X's are hexadecimal characters.

    Example Usage:  vssadmin List Shadows
                        /Shadow={c5946237-af12-3f23-af80-51aadb3b20d5}

The following command lists every "Volume Shadow Copy" on the system; the last entry is the one just created.

$ vssadmin list shadows
...
Contents of shadow copy set ID: {74bb390d-3c96-4b3d-8cf7-ebb8a99e2818}
   Contained 1 shadow copies at creation time: 8/9/2019 10:54:11 AM
      Shadow Copy ID: {02dd6da9-0ea2-427f-a177-f14c10ecfd66}
         Original Volume: (D:)\\?\Volume{5b1258c6-7d55-11e6-a2dd-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14
         Originating Machine: XXX-WIN764
         Service Machine: XXX-WIN764
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

If the ShadowID is already known it can be given as a parameter:

$ vssadmin list shadows /shadow={02dd6da9-0ea2-427f-a177-f14c10ecfd66}

List every "Volume Shadow Copy" of drive D:

$ vssadmin list shadows /for=d:

In Explorer, right-click drive D -> Properties -> Previous Versions: what is shown there is exactly the list of "Volume Shadow Copy".

4) Deleting "Volume Shadow Copy"

Delete Shadows /For=ForVolumeSpec [/Oldest] [/Quiet]
Delete Shadows /Shadow=ShadowId [/Quiet]
Delete Shadows /All
    - For the given ForVolumeSpec deletes all matching shadow copies.
    If /Oldest is given, the oldest shadow copy on the volume is deleted.
    If /All is given, then all shadow copies on all volumes that can be
    deleted will be deleted. If /Shadow=ShadowId is given, the shadow copy
    with that Shadow Copy ID will be deleted. Only shadow copies that have
    the ClientAccessible type can be deleted.
    - The Shadow Copy ID can be obtained by using the List Shadows command.
    When entering a Shadow Copy ID, it must be in the following format:
       {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
    where the X's are hexadecimal characters. This ID can be obtained
    through the List Shadows command.
    Example Usage:  vssadmin Delete Shadows /For=C: /Oldest

Delete one specific "Volume Shadow Copy":

$ vssadmin delete shadows /shadow={02dd6da9-0ea2-427f-a177-f14c10ecfd66} /quiet

or

$ powershell.exe -command "Get-WmiObject Win32_ShadowCopy | where {$_.ID -eq '{02dd6da9-0ea2-427f-a177-f14c10ecfd66}'} | Remove-WmiObject"

Delete every "Volume Shadow Copy" of drive D:

$ vssadmin delete shadows /for=d: /quiet

Keep in mind that "vssadmin delete shadows" (and its WMI equivalent) is the textbook pre-encryption step of ransomware (ATT&CK T1490, Inhibit System Recovery) and is alerted on by most EDR products; on a monitored host, running it during an investigation will itself raise alarms.

5) Turning off "System Restore"

On one system, even though no "Volume Shadow Copy" had been created manually for drive D, seven "Volume Shadow Copy" of drive C were present.

$ powershell.exe -command "gwmi Win32_ShadowCopy | select -Property DeviceObject"

DeviceObject
------------
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy9
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy10
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy13

In Explorer, right-click drive C -> Properties -> Previous Versions shows seven earlier versions. All of them exist because "System Restore" is turned on.

sysdm.cpl -> System Properties -> System Protection -> Protection Settings ->
    Configure
        Turn off system protection
            turning off "System Restore" stops the automatic creation of "Volume Shadow Copy"
        Delete
            deletes the "Volume Shadow Copy"
    Create
        creates a "Volume Shadow Copy"

Task Scheduler has the corresponding entry:

Control Panel
    Administrative Tools
        Task Scheduler
            Microsoft
                Windows
                    SystemRestore
                        SR
                            %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation

☆ Malicious usage

1) Create the directory to be hidden

For example, create "d:\hidedir\" on drive D and copy the files to be hidden into it:

$ mkdir d:\hidedir
$ copy "c:\windows\system32\notepad.exe" d:\hidedir
$ mkdir d:\hidedir\zh-cn
$ copy "c:\windows\system32\zh-cn\notepad.exe.mui" d:\hidedir\zh-cn

Make sure notepad.exe runs correctly:

$ d:\hidedir\notepad.exe

This is only an example, so the system's own notepad.exe is used, which means notepad.exe.mui has to be copied along with it. In a real malicious scenario there is no such hassle.

2) Create a "Volume Shadow Copy"

$ wmic shadowcopy call create volume='d:\'
Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
        ShadowID = "{8FEF6254-3080-48B2-ADC5-8D53E28C300E}";
};

3) Delete the directory to be hidden

$ rmdir /s /q d:\hidedir

The hidedir directory is no longer visible in Explorer, but because a "Volume Shadow Copy" was created beforehand, hidedir and the notepad.exe under it are preserved in it, and there is a way to keep accessing that copy.

4) Obtain the target DeviceObject

$ powershell.exe -command "gwmi Win32_ShadowCopy | select -Property DeviceObject"

DeviceObject
------------
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
...
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy13
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20

Generally the last line is the one we want. The following command can be used as well:

$ vssadmin list shadows /for=d: | findstr /C:"Shadow Copy Volume"
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20

5) Access the hidden directory inside the "Volume Shadow Copy"

$ powershell.exe -command "dir \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\hidedir"

    Directory: \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\hidedir

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         2019/8/9     12:04            zh-cn
-a---        2016/3/26      2:00     193024 notepad.exe

Note that the question mark in the DeviceObject has been replaced with a dot, "?" -> ".".

To run the notepad.exe that lives inside the "Volume Shadow Copy", from cmd:

$ powershell.exe -command "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\hidedir\notepad.exe"

or from PowerShell:

PS> \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\hidedir\notepad.exe

6) Discussion

This technique can be loosely compared to a hidden hard link. The file seen in the normal view holds one reference, and the corresponding file inside the "Volume Shadow Copy" holds another. Deleting the file in the normal view decrements the reference count, but because of the "Volume Shadow Copy" the count does not reach zero, so the file still exists; it simply cannot be seen in the normal view.

That analogy is quite inaccurate and should not be taken as a serious description. As already said in "How it works", VSC works on blocks, not on files. But the analogy helps to picture quickly what has happened. The accurate version follows from [1]: the shadow device presents the volume exactly as it was at snapshot time. Deleting hidedir afterwards rewrites MFT (and $Bitmap) blocks, whose pre-deletion contents are copied into the diff area; the data blocks of notepad.exe are only marked free on the live volume and are copied into the diff area if and when something overwrites them. Reading \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20 therefore yields the old MFT plus the old data blocks, wherever they currently live. The stash survives exactly as long as that shadow copy does: shadow storage is capped ("vssadmin list shadowstorage" / "resize shadowstorage"), the oldest copies are discarded when the cap is hit, and "vssadmin delete shadows" removes it outright.

VSC is a perfectly legitimate feature, but the kind of malicious usage described above is common in real attacks. If you suspect it, how do you quickly find a hidedir inside a "Volume Shadow Copy"? That is an open question. On the telemetry side, process-creation events showing wmic.exe, powershell.exe or rundll32.exe (rather than a backup agent) calling Win32_ShadowCopy.Create, or any process whose image path or command line contains HarddiskVolumeShadowCopy, are the obvious hunting hooks.

If the hidedir inside a "Volume Shadow Copy" cannot be found, one can simply delete all "Volume Shadow Copy", turn off "System Restore", and so on, but not every scenario lets you do that. In short, VSC is a trap.

☆ References

[1] What you should know about Volume Shadow Copy/System Restore in Windows 7 & Vista (FAQ) - [2009-11-23]
    https://blog.szynalski.com/2009/11/volume-shadow-copy-system-restore/
    (covers the effect of VSC on sdelete)

[2] Volume Shadow Copies in forensic analysis - Andrea Fortuna [2017-10-02]
    https://www.andreafortuna.org/2017/10/02/volume-shadow-copies-in-forensic-analysis/
    (covers the related registry keys)

[3] Excluding Files from Shadow Copies
    https://docs.microsoft.com/en-us/windows/win32/vss/excluding-files-from-shadow-copies
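One answer to the open question in 6) of "Malicious usage" is to diff each shadow copy of a volume against the live volume and report what exists only in the shadow, which is exactly how hidedir looks after step 3). The following Python hunting script is an added example, not code from this article: parse_vssadmin_list() reads the "vssadmin list shadows /for=X:" output format shown in 3) (the embedded SAMPLE_LISTING is that listing), and the walk/diff helpers do the comparison. All names (ShadowCopy, parse_vssadmin_list, relative_paths, vanished, collapse, hunt) are this example's own. It assumes an elevated prompt and that Python's os.walk accepts the \\?\GLOBALROOT device path the same way PowerShell's dir did in 5); if it does not on a given build, expose the device first with "mklink /d c:\vsc20 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\" and walk that directory instead.

```python
"""Hunt for directories that exist only inside a shadow copy.

Added example, not code from the original article. The parser follows the
`vssadmin list shadows` layout reproduced in the article; the diff helpers
are this example's own. hunt() is Windows-only and needs an elevated prompt.
"""
from __future__ import annotations

import os
import re
import subprocess
import sys
from dataclasses import dataclass

# The article's own `vssadmin list shadows /for=d:` output, used as parser input.
SAMPLE_LISTING = r"""
Contents of shadow copy set ID: {74bb390d-3c96-4b3d-8cf7-ebb8a99e2818}
   Contained 1 shadow copies at creation time: 8/9/2019 10:54:11 AM
      Shadow Copy ID: {02dd6da9-0ea2-427f-a177-f14c10ecfd66}
         Original Volume: (D:)\\?\Volume{5b1258c6-7d55-11e6-a2dd-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14
         Originating Machine: XXX-WIN764
         Service Machine: XXX-WIN764
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
"""


@dataclass
class ShadowCopy:
    shadow_id: str
    created: str
    original_volume: str = ""
    device: str = ""  # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN

    @property
    def drive_letter(self) -> str | None:
        m = re.match(r"\((\w):\)", self.original_volume)
        return m.group(1).upper() if m else None


def parse_vssadmin_list(text: str) -> list[ShadowCopy]:
    """One ShadowCopy per 'Shadow Copy ID:' line; the creation time comes
    from the enclosing 'Contained N shadow copies at creation time:' line."""
    copies: list[ShadowCopy] = []
    created = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Contained \d+ shadow copies at creation time: (.+)$", line):
            created = m.group(1)
        elif m := re.match(r"Shadow Copy ID: (\{[0-9a-fA-F-]{36}\})$", line):
            copies.append(ShadowCopy(m.group(1).lower(), created))
        elif copies and (m := re.match(r"Original Volume: (.+)$", line)):
            copies[-1].original_volume = m.group(1)
        elif copies and (m := re.match(r"Shadow Copy Volume: (.+)$", line)):
            copies[-1].device = m.group(1)
    return copies


def relative_paths(root: str) -> set[str]:
    """Every file and directory below root as a lower-cased relative path
    (NTFS names are case-insensitive). os.walk skips unreadable directories."""
    root = root.rstrip("\\") + "\\"
    found: set[str] = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel = dirpath[len(root):]
        for name in dirnames + filenames:
            found.add((rel + "\\" + name if rel else name).lower())
    return found


def vanished(shadow_paths: set[str], live_paths: set[str]) -> set[str]:
    """What the shadow copy still holds that the live volume no longer has."""
    return shadow_paths - live_paths


def collapse(paths: set[str]) -> list[str]:
    """Report a vanished tree once (its top-most entry), not once per file."""
    roots: list[str] = []
    for p in sorted(paths):
        if not any(p.startswith(r + "\\") for r in roots):
            roots.append(p)
    return roots


def hunt(drive: str) -> list[tuple[ShadowCopy, str]]:
    """Windows only: list the drive's shadow copies via vssadmin and diff
    each one against the live volume."""
    out = subprocess.run(["vssadmin", "list", "shadows", f"/for={drive}:"],
                         capture_output=True, text=True, check=True).stdout
    live = relative_paths(f"{drive}:\\")
    hits: list[tuple[ShadowCopy, str]] = []
    for sc in parse_vssadmin_list(out):
        for p in collapse(vanished(relative_paths(sc.device), live)):
            hits.append((sc, p))
    return hits


if __name__ == "__main__":
    for sc, p in hunt(sys.argv[1] if len(sys.argv) > 1 else "D"):
        print(f"{sc.device}\\{p}    (shadow {sc.shadow_id}, created {sc.created})")
```

On a volume protected by System Restore the output will also contain every file legitimately deleted since each snapshot, so in practice you triage the collapsed top-level entries (a whole directory that vanished is far more interesting than a single temp file) and cross-reference creation times against the process telemetry mentioned in 6).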