EricZimmerman / KapeFiles

This repository serves as a place for community created Targets and Modules for use with KAPE.
MIT License

Unhandled Exception "The file or directory is not a reparse point" #423

Closed BeanBagKing closed 3 years ago

BeanBagKing commented 3 years ago

KAPE version

0.9.6.0

Describe the bug

While trying to run KAPE against a disk image mounted with Arsenal Image Mounter's "Windows file system driver bypass", an unhandled exception occurs dealing with (not a) reparse points.

Command line: .\kape.exe --tsource D: --tdest C:\Users\\Desktop\test --tflush --target Firefox --vss --vhdx test --zv false --gui

To Reproduce

Steps to reproduce the behavior:

  1. Full disk image captured via F-Response as a .E01 file.
  2. Image mounted with Arsenal Image Mounter v 3.3.138 (full/pro version) using "Windows file system driver bypass" mount option to expose file system metafiles. I was specifically looking for $I30 files here, per https://github.com/EricZimmerman/KapeFiles/issues/180 when I ran into this problem.
  3. Start KAPE and use the command line above, or from the console log in "additional context". Or, using gkape, select a target that tries to enumerate these not reparse points. Target source in my case is the image mounted by AIM (D:). No other options seem to really matter.
  4. See error. In the case of gkape, the command window will close, and you'll have to recover the crash from the console log. If you're running the command line version, you should see the same output though.

Expected behavior

No crash, and no issues enumerating anything in the mounted image. This should include the [DELETED] and [METADATA] "folders" exposed by AIM (not sure if that's an issue yet, haven't made it that far).

Screenshots

(screenshot: kape)

Additional context

There are two console logs below. Both appear to deal with different not reparse points (same issue, different targets/locations).

2021-02-17 09:33:18.7496 | I | KAPE version 0.9.6.0 Author: Eric Zimmerman (kape@kroll.com)
2021-02-17 09:33:18.7496 | I | KAPE directory: C:\Tools\KAPE
2021-02-17 09:33:18.7496 | I | Command line: --tsource D: --tdest C:\Users\<snip>\Desktop\test --tflush --target Chrome,ChromeExtensions,ChromeFileSystem,Edge,EdgeChromium,Firefox,InternetExplorer,Opera,PuffinSecureBrowser --vss --vhdx test --zv false --gui 
2021-02-17 09:33:18.7496 | I | System info: Machine name: DESKTOP-<snip>, 64-bit: True, User: <snip> OS: Windows10 (10.0.19041)
2021-02-17 09:33:19.2316 | I | Using Target operations
2021-02-17 09:33:19.2345 | W |  Flushing target destination directory 'C:\Users\<snip>\Desktop\test'
2021-02-17 09:33:19.2345 | W |  Creating target destination directory 'C:\Users\<snip>\Desktop\test'
2021-02-17 09:33:19.2345 | I | Found 9 targets. Expanding targets to file list...
2021-02-17 09:33:19.2973 | W | VSCs found on volume D: 0. Mounting...
2021-02-17 09:33:19.5271 | F | (4390) The file or directory is not a reparse point: [D:\Documents and Settings]:    at Alphaleonis.Win32.NativeError.ThrowException(UInt32 errorCode, String readPath, String writePath) in C:\Users\jjangli\Documents\GitHub\AlphaFS\AlphaFS\NativeError.cs:line 96
   at Alphaleonis.Win32.Filesystem.Device.GetLinkTargetData(SafeFileHandle safeHandle, String reparsePath) in C:\Users\jjangli\Documents\GitHub\AlphaFS\AlphaFS\Device\Device.cs:line 507
   at Alphaleonis.Win32.Filesystem.Device.GetLinkTargetInfo(SafeFileHandle safeHandle, String reparsePath) in C:\Users\jjangli\Documents\GitHub\AlphaFS\AlphaFS\Device\Device.cs:line 431
   at Alphaleonis.Win32.Filesystem.File.GetLinkTargetInfoCore(KernelTransaction transaction, String reparsePath, Boolean continueOnException, PathFormat pathFormat) in C:\Users\jjangli\Documents\GitHub\AlphaFS\AlphaFS\Filesystem\File Class\File.GetLinkTargetInfo.cs:line 111
   at kape.Classes.Helpers.ResolveReparsePoints(String dir)
   at kape.Classes.Helpers.ExpandDirectory(String dir)
   at kape.Program.ExpandTarget(Target target)
   at kape.Program.ProcessTarget(Target target, String startDirectory)
   at kape.Program.LoadTargetFile(TargetCollection targetFile)
   at kape.Program.LoadTargetFile(TargetCollection targetFile)
   at kape.Program.Main(String[] args)
2021-02-17 09:33:19.5334 | W | Unhandled exception! Attempting to write current Console Log to 'C:\Tools\KAPE\2021-02-17T14_33_18_3589083_ConsoleLog.txt'
2021-02-17 09:37:59.5056 | I | KAPE version 0.9.6.0 Author: Eric Zimmerman (kape@kroll.com)
2021-02-17 09:37:59.5175 | I | KAPE directory: C:\Tools\KAPE
2021-02-17 09:37:59.5175 | I | Command line: --tsource D: --tdest C:\Users\<snip>\Desktop\test --tflush --target Firefox --vss --vhdx test --zv false --gui 
2021-02-17 09:37:59.5175 | I | System info: Machine name: DESKTOP-<snip>, 64-bit: True, User: <snip> OS: Windows10 (10.0.19041)
2021-02-17 09:37:59.9999 | I | Using Target operations
2021-02-17 09:37:59.9999 | W |  Flushing target destination directory 'C:\Users\<snip>\Desktop\test'
2021-02-17 09:37:59.9999 | W |  Creating target destination directory 'C:\Users\<snip>\Desktop\test'
2021-02-17 09:37:59.9999 | I | Found 30 targets. Expanding targets to file list...
2021-02-17 09:38:00.0805 | W | VSCs found on volume D: 0. Mounting...
2021-02-17 09:38:00.1104 | W |  'D:\Users\<snip>\AppData\Roaming\Mozilla\Firefox\Profiles' does not exist. Skipping
2021-02-17 09:38:00.1242 | W |  'D:\Users\<snip>\AppData\Roaming\Mozilla\Firefox\Profiles' does not exist. Skipping
2021-02-17 09:38:00.1242 | W |  'D:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles' does not exist. Skipping
2021-02-17 09:38:00.1242 | W |  'D:\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles' does not exist. Skipping
2021-02-17 09:38:00.1242 | W |  'D:\Users\Default\AppData\Roaming\Mozilla\Firefox\Profiles' does not exist. Skipping
2021-02-17 09:38:00.1242 | W |  'D:\Users\<snip>\AppData\Roaming\Mozilla\Firefox\Profiles' does not exist. Skipping
2021-02-17 09:38:00.1412 | W |  'D:\Users\<snip>\AppData\Roaming\Mozilla\Firefox\Profiles' does not exist. Skipping
2021-02-17 09:38:00.3475 | F | (4390) The file or directory is not a reparse point: [D:\Users\All Users]:    at Alphaleonis.Win32.NativeError.ThrowException(UInt32 errorCode, String readPath, String writePath) in C:\Users\jjangli\Documents\GitHub\AlphaFS\AlphaFS\NativeError.cs:line 96
   at Alphaleonis.Win32.Filesystem.Device.GetLinkTargetData(SafeFileHandle safeHandle, String reparsePath) in C:\Users\jjangli\Documents\GitHub\AlphaFS\AlphaFS\Device\Device.cs:line 507
   at Alphaleonis.Win32.Filesystem.Device.GetLinkTargetInfo(SafeFileHandle safeHandle, String reparsePath) in C:\Users\jjangli\Documents\GitHub\AlphaFS\AlphaFS\Device\Device.cs:line 431
   at Alphaleonis.Win32.Filesystem.File.GetLinkTargetInfoCore(KernelTransaction transaction, String reparsePath, Boolean continueOnException, PathFormat pathFormat) in C:\Users\jjangli\Documents\GitHub\AlphaFS\AlphaFS\Filesystem\File Class\File.GetLinkTargetInfo.cs:line 111
   at kape.Classes.Helpers.ResolveReparsePoints(String dir)
   at kape.Classes.Helpers.ExpandDirectory(String dir)
   at kape.Program.ExpandTarget(Target target)
   at kape.Program.ProcessTarget(Target target, String startDirectory)
   at kape.Program.LoadTargetFile(TargetCollection targetFile)
   at kape.Program.Main(String[] args)
2021-02-17 09:38:00.3475 | W | Unhandled exception! Attempting to write current Console Log to 'C:\Tools\KAPE\2021-02-17T14_37_59_1137344_ConsoleLog.txt'

I'm not sure if it's relevant or helpful, but here is what AIM's readme says about the file system driver bypass:

Windows file system driver bypass - Mount the disk image as a virtual read-only file system, using DiscUtils rather than Windows file system drivers. This mount option is often used to bypass file system security and expose NTFS metafiles and streams. May also be useful to read files from disk images containing corrupted file systems. Please note, BitLocker-protected volumes are not supported and disk size values are an approximation of each volume's total file size (including things like multiple links to the same file and files with sparse allocation) so the size may appear larger than the expected volume size.

[...snip...]

Can you describe some of the things exposed by the Windows file system driver bypass mount option?

• NTFS metafiles (e.g. $MFT, $LogFile, $UsnJrnl)
• NTFS Alternate Data Streams (ADS) as files suffixed with their stream names alongside the "normal" files they are associated with
• NTFS streams in the [METADATA] folder at the root of each volume. You will find the entire volume's folder structure replicated here, and within each folder you will find the associated streams using the naming convention (STREAMNAME)..(STREAMTYPE). You can also find concatenated stream data for the entire volume at the root of the [METADATA] folder, using the naming convention [(STREAMNAME)]..[(STREAMTYPE)]. The streams currently exposed are $OBJECT_ID, $INDEX_ROOT, $INDEX_ALLOCATION, $EA, and $LOGGED_UTILITY_STREAM.
• On NTFS file systems, deleted files which have not been completely overwritten will be displayed in the [DELETED] folder at the root of each volume. Filenames will be appended (unless none of their clusters have been reallocated, in which case they will remain as is) to identify what percentage of their clusters have not yet been reallocated. If you see "[0pct]" appended to a filename, that indicates a very small number of clusters were reallocated and the percentage has been rounded down to 0. Also, orphans will be displayed within folders using the naming convention MFT-(#)_SEQ-(#). This functionality is based on the DiscUtils project and is best described as "quick file and folder recovery." Please note that while browsing the contents of the [DELETED] folder you may encounter various kinds of corruption related to deleted files and folders (which will result in the error "The disk structure is corrupted and unreadable.") and that the contents of deleted files from SSDs (as opposed to HDDs) will often be empty.
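The AIM naming conventions quoted above are what a collection target has to reason about: a stream file under [METADATA] belongs to the directory at the same relative path on the original volume, the root-level [STREAMNAME]..[STREAMTYPE] files are whole-volume concatenations, and [DELETED] names carry a [Npct] suffix or live under MFT-(#)_SEQ-(#) orphan folders. The following is an added example, not code from the issue, AIM or KAPE, that parses those conventions so a path like the $I30..$INDEX_ROOT one later in this thread can be mapped back to the directory it indexes. Two assumptions are made: an orphan folder is spelled literally as MFT-1234_SEQ-5, and a deleted name without a [Npct] suffix is treated as 100% intact (the readme says the suffix is omitted when no clusters were reused).

```python
"""Map paths from an Arsenal Image Mounter 'file system driver bypass' mount
back to the volume objects they describe.

Added example (not code from the issue, AIM or KAPE). ASSUMPTIONS: an orphan
folder is spelled literally as MFT-1234_SEQ-5, and a deleted name without a
[Npct] suffix is 100% intact.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

STREAM_RE = re.compile(r"^(?P<name>.+?)\.\.(?P<type>\$[A-Z_]+)$")          # $I30..$INDEX_ROOT
CONCAT_RE = re.compile(r"^\[(?P<name>.+?)\]\.\.\[(?P<type>\$[A-Z_]+)\]$")  # [$I30]..[$INDEX_ALLOCATION]
PCT_RE = re.compile(r"^(?P<name>.+)\[(?P<pct>\d{1,3})pct\]$")               # report.docx[37pct]
ORPHAN_RE = re.compile(r"^MFT-(?P<mft>\d+)_SEQ-(?P<seq>\d+)$")              # assumed literal spelling


@dataclass
class AimEntry:
    kind: str                          # metadata-stream | metadata-concat | deleted | orphan | regular
    original_path: Optional[str]       # path on the imaged volume (None when the parent record is gone)
    stream_name: Optional[str] = None
    stream_type: Optional[str] = None
    pct_intact: Optional[int] = None
    mft_record: Optional[int] = None
    mft_sequence: Optional[int] = None


def classify_aim_path(path: str) -> AimEntry:
    parts = PureWindowsPath(path).parts            # ('D:\\', '[METADATA]', ..., leaf)
    drive, rest = parts[0], list(parts[1:])
    if not rest:
        return AimEntry("regular", str(PureWindowsPath(drive)))
    top, inner = rest[0], rest[1:]
    leaf = inner[-1] if inner else ""

    if top == "[METADATA]":
        m = CONCAT_RE.match(leaf)
        if m and len(inner) == 1:                  # whole-volume concatenation at the [METADATA] root
            return AimEntry("metadata-concat", str(PureWindowsPath(drive)), m["name"], m["type"])
        m = STREAM_RE.match(leaf)
        if m:                                      # per-object stream: the parent dir is the original object
            return AimEntry("metadata-stream", str(PureWindowsPath(drive, *inner[:-1])), m["name"], m["type"])
        return AimEntry("regular", str(PureWindowsPath(drive, *inner)))

    if top == "[DELETED]":
        m = PCT_RE.match(leaf)
        name, pct = (m["name"], int(m["pct"])) if m else (leaf, 100)
        for comp in inner:                         # an orphan container anywhere in the path
            o = ORPHAN_RE.match(comp)
            if o:
                return AimEntry("orphan", None, pct_intact=pct,
                                mft_record=int(o["mft"]), mft_sequence=int(o["seq"]))
        return AimEntry("deleted", str(PureWindowsPath(drive, *inner[:-1], name)), pct_intact=pct)

    return AimEntry("regular", str(PureWindowsPath(path)))


def group_index_streams(paths: List[str]) -> Dict[str, List[str]]:
    """Which $I30 attribute types were exposed for each original directory."""
    out: Dict[str, set] = {}
    for p in paths:
        e = classify_aim_path(p)
        if e.kind == "metadata-stream" and e.stream_name == "$I30":
            out.setdefault(e.original_path, set()).add(e.stream_type)
    return {d: sorted(t) for d, t in out.items()}


if __name__ == "__main__":
    sample = [  # constructed, modelled on the path shown later in the issue
        r"D:\[METADATA]\Program Files (x86)\Adobe\zh-tw\$I30..$INDEX_ROOT",
        r"D:\[METADATA]\Program Files (x86)\Adobe\zh-tw\$I30..$INDEX_ALLOCATION",
        r"D:\[METADATA]\[$I30]..[$INDEX_ALLOCATION]",
        r"D:\[DELETED]\Users\bob\report.docx[37pct]",
        r"D:\[DELETED]\MFT-1234_SEQ-5\notes.txt",
    ]
    for p in sample:
        print(classify_aim_path(p))
    print(group_index_streams(sample))
```

The useful output for a KAPE-style target is `group_index_streams`: it tells you which directories have both an $INDEX_ROOT and an $INDEX_ALLOCATION exposed, which is what an $I30 slack-space parser needs. Orphan entries deliberately get no original path, since the parent directory record that would supply it no longer exists.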

EricZimmerman commented 3 years ago

Don't mount it with file system bypass and try it again?

Granted, you can't get $I30 that way, but that would at least eliminate the E01 as being problematic.

SOMETHING is presenting as a reparse point, but when it tries to resolve it, it's failing. This could be a bug in the way either AIM or DiscUtils is presenting data. Hard to say.

I should look into adding $I30 support to KAPE or something else, I suppose.
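The trace in the report shows exactly that failure mode: the entry carries the reparse-point attribute, AlphaFS asks the file system for its reparse data, and Win32 error 4390 (ERROR_NOT_A_REPARSE_POINT) comes back and propagates out of the target expansion as an unhandled exception, ending the whole collection. The following is an added example, not KAPE's or AlphaFS's code, of the enumeration policy a collector wants here: treat the attribute as a hint, verify it by reading the reparse data, and on 4390 record a warning and walk the entry as an ordinary directory rather than aborting. The I/O backend is injected so the walk runs offline against a constructed fake of the D: mount from the issue; the Windows backend uses os.lstat and os.readlink (Python 3.8+ resolves junctions), and the fake's directory names and the "phantom" entries are assumptions, not data from the image.

```python
"""Walk a mounted volume without crashing on a 'phantom' reparse point.

Added example; not KAPE's or AlphaFS's code. Policy: the reparse attribute is
a hint, reading the reparse data is the check, and Win32 error 4390 means
"walk it as a plain directory and log a warning". The fake volume below is
constructed (not real image data).
"""
import ntpath
import os
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ERROR_NOT_A_REPARSE_POINT = 4390
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


@dataclass
class Backend:
    attributes: Callable[[str], int]        # FILE_ATTRIBUTE_* bits of the entry itself (no following)
    reparse_target: Callable[[str], str]    # reparse data as a path; raises OSError(winerror=...) on failure
    listdir: Callable[[str], List[str]]


def windows_backend() -> Backend:
    """Real backend; only meaningful on Windows, where st_file_attributes exists."""
    return Backend(lambda p: os.lstat(p).st_file_attributes, os.readlink, os.listdir)


def classify(path: str, be: Backend) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (kind, target, warning); kind is file | dir | reparse | reparse-other."""
    attrs = be.attributes(path)
    plain = "dir" if attrs & FILE_ATTRIBUTE_DIRECTORY else "file"
    if not attrs & FILE_ATTRIBUTE_REPARSE_POINT:
        return plain, None, None
    try:
        return "reparse", be.reparse_target(path), None
    except OSError as e:
        if getattr(e, "winerror", None) != ERROR_NOT_A_REPARSE_POINT:
            raise                               # genuine I/O error: let the caller decide
        return plain, None, (f"{path}: reparse attribute set but FSCTL_GET_REPARSE_POINT failed "
                             f"(4390); treating as a plain {plain}")
    except ValueError:                          # os.readlink: tag is not a symlink/junction
        return "reparse-other", None, f"{path}: reparse point with a non-link tag; not followed"


@dataclass
class WalkResult:
    files: List[str] = field(default_factory=list)
    links: Dict[str, str] = field(default_factory=dict)      # reparse path -> target
    warnings: List[str] = field(default_factory=list)


def walk_safely(root: str, be: Backend, follow_links: bool = False) -> WalkResult:
    res, pending, seen = WalkResult(), [root], set()
    while pending:
        d = pending.pop()
        if d in seen:                           # junction cycles when follow_links=True
            continue
        seen.add(d)
        for name in be.listdir(d):
            p = ntpath.join(d, name)
            kind, target, warning = classify(p, be)
            if warning:
                res.warnings.append(warning)
            if kind == "file":
                res.files.append(p)
            elif kind == "dir":
                pending.append(p)
            elif kind == "reparse":
                res.links[p] = target
                if follow_links:
                    pending.append(target)
    return res


def fake_aim_volume() -> Backend:
    """Constructed stand-in for the D: mount in the issue (not real image data)."""
    dirs = {
        "D:\\": ["Documents and Settings", "Users", "swapfile.sys"],
        "D:\\Documents and Settings": ["desktop.ini"],
        "D:\\Users": ["All Users", "Default", "Default User", "bob"],
        "D:\\Users\\All Users": ["desktop.ini"],
        "D:\\Users\\Default": ["NTUSER.DAT"],
        "D:\\Users\\bob": ["NTUSER.DAT"],
    }
    phantom = {"D:\\Documents and Settings", "D:\\Users\\All Users"}   # attribute set, no reparse data
    junctions = {"D:\\Users\\Default User": "D:\\Users\\Default"}       # a real, resolvable junction

    def attributes(p: str) -> int:
        a = FILE_ATTRIBUTE_DIRECTORY if (p in dirs or p in junctions) else 0
        return a | (FILE_ATTRIBUTE_REPARSE_POINT if (p in phantom or p in junctions) else 0)

    def reparse_target(p: str) -> str:
        if p in junctions:
            return junctions[p]
        err = OSError(ERROR_NOT_A_REPARSE_POINT, "The file or directory is not a reparse point")
        err.winerror = ERROR_NOT_A_REPARSE_POINT           # mimic the Windows OSError shape
        raise err

    return Backend(attributes, reparse_target, lambda p: dirs[p])


if __name__ == "__main__":
    use_real = os.name == "nt" and len(sys.argv) > 1
    result = walk_safely(sys.argv[1] if use_real else "D:\\",
                         windows_backend() if use_real else fake_aim_volume())
    print(f"{len(result.files)} files, {len(result.links)} links, {len(result.warnings)} warnings")
    for w in result.warnings:
        print("W |", w)
```

Run without arguments it walks the fake volume and reports two warnings for the two phantom directories while still collecting the files beneath them; on Windows, `python walk.py D:\` points it at a real mount. Only 4390 is swallowed: any other OSError from the reparse query is re-raised, because silently skipping a directory on an unexpected I/O error is the wrong default for evidence collection.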

EricZimmerman commented 3 years ago

Why would you use VSS here? It's not a physical disk.

You can also adjust your tsource to something more specific, such as the user's profile or the Firefox directory, to see if it can see the $I30s from there.

BeanBagKing commented 3 years ago

Don't mount it with file system bypass and try it again?

"Doctor, it hurts when I do this." "Then don't do that!” :P

The .E01 file mounted with the standard "Read Only Disk Device" does seem to work fine.

For the VSS, sorry, habit. However, it doesn't seem to have an effect on the issue here.

As far as adjusting the source, AIM presents these files in the [METADATA] folder. Trying to adjust the tsource results in a failure of a different kind. I can open a separate issue for this if you want, but if it's the way DiscUtils is presenting data, it may all be the same root cause.

Deferring <everything> due to IOException...

<snip>

Could not copy file 'D:\[METADATA]\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\$I30..$INDEX_ROOT' to 'C:\Users\<snip>\Desktop\test\D\[METADATA]\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\$I30..$INDEX_ROOT'. Error: Incorrect function.

WARNING: THERE WERE 130,628 FILE COPY FAILURES! See the console log for details!!!

Copied 0 out of 130,628 files in 272.9556 seconds. File copy errors: 130,628. See console log for details! See '*_CopyLog.csv' in the VHD(X)/Zip located in 'C:\Users\<snip>\Desktop\test' for copy details
Initializing VHDX creation. This may take a while...

No files were copied. Cannot create VHD(x) file!

Total execution time: 273.4090 seconds

Press any key to exit

My tkape file

Description: File Attributes (e.g $I30)
Author: Mike Peterson
Version: 1.0
Id: 054f8990-d877-4d84-98d6-23dc6cceaf2b
RecreateDirectories: True
Targets:
    -
        Name: $I30
        Category: File Attributes
        Path: C:\[METADATA]
        Recursive: True 
        FileMask: "*$I30*"

And my command line

.\kape.exe --tsource D: --tdest C:\Users\<snip>\Desktop\test --tflush --target FileAttributes2 --vhdx test --zv false --gui

EricZimmerman commented 3 years ago

Yeah, no idea on that one. Will have to see if I can replicate it.

BeanBagKing commented 3 years ago

I seem to have confirmed that nothing gets copied out, so, as you said, there's probably some underlying problem with DiscUtils.

tkape

Description: Just a test
Author: Mike Peterson
Version: 1.0
Id: 1828de2a-d81e-47a8-a0d2-87ad96e33035
RecreateDirectories: True
Targets:
    -
        Name: test
        Category: test
        Path: C:\
        Recursive: False
        FileMask: "swapfile.sys"

Results

KAPE version 0.9.6.0 Author: Eric Zimmerman (kape@kroll.com)

KAPE directory: C:\Tools\KAPE
Command line: --tsource D: --tdest C:\Users\<snip>\Desktop\test --tflush --target test --vhdx test --zv false --gui

System info: Machine name: DESKTOP-<snip>, 64-bit: True, User: <snip> OS: Windows10 (10.0.19041)

Using Target operations
        Flushing target destination directory 'C:\Users\<snip>\Desktop\test'
        Creating target destination directory 'C:\Users\<snip>\Desktop\test'
Found 1 targets. Expanding targets to file list...
Found 1 file in 0.051 seconds. Beginning copy...
        Deferring 'D:\swapfile.sys' due to IOException...
Deferred file count: 1. Copying locked files...
Could not copy file 'D:\swapfile.sys' to 'C:\Users\<snip>\Desktop\test\D\swapfile.sys'. Error: Incorrect function.

WARNING: THERE WERE 1 FILE COPY FAILURES! See the console log for details!!!

Copied 0 out of 1 files in 0.2931 seconds. File copy errors: 1. See console log for details! See '*_CopyLog.csv' in the VHD(X)/Zip located in 'C:\Users\<snip>\Desktop\test' for copy details
Initializing VHDX creation. This may take a while...

No files were copied. Cannot create VHD(x) file!

Total execution time: 0.6077 seconds

Press any key to exit

EricZimmerman commented 3 years ago

My guess is the CD file system emulation the bypass mode is using.

BeanBagKing commented 3 years ago

Thanks, if this isn't an issue on the KAPE side, I understand if you close it. It would be nice to have interoperability between tools though. Arsenal was really good about giving me a trial license to try to get this working with if you need to replicate, and if there is anything else I can test, let me know.

EricZimmerman commented 3 years ago

Spent some time digging into this. It's not a simple fix. It's more related to the fact that bypass mode uses CD file system vs NTFS, so none of the functions work the same.

Can't do anything with this for now, at least in the short term. I will look into adding $I30 extraction to KAPE too.