Hello! We have often talked about VSS (volume shadow copy of Windows) and the advantages and risks it entails. This time we are going to talk about how to backup any windows file both system and user. There are many files that cannot be read and written because they are in protected areas of the system, with VSS (Windows volume shadow copy) this problem does not exist because the files are not located in the restricted area of the system and the protection is disabled for them.
import win32com.client
import os
from shutil import copyfile
def vssList():
wcd=win32com.client.Dispatch("WbemScripting.SWbemLocator")
wmi=wcd.ConnectServer(".","root\cimv2")
obj=wmi.ExecQuery("SELECT * FROM win32_ShadowCopy")
return [x.DeviceObject for x in obj]
def vssCreate():
wmi=win32com.client.GetObject("winmgmts:\\\\.\\root\cimv2:Win32_ShadowCopy")
createmethod = wmi.Methods_("Create")
createparams = createmethod.InParameters
createparams.Properties_[1].value="c:\\"
results = wmi.ExecMethod_("Create",createparams)
return results.Properties_[1].value
if __name__ == "__main__":
print(vssCreate())
list = vssList()
copyfile("{0}\\Windows\\System32\\drivers\\etc\hosts".format(list[0]), "c:\\nuevo")
This method can be used to implement a backup system from the windows VSS. It can also serve as a way to become persistent on a system after exploiting it, since many antivirus do not include VSS in their system scans by default. This can be used in the following way after exploiting the system:
- The system is compromised and the binary is copied to the final location.
- Launch the creation of VSS (Windows volume shadow copy).
This way we already have a “safe” copy of the malicious binary on the system.
This is also used by ransomware, what they do is to launch a copy with VSS and encrypt the files from this one deleting the original ones from the disk. So it is sometimes possible to recover files from these VSS if we have been infected by one of these malwares and these malwares do not delete the VSS after encrypting the files.
It is important that if a system has been infected and is going to be “cleaned” and continue to be used (I am not in favor of this, I am in favor of reinstalling) that the VSS are purged to prevent the problem from resurfacing.