Hi Guys,
I would like to share a small chunk of code to get the basic file information. This code is the basic, initial part of file timestomping, i.e. manipulating a file's creation, modification and last-access times.
The idea of the code below is to retrieve a file's information so that later it can be written to another file we want to stomp; that file then blends in with the others, which makes it a bit harder for a forensic analyst to find the artefact based on the file creation time.
#include <windows.h>
#include <stdio.h>
#include <iostream>
using namespace std;
// Mirror of the FILE_BASIC_INFORMATION structure from ntifs.h (it is not
// declared in the user-mode Win32 SDK headers). NtQueryInformationFile fills it
// when called with the FileBasicInformation class (see getFileInformation below).
// All four timestamps share the FILETIME encoding described on the first two members.
// NOTE(review): forensic timeline tools usually cross-check these values against
// other copies of the timestamps kept on disk and in journals, so inconsistencies
// between them are a detection signal — confirm against your own tooling.
typedef struct _FILE_BASIC_INFORMATION {
LARGE_INTEGER CreationTime; // absolute system, number of 100-nanosecond intervals
LARGE_INTEGER LastAccessTime; // since the start of the year 1601 in the Gregorian calendar.
LARGE_INTEGER LastWriteTime; // last write to the file data
LARGE_INTEGER ChangeTime; // last metadata change; not returned by the Win32 GetFileTime API
ULONG FileAttributes; // metadata about the file, ex.: archive, compressed, directory, hidden, etc.
} FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION;
//https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationfile
// Mirror of the FILE_INFORMATION_CLASS enumeration from ntifs.h. Only
// FileBasicInformation (4) is used in this file; the remaining members are kept
// so that the numeric value passed to NtQueryInformationFile stays correct.
// The values must match the kernel's numbering exactly — do not reorder.
typedef enum _FILE_INFORMATION_CLASS {
FileDirectoryInformation = 1,
FileFullDirectoryInformation, // 2
FileBothDirectoryInformation, // 3
FileBasicInformation, // 4  <- the class queried by getFileInformation()
FileStandardInformation, // 5
FileInternalInformation, // 6
FileEaInformation, // 7
FileAccessInformation, // 8
FileNameInformation, // 9
FileRenameInformation, // 10
FileLinkInformation, // 11
FileNamesInformation, // 12
FileDispositionInformation, // 13
FilePositionInformation, // 14
FileFullEaInformation, // 15
FileModeInformation, // 16
FileAlignmentInformation, // 17
FileAllInformation, // 18
FileAllocationInformation, // 19
FileEndOfFileInformation, // 20
FileAlternateNameInformation, // 21
FileStreamInformation, // 22
FilePipeInformation, // 23
FilePipeLocalInformation, // 24
FilePipeRemoteInformation, // 25
FileMailslotQueryInformation, // 26
FileMailslotSetInformation, // 27
FileCompressionInformation, // 28
FileObjectIdInformation, // 29
FileCompletionInformation, // 30
FileMoveClusterInformation, // 31
FileQuotaInformation, // 32
FileReparsePointInformation, // 33
FileNetworkOpenInformation, // 34
FileAttributeTagInformation, // 35
FileTrackingInformation, // 36
FileIdBothDirectoryInformation, // 37
FileIdFullDirectoryInformation, // 38
FileValidDataLengthInformation, // 39
FileShortNameInformation, // 40
FileIoCompletionNotificationInformation, // 41
FileIoStatusBlockRangeInformation, // 42
FileIoPriorityHintInformation, // 43
FileSfioReserveInformation, // 44
FileSfioVolumeInformation, // 45
FileHardLinkInformation, // 46
FileProcessIdsUsingFileInformation, // 47
FileNormalizedNameInformation, // 48
FileNetworkPhysicalNameInformation, // 49
FileIdGlobalTxDirectoryInformation, // 50
FileIsRemoteDeviceInformation, // 51
FileUnusedInformation, // 52
FileNumaNodeInformation, // 53
FileStandardLinkInformation, // 54
FileRemoteProtocolInformation, // 55
FileRenameInformationBypassAccessCheck, // 56
FileLinkInformationBypassAccessCheck, // 57
FileVolumeNameInformation, // 58
FileIdInformation, // 59
FileIdExtdDirectoryInformation, // 60
FileReplaceCompletionInformation, // 61
FileHardLinkFullIdInformation, // 62
FileIdExtdBothDirectoryInformation, // 63
FileDispositionInformationEx, // 64
FileRenameInformationEx, // 65
FileRenameInformationExBypassAccessCheck, // 66
FileDesiredStorageClassInformation, // 67
FileStatInformation, // 68
FileMemoryPartitionInformation, // 69
FileStatLxInformation, // 70
FileCaseSensitiveInformation, // 71
FileLinkInformationEx, // 72
FileLinkInformationExBypassAccessCheck, // 73
FileStorageReserveIdInformation, // 74
FileCaseSensitiveInformationForceAccessCheck, // 75
FileKnownFolderInformation, // 76
FileMaximumInformation // sentinel: one past the last valid class
} FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS;
// Mirror of the native IO_STATUS_BLOCK that NtQueryInformationFile writes its
// completion result into (second argument of the call in getFileInformation).
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status; // final status of the request
PVOID Pointer; // reserved; overlays Status
};
ULONG_PTR Information; // request-dependent value; for a query, presumably the byte count written to the buffer — confirm against the documentation linked above
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;
// Function-pointer type for ntdll!NtQueryInformationFile, resolved at run time
// with GetProcAddress because the export has no import-library declaration in
// the user-mode SDK. Arguments, in order: file handle, IO_STATUS_BLOCK out-param,
// caller-supplied buffer, buffer length in bytes, information class selecting
// the buffer layout. Returns an NTSTATUS (0 == STATUS_SUCCESS).
typedef NTSTATUS(WINAPI* NtQueryInformationFile_t)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS);
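// Queries the FILE_BASIC_INFORMATION record (four timestamps plus attribute
// flags) of `srcfile` through ntdll!NtQueryInformationFile and prints the raw
// LastAccessTime tick count (100 ns units since 1601) on stdout.
//
// srcfile: NUL-terminated ANSI path of the file to query. It is opened with
//          FILE_READ_ATTRIBUTES only, the minimum right this query needs.
// Returns TRUE when the query succeeded, FALSE when the path is NULL, the ntdll
// export could not be resolved, the open failed, or the native call reported an
// error. The file handle is closed on every path before returning (the
// original version leaked it).
BOOL getFileInformation(char * srcfile) {
    if (srcfile == NULL) {
        return FALSE;
    }

    // ntdll.dll is mapped into every user-mode process, so GetModuleHandleA is
    // enough; no LoadLibrary is needed. The A variant is used explicitly so the
    // char* path below keeps compiling when UNICODE is defined.
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL) {
        return FALSE;
    }
    NtQueryInformationFile_t WinAPIGetFileInformation =
        (NtQueryInformationFile_t)GetProcAddress(ntdll, "NtQueryInformationFile");
    if (WinAPIGetFileInformation == NULL) {
        return FALSE;
    }

    // FILE_READ_ATTRIBUTES instead of GENERIC_READ: least privilege for a
    // metadata query. FILE_SHARE_READ instead of share mode 0: an exclusive
    // open fails with a sharing violation whenever any other process already
    // has the file open, which made the original fail on most in-use files.
    HANDLE fileSrc = CreateFileA(srcfile, FILE_READ_ATTRIBUTES, FILE_SHARE_READ,
                                 NULL, OPEN_EXISTING, 0, NULL);
    if (fileSrc == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    FILE_BASIC_INFORMATION file_basicInfomation = {};
    IO_STATUS_BLOCK io_StatusBlock = {};
    NTSTATUS status = WinAPIGetFileInformation(fileSrc, &io_StatusBlock,
                                               &file_basicInfomation,
                                               sizeof(FILE_BASIC_INFORMATION),
                                               FileBasicInformation);
    // Nothing below needs the handle; close it before evaluating the result
    // so no exit path can leak it.
    CloseHandle(fileSrc);

    // NT_SUCCESS semantics: any non-negative NTSTATUS is a success code
    // (STATUS_SUCCESS is 0; positive values are informational).
    if (status < 0) {
        return FALSE;
    }
    cout << "File Last Access Time : " << file_basicInfomation.LastAccessTime.QuadPart << endl;
    return TRUE;
}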
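// Entry point. Queries the file named by argv[1]; when no argument is given it
// falls back to the original hard-coded default path so existing usage is
// unchanged. Exits 0 on success and 1 when getFileInformation fails, so a
// calling script can tell the two apart.
int main(int argc, char* argv[]) {
    // Sized by the initializer: the original `char srcfile[20]` fit the
    // 19-character literal plus NUL exactly and would silently truncate or fail
    // to compile on any edit to the path.
    char defaultPath[] = "C:/Temp/payload.txt";
    char* srcfile = (argc > 1) ? argv[1] : defaultPath;

    if (getFileInformation(srcfile)) {
        cout << "Getting the File Information is Success" << endl;
        return 0;
    }
    cout << "Getting the File Information failed for: " << srcfile << endl;
    return 1;
}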