The other day I was watching some stuff on a video stream site. It was a knockoff of the all popular youtube, but this one took extra steps to make sure you could not download their videos.<\/p>\n
The easiest method for me to download videos from sites like this is to just check the temp internet folder and copy the file from there. This site was different. The file was in use by firefox the entire time (IE as well) and could not be copied or opened or written to without getting the classic ‘access denied’ message. Windows as we all know wont let you delete files that are in use including DLL’s and temp files (as we’ve all seen with malware). I believe it used a method similar to this:<\/p>\n
http:\/\/msdn.microsoft.com\/en-us\/library\/aa365203%28v=vs.85%29.aspx<\/p>\n
BOOL WINAPI LockFileEx(\r\n __in\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0HANDLE hFile,\r\n __in\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DWORD dwFlags,\r\n __reserved\u00a0\u00a0DWORD dwReserved,\r\n __in\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DWORD nNumberOfBytesToLockLow,\r\n __in\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DWORD nNumberOfBytesToLockHigh,\r\n __inout\u00a0\u00a0\u00a0\u00a0\u00a0LPOVERLAPPED lpOverlapped\r\n);<\/pre>\nWhats it do? Locks the specified file for exclusive access by the calling process. This function can operate either synchronously or asynchronously and can request either an exclusive or a shared lock.<\/div>\nThe second parameter, specifically the double word value is what gets me. When set to LOCKFILE_EXCLUSIVE_LOCK (0x00000002) any access to the shared segment of the file (which could be the whole damn thing) will result in our access denied message.<\/div>\nI tried numerous little techniques to get around this such as attaching to the process and attempting to insert code to waive the lock with UnLockFileEx(), but it failed and is too damn hard to pull off. Another idea I had was to just read the damn file from memory, but then I would be left with a HUGE chunk of hex data that’s supposed to be the video. I had almost given up hope when I remembered something about Posix – symlinks.<\/div>\nWindows doesn’t have symlinks per say, but rather HardLinks. A little known fact about hard links is that when the file you link to is deleted, the contents of the file are copied over, no questions asked to the file you linked from.<\/div>\nHere is the function and args:<\/div>\nCreateHardLink<\/h4>\n
http:\/\/msdn.microsoft.com\/en-us\/library\/aa363860%28v=vs.85%29.aspx<\/div>\n\nBOOL WINAPI CreateHardLink( __in\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0LPCTSTR lpFileName, __in\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0LPCTSTR lpExistingFileName, __reserved\u00a0\u00a0LPSECURITY_ATTRIBUTES lpSecurityAttributes );<\/p>\n
Seems self explanatory. Funny enough the security attributes param is supposed to be null since they never implemented it (yay).<\/p>\n
So what do we do? C to the rescue:<\/p>\n
<\/p>\n
\n#include <windows.h><\/span>\r\n#include <stdio.h><\/span>\r\n\r\nint<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv[])\r\n{\r\n\r\nif<\/span>(argc <<\/span> 2<\/span>)\r\n{\r\nprintf("usage is %s path + file to locked file<\/span>\\r\\n<\/span>"<\/span>,argv[0<\/span>]);\r\n\r\nreturn<\/span> 0<\/span>;\r\n\r\n}\r\nelse<\/span>\r\n{\r\nchar<\/span> *<\/span>lockedfilename =<\/span> argv[1<\/span>];\r\nchar<\/span> *<\/span>newfilename =<\/span> argv[2<\/span>];\r\n\r\nif<\/span>(CreateHardLink(newfilename,lockedfilename,NULL<\/span>))\r\n{\r\nprintf("Hard Link created between %s and %s<\/span>\\r\\n<\/span>"<\/span>,lockedfilename,newfilename);\r\nsystem("pause"<\/span>);\r\nreturn<\/span> 1<\/span>;\r\n}\r\nelse<\/span>\r\n{\r\nprintf("something went wrong, you prolly specified a bad file or something<\/span>\\r\\n<\/span>"<\/span>);\r\nreturn<\/span> 0<\/span>;\r\n}\r\n}\r\n}\r\n}\r\n<\/pre>\n<\/div>\nIf there’s a syntax error in this code, I’m sorry. I wrote the C off the top of my head. My little program allows you to save locked files to a new location. Further modifications to the code would be to call DeleteFile() or something like that after the link is created. Oh well.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
The other day I was watching some stuff on a video stream site. It was a knockoff of the all popular youtube, but this one took extra steps to make sure you could not download their videos. The easiest method for me to download videos from sites like this is to just check the temp […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/63"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=63"}],"version-history":[{"count":4,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/63\/revisions"}],"predecessor-version":[{"id":568,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/63\/revisions\/568"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=63"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=63"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=63"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}