Even more SetMace

joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

Just brushing some dust off the old topic of timestamp manipulation on NTFS. Version 1.0.0.10 of SetMace now implements a kernel mode driver, thus removing a lot of the restrictions put on the previous versions.

http://reboot.pro/topic/15960-setmace/

Now I think the project has reached a dead end, unless someone else wants to take it further into handling the raw structures of shadow copies..

 
Posted : 05/08/2014 4:17 am
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

Now I think the project has reached a dead end, unless someone else wants to take it further into handling the raw structures of shadow copies..

And then a few more fixes were done, to support an MFT record size of 4096 bytes, dumping of timestamps from the parent's INDX, as well as fixing an issue with synchronization of $STANDARD_INFORMATION timestamps and those found in the INDX of the parent.

Regarding the latter, it turned out a simple call to NtQueryInformationFile would force Windows to synchronize them.

 
Posted : 16/08/2014 8:51 pm
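
An added example, not part of the original posts and not SetMace code: a Python check that compares the four $STANDARD_INFORMATION timestamps with the copy held in the parent's INDX entry and reports any field that is out of sync, the condition described in the post above. The sample bytes, file name and function names are constructed for illustration, and the caller is assumed to have already extracted the resident $STANDARD_INFORMATION content and the raw index entry.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_changed", "accessed")

def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def si_times(si_content):
    """$STANDARD_INFORMATION content starts with four FILETIMEs."""
    return dict(zip(FIELDS, struct.unpack_from("<4Q", si_content, 0)))

def indx_times(entry):
    """Name and timestamps from one $I30 index entry: a 16-byte header,
    then a $FILE_NAME copy whose timestamps follow the parent reference."""
    entry_len, fn_len = struct.unpack_from("<HH", entry, 8)
    fn = entry[16:16 + fn_len]
    if (fn_len < 0x42 or len(fn) != fn_len or 16 + fn_len > entry_len
            or 0x42 + 2 * fn[0x40] > fn_len):
        raise ValueError("truncated or malformed index entry")
    name = fn[0x42:0x42 + 2 * fn[0x40]].decode("utf-16-le")
    return name, dict(zip(FIELDS, struct.unpack_from("<4Q", fn, 8)))

def desync(si_content, entry):
    """Return (name, {field: (si_time, indx_time)}) for fields that differ."""
    name, ix = indx_times(entry)
    si = si_times(si_content)
    return name, {f: (from_filetime(si[f]), from_filetime(ix[f]))
                  for f in FIELDS if si[f] != ix[f]}

def build_sample():
    """Constructed data: $SI rewritten, parent index entry left stale."""
    ft = lambda dt: (dt - EPOCH) // timedelta(microseconds=1) * 10
    stale = ft(datetime(2014, 8, 16, 20, 51, tzinfo=timezone.utc))
    altered = ft(datetime(2009, 1, 1, tzinfo=timezone.utc))
    si = struct.pack("<4Q", altered, altered, stale, altered) + bytes(40)
    name = "report.docx".encode("utf-16-le")
    fn = struct.pack("<Q4QQQIIBB", 5, stale, stale, stale, stale, 0, 0,
                     0x20, 0, len(name) // 2, 1) + name
    size = (16 + len(fn) + 7) & ~7  # index entries are 8-byte aligned
    entry = struct.pack("<QHHI", 64, size, len(fn), 0) + fn
    return si, entry.ljust(size, b"\0")

if __name__ == "__main__":
    print(desync(*build_sample()))
```

A non-empty result for a file whose parent index should mirror its $STANDARD_INFORMATION values is worth a closer look during timeline analysis.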
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

Added support for shadow copy timestamp modification, among other things. It is now also a PoC showing how to modify data within a Shadow Copy.

 
Posted : 07/09/2014 2:30 am