
I have one VBScript which runs continuously on my system to monitor a web page in Internet Explorer.

I have permanently deleted this VBScript file from its original location on the system by mistake. However, the script is still in RAM and is still running and monitoring the web page.

This script is very important to me but I have lost it :(

I want to know if there is any way I can recover the code of the VBScript file from the system's RAM or any temporary file, as the script is still running.

I am not allowed to use any file recovery software, so please don't suggest installing any third-party data recovery software.

Chanks (edited by Brian Tompsett - 汤莱恩)
  • Interesting query... don't think it's possible without installing any recovery tool... but I would like to follow your query to get some insights. – Pankaj Jaju Mar 11 '14 at 14:42
  • No. It's not possible. – Nathan Rice Mar 11 '14 at 17:59
  • @NathanRice Well, technically it might be possible to extract the code from a [memory dump](http://www.forensicswiki.org/wiki/Tools:Memory_Imaging). It might be easier to recover the deleted file from disk, though (if the blocks on disk haven't been re-used yet). It might even be easier to rewrite the script from scratch. Besides, if the script really is that important: why is there no backup? – Ansgar Wiechers Mar 11 '14 at 20:50
  • 100% agree it would be possible to recover the file from disk, but he says right in his requirements that that's not an option. He also says he can't install any 3rd party tools, so that'd preclude installing anything that might take a recoverable memory dump. – Nathan Rice Mar 11 '14 at 20:51
  • The script was deleted at the time when I was about to take the backup. Anyway, thanks for the suggestion; the option to rewrite the script from scratch is always available. However, I was curious about the recovery of the file/code/machine code from RAM or temporary files. – Chanks Mar 12 '14 at 07:20
  • Tested on Windows 7 64-bit, with Sysinternals procdump. The code is in memory and readable from the dump. – MC ND Mar 12 '14 at 08:04
  • If you right click then Properties on the folder the script is in, does it have a "Previous Versions" tab? – PatricK Mar 13 '14 at 01:56
  • No, the 'Previous Versions' tab is not in Properties. @MC ND I have taken the dumps, could you please let me know how I can read the dumps? – Chanks Mar 13 '14 at 07:37
  • @Chanks, in my case, my tests were with a complex script I have at hand, and I was able to retrieve the script both with a hex editor and with the `strings` util, also from Sysinternals. – MC ND Mar 13 '14 at 07:54
  • Yes, it's called a backup. Something every coder (and others) uses. If your system isn't backed up, then use an editor that will at least keep version copies for you (like Notepad++). – RLH Apr 04 '14 at 01:42
  • Thanks all. Sorry for the delayed response. I did take dumps of the process. I couldn't find any software to analyse the dumps, so I used an online dump analyser to get the code. I got almost 95% of the correct code; only code within some loops was distorted, but I managed. – Chanks Dec 01 '14 at 14:41
  • Could you post all you did as an Answer? :) – Lizz Dec 10 '14 at 04:42

3 Answers


Try using the 'ADPlus.vbs' script from WinDbg:

  1. http://msdn.microsoft.com/en-us/windows/hardware/hh852365
  2. http://support.microsoft.com/kb/286350

MacG

As the code was still running, I followed the process below to recover the running code:

  1. Go to Task Manager
  2. Select the process and create dump
  3. Open online dump analyser (www.osronline.com)
  4. Upload dump file
  5. Download the dump analysis

The dump analysis provided almost 95% of the correct code. Code within some loops was distorted or changed. As I was the owner of the code, I was able to correct it.

Chanks (edited by Bugs)
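For readers who want to do the "read the dump" step offline rather than uploading it to a web service, here is an added example that is not code from the answer above or from any tool named on this page. It assumes the dump is a plain file readable from disk (a Task Manager `.dmp` contains the process memory as-is), scans it for printable runs in both ASCII and UTF-16LE (the script host generally holds source text as UTF-16, and either form may be present), and keeps only runs containing several VBScript keywords. The dump bytes used for the self-test are constructed inline; `SAMPLE_SCRIPT`, `FILLER` and all function names are the example's own.

```python
"""Carve VBScript source text out of a process memory dump (added example)."""
import re
import sys

MIN_RUN = 16          # shortest printable run worth keeping, as with `strings -n 16`
MIN_MARKERS = 2       # how many VBScript keywords a run must contain to count as script

# Keywords that rarely appear together outside VBScript source.
VBS_MARKERS = ("Set ", "CreateObject", "WScript", "Sub ", "End Sub",
               "Dim ", "Do While", "Loop", "End If")

# Printable ASCII plus tab/CR/LF as one run, and the same characters as UTF-16LE pairs.
ASCII_RUN = re.compile(rb"[\x09\x0a\x0d\x20-\x7e]{%d,}" % MIN_RUN)
UTF16_RUN = re.compile(rb"(?:[\x09\x0a\x0d\x20-\x7e]\x00){%d,}" % MIN_RUN)


def carve_strings(dump: bytes):
    """Yield (offset, encoding, text) for every printable run in the dump."""
    for m in ASCII_RUN.finditer(dump):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(dump):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def looks_like_vbscript(text: str) -> bool:
    """True when the run contains at least MIN_MARKERS of the keyword list."""
    return sum(marker in text for marker in VBS_MARKERS) >= MIN_MARKERS


def recover_script_candidates(dump: bytes):
    """Return every VBScript-looking run as (offset, encoding, text), longest first.

    All candidates are returned, not only the longest one: when non-printable
    bytes interrupt the source in memory, the script shows up as several
    fragments that have to be stitched back together by hand.
    """
    candidates = [c for c in carve_strings(dump) if looks_like_vbscript(c[2])]
    candidates.sort(key=lambda c: len(c[2]), reverse=True)
    return candidates


def recover_from_dump_file(path: str):
    """Read a .dmp file and return the longest VBScript-looking run, or None."""
    with open(path, "rb") as f:
        data = f.read()
    candidates = recover_script_candidates(data)
    return candidates[0][2] if candidates else None


# ---- constructed sample: a short monitor script embedded twice in junk bytes ----
SAMPLE_SCRIPT = (
    'Set ie = CreateObject("InternetExplorer.Application")\r\n'
    'ie.Navigate "about:blank"\r\n'
    'Do While True\r\n'
    '    WScript.Sleep 5000\r\n'
    'Loop\r\n'
)
FILLER = bytes(range(0x80, 0x100)) * 8     # non-printable bytes, never part of a run


def build_sample_dump(script: str = SAMPLE_SCRIPT) -> bytes:
    """Constructed stand-in for a dump: an ASCII copy and a UTF-16LE copy of the script."""
    return FILLER + script.encode("ascii") + FILLER + script.encode("utf-16le") + FILLER


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(recover_from_dump_file(sys.argv[1]) or "no VBScript-looking text found")
    else:
        for offset, enc, text in recover_script_candidates(build_sample_dump()):
            print(f"offset 0x{offset:x} ({enc}), {len(text)} chars:\n{text}")
```

Run it as `python carve_vbs.py process.dmp` against a real dump, or with no argument to see the constructed sample recovered in both encodings. The keyword threshold is what keeps the output short: a dump of a script host also contains the host's own strings, help text and loaded DLL resources, most of which never contain two VBScript keywords in one run.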

Use HxD; it can view all RAM content belonging to any process on the fly. It is commonly used to hack currently running games etc.

After locating your script, you may need to clear the alphanumeric mess between the pieces of your code; N++ and regex knowledge may be useful.

s1w_