Vulnerability Development mailing list archives

RE: How to hide a file ? (From most people)


From: "Holmes, Ben" <Ben.Holmes () getronics com>
Date: Wed, 9 Jan 2002 19:13:59 +1100

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


If you want to hide it from most people, here are some ways, and they
will work against some, but not all people.

You have to consider your target crowd, some people (people in even the
most basic forensics investigation) are going to be looking for things
that don't belong or are hidden, others are not.

Some are going to be stumblers, so that if it is not hidden, but it is
obscure, it will be found (sometimes by accident).

Here is what I have done to hide files:

1. Alternate Data Streams (ADS).

You can create alternate data streams on any NTFS partition by using a
colon as a delimiter for where it is going.  You can also right click a file
and enter some information in the version page and that creates an ADS.

Not as many people know that a DIRECTORY can also have an ADS.  Not all
utilities look for them (I saw a performance eval of various ADS
detection utils on Forensics by someone, it was very well presented) but
they are still fully useful and usable.

A forensics investigation will quickly turn this out, so use names like 
:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 
or 
:^ESummaryInformation 

Even then it will be detected and often queried; as well as this, it
makes executing harder as it does not have .EXE (or .com, or .scr etc)
at the end.  If you want to make it so you can execute them easier, see
the section below about hidden batch commands.

2. Hidden in an executable.

Viruses have been doing this for years.  The only difference is you make
it so your code doesn't spread to more executables and also make sure
that your code contains the executable you are trying to run and also a
way of running it.

An example would be, I write code that modifies the entry point of an
executable to point to the end of it, where I store my payload and then
my payload checks if a certain command line parameter was used or if
some other condition is present.  If nothing is different it just jumps
back to the orig entry point and the normal program runs, but if it is
triggered, it decrypts, decompresses etc my stored program and executes
it.

This is mainly useful for small programs and it is VERY difficult to do
and requires a lot of knowledge.  It can be detected by comparing to the
original file, but, look in \PROGRAM FILES and tell me you could tell
if one was modified.

3. Hidden in just about any file.

Look for a file, add your .exe to the end uuencoded and then pass it
through a uudecoding filter.  If it is an ASCII file, you can even add a
^Z character before your text, but then you have to filter that out in a
binary dump before encoding it.  Many other ways of hiding inside
another file are available but they all need extraction before running,
and sometimes re-encoding (like with UUDECODE or DEBUG.EXE).

4. Hidden in plain sight.

There are many files in that \WINNT\SYSTEM32 directory, and many are
executables.  If you can code you can even make it encrypted and look
like it does something else (trojanize?), especially give it false
version credentials (a component of a less-known version of Direct
X...).  A great idea is to make it a .VXD or .SYS or .DLL and if you
have coding skills a .DLL that is run with RUNDLL...  The date and time
stamps aren't hard to fool, just set the system date to the date you
want and modify the file in some way.. (I have heard of a touch util in
the reskit?).

If it is VERY small, call it something with the extension of .inf and
place it in the \winnt\inf directory.

5. Temporary Files 

As an extension to (4), make a directory (using a CMD prompt) in your
Temporary Internet Files directory called:
Temporary Internet Files\Content.IE5\U8YI9OP and then put your files in
there.

Make sure everything is hidden

On Win 2000 you should find the folder in:

C:\Documents and Settings\<USER>\Local Settings\Temporary Internet Files

Under Win NT 4.0 it should be under the user's profile directory
(\WINNT\PROFILE\<USER>\Temporary Internet Files) I think...

Another good location is make a hidden directory called MSIO98._MS in
the root directory and most people will think it was just left over from
an old install, or better still use the directory left over by an old
(failed if possible) install..

Your main temporary directory is not a good idea :)

- ---

** Note on Hidden batch commands

If you want to do a lot of commands it is good to have a batch file,
but, it exposes everything you are doing... except if it is in a batch
file that is common.  Find a common batch file, add a line to it that says:

IF "%1"=="BADBOY" GOTO BADBOY

then edit the lines to the end like this:

GOTO END
:BADBOY
<Your Commands here>
:END

** Random Notes

Moving a directory or file can preserve its security AFS even under a
new directory and can look suspect to a forensics examination, but it
can be useful if you want it to look like other people have used the
directory (i.e. give it some legitimacy).

If you have admin access, you can make it owned by any person at all,
and even make it created by any person at all, even at a time you were
not physically capable of doing it just by putting something in the
startup menu of the user.  If you have not got admin privs on the system
(and can't get them), but have exec privs on it as a user, then leave
the computer on and schedule a task for when you are definitely away
from the PC to do any dirty work.

Maybe Task Scheduler can also be used to create an easy but rarely
looked at way of extracting and running ADS.

Removable media, network shares and hidden partitions are all other good
ideas.

If you are after FULLY impossible to find data, just twofish encrypt it
and stick it on some unused sectors that are not mapped for use by any
file and remember the sectors, offset and length.  You can mark those
sectors bad if you want to stop any program using them.

Using reserved words and/or whitespace is something that I forgot to
mention; reserved words are devices and SuperHidden files like $MFT..
(Try $MtfMirr [note the t and f swap.. hard to see] and hide it and
system it).  Also whitespace (ASCII 255) is useful as a hidden
space: make a directory that has the same name as another one but hidden
and with a whitespace..

Just some random ideas...

I really hope it helps, I'm sure there are more ways still...

- -- Benjamin Holmes
Getronics, Brisbane, Queensland, AUSTRALIA


-----Original Message-----
From: Udi dahan [mailto:udi () co zahav net il]
Sent: Tuesday, 8 January 2002 9:35 PM
To: vuln-dev () security-focus com
Subject: How to hide a file ?


Hi all,

I was wondering if there's a way to hide a file under Windows 2000
Server, so that it will not be seen when using "show hidden files",
"show all files" and so on.
I want to hide a file but I want to be able to run the file only when I
know exactly where it is and what the file name is.

Do you guys have any idea?



Udi Dahan
Security Team Manager
Abuse Department
Internet-Gold
eMail: udi () co zahav net il
Tel: 03-9399721
Cel: 055-399781
Fax:03-9399859





-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
Comment: Pee Gee Peeeeee!

iQA/AwUBPDv7xnLvuelW5gClEQLq/gCg8374t+og17qNg+1qQeYifmDT49sAoJEa
N83R2RUo7YNQExAdJobRmS0x
=lRFb
-----END PGP SIGNATURE-----
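The post's ADS section and its closing note on whitespace names describe two things a reviewer of a Windows box would want to check for. The script below is an added example, not part of the thread: it walks a tree, lists non-default alternate data streams on files and on directories, and flags names containing trailing whitespace or characters such as 255 that render blank in Explorer. It assumes PowerShell 3.0 or later on an NTFS volume; the `$Root` default and the `$benignStreams` list are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): find non-default alternate data
# streams on files AND directories, and names with hard-to-see characters.
# Assumes PowerShell 3.0+ and an NTFS volume.
param(
    [string]$Root = 'C:\Windows'   # assumed starting point; pass any NTFS path
)

# Streams an ordinary file may carry without being suspicious (assumed list):
# ':$DATA' is the unnamed main stream, 'Zone.Identifier' is Mark-of-the-Web.
$benignStreams = @(':$DATA', 'Zone.Identifier')

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $item = $_
    $kind = if ($item.PSIsContainer) { 'Directory' } else { 'File' }

    # 1. Name oddities: control characters, non-breaking space, char 255,
    #    or trailing whitespace. Report the name as hex so the odd byte shows.
    if ($item.Name -match '[\x00-\x1F\x7F\xA0\xFF]|\s$') {
        $hex = ($item.Name.ToCharArray() | ForEach-Object { '{0:X2}' -f [int]$_ }) -join ' '
        [pscustomobject]@{
            Path    = $item.FullName
            Type    = $kind
            Finding = 'suspicious characters in name'
            Detail  = $hex
        }
    }

    # 2. Alternate data streams: Get-Item -Stream * enumerates every stream,
    #    including streams attached to directories, which many tools skip.
    Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $benignStreams -notcontains $_.Stream } |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $item.FullName
            Type    = $kind
            Finding = "alternate data stream '$($_.Stream)'"
            Detail  = "$($_.Length) bytes"
        }
    }
} | Format-Table -AutoSize -Wrap
```

Names with trailing spaces are hard to open by path because the Win32 layer trims them, so a hit from the name check is best followed up with a raw directory listing (for example `dir /x`) rather than by re-opening the item by name.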