Vulnerability Development mailing list archives
RE: How to hide a file ? (From most people)
From: "Holmes, Ben" <Ben.Holmes () getronics com>
Date: Wed, 9 Jan 2002 19:13:59 +1100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you want to hide it from most people, here are some ways, and they will work against some, but not all, people. You have to consider your target crowd: some people (people in even the most basic forensics investigation) are going to be looking for things that don't belong or are hidden; others are not. Some are going to be stumblers, so that if it is not hidden but is obscure, it will be found (sometimes by accident).

Here is what I have done to hide files:

1. Alternate Data Streams (ADS).

You can create alternate data streams on any NTFS partition by using a colon as the delimiter for where it is going. You can also right-click a file and enter some information in the version page, and that creates an ADS. Not as many people know that a DIRECTORY can also have an ADS. Not all utilities look for them (I saw a performance eval of various ADS detection utils on Forensics by someone; it was very well presented), but they are still fully useful and usable. A forensics investigation will quickly turn this up, so use names like :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} or :^ESummaryInformation. Even then it will be detected and often queried; as well as this, it makes executing harder, as it does not have .EXE (or .com, .scr, etc.) at the end. If you want to make it so you can execute them more easily, see the section below about hidden batch commands.

2. Hidden in an executable.

Viruses have been doing this for years. The only difference is you make it so your code doesn't spread to more executables, and also make sure that your code contains the executable you are trying to run and a way of running it. An example would be: I write code that modifies the entry point of an executable to point to the end of it, where I store my payload, and then my payload checks if a certain command line parameter was used or if some other condition is present. If nothing is different it just jumps back to the original entry point and the normal program runs, but if it is triggered, it decrypts, decompresses, etc. my stored program and executes it. This is mainly useful for small programs, and it is VERY difficult to do and requires a lot of knowledge. It can be detected by comparing to the original file, but look in \PROGRAM FILES and tell me you could tell if one was modified.

3. Hidden in just about any file.

Look for a file, add your .exe to the end uuencoded, and then pass it through a uudecoding filter. If it is an ASCII file, you can even add a ^Z character before your text, but then you have to filter that out in a binary dump before encoding it. Many other ways of hiding inside another file are available, but they all need extraction before running, and sometimes re-encoding (like with UUDECODE or DEBUG.EXE).

4. Hidden in plain sight.

There are many files in that \WINNT\SYSTEM32 directory, and many are executables. If you can code, you can even make it encrypted and look like it does something else (trojanize?), especially give it false version credentials (a component of a less-known version of DirectX...). A great idea is to make it a .VXD or .SYS or .DLL, and if you have coding skills, a .DLL that is run with RUNDLL... The date and time stamps aren't hard to fool: just set the system date to the date you want and modify the file in some way (I have heard of a touch util in the reskit?). If it is VERY small, call it something with the extension .inf and place it in the \winnt\inf directory.

5. Temporary Files.

As an extension to (4), make a directory (using a CMD prompt) in your Temporary Internet Files directory called:

    Temporary Internet Files\Content.IE5\U8YI9OP

and then put your files in there. Make sure everything is hidden. On Win 2000 you should find the folder in:

    C:\Documents and Settings\<USER>\Local Settings\Temporary Internet Files

Under Win NT 4.0 it should be under the user's profile directory (\WINNT\PROFILE\<USER>\Temporary Internet Files), I think... Another good location is to make a hidden directory called MSIO98._MS in the root directory, and most people will think it was just left over from an old install, or better still, use the directory left over by an old (failed if possible) install. Your main temporary directory is not a good idea :)

---

** Note on Hidden batch commands

If you want to do a lot of commands it is good to have a batch file, but it exposes everything you are doing... except if it is in a batch file that is common. Find a common batch file, add a line to it that says:

    IF "%1"=="BADBOY" GOTO BADBOY

then edit the lines to the end like this:

    GOTO END
    :BADBOY
    <Your Commands here>
    :END

** Random Notes

Moving a directory or file can preserve its security AFS even under a new directory and can look suspect to a forensics examination, but it can be useful if you want it to look like other people have used the directory (i.e. give it some legitimacy). If you have admin access, you can make it owned by any person at all, and even make it created by any person at all, even at a time you were not physically capable of doing it, just by putting something in the startup menu of the user. If you have not got admin privs on the system (and can't get them), but have exec privs on it as a user, then leave the computer on and schedule a task for when you are definitely away from the PC to do any dirty work. Maybe Task Scheduler can also be used to create an easy but rarely looked at way of extracting and running ADS. Removable media, network shares and hidden partitions are all other good ideas.

If you are after FULLY impossible-to-find data, just Twofish-encrypt it and stick it on some unused sectors that are not mapped for use by any file, and remember the sectors, offset and length. You can mark those sectors bad if you want to stop any program using them. Using reserved words and/or whitespace is something that I forgot to mention: reserved words are devices and SuperHidden files like $MFT. (Try $MtfMirr [note the t and f swap, hard to see] and hide it and system it.) Whitespace (ASCII 255) is also useful as a hidden space: make a directory that has the same name as another one but hidden and with a whitespace.

Just some random ideas... I really hope it helps; I'm sure there are more ways still...

--
Benjamin Holmes
Getronics, Brisbane, Queensland, AUSTRALIA
-----Original Message-----
From: Udi dahan [mailto:udi () co zahav net il]
Sent: Tuesday, 8 January 2002 9:35 PM
To: vuln-dev () security-focus com
Subject: How to hide a file ?

Hi all,

I was wondering if there's a way to hide a file under Windows 2000 Server, so that it will not be seen when using "show hidden files", "show all files" and so on. I want to hide a file, but I want to be able to run the file only when I know exactly where it is and what the file name is. Do you guys have any idea?

Udi Dahan
Security Team Manager
Abuse Department
Internet-Gold
eMail: udi () co zahav net il
Tel: 03-9399721
Cel: 055-399781
Fax: 03-9399859
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
Comment: Pee Gee Peeeeee!

iQA/AwUBPDv7xnLvuelW5gClEQLq/gCg8374t+og17qNg+1qQeYifmDT49sAoJEa
N83R2RUo7YNQExAdJobRmS0x
=lRFb
-----END PGP SIGNATURE-----
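The ADS points made above (named streams on files and on directories, GUID-like stream names, an executable parked in a stream) seen from the examiner's side, as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 on an NTFS volume; the $Root path, the benign-stream allow-list and the function names are assumptions.

```powershell
# Added example, not from the post: list named NTFS alternate data streams on
# every file AND directory under $Root, and flag streams that start with an MZ
# header (an executable stored in a stream). Windows PowerShell 5.1 assumed.
param(
    [string]$Root = 'C:\Windows\System32',   # assumed starting point
    # Streams that are routinely present and usually benign; anything else is reported.
    [string[]]$KnownBenign = @(':$DATA', 'Zone.Identifier', 'SmartScreen')
)

# True when the first two bytes of the given stream are "MZ" (PE/DOS header).
function Test-PEHeader {
    param([string]$Path, [string]$Stream)
    try {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte `
                             -TotalCount 2 -ErrorAction Stop
        return ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    } catch { return $false }
}

# Walk the tree and report every stream not on the allow-list.
function Find-AlternateStreams {
    param([string]$Path, [string[]]$Ignore)

    # -Force includes hidden/system items; errors (access denied) are skipped, not fatal.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # -Stream * enumerates every NTFS stream; the post notes directories carry
            # streams too, so containers are queried exactly like files.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path        = $item.FullName
                        IsDirectory = $item.PSIsContainer
                        Stream      = $_.Stream
                        Length      = $_.Length
                        LooksLikePE = (Test-PEHeader -Path $item.FullName -Stream $_.Stream)
                    }
                }
        }
}

Find-AlternateStreams -Path $Root -Ignore $KnownBenign | Format-Table -AutoSize
```

Stream names such as the GUID-style or ^ESummaryInformation ones mentioned above still appear in this listing; the allow-list is the only thing that suppresses a stream, so tune it per host rather than widening it blindly.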
Current thread:
- RE: How to hide a file ? (From most people) Holmes, Ben (Jan 09)
- Re: How to hide a file ? (From most people) Patrick Chambet (Jan 10)
- RE: How to hide a file ? (From most people) Bojan Zdrnja (Jan 11)
- Re: How to hide a file ? (From most people) Nick Lange (Jan 12)
- Re: How to hide a file ? (From most people) Jonatan Bagge (Jan 14)
- Re: How to hide a file ? (From most people) Pieter-Bas IJdens (Jan 14)
- RE: How to hide a file ? (From most people) Bojan Zdrnja (Jan 14)
- Re: How to hide a file ? (From McAfee) Jon Zobrist (Jan 15)
- Re: How to hide a file ? (From McAfee) Kurt Seifried (Jan 16)
- RE: How to hide a file ? (From most people) Bojan Zdrnja (Jan 11)
- Re: How to hide a file ? (From most people) Patrick Chambet (Jan 10)