Vulnerability Development mailing list archives

RE: How to hide a file ?

From: "Farahbakhshian, Mike (OD)" <FarahbaM () OD NIH GOV>
Date: Wed, 9 Jan 2002 11:08:07 -0500

FWIW:

An ADS executable can be invoked directly via cygwin bash, for example

$ ./explorer.exe:sol.exe

In addition, cygwin 'ps' will show the full name: explorer.exe:sol.exe, so
I'm beginning to think that CMD.EXE actually parses out anything after the
colon from argv[1] when argv[0] is START.

The implication being that using ADS to hide a file becomes more and more
useless if another environment is provided.

Also: I have verified using 'df' that cygwin 'rm' actually does remove ADS
streams -- the space does return to free store.


--
Mike Farahbakhshian
System Engineer, Z-Tech Corporation
301-294-5560 (Office)
301-252-8852 (Mobile)
farahbam () od nih gov


-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Wednesday, January 09, 2002 9:59 AM
To: J. J. Horner
Cc: John Stauffacher; 'Matthew LaGrange'; vuln-dev () security-focus com
Subject: Re: How to hide a file ?


JJ,

First off, let me say that in the past, I've tested
the 'start' command like this, and hit hasn't worked. 
I'll have to do more testing...but I did what you did
below, verbatim...

On Windows2k, I run the following commands:

C:\ads>type c:\winnt\system32\sol.exe >
c:\ads\explorer.exe:sol.exe
C:\ads>start c:\ads\explorer.exe:sol.exe

On task manager, it shows up as sol.exe, on pulist
(from the resource kit) it shows
up as explorer.exe.

It works this way whether I run via Run or via
command-line start.


When I ran the above, I didn't get a listing for
Sol.exe *at all*.  I tried using the Task Manager,
pulist.exe, as well as pslist.exe from SysInternals. 
In every case, the new process showed up as
'explorer.exe'.

Very odd behavoir.

Now, I made a change to the setup above.  Instead of
an executable, I put the ADS behind a text file:

C:\ads>type c:\winnt\system32\sol.exe > 
c:\ads\myfile2.txt:sol.exe

Running it w/ the 'start' command appears as
'myfile.txt' in Task Manager, pulist, and pslist. 



__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/

Attachment: Farahbakhshian, Mike (OD).vcf
Description:

Current thread:

Re: How to hide a file ?, (continued)
- - - Re: How to hide a file ? J. J. Horner (Jan 09)
    - Re: How to hide a file ? H C (Jan 09)
    - Re: How to hide a file ? Jon Zobrist (Jan 09)
- RE: How to hide a file ? Altheide, Cory (Jan 08)
  - RE: How to hide a file ? Ken Pfeil (Jan 08)
- RE: How to hide a file ? Farahbakhshian, Mike (OD) (Jan 08)
- RE: How to hide a file ? Incs, Harry (Jan 08)
  - Re: How to hide a file ? bugtraq (Jan 08)
- RE: How to hide a file ? Pete Simpson (Jan 09)
- RE: How to hide a file ? Ed Moyle (Jan 09)
- RE: How to hide a file ? Farahbakhshian, Mike (OD) (Jan 09)
- RE: How to hide a file ? Matthew LaGrange (Jan 09)
- RE: How to hide a file ? Young, Brandon (Jan 09)
  - Re: How to hide a file ? Blue Boar (Jan 09)
    - RE: How to hide a file ? Bojan Zdrnja (Jan 10)
  - RE: How to hide a file ? H C (Jan 10)
- RE: How to hide a file ? Vincent Tiu (AV-PH) (Jan 09)
- RE: How to hide a file ? Farahbakhshian, Mike (OD) (Jan 10)
  - How to hide a file ? Kurt Seifried (Jan 10)
- How to hide a file ? Kurt Seifried (Jan 10)