Vulnerability Development mailing list archives
RE: How to hide a file ?
From: "Farahbakhshian, Mike (OD)" <FarahbaM () OD NIH GOV>
Date: Wed, 9 Jan 2002 11:08:07 -0500
FWIW: An ADS executable can be invoked directly via cygwin bash, for example

$ ./explorer.exe:sol.exe

In addition, cygwin 'ps' will show the full name: explorer.exe:sol.exe, so I'm beginning to think that CMD.EXE actually parses out anything after the colon from argv[1] when argv[0] is START. The implication being that using ADS to hide a file becomes more and more useless if another environment is provided.

Also: I have verified using 'df' that cygwin 'rm' actually does remove ADS streams -- the space does return to free store.

--
Mike Farahbakhshian
System Engineer, Z-Tech Corporation
301-294-5560 (Office)
301-252-8852 (Mobile)
farahbam () od nih gov

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Wednesday, January 09, 2002 9:59 AM
To: J. J. Horner
Cc: John Stauffacher; 'Matthew LaGrange'; vuln-dev () security-focus com
Subject: Re: How to hide a file ?

JJ,

First off, let me say that in the past, I've tested the 'start' command like this, and it hasn't worked. I'll have to do more testing...but I did what you did below, verbatim...

> On Windows2k, I run the following commands:
>
> C:\ads>type c:\winnt\system32\sol.exe > c:\ads\explorer.exe:sol.exe
> C:\ads>start c:\ads\explorer.exe:sol.exe
>
> On task manager, it shows up as sol.exe, on pulist (from the resource kit) it shows up as explorer.exe. It works this way whether I run via Run or via command-line start.

When I ran the above, I didn't get a listing for Sol.exe *at all*. I tried using the Task Manager, pulist.exe, as well as pslist.exe from SysInternals. In every case, the new process showed up as 'explorer.exe'. Very odd behavior.

Now, I made a change to the setup above. Instead of an executable, I put the ADS behind a text file:

C:\ads>type c:\winnt\system32\sol.exe > c:\ads\myfile2.txt:sol.exe

Running it w/ the 'start' command appears as 'myfile.txt' in Task Manager, pulist, and pslist.
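Added example, not part of the original posts: a defender-side check that flags process image paths naming an NTFS alternate data stream and records both the host file name and the stream name, since the thread reports that listing tools may display either one. The function names and the sample records are constructed for illustration; the image paths are assumed to come from whatever process-listing or audit source is available.

```python
import re

# A leading "C:" (optionally behind \\?\ or \\.\) is a drive designator,
# not a stream separator.
_DRIVE = re.compile(r'^(?:\\\\[?.]\\)?[A-Za-z]:')

def split_ads(path):
    """Split a path into (host_file, stream_name). stream_name is None when
    the path names only the default unnamed data stream."""
    path = path.strip().strip('"')
    m = _DRIVE.match(path)
    prefix = m.group(0) if m else ''
    rest = path[len(prefix):]
    # Only the final component can carry ":stream[:type]". Accept both
    # separators because Cygwin-style paths use "/".
    cut = max(rest.rfind('\\'), rest.rfind('/')) + 1
    parts = rest[cut:].split(':')
    stream = parts[1] if len(parts) > 1 else ''
    return prefix + rest[:cut] + parts[0], (stream or None)

def find_ads_processes(records):
    """Return one finding per (pid, image_path) whose image is a named stream."""
    findings = []
    for pid, image in records:
        host, stream = split_ads(image)
        if stream is None:
            continue
        host_name = host.replace('/', '\\').rsplit('\\', 1)[-1]
        findings.append({
            'pid': pid,
            'host_file': host,
            'stream': stream,
            # A process lister may show the host name or the stream name,
            # so correlate on both.
            'possible_names': sorted({host_name, stream}),
        })
    return findings

# Constructed sample records (pid, image path); not real captured data.
SAMPLE = [
    (412, r'C:\WINNT\explorer.exe'),
    (1180, r'c:\ads\explorer.exe:sol.exe'),
    (1244, r'c:\ads\myfile2.txt:sol.exe:$DATA'),
    (1300, r'C:\WINNT\system32\notepad.exe::$DATA'),  # default stream only
    (1388, './explorer.exe:sol.exe'),                 # Cygwin-style path
]

if __name__ == '__main__':
    for finding in find_ads_processes(SAMPLE):
        print(finding)
```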