Vulnerability Development mailing list archives

RE: How to hide a file ?


From: "Mike Theriault" <Mike_Theriault () Jabil com>
Date: Tue, 8 Jan 2002 13:31:47 -0500

Yes I can reduplicate this, but I'm not sure I see the relevance of using
the POSIX subsystem on Win2K to hide a file.  By the way, where did you get
VI from?  My latest version of Interix doesn't come with it or emacs.

Mike Theriault

                -----Original Message-----
                From:   Farahbakhshian, Mike (OD) [mailto:FarahbaM () OD NIH GOV]
                Sent:   Tuesday, January 08, 2002 1:20 PM
                To:     vuln-dev () security-focus com
                Subject:        RE: How to hide a file ?

                More interesting behavior:

                The cygwin toolkit appears to be somewhat less braindead than Windows
                Explorer or CMD.EXE with handling ADS. (although still more braindead than
                it probably should be!)

                (tested with cygwin -- DLL version 1.3.6)

                'rm' will in fact remove alternate data streams.
                'ls -a' will not show the ADS in a general directory listing; however, if
                you explicitly name the file, it will show it (whereas 'dir' will not). But
                globbing will not work.

                $ echo "Foo" > foo.txt
                $ echo "Bar" > foo.txt:bar.txt

                $ more foo.txt
                Foo
                $ more foo.txt:bar.txt
                Bar

                $ ls -al *.txt
                -rw-r--r--      1 mfarah        users           8 Jan   8 13:16 foo.txt

                $ ls -al foo.txt:bar.txt
                -rw-r--r--      1 mfarah        users           6 Jan   8 13:16 foo.txt:bar.txt

                $ ls -al foo.txt:bar*
                ls: foo.txt:bar*: No such file or directory

                $ rm foo.txt:bar.txt
                $ ls -al foo.txt:bar.txt
                ls: foo.txt:bar.txt: No such file or directory

                $ more foo.txt:bar.txt # note that this worked before
                foo.txt:bar.txt: No such file or directory

                I am testing to see whether the inode is actually unlinked and the space
                returned to free store.

                In addition, when a file is created using 'vi' and then an ADS is opened
                (with vi), a hidden file named .originalfilename is created. Not very
                interesting, given that vi is the only program I have tested that does this

                $ vi foo.txt
                (data entered)

                $ ls -a .f*
                ls: .f*: No such file or directory

                $ vi foo.txt:bar.txt
                (data entered)

                $ ls -al .f*
                -rw-r--r--      1       mfarah  users           0 Jan 8 13:23 .foo.txt


                Maybe the way that the POSIX subsystem accesses the FS somehow mitigates the
                effects of ADS? Can anyone else replicate this behavior using Cygwin? (or
                U/Win or Interix for that matter?)

                - Mike


                -----Original Message-----
                From: Altheide, Cory [mailto:CAltheide () broadband att com]
                Sent: Tuesday, January 08, 2002 12:30 PM
                To: vuln-dev () security-focus com
                Subject: RE: How to hide a file ?


                Just a quick note on hiding using data streams...

                While the streams themselves are transparent, creating an alternate data
                stream does alter the modified date of the "parent" file.

                Cory Altheide
                Internet Security Coordinator
                AT&T Broadband Legal Demands Center

                > -----Original Message-----
                > From: Jose Nazario [mailto:jose () biocserver BIOC cwru edu]
                > Sent: Tuesday, January 08, 2002 10:10 AM
                > To: Udi dahan
                > Cc: vuln-dev () security-focus com
                > Subject: Re: How to hide a file ?
                > 
                > 
                > On Tue, 8 Jan 2002, Udi dahan wrote:
                > 
                > > I was wondering if there's a way to hide a file under windows 2000
                > > server, so that it will not be seen when using "show hidden file",
                > > "show all files" and so on. I want to hide a file but I want to be
                > > able to run the file only when I know exactly where it is and what is
                > > the file name.
                > 
                > use the file streams. h carvey has written some nice documentation on
                > this:
                > http://patriot.net/~carvdawg/perl.html
                > http://www.chi-publishing.com/isb/backissues/ISB_2001/ISB0601/ISB0601HC.pdf
                > 
                > an additional discussion is available on:
                > http://rr.sans.org/win/ADS.php
                > 
                > enjoy,
                > 
                > ____________________________
                > jose nazario
                > jose () cwru edu
                > PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                > PGP key ID 0xFD37F4E5 (pgp.mit.edu)
                > 
                > 
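
The thread notes that ordinary listings ('dir', 'ls -a', globbing) do not show alternate data streams and that creating one changes the parent file's modified date. The following is an added example, not part of the original thread, showing how a defender can enumerate named streams on NTFS. It assumes Windows PowerShell 3.0 or later; the function name `Find-AlternateDataStream` and the demo directory are hypothetical, and the demo files reproduce the `foo.txt` / `foo.txt:bar.txt` pair from the message above.

```powershell
# Added example: list named (alternate) data streams on files under a directory tree.
# Assumes Windows PowerShell 3.0+ and an NTFS volume. The function name is hypothetical.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Skip the Zone.Identifier stream that Windows attaches to downloaded files.
        [switch]$IgnoreZoneIdentifier
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream; ':$DATA' is the unnamed default stream.
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { -not ($IgnoreZoneIdentifier -and $_.Stream -eq 'Zone.Identifier') } |
                ForEach-Object {
                    [pscustomobject]@{
                        File          = $file.FullName
                        Stream        = $_.Stream
                        StreamBytes   = $_.Length
                        # Timestamp of the parent file, which stream creation updates.
                        LastWriteTime = $file.LastWriteTime
                    }
                }
        }
}

# Constructed demo: recreate the thread's foo.txt and foo.txt:bar.txt in a temp directory.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'foo.txt') -Value 'Foo'
Set-Content -LiteralPath (Join-Path $demo 'foo.txt') -Stream 'bar.txt' -Value 'Bar'

# Ordinary directory listing, for comparison with the stream enumeration.
Get-ChildItem -LiteralPath $demo -Force
# Enumerate named streams under the demo directory.
Find-AlternateDataStream -Path $demo
```

Only files are walked here; directories can also carry named streams and would need a separate pass.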

