fast_rizwaan
Junior Member
Registration Date: 11-04-2003
Location: India
REALLY hidden files with NTFS's ADS - Run Programs Hidden from Task Manager
You may be interested to know about another "SECRET" that the boys in
Redmond try not to advertise. It is called Alternative Data Streams,
and it basically allows you to "hide" files within other files.
M$ provides no tools (other than low level SDK functions) to even know
that these Alternative Data Streams exist. Neither "Explorer", nor
"dir", nor "attrib", nor any other resource kit app will help you
discover these streams. In fact, to the best of my knowledge, most
virus detection programs only scan the primary stream, and not any of
the associated alternative streams. In addition, once an ADS has been
associated with a file, it copies right along with the file when going
from NTFS to NTFS.
To see a non destructive example, drop down to the CMD line and try the following. (Win NT/2k/XP w/ NTFS ... no FAT)
First create a basic host file ... let's say a text file in the root dir on the C drive
C:\>echo Hello World > MyTest.txt
Then attach your favorite exe (or whatever you want) as an ADS (solitaire?)
C:\>type c:\WINNT\system32\sol.exe > MyTest.txt:MyProg.Exe
Inspect your file all you want. Even delete the original program if you really want to (sol.exe).
Now run your hidden version of solitaire anytime you'd like.
C:\>start c:\MyTest.txt:MyProg.exe
(Look at Task Manager and check out Solitaire's new process name)
Scary ... isn't it? Do you know what's on your hard drive?
For more info see:
http://patriot.net/~carvdawg/docs/dark_side.html
http://www.codeproject.com/csharp/NTFSStreams.asp - C# P-Invoke SDK wrappers
http://www.heysoft.de/Frames/f_sw_la_en.htm - A tool to view ADS via the command line (no source code provided).
http://www.winnetmag.com/Articles/Print.cfm?ArticleID=19878
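An added example, not part of fast_rizwaan's post: a PowerShell 3.0+ script that recreates the host-file-plus-stream setup from the post, enumerates and reads the streams, then hunts a directory tree for every stream that is not the default one. The scratch directory, the host file name, the stream names and the use of calc.exe as the binary payload are assumptions for the demo. Two facts worth knowing alongside the post: on Windows Vista and later, cmd's "dir /R" lists alternate streams, and PowerShell's file cmdlets take a -Stream parameter on NTFS volumes; the unnamed primary stream is reported as ':$DATA', and files downloaded by a browser normally carry a benign Zone.Identifier stream (the mark-of-the-web), which is the hit you will see most often.

```powershell
# Added example, not from the original post: NTFS alternate data streams with
# PowerShell 3.0+ cmdlets. Needs an NTFS volume; paths and names are assumptions.

$demoDir  = Join-Path $env:TEMP 'ads-demo'          # assumed scratch directory
$hostFile = Join-Path $demoDir 'MyTest.txt'          # assumed host file name
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

# 1. Create the visible host file (the post's "echo Hello World > MyTest.txt").
Set-Content -Path $hostFile -Value 'Hello World'

# 2. Attach streams: a text payload via -Stream, and a binary payload copied
#    byte-for-byte from an existing executable (the post's "type sol.exe > ...").
#    Note the ${} braces: "$hostFile:name" would be parsed as a scope qualifier,
#    not as a path.
Set-Content -Path $hostFile -Stream 'note.txt' -Value 'hidden text payload'
$payloadSrc = Join-Path $env:SystemRoot 'System32\calc.exe'   # any existing exe (assumed)
$bytes = [System.IO.File]::ReadAllBytes($payloadSrc)
[System.IO.File]::WriteAllBytes("${hostFile}:MyProg.exe", $bytes)

# 3. A plain listing and Get-Content show only the primary stream: a few bytes.
Get-Item -Path $hostFile | Select-Object Name, Length
Get-Content -Path $hostFile

# 4. Enumerate every stream on the file. The primary (unnamed) stream is reported
#    as ':$DATA'; the attached streams appear by name with their own sizes.
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length

# 5. Read a named stream back.
Get-Content -Path $hostFile -Stream 'note.txt'

# Read the first bytes of a stream through .NET, which accepts "path:stream"
# names on NTFS. Used below to spot an executable (MZ header) parked in a stream.
function Get-StreamHeader {
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    $fs = [System.IO.File]::OpenRead("${Path}:${Stream}")
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -le 0) { return '' }
        return ($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $fs.Dispose()
    }
}

# 6. Hunt: walk a tree and report every stream that is not the default one.
#    Zone.Identifier is the usual benign hit; anything else, and in particular
#    a stream whose first two bytes are 4D5A ("MZ"), deserves a closer look.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $header = Get-StreamHeader -Path $_.FileName -Stream $_.Stream
            [PSCustomObject]@{
                File        = $_.FileName
                Stream      = $_.Stream
                Length      = $_.Length
                Header      = $header
                LooksLikePE = ($header -eq '4D5A')
                Benign      = ($_.Stream -eq 'Zone.Identifier')
            }
        }
}

Find-AlternateStreams -Root $demoDir | Format-Table -AutoSize

# 7. Clean up the demo streams; the host file and its primary stream survive.
Remove-Item -Path $hostFile -Stream 'note.txt'
Remove-Item -Path $hostFile -Stream 'MyProg.exe'
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length
```

Point Find-AlternateStreams at a user profile or a web root to see what actually lives in streams on a machine; expect a long list of Zone.Identifier entries, which is why the Benign column is there, and treat any stream that reports LooksLikePE as worth pulling for analysis. Copying the host file to a FAT or exFAT volume, or sending it through a tool that only reads the primary stream, silently drops the attached streams, which is the same NTFS-to-NTFS caveat the post mentions seen from the defender's side.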