Microsoft's Super Secret Directory | Lucideus Research
Windows: want to hide your secret files? There is a solution that Microsoft itself has provided.
The goal is a directory that ordinary tools (Windows Explorer, a plain Command Prompt) can neither open nor delete, holding files that can only be reached by someone who knows the exact path to them. Note up front that this is hiding, not access control: NTFS permissions are unchanged, and anything that uses the same path syntax can still read or delete the files.
Summary: We shall be using Reserved Keywords (device names) and Alternate Data Streams in Microsoft Windows.
- In Windows, certain device names (CON, PRN, AUX, NUL, COM1 to COM9, LPT1 to LPT9) are not allowed as file or folder names, see https://msdn.microsoft.com/en-us/library/86k9f82k.aspx . Try naming a file 'AUX' and Windows will not let you keep that name. The restriction lives in the Win32 path-parsing layer, not in NTFS itself, which is what makes the rest of this possible.
- So is it impossible to make a folder named after a device name? No. The fix is provided essentially by Microsoft itself, in the form of the "\\?\" path prefix described below.
- Now comes an important concept, Alternate Data Streams (ADS), which may be used to hide data. ADS is a relatively little-known feature of NTFS, although Windows itself relies on it (the Zone.Identifier stream that marks downloaded files is an ADS). It lets a file carry additional named streams alongside its main content, so data can be stored "inside" a file without changing the size Explorer reports for it. Files with an ADS are not flagged by Windows Explorer or by a default "dir" listing; "dir /r" lists the streams, however, as do PowerShell's "Get-Item -Stream *" and the Sysinternals Streams tool.
- Let's create a Notepad file named "common-file.txt". This is the carrier: an ordinary-looking file, which could just as well be any file that already exists on the NTFS volume.
- Let us assume that you have a file that needs to be hidden. Let that file be "payload.txt" for this demonstration. We can use an Alternate Data Stream to store its contents in a named stream of the "common-file.txt" we just created.
- Note: as mentioned above, "dir /r" lists any alternate data streams present in an NTFS directory.
- We now store the contents of payload.txt inside common-file.txt under the stream name "metadata.txt". Explorer still shows only common-file.txt, at the size of its main stream.
- Now that payload.txt is stored in an alternate data stream, let's combine a second concept with ADS.
- The second concept is how the extended-length path syntax can help hide a file. For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to turn off automatic expansion and normalization of the path string and to send what follows straight to the file system. Because the string is no longer normalized, the prefix also allows ".." and "." to be used as literal names in a path, and it bypasses the reserved-name check: the file system itself has no objection to a directory called AUX.
- We can therefore name a file or folder with a device name by using the "\\?\" prefix. Is that of any advantage? Yes. The result is a folder that ordinary tools cannot handle: with a plain path, "AUX" is mapped to the device, so Explorer and the Command Prompt can neither enter nor delete the folder. This is not a special privilege of the folder, though. Anyone who uses the same "\\?\" prefix can remove it, and kernel-mode components such as anti-malware file-system filters, which work on native paths, see it as a normal directory.
- The directory can not be entered or deleted with an ordinary path, even from an Administrator Command Prompt.
- We shall now copy this common-file.txt, together with its alternate stream, into the "AUX" directory we just created (copy and move preserve streams when the destination is also NTFS).
- We now have our payload at the following path:
\\?\C:\test\AUX\common-file.txt:metadata.txt
- The file can be reached only by someone who knows this exact path, which makes it hard for a user, or for a tool that walks the file system with ordinary Win32 paths, to locate it. Nobody can enter or delete the AUX directory from the GUI or the command line without the prefixed path. Do not mistake this for evasion of anti-virus in general: scanners that work from the kernel or use native paths are not affected, and the alternate stream is still listed by the tools mentioned above.
- To keep it more interesting and show another use case of the extended-length path, let us move our payload.txt file to the path shown below. We again write to the ADS of common-file.txt, but this time under a directory whose name is built from path specifiers, at the path \\?\C:\test\"..\. \"
- The effect is the same as with the reserved name: opening this directory from the GUI throws an error, because the normal path parser collapses "." and ".." before the request ever reaches the file system.
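The procedure above, end to end, as an added PowerShell example (this is not code from the original post). It assumes an NTFS volume C:, Windows PowerShell 5.1 or later, a working directory C:\test and the file and stream names used in the post; the contents of payload.txt are constructed sample data. The steps that touch the reserved-name directory shell out to cmd.exe, because cmd passes the "\\?\" prefix through untouched, and the carrier is written into AUX by redirection rather than copy, so the alternate stream is re-created through the exact prefixed path from the post.

```powershell
# Added example (not from the original post). Assumes NTFS on C: and uses
# C:\test, common-file.txt, payload.txt and the stream name metadata.txt as in
# the post. payload.txt's contents are constructed sample data.
$base = 'C:\test'
New-Item -ItemType Directory -Path $base -Force | Out-Null
Set-Content -LiteralPath "$base\payload.txt"     -Value 'secret: constructed sample payload'
Set-Content -LiteralPath "$base\common-file.txt" -Value 'nothing to see here'

# 1. Hide payload.txt in an alternate data stream of the carrier file.
#    cmd equivalent: type payload.txt > common-file.txt:metadata.txt
Get-Content -LiteralPath "$base\payload.txt" -Raw |
    Set-Content -LiteralPath "$base\common-file.txt" -Stream 'metadata.txt' -NoNewline

# Explorer and a plain "dir" show only common-file.txt at its original size;
# either of these reveals the extra stream.
cmd /c "dir /r $base"
Get-Item -LiteralPath "$base\common-file.txt" -Stream * | Select-Object Stream, Length

# 2. Create the reserved-name directory. Without the prefix, mkdir refuses "AUX".
cmd /c "mkdir \\?\$base\AUX"

# With an ordinary path the name AUX is mapped to the device, so both of these
# fail, even from an elevated prompt:
cmd /c "cd /d $base\AUX"
cmd /c "rd $base\AUX"

# 3. Put the carrier inside AUX. Redirection writes only the default stream,
#    so the alternate stream is written again through the exact prefixed path
#    (the post uses cmd's copy, which carries streams across on NTFS).
cmd /c "type $base\common-file.txt > \\?\$base\AUX\common-file.txt"
cmd /c "type $base\payload.txt > \\?\$base\AUX\common-file.txt:metadata.txt"
Remove-Item -LiteralPath "$base\payload.txt", "$base\common-file.txt"

# 4. Only the exact path reaches the payload now. The same prefix that created
#    the directory is also all that is needed to list it and to remove it.
cmd /c "dir /r \\?\$base\AUX"
cmd /c "more < \\?\$base\AUX\common-file.txt:metadata.txt"
cmd /c "rd /s /q \\?\$base\AUX"
```

Run it from a normal (non-elevated) prompt: nothing here needs administrator rights, which is the point of the post. For a carrier that stays in a normal directory, the stream alone is removed with Remove-Item's -Stream parameter; for the reserved-name directory, step 4 is the complete cleanup.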
We have now explored a few examples of data-hiding techniques in Windows. The possible combinations are numerous, and in practice they are used to keep anti-malware tools and administrators from reaching certain directories, for instance by embedding executables in an ADS inside an inaccessible directory. The defence is the same trick in reverse: enumerate with the "\\?\" prefix (or with a tool that uses native paths) and list streams explicitly instead of trusting Explorer or a default "dir".
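A defender's sweep for the same two artefacts, added here as an example and not part of the original post. It enumerates a tree through cmd's "dir" with the "\\?\" prefix, so reserved-name directories are entered rather than skipped, and lists every entry's $DATA streams through the Win32 FindFirstStreamW/FindNextStreamW API, which also accepts prefixed paths. The root C:\test, the reserved-name matching on the name stem and the output labels are assumptions; it assumes Windows PowerShell 5.1 or later on an NTFS volume.

```powershell
# Added example (not from the original post): find reserved-name entries and
# alternate data streams under $Root. Default root C:\test is an assumption.
param([string]$Root = 'C:\test')

# Names the Win32 layer reserves for devices, with or without an extension.
$reserved = 'CON','PRN','AUX','NUL',
            'COM1','COM2','COM3','COM4','COM5','COM6','COM7','COM8','COM9',
            'LPT1','LPT2','LPT3','LPT4','LPT5','LPT6','LPT7','LPT8','LPT9'

# FindFirstStreamW/FindNextStreamW report every $DATA stream of a file or
# directory: the default stream as "::$DATA", alternates as ":name:$DATA".
if (-not ('NtfsStreams' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class NtfsStreams {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct FindStreamData {
        public long StreamSize;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)] // MAX_PATH + 36
        public string StreamName;
    }
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr FindFirstStreamW(string fileName, int infoLevel, out FindStreamData data, uint flags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool FindNextStreamW(IntPtr handle, out FindStreamData data);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FindClose(IntPtr handle);

    public static List<FindStreamData> List(string path) {
        var streams = new List<FindStreamData>();
        FindStreamData d;
        IntPtr h = FindFirstStreamW(path, 0, out d, 0);   // 0 = FindStreamInfoStandard
        if (h == new IntPtr(-1)) return streams;          // INVALID_HANDLE_VALUE: no access, not NTFS, ...
        try { do { streams.Add(d); } while (FindNextStreamW(h, out d)); }
        finally { FindClose(h); }
        return streams;
    }
}
'@
}

# "dir /s /b /a" prints every entry as a full path and passes the \\?\ prefix
# through, so it descends into directories that cmd could not otherwise enter.
$prefixed = "\\?\$Root"
$entries = cmd /c "dir /s /b /a `"$prefixed`"" 2>$null

foreach ($entry in $entries) {
    # Plain string split: provider-based helpers may misread the \\?\ prefix.
    $name = $entry.Substring($entry.LastIndexOf('\') + 1)
    $stem = ($name -split '\.')[0]
    if ($reserved -contains $stem.ToUpperInvariant()) {
        Write-Output "RESERVED-NAME ENTRY : $entry"
    }
    foreach ($s in [NtfsStreams]::List($entry)) {
        if ($s.StreamName -ne '::$DATA') {
            Write-Output "ALTERNATE STREAM    : $entry$($s.StreamName)  ($($s.StreamSize) bytes)"
        }
    }
}
```

Against the layout built in the post, the sweep reports the AUX directory as a reserved-name entry and \\?\C:\test\AUX\common-file.txt:metadata.txt:$DATA as an alternate stream; every reported path already carries the prefix, so it can be pasted straight into "rd /s /q" or "more <" for cleanup or inspection.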
Further Reading:
https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
https://www.irongeek.com/i.php?page=security/altds
https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx