Hiding data on Windows with illegal file and folder names and substreams (alternate data streams)

First of all: if you really want to hide or encrypt your data, rely on a proper tool such as TrueCrypt.

What follows is only a proof of concept. It shows how you can trick Windows so that your files are not accessible to people who are not familiar with this technique.

As some of you might know, you normally cannot create folders or files with names like " " (a single space), ".", "COM1", "CON" or "sysstem." (with a trailing dot): the Win32 API reserves the device names and silently strips trailing spaces and dots. But there is a trick to create these files and folders anyway (except for "." and "..", which the file system itself reserves for the current and the parent directory).

All you need is the command line and this little prefix:

\\?\

It is the Win32 "extended-length" path prefix. A path that starts with \\?\ is handed to the file system without the usual normalisation, so the device-name rule and the stripping of trailing spaces and dots do not apply (and the 260-character MAX_PATH limit is lifted as well). With it you can do a lot more than usual.

See the following examples.

mkdir "\\?\C:\sysstem\ "
mkdir "\\?\C:\sysstem\ ."
mkdir "\\?\C:\sysstem\ .."
mkdir "\\?\C:\sysstem\sysstem."
mkdir "\\?\C:\sysstem\                sysstem              "
mkdir "\\?\C:\sysstem\COM1"
mkdir "\\?\C:\sysstem\CON"
mkdir "\\?\C:\sysstem\LPT1"

All of these folders are created without complaint. Most of them cannot be opened, renamed or deleted from Explorer, but they are reachable from the command line as long as you keep using the \\?\ prefix.
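To see the whole round trip in one go, here is an added example (not from the original post) that creates a reserved-name folder and a folder with a trailing space, shows that the plain path refuses or silently renames them, reads a file inside the reserved folder, and finally removes everything again. The base folder C:\sysstem is taken from the post; the file name note.txt is an assumption.

```batch
@echo off
rem Added example, not from the original post. Base folder is an assumption.
setlocal
set "base=C:\sysstem"
if not exist "%base%\" mkdir "%base%"

rem Without the prefix the name is normalised by Win32: "CON" is a device
rem name, so the call fails (the || branch runs).
mkdir "%base%\CON" 2>nul && echo unexpectedly created CON || echo mkdir without prefix refused CON, as expected

rem With the prefix the path reaches NTFS unchanged.
mkdir "\\?\%base%\CON"
mkdir "\\?\%base%\sysstem "
mkdir "\\?\%base%\ .."

rem dir lists them, but the trailing space is invisible in the listing...
dir /b "%base%"

rem ...and the plain path is normalised to "sysstem" (no trailing space),
rem which does not exist, so this reports "File Not Found":
dir "%base%\sysstem " 2>nul || echo plain path cannot see "sysstem "
rem while the prefixed path works:
dir "\\?\%base%\sysstem "

rem Files inside the reserved folder also need the prefix, for writing and reading.
echo hidden> "\\?\%base%\CON\note.txt"
type "\\?\%base%\CON\note.txt"

rem Cleanup: rmdir works as long as you keep using the prefix
rem (Explorer and plain paths cannot delete these folders).
rmdir /s /q "\\?\%base%\CON"
rmdir "\\?\%base%\sysstem "
rmdir "\\?\%base%\ .."
endlocal
```

The cleanup part is the one you will want most: once such folders exist, `rd "\\?\<full path>"` from an elevated prompt is the reliable way to get rid of them.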

The next thing you can do is to create a substream (an NTFS alternate data stream) on one of these folders; NTFS allows streams on directories, not only on files. You cannot simply name the stream a single space, because Notepad implicitly appends .txt to a name without an extension. Just give it a weird extension instead.

notepad "\\?\C:\sysstem\ : . -"

Notepad says that the file (stream) does not exist and asks whether you want to create it. Say yes.

After you have done so you may notice these characters in the title bar ("Editor" is the name of Notepad on a German Windows):

脠Ȋ - Editor (screenshot Editor_2012-12-14_09-38-06)

After you save the text, the characters change to the following:

ୀᄒ - Editor (screenshot Editor_2012-12-14_09-38-19)

Note that if you copy files with substreams from NTFS to another file system (FAT32, exFAT, a USB stick, a non-NTFS network share), all substreams are silently dropped, because those file systems cannot store them.

It is also possible to fill somebody's hard disk in a way that is hard to track down and free up again, since Explorer shows neither the streams nor their size. And because you created folders such as " ..", nobody can delete them the normal way: Explorer crashes or just reports errors if you try.
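Because the post only shows the Notepad route, here is an added example (not from the original post) that writes alternate data streams onto a file and onto a folder from the command line, lists them with dir /r (available since Windows Vista), reads them back, shows that a copy within NTFS keeps them, and ends with the one-liner a defender would use to find every stream under a tree. The folder under %TEMP% and the file names are assumptions; %TEMP% is assumed to lie on an NTFS volume.

```batch
@echo off
rem Added example, not from the original post. Paths and names are assumptions.
setlocal
set "base=%TEMP%\ads_demo"
if not exist "%base%\" mkdir "%base%"

rem Visible content goes into the file's main (unnamed $DATA) stream.
echo visible text> "%base%\readme.txt"
rem Hidden content goes into a named stream of the same file. dir reports
rem only the size of the main stream, so a tiny file can hide a lot here.
echo hidden text> "%base%\readme.txt:secret.txt"
rem Folders can carry streams too, although they have no main stream.
echo folder note> "%base%:note.txt"

echo --- what dir shows by default (no streams):
dir "%base%"
echo --- what dir /r shows (stream lines end in :$DATA):
dir /r "%base%"
dir /r "%TEMP%" | findstr /L /c:"ads_demo"

echo --- reading the streams back ("type" cannot open a stream, "more <" can):
more < "%base%\readme.txt:secret.txt"
more < "%base%:note.txt"

rem A copy from NTFS to NTFS keeps the streams; a copy to FAT/exFAT drops
rem them silently (copy/xcopy) or with a warning (robocopy).
copy "%base%\readme.txt" "%base%\copy.txt" >nul
dir /r "%base%" | findstr /L /c:"copy.txt"

echo --- every stream below %base% (the check you run on a suspicious tree):
dir /r /s "%base%" | findstr /L /c:":$DATA"

rmdir /s /q "%base%"
endlocal
```

cmd.exe has no command to delete a single stream; `type nul > file:stream` only empties it. Deleting the carrier file (or, on newer systems, PowerShell's Remove-Item -Stream) is what actually removes it.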

Try to fool around a little and tell me if you have found more crazy stuff.

System File Permission management in Windows CMD – First steps

An efficient way to set permissions and inheritance on an NTFS volume is to do it from the Windows command line (batch) rather than clicking through all the dialogs like a madman.

Here is a scenario in which the usernames and the names of the users' folders are exactly the same.

Example:

  • Username: johndoe
  • Foldername: johndoe
  • Domain: sysstem
Define your domain, or read it from the predefined variable %USERDOMAIN%.
Set the location of the directory that contains the user folders.
The script goes through all directories and grants each user OI (object inherit), CI (container inherit) and F (full control) on the folder of the same name.
/inheritance:d disables inheritance on that folder: the entries inherited from the parent are copied into the folder's own ACL as explicit entries, and from then on changes to the parent's permissions no longer propagate into it (the copied entries keep their OI/CI flags, so the folder's own children still inherit them).

@echo off
setlocal EnableDelayedExpansion
rem Share (or local path) that contains one folder per user
set "dir=\\fileserver01.sysstem.at\austria\vienna\users"
rem Domain of the user accounts; %USERDOMAIN% works when the script runs as a domain user
set "domain=sysstem"
set "logfile=icacls.log"

rem /ad lists directories only, so stray files in the share are skipped
for /f "tokens=*" %%a in ('dir "%dir%" /b /ad') do (
	echo %%a>>"%logfile%"
	icacls "%dir%\%%a" /grant %domain%\%%a:^(OI^)^(CI^)^(F^) /inheritance:d >>"%logfile%" 2>&1
)
echo See %logfile% for errors
pause

Here is an overview of how one can set the inheritance.

Microsoft NTFS Permission Inheritance (c) Microsoft (Original URL: http://i.msdn.microsoft.com/cc163885.fig05(en-us).gif)
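Before running a bulk ACL change like the one above you want a way back, and afterwards you want proof that every folder really got its entry. The following added example (not from the original post) saves all ACLs below the share with icacls /save, then walks the user folders and checks that each one lists the expected DOMAIN\user:(OI)(CI)(F) entry. Share path and domain are the same assumptions as in the post's scenario; the backup file name is an assumption.

```batch
@echo off
rem Added example, not from the original post. Share, domain and backup file name are assumptions.
setlocal EnableDelayedExpansion
set "dir=\\fileserver01.sysstem.at\austria\vienna\users"
set "domain=sysstem"
set "backup=acl_backup.txt"
set "missing=0"

rem /save /t writes the ACL of every object below %dir% into one file.
rem If the bulk change goes wrong:  icacls "%dir%" /restore "%backup%"
icacls "%dir%" /save "%backup%" /t /c >nul
if errorlevel 1 (
    echo ACL backup failed, not continuing
    exit /b 1
)

for /f "tokens=*" %%a in ('dir "%dir%" /b /ad') do (
    rem icacls prints one line per entry, e.g. sysstem\johndoe followed by
    rem the flags OI, CI and F in parentheses; look for exactly that line.
    icacls "%dir%\%%a" | findstr /i /L /c:"%domain%\%%a:(OI)(CI)(F)" >nul
    if errorlevel 1 (
        echo MISSING: %domain%\%%a on %dir%\%%a
        set /a missing+=1
    )
)
echo %missing% folder(s) without the expected entry
exit /b %missing%
```

The exit code equals the number of folders that failed the check, so the script can be chained after the grant script with `&&` or inspected from a scheduled task.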

If you are on Windows Server 2003 SP2 x86 you need a hotfix for icacls from the Microsoft site; it does not require a restart, apparently because it is only a small patch.

I am not sure whether I may host the patch on my site, so here is the link to download it from Microsoft. You have to register with an e-mail address so that Microsoft can contact you if the hotfix is changed.

Quick Admin Check with Version info for Windows in Batch

A little script that checks which Windows version you are running and also tells you whether you have admin rights or not.

@echo off

rem ***************************************
rem Info: http://en.wikipedia.org/wiki/Ver_(command)
rem ***************************************

rem /L /C: makes findstr look for the whole quoted string literally. Without
rem it every space-separated word is a separate search term and "[" starts a
rem regular-expression character class, so every line would match "Microsoft".
ver | findstr /L /C:"DOSBox version 0.72. Reported DOS version 5.0.">nul && echo DOSBox
ver | findstr /L /C:"Windows NT Version 4.0">nul && echo Windows NT
ver | findstr /L /C:"Microsoft Windows 2000 [Version 5.00.2195]">nul && echo Windows 2000
ver | findstr /L /C:"Microsoft Windows XP [Version 5.1.2600]">nul && echo Windows XP
ver | findstr /L /C:"Microsoft Windows [Version 5.2.3790]">nul && echo Windows Server 2003 or Windows XP x64
ver | findstr /L /C:"Microsoft Windows [Version 6.0.6000]">nul && echo Windows Vista
ver | findstr /L /C:"Microsoft Windows [Version 6.0.6001]">nul && echo Windows Vista SP1 or Windows Server 2008
ver | findstr /L /C:"Microsoft Windows [Version 6.0.6002]">nul && echo Windows Vista SP2 or Windows Server 2008 SP2
ver | findstr /L /C:"Microsoft Windows [Version 6.1.7600]">nul && echo Windows 7 or Windows Server 2008 R2
ver | findstr /L /C:"Microsoft Windows [Version 6.1.7601]">nul && echo Windows 7 SP1 or Windows Server 2008 R2 SP1
ver | findstr /L /C:"Microsoft Windows [Version 6.2.9200]">nul && echo Windows 8 or Windows Server 2012

rem Only an administrator (on Vista and later: an *elevated* one, because of
rem UAC) may create a directory below system32, so creating and removing a
rem scratch folder there is a cheap test for admin rights.
(mkdir "%windir%\system32\test" 2>nul && rmdir "%windir%\system32\test") || goto Error
echo User has admin rights
goto End

:Error
echo User has *NO* admin rights
goto End

:End
pause>nul
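The list of literal version strings above breaks with every new build and service pack. As an added example (not from the original post), the following script instead extracts major.minor.build from the "[Version x.y.z]" part of the ver output and compares numerically, and replaces the system32 write test with "net session", which only succeeds with an elevated administrator token. Nothing here depends on a particular machine; the only assumption is that ver prints the bracketed version, which every NT release since Windows 2000 does (on NT 4 the numbers stay at their 0 defaults).

```batch
@echo off
rem Added example, not from the original post.
setlocal
set "major=0" & set "minor=0" & set "build=0"

rem ver prints e.g. "Microsoft Windows [Version 6.1.7601]". Take the text
rem between the brackets, then split it on spaces and dots.
for /f "tokens=2 delims=[]" %%v in ('ver') do set "verstr=%%v"
for /f "tokens=2-4 delims=. " %%a in ("%verstr%") do (
    set "major=%%a" & set "minor=%%b" & set "build=%%c"
)
echo Version %major%.%minor%.%build%

rem NT 6.0 and later have UAC: a user can be in the Administrators group and
rem still run this script with a filtered, non-elevated token.
if %major% GEQ 6 (
    echo UAC-capable system: the test below reports elevation, not group membership
)

rem "net session" requires an elevated administrator token; anyone else gets
rem "Access is denied" (errorlevel 5). If the Server service is stopped the
rem call fails for everyone, so treat a failure on a server as "check manually".
net session >nul 2>&1
if errorlevel 1 (
    echo User has *NO* admin rights ^(or is not elevated^)
) else (
    echo User has admin rights ^(elevated^)
)
endlocal
```

Because the version is split into numbers, version-dependent branches become plain comparisons (`if %major% GEQ 6`), which also keeps working on Windows 10 and later where the bracket contains four components.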