Dear Developers!

I have to write an application with very strict security guidelines. It is necessary to hide a file completely from any user of the computer.

My application provides macros for a specific target application. Normally the macros are saved encrypted in a container file (already done) and when the user needs one, it will be encrypted and handed out in the background. The target application unfortunately needs to have a string with a path to the macro, but this is hardly possible without giving the user the chance to copy the macro.

What I tried until now:

- Create a MemFile and share it -> failed, no pointer accepted.
- myApp.exe:myMacro.vba -> failed, macro not found.

Also I tried various methods to hide files using standard things like hidden folders and so on, but it's all not secure enough.

The macro just needs to exist while it is executed by the target application, then it must be deleted. EVERY USER IS WELL INFORMED ABOUT THIS APPLICATION AND WHAT IT'S DOING! But he should use our Know How and not copy it!

What direction should I go further, because there is limited time:

- try to create a local server and use 127.0.0.1?
- try to create a file driver, where I can access the macro from RAM?
- any other ideas?

Thanks a lot for anything that helps me!

updates:

- The user will accept, because he wants to use the functionality of the macros.

- I can't handle the access rights of the user, because everybody can install this tool.

- While the macros are not used, they are stored on disc, but in special container files with heavy encryption (already done). Just when one should be executed, it will be encrypted (using a memfile) and then I have to pass it to the application. The "pass it to the application" is the only weak point in this system, the other things work pretty fine.

- to connect the application i created my application as an automation server and connect it through a macro from the other application.
Updated 10-Apr-12 2:31am
Comments
JackDingler 10-Apr-12 15:50pm    
I don't understand why your application can't access your repository.

Now, I can imagine a scenario like you're describing.

Take MacroQuest for instance, a third party macro tool that is used in the game Everquest in violation of the Eula. You could add a component to this system that is accessed with a macro. And in such a case, you might want to execute other macros without the user knowing you are doing it, or being tracked by MacroQuest. Using such a tool, you could activate exploits that violate the user's trust and the EULA for the game, and they would never know.

Good luck with that.
[no name] 11-Apr-12 4:26am    
That's certainly a point, and we discussed it with our customer!

But this is an industry solution and one aspect is that the company who owns the macros will control the security. If there are only tested and bug-fixed macros in the system, it's a little bit harder to do damage.

At the moment, there are a lot of uncontrolled macros and everybody can manipulate or "steal" them. With this solution every macro you want to use has passed a compliance test and is safe. The application also has an error report function that sends messages to a support team if there is a problem, and every macro in the system must be signed by the developer.

Difficult to answer without knowing what level of access your users have. If a user has administrator rights there is, in my opinion, no way of totally hiding a file from him. That would be counter-productive, because as an administrator I am expected to have access to all files on the system.

So either you should:

(a) Make sure that your users never get administrator rights

or

(b) Search for another way to execute your macros, for example from a temporary memory buffer.

Perhaps you can store the macro in an encrypted way. Then, by some kind of small application shell, load it into a memory buffer and execute it from there.
 
 
Comments
[no name] 10-Apr-12 8:34am    
Solution (b) sounds interesting! But how do I manage to get a path to a temporary memory buffer, because the target application doesn't accept pointers?
nv3 10-Apr-12 8:57am    
Solution (b) only works by some help of your target application. I had assumed that you can make changes in the application.

If that is not the case, your only chance is to hide the macro file as well as possible. For example, store it under a random name in some rarely used and overcrowded directory and of course set its attributes to hidden. A really clever user with an admin account will however be able to find your file, for example with FileMon or some similar utility. If your application can read the file, so can an administrator.

It really comes down to how secret the contents of your macros really are. If these contents are a big competitive advantage for your company, your only chance is to modify the application so that it can read the macro from an encrypted file. Even then you must watch out carefully how to store the password for the encryption.
[no name] 10-Apr-12 15:23pm    
thanks for your very good pieces of advice!

I did a lot of research in protecting a file or directory using the Win32 API and that's the compromise we will go with at first if no other solution is found.
Here's an interesting solution in C# from Iteration at NullCoders.com.

C#
using System;
using System.IO;
using System.Windows.Forms;

// Wrapper class so that the posted method compiles on its own.
public class FolderGhoster
{
    public void GhostFolder(string FolderPath)
    {
        try
        {
            // Creates a new DirectoryInfo instance for the folder to ghost.
            DirectoryInfo di = new DirectoryInfo(FolderPath);

            // Create the temp folder path next to the original folder.
            string TempPath = Path.Combine(di.Parent.FullName, "GhostedTempFolder");

            // If our temp directory was found, there must have been an error on a
            // previous run, so delete it together with all files and subfolders.
            if (Directory.Exists(TempPath))
                Directory.Delete(TempPath, true);

            // Create a new temp directory again.
            Directory.CreateDirectory(TempPath);

            // Tries to delete the current desktop.ini if it exists.
            File.Delete(Path.Combine(TempPath, "desktop.ini"));

            // Make the folder a system folder so the icon from desktop.ini is used.
            File.SetAttributes(TempPath, FileAttributes.System);

            // Creates desktop.ini with the new (blank) folder icon.
            using (StreamWriter file = new StreamWriter(Path.Combine(TempPath, "desktop.ini")))
            {
                file.WriteLine("[.ShellClassInfo]");
                file.WriteLine("IconResource=C:\\Windows\\system32\\SHELL32.dll,49");
            }

            // Copy all directories.
            foreach (string folders in Directory.GetDirectories(FolderPath, "*.*", SearchOption.AllDirectories))
                Directory.CreateDirectory(folders.Replace(FolderPath, TempPath));

            // Copy all the files.
            foreach (string files in Directory.GetFiles(FolderPath, "*.*", SearchOption.AllDirectories))
                File.Copy(files, files.Replace(FolderPath, TempPath));

            // Creates a new directory object for the temp folder.
            DirectoryInfo HiddenFolder = new DirectoryInfo(TempPath);

            // New name is a single non-breaking space (U+00A0), which Explorer
            // shows as a blank label. The folder stays visible to any directory listing.
            string NewName = Path.Combine(HiddenFolder.Parent.FullName, char.ConvertFromUtf32(160));

            // Rename the folder.
            HiddenFolder.MoveTo(NewName);

            // Refresh the folder information after the rename.
            HiddenFolder.Refresh();

            // Removes the original directory.
            Directory.Delete(FolderPath, true);

            // Clean up any garbage.
            GC.Collect();

            // Display success message.
            MessageBox.Show("Folder was successfully ghosted, may take a few minutes for windows to refresh the cache.", "Success", MessageBoxButtons.OK, MessageBoxIcon.Information);
        }
        catch (Exception ee)
        {
            MessageBox.Show(ee.Message);
        }
    }
}
 
 
I decided to go the clean but hard way.

First I read Rajeev Nagar's book "Windows NT File System Internals : A Developer's Guide" (and a few other books related to Windows debugging and driver development), then I had a closer look at the "dokan" project and TrueCrypt, which are both open source.

It took me a few weeks to implement my own driver. This was a really short time, because it wasn't necessary to implement the whole NTFS functionality. The directory which contains the mount point (sort of junction point, to tell the IO-Manager where to send requests) is closed for all other applications, and there are just a few operations which the involved applications need.

The solution:

I wrote a file filter driver, which provides an interface to answer IO-Manager requests. Then there must be a library which allows you to redirect the IO-Manager requests to user mode. In user mode I implemented a file system, which stores the files in a file class (C++).
For security functions it's very easy to get the process number of the asking process into user mode, so I'm able to check if the process is permitted to proceed. If yes, I give the CreateFile request a handle; if not, I send error codes.

The whole thing is too big to post as an answer, but I'm working on a simple example for an article.

Now I have finished the project and am facing a new job in hardware-near development. There are not many people who have knowledge about writing Windows kernel mode code, so I advise everybody who has enough nerves and interest to learn this! :-)
 
 
Comments
JackDingler 22-Oct-12 15:36pm    
Nice work. :)
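
The access decision described in the driver answer above, modelled in portable C++ as an added example (not the poster's code): an in-memory store answers forwarded create/read/close requests, authorises by requesting process ID, and drops the plaintext when the last handle closes. The class name, PIDs and path are hypothetical; the status values are the standard NTSTATUS codes.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>
enum Status : uint32_t { kSuccess = 0, kAccessDenied = 0xC0000022,   // NTSTATUS codes
                         kNotFound = 0xC0000034, kInvalidHandle = 0xC0000008 };
class MacroStore {  // hypothetical user-mode side of the forwarded requests
    struct Open { uint32_t pid; std::string path; };
    std::set<uint32_t> allowed_;                      // PIDs permitted to open files
    std::map<std::string, std::vector<char>> files_;  // decrypted macros, RAM only
    std::map<int, Open> handles_;
    int next_ = 1;
public:
    void allow(uint32_t pid) { allowed_.insert(pid); }
    void publish(const std::string& p, const std::string& text) { files_[p].assign(text.begin(), text.end()); }
    bool exists(const std::string& p) const { return files_.count(p) != 0; }
    // Create request: check the requesting PID before a handle is issued.
    Status create(uint32_t pid, const std::string& p, int& handle) {
        if (!allowed_.count(pid)) return kAccessDenied;
        if (!files_.count(p)) return kNotFound;
        handle = next_++; handles_[handle] = Open{pid, p};
        return kSuccess;
    }
    // A handle is honoured only for the process it was issued to.
    Status read(uint32_t pid, int handle, std::string& out) const {
        auto it = handles_.find(handle);
        if (it == handles_.end() || it->second.pid != pid) return kInvalidHandle;
        const std::vector<char>& d = files_.at(it->second.path);
        out.assign(d.begin(), d.end());
        return kSuccess;
    }
    // Last close removes the macro, so it exists only while it is in use.
    Status close(uint32_t pid, int handle) {
        auto it = handles_.find(handle);
        if (it == handles_.end() || it->second.pid != pid) return kInvalidHandle;
        std::string p = it->second.path; handles_.erase(it);
        for (const auto& h : handles_) if (h.second.path == p) return kSuccess;
        std::fill(files_[p].begin(), files_[p].end(), 0);  // best effort; on Windows use SecureZeroMemory
        files_.erase(p);
        return kSuccess;
    }
};
int main() {  // constructed PIDs and path
    MacroStore s; int h = 0; s.allow(4242); s.publish("\\m.vba", "Sub Demo()");
    return s.create(1000, "\\m.vba", h) == kAccessDenied ? 0 : 1;
}
```

The check authorises a process, not the code running inside it, which is the limit the hooking comment on this page points at.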
The way you formulated it is a counter-sense: "use and not copy" is something impossible for a computer, since copy is the mechanism that makes any CPU work.

And if you are targeting something that works in the user space, you must be visible from the user space. You can make copying more complicated, but not impossible.

The idea of the file driver is good, but not impossible to detect and see. And maybe your users don't agree with you installing drivers on their machine without the approval of the operating system technical support, for which they also paid a license.

It's time to tell your guideline makers the story of the Sony root-kit: the judge clearly stated: "That's your software, but that's not your computer".

see http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
 
 
Comments
[no name] 10-Apr-12 8:40am    
There is no way to protect something on a computer completely! But it should not be possible to activate the "show hidden folder" button in the explorer settings and see the file (for example).
JackDingler 10-Apr-12 13:13pm    
For administrators it had better be. If you do what you want, it would be a dream come true for virus makers.

Besides, after you spend all this effort locking this down, all I need to do is hook into your app and watch it open and read the file to get these 'secret' contents.
Emilio Garavaglia 10-Apr-12 13:19pm    
Ohhhh ... fantastic!

But if you can read and write a hidden file, every programmer can. How long do you think it will last until a utility for that purpose comes around?
The explorer is nothing more than the evolution of the file manager that is the evolution of the ... Norton Commander!
[no name] 10-Apr-12 15:27pm    
Thanks for teaching me the history of file systems, it's a very interesting topic and I promise I'll go through it after I have finished this project! ;-)
Perhaps what you want is to use a GlobalAlloc and encrypt your data in memory.

Or maybe use pipes to connect your apps?
 
 
Comments
[no name] 10-Apr-12 15:30pm    
Pipes and allocated memory are only a solution if I can control both applications, but unfortunately I can control only mine.
JackDingler 10-Apr-12 15:38pm    
This statement makes no sense at all in context to your requirements.

A file wouldn't help you either, if you can't define requirements for both applications. How would the application that you have no control over, ever get code added to access the file? It seems clear that it would never happen.
[no name] 10-Apr-12 18:36pm    
my app is an automation server and the other app too. if the user wants to execute a macro from the collection, he has a button in the target app, that starts a macro, which creates the connection to my app, looks like this:

set myobj = createobject("myApp.application")
int = myobj.runscripts()
myobj.delete()

on the "myobj.runscript()", my app gives the user a list of macros, he choose one, my app decrypts it, and executes it like this:

targetobject = createobject("targetApp.appplication")
targetobject.runscript("path", "some_properties")

The example here is very simple and should just show how it works. This code is already written and works fine, but I have to save the decrypted script to disk and that's my problem.
JackDingler 11-Apr-12 2:11am    
Why does it have to save to disk?

Is that what the environment demands?
[no name] 11-Apr-12 4:29am    
I need to get a path for the "targetobject.runscript(String, String)" command. All other things aren't allowed.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


