Posted 12 Jun 2014
Licenced BSD

Target Eye Revealed part 6 - File Hiding

Michael Haephrati, 15 Jun 2014
Target Eye uses an outdated approach for hiding files, and yet it has recently become practical.


This article is the sixth and last in a series about the Target Eye Monitoring System, developed from 2000 until 2010, when it was discontinued.

  1. The first article was about Target Eye's Auto Update mechanism: how it checks for updates, downloads them when available, installs them and runs them in place of the version currently running, all with no end-user intervention.
  2. The second article was about Target Eye's screen capturing mechanism, and how compact JPG files are created that combine reasonable image quality with a small footprint.
  3. The third article was about the Shopping List mechanism.
  4. The fourth article was about keyboard capturing.
  5. The fifth article dealt with the packaging used to let our Secret Agent in. In other words, how Target Eye can be wrapped in what we refer to as a "cover story".

About this article

This article explains how and when files are hidden, and how to reveal these hidden files. Target Eye uses a simple mechanism to hide files, but the trick works on most Windows users because the option to reveal these files is not part of the default File Explorer user interface: even if "Show Hidden Items" is checked, the Target Eye hidden files will not be revealed.

Target Eye's TEHideFile() Function

The TEHideFile() function is used to hide and unhide files, and also to change the size of a given file to a random size, making the file harder to sample and detect.

In the Target Eye 2005 source code, the function is defined as follows:

BOOL TEHideFile(CString FileName,BOOL Hide,BOOL RandomSize)

FileName = the full path and name of the file

Hide = tells the function whether to hide or reveal the file

RandomSize = tells the function whether to add "garbage" data to the file (without affecting the way it functions) whilst changing its size to a larger one.

How the Target Eye files become hidden

Target Eye uses what seems to be an old-fashioned approach. Instead of using kernel-level (SSDT manipulation) or user-level global hooking, it just creates a similar file marked as a system file. Such an approach was useful in the old days of Windows XP. However, testing it under Windows 7 and 8 shows that the hidden files are indeed hidden, even when the "Hidden Items" checkbox is checked.

The following screenshot illustrates the "Hidden Items" checkbox:

As you can see, with the Windows 7 and 8 user interface it is not straightforward even to realize that there are additional system files which are hidden, even after checking "View Hidden Items". It is common sense to assume that after checking this checkbox, ALL files will be visible.

That is not the case with the Target Eye hidden files. These will not be visible even when this option is checked.

That creates an opportunity to hide files reasonably well from most users without using any sort of hooks or kernel-level manipulation.

How can these System Files be shown after all?

Well, here is exactly how.

1. Open the Folder Options dialog, which you can find through search. In Windows 8 search, search "All" and not only "Files", type "Show Hidden Folders" and press Enter.

2. The Folder Options dialog will be shown:

Uncheck "Hide protected operating system files" and then press "Yes" when the warning below appears.

Only then will you be able to see the Target Eye hidden files.


The TEHideFile() source code


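// TEHideFile
BOOL TEHideFile(CString FileName,BOOL Hide,BOOL RandomSize)
{
    // Note: statements missing from the published listing are filled in from its step comments
    HANDLE g_hCapFile;    // Handle to file
    DWORD dwBytes;        // number of bytes read from or written to the file
    ULONG FileLen;        // length of the file
    FileLen=GetFileLen(FileName);    // Getting the file length
    if(FileLen==0) return(FALSE);    // If file is empty, quitting
    // Reading file
    g_hCapFile=CreateFile((LPCTSTR)FileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    if(g_hCapFile==INVALID_HANDLE_VALUE) return(FALSE);    // Error: file doesn't exist
    // Allocating a buffer to hold the file
    char *buffer=(char *)malloc(FileLen);
    if(buffer==NULL) { CloseHandle(g_hCapFile); return(FALSE); }
    // Read the file into the buffer
    BOOL ok=ReadFile(g_hCapFile,buffer,FileLen,&dwBytes,NULL) && dwBytes==FileLen;
    // Closing the file
    CloseHandle(g_hCapFile);
    if(!ok) { free(buffer); return(FALSE); }
    // Deleting the file
    DeleteFile((LPCTSTR)FileName);
    // If "Hide" is true, creating a new file using FILE_ATTRIBUTE_SYSTEM and FILE_ATTRIBUTE_HIDDEN attributes
    if(Hide)
        g_hCapFile=CreateFile((LPCTSTR)FileName,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN,NULL);
    // if "Hide" is false, creating a "normal" file
    else
        g_hCapFile=CreateFile((LPCTSTR)FileName,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
    if(g_hCapFile==INVALID_HANDLE_VALUE) { free(buffer); return(FALSE); }    // Error: can't create the new file
    // Purging the contents of the buffer into the new file
    ok=WriteFile(g_hCapFile,buffer,FileLen,&dwBytes,NULL);
    free(buffer);
    if(!ok) { CloseHandle(g_hCapFile); return(FALSE); }    // Error: can't write to the new file
    // If RandomSize is true, appending a random number of "garbage" bytes to the new file
    if(RandomSize)
    {
        int x;
        char *temp;
        x=(int)((double)rand()/(double )RAND_MAX*8630.0)+3201;    // Creating a random size which is at least 3201 bytes
        temp=(char *)malloc(x);    // allocating memory
        if(temp!=NULL)
        {
            int i;
            // Filling the buffer with random ("garbage") data
            for(i=0;i<x;i++) *(temp+i)=(int)((double)rand()/(double )RAND_MAX*((int)'z'-(int)'a'+1))+(int)'a';
            // Appending the buffer to the end of the file
            WriteFile(g_hCapFile,temp,x,&dwBytes,NULL);
            free(temp);
        }
    }
    CloseHandle(g_hCapFile);
    return(TRUE);
}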

I have written GetFileLen() to make it easier to measure a size of a given file:

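ULONG GetFileLen(CString FileName)
{
    DWORD dwBytes;
    HANDLE g_hCapFile;
    if(FileName=="") return(0);
    g_hCapFile=CreateFile((LPCTSTR)FileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    if(g_hCapFile==INVALID_HANDLE_VALUE) return(0);    // file can't be opened
    dwBytes=GetFileSize(g_hCapFile,NULL);
    CloseHandle(g_hCapFile);
    return(dwBytes==INVALID_FILE_SIZE ? 0 : (ULONG)dwBytes);
}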
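
The two artefacts TEHideFile() leaves on disk can be checked for directly. The triage script below is an added example, not part of the Target Eye source: it flags files carrying both the Hidden and System attributes, and files that end in a run of at least 3201 bytes drawn from the padding alphabet in the listing. The function names and the 64 KiB tail window are assumptions of this example.

```python
import os
import stat

# Values read off the TEHideFile() listing: the pad is 3201..11831 bytes long,
# each byte 'a'..'z' (the listing's rounding can also produce '{').
PAD_MIN = 3201
PAD_BYTES = frozenset(range(ord("a"), ord("{") + 1))
SUPER_HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
TAIL_WINDOW = 64 * 1024          # assumption: how much of the file end to read


def trailing_pad_len(data: bytes) -> int:
    """Length of the run of pad-alphabet bytes at the very end of data."""
    n = 0
    for b in reversed(data):
        if b not in PAD_BYTES:
            break
        n += 1
    return n


def triage(attrs: int, tail: bytes) -> list:
    """Reasons a file matches the hiding/padding behaviour, weakest first."""
    reasons = []
    if (attrs & SUPER_HIDDEN) == SUPER_HIDDEN:
        reasons.append("hidden+system")      # also true of desktop.ini etc.
    pad = trailing_pad_len(tail)
    if pad >= PAD_MIN:                       # repeated calls only grow the pad
        reasons.append(f"letter-tail:{pad}")
    return reasons


def scan(root: str):
    """Yield (path, reasons) under root; attributes are only read on Windows."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    fh.seek(max(0, st.st_size - TAIL_WINDOW))
                    tail = fh.read()
            except OSError:
                continue                      # locked or unreadable file
            reasons = triage(getattr(st, "st_file_attributes", 0), tail)
            if reasons:
                yield path, reasons


if __name__ == "__main__":
    for path, reasons in scan(os.getcwd()):
        print(path, ", ".join(reasons))
```

The attribute hit alone is weak evidence, since Windows itself marks many files Hidden and System; the two reasons together on an executable are the combination worth a closer look.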

What about global API hooking?

To learn about Global API Hooking I recommend reading the excellent article by ApriorIT: Easy way to set up global API hooks. If you are interested in kernel-level hiding, that can be done using drivers. There are several techniques, among them SSDT/IDT table manipulation. See this article for example or read this one about the SSDT.

 Michael Haephrati CodeProject MVP 2013   

©2000-2010 Target Eye LTD (UK) 


All materials contained on this article are protected by International copyright law and may not be used, reproduced, distributed, transmitted, displayed, published or broadcast without the prior written permission given by Target Eye LTD (UK). You may not alter or remove any trademark, copyright or other notice from copies of the content.


This article, along with any associated source code and files, is licensed under The BSD License


About the Author

Michael Haephrati
CEO Secured Globe, Inc.
United States
Michael Haephrati, CEO and co-founder of Secured Globe, Inc. Worked on many ventures starting from HarmonySoft, designing Rashumon, the first Graphical Multi-lingual word processor for Amiga computer. During 1995-1996 he worked as a Contractor with Apple at Cupertino.

Last Updated 15 Jun 2014
Article Copyright 2014 by Michael Haephrati