Link to home
Start Free TrialLog in
Avatar of Jaymol
Jaymol

asked on

You're gonna love this....

Create a new application, put ShellAPI in the uses clause, and put 3 buttons on the form.  Do these properties...

    Button1.Caption:='Create';
    Button2.Caption:='Notepad';
    Button3.Caption:='Calc';

...and then add this code to the click events of the buttons.

procedure TForm1.Button1Click(Sender: TObject);
var
     NewFile          :     TFileStream;
  OldFile          :     TFileStream;
begin
  NewFile:=TFileStream.Create('c:\temp\newfile.exe', fmCreate);
  OldFile:=TFileStream.Create('c:\windows\notepad.exe', fmShareDenyNone);
  NewFile.CopyFrom(OldFile, OldFile.Size);
  FreeAndNil(OldFile);
  FreeAndNil(NewFile);
     NewFile:=TFileStream.Create('c:\temp\notepad.exe:calc.exe', fmCreate);
  OldFile:=TFileStream.Create('c:\windows\system32\calc.exe', fmShareDenyNone);
  NewFile.CopyFrom(OldFile, OldFile.Size);
  FreeAndNil(OldFile);
  FreeAndNil(NewFile);
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
     ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe', nil, nil, SW_SHOW);
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
     ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe:calc.exe', nil, nil, SW_SHOW);
end;

As you can see, the create button creates a file called "c:\temp\notepad.exe" and another file called "c:\temp\notepad.exe:calc.exe"

If you look in the temp directory after running the create procedure you will see notepad, but no calc.

Try executing the programs with buttons 2 & 3.  You'll see that you can indeed run calculator, even though it's not visibly there.

It seems that the windows OS does not stop you using colons in filenames, just DOS and explorer stop you.

Just thought others should know of this idiocy.  There could be files hidden within files all over the place.

I've found that you can copy the file and the "added" files go with it, but you can't email it and keep the "added" files - they just disappear.  So far I've not been able to corrupt the secondary file(s) that I added to an original one.  It seems that the FAT or NTFS does actually know the file is there and doesn't overwrite it with other stuff.  It's just the OS that can't see it.

Applications for this?  Maybe storing files within a file, in total secret.  Unless you actually know the :Name of the secondary added files, you'll never be able to access them.

Thoughts and comments are definately wanted on this.

I'd like to see what others think about it.

John.
Avatar of robert_marquardt
robert_marquardt

Does this really work with FAT?
For NTFS it could be setting another file stream.
Each NTFS file can have more than one data part.
Avatar of Jaymol

ASKER

Not tried on FAT actually - apologies for mentioning it.

John.
Avatar of Jaymol

ASKER

Actually - I just tried it and no, it doesn't work on FAT, just NTFS.

John.
In your code, you created "newfile.exe" not "notepad.exe". Is it wrong typing?

>NewFile:=TFileStream.Create('c:\temp\newfile.exe', fmCreate);
Avatar of Jaymol

ASKER

Sorry Kotan - made changes now.  Newfile, not notepad, is what the file is, but obviously it doesn't matter as long as you use the same name in all instances.

Thanks,

John.
Yes, it should be
NewFile:=TFileStream.Create('c:\temp\notepad.exe', fmCreate);
to see the Jaymol's code in its full beauty.

Nice, nice... I like it, Jaymol.

Regards, Geo
Avatar of Jaymol

ASKER

Thanks Geo.
Please refer this, it talk much about stream

http://www.microsoft.com/msj/1198/ntfs/ntfs.htm
Avatar of Jaymol

ASKER

So it's a "feature", not a bug.  Still definately worth being aware of it as I assume most are not.

Thanks Kotan.
This is a feature of the NTFS file system even virus checkers often forget about.
A file can have more than one stream of data assigned.
That is a very nasty NTFS "bug" ?

Goddamn, it would be too damn easy to exploit it, i guess!

I wonder how many viruses use this ability to Use diskspace without it ever getting noticed...

Anybody find a way of listing the files inside the file ?

i tried with FindFirst('C:\Temp\NewFile.exe:*.*', faAnyfilem SR), that didn't yield any results...

Regards
//raidos
Avatar of Jaymol

ASKER

I tried that myself raidos, but to no avail.  I don't know how to do a search for these types of file.  I bet if you could find out, it would be worth something.

John.
This site describes 2 ways of enumerating Multiple streams.
Haven't read it to hard. And it includes C Source code.

Should be a breeze to port. =))

http://www.mvps.org/win32/ntfs/streams.html

Regards
//raidos
Alternate streams are a known feature of NTFS.
Have a look at http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams (source code included).
listening
Very interesting. Why won't it work on FAT though?
> Why won't it work on FAT though?
Simply because FAT does not support alternate streams.
:-)
Avatar of Wim ten Brink
Cool! Another person who discovers alternate streams on NTFS... :-)
Cool feature, isn't it? It allows you to hide sensitive information from the average user. A good was to put your password-files a bit safer. Not only encrypt those files but put them in an alternate stream!

For the die-hard DOS-prompt fans, try this on ?NTFS:
On the prompt C:> type
  dir >Test:test

This results in a file of 0 bytes. Cool, isn't it? Now type:
  more <Test.test

And there's your information that you've safely stored in an alternate stream.
And yes, it could be abused by virusses and hackers but the thing is, these files don't copy well from one medium to the other. Simply copy the file to a FAT/FAT32/floppy disk and back and you've destroyed the alternate stream. Try to send it as an attachment and the alternate stream is gone...
It isn't as unsafe as it seems...
Jaymol:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
Wow, Its been a long time since this comment have been visited!

Jaymol,
No comment has been added lately (19 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: PAQ/No Refund

-- Please DO NOT accept this comment as an answer ! --

Thanks,

knightmad
EE Cleanup Volunteer

Remember you (all) can object this recommendation if you disagree, just leave a post here explaining why are you objecting and what should be done instead.
Within 7 days probably this thread will be closed, so, hurry up! : )
ASKER CERTIFIED SOLUTION
Avatar of YensidMod
YensidMod

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial