Solved

You're gonna love this....

Posted on 2002-03-20
Last Modified: 2010-04-05
Create a new application, put ShellAPI in the uses clause, and put 3 buttons on the form.  Do these properties...

    Button1.Caption:='Create';
    Button2.Caption:='Notepad';
    Button3.Caption:='Calc';

...and then add this code to the click events of the buttons.

procedure TForm1.Button1Click(Sender: TObject);
var
  NewFile: TFileStream;
  OldFile: TFileStream;
begin
  // Copy Notepad into the default (visible) stream of c:\temp\newfile.exe.
  NewFile := TFileStream.Create('c:\temp\newfile.exe', fmCreate);
  OldFile := TFileStream.Create('c:\windows\notepad.exe', fmOpenRead or fmShareDenyNone);
  NewFile.CopyFrom(OldFile, OldFile.Size);
  FreeAndNil(OldFile);
  FreeAndNil(NewFile);
  // Copy Calculator into a second stream of the same file, named "calc.exe".
  // The name before the colon must match the file created above.
  NewFile := TFileStream.Create('c:\temp\newfile.exe:calc.exe', fmCreate);
  OldFile := TFileStream.Create('c:\windows\system32\calc.exe', fmOpenRead or fmShareDenyNone);
  NewFile.CopyFrom(OldFile, OldFile.Size);
  FreeAndNil(OldFile);
  FreeAndNil(NewFile);
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
  // Runs the default stream (the Notepad copy).
  ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe', nil, nil, SW_SHOW);
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
  // Runs the "calc.exe" stream attached to the same file.
  ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe:calc.exe', nil, nil, SW_SHOW);
end;

As you can see, the create button creates a file called "c:\temp\notepad.exe" and another file called "c:\temp\notepad.exe:calc.exe"

If you look in the temp directory after running the create procedure you will see notepad, but no calc.

Try executing the programs with buttons 2 & 3.  You'll see that you can indeed run calculator, even though it's not visibly there.

It seems that the Windows OS does not stop you using colons in filenames, just DOS and Explorer stop you.

Just thought others should know of this idiocy.  There could be files hidden within files all over the place.

I've found that you can copy the file and the "added" files go with it, but you can't email it and keep the "added" files - they just disappear.  So far I've not been able to corrupt the secondary file(s) that I added to an original one.  It seems that the FAT or NTFS does actually know the file is there and doesn't overwrite it with other stuff.  It's just the OS that can't see it.

Applications for this?  Maybe storing files within a file, in total secret.  Unless you actually know the :Name of the secondary added files, you'll never be able to access them.

Thoughts and comments are definitely wanted on this.

I'd like to see what others think about it.

John.
0
Comment
Question by:Jaymol
22 Comments
 
LVL 11

Expert Comment

by:robert_marquardt
ID: 6882016
Does this really work with FAT?
For NTFS it could be setting another file stream.
Each NTFS file can have more than one data part.
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882022
Not tried on FAT actually - apologies for mentioning it.

John.
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882029
Actually - I just tried it and no, it doesn't work on FAT, just NTFS.

John.
0
 
LVL 6

Expert Comment

by:kotan
ID: 6882032
In your code, you created "newfile.exe" not "notepad.exe". Is it a typo?

>NewFile:=TFileStream.Create('c:\temp\newfile.exe', fmCreate);
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882040
Sorry Kotan - made changes now.  Newfile, not notepad, is what the file is, but obviously it doesn't matter as long as you use the same name in all instances.

Thanks,

John.
0
 
LVL 17

Expert Comment

by:geobul
ID: 6882044
Yes, it should be
NewFile:=TFileStream.Create('c:\temp\notepad.exe', fmCreate);
to see Jaymol's code in its full beauty.

Nice, nice... I like it, Jaymol.

Regards, Geo
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882048
Thanks Geo.
0
 
LVL 6

Expert Comment

by:kotan
ID: 6882090
Please refer to this; it talks a lot about streams.

http://www.microsoft.com/msj/1198/ntfs/ntfs.htm
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882098
So it's a "feature", not a bug.  Still definitely worth being aware of it as I assume most are not.

Thanks Kotan.
0
 
LVL 11

Expert Comment

by:robert_marquardt
ID: 6882130
This is a feature of the NTFS file system even virus checkers often forget about.
A file can have more than one stream of data assigned.
0
 
LVL 3

Expert Comment

by:raidos
ID: 6882136
That is a very nasty NTFS "bug" ?

Goddamn, it would be too damn easy to exploit it, I guess!

I wonder how many viruses use this ability to use disk space without it ever getting noticed...

Anybody find a way of listing the files inside the file?

I tried with FindFirst('C:\Temp\NewFile.exe:*.*', faAnyFile, SR), that didn't yield any results...

Regards
//raidos
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882147
I tried that myself raidos, but to no avail.  I don't know how to do a search for these types of file.  I bet if you could find out, it would be worth something.

John.
0
 
LVL 3

Expert Comment

by:raidos
ID: 6882173
This site describes 2 ways of enumerating Multiple streams.
Haven't read it too hard. And it includes C source code.

Should be a breeze to port. =))

http://www.mvps.org/win32/ntfs/streams.html

Regards
//raidos
0
 
LVL 8

Expert Comment

by:TOndrej
ID: 6882223
Alternate streams are a known feature of NTFS.
Have a look at http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams (source code included).
0
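The thread asks how to list the streams attached to a file. As an added example (not part of any post here and not the code at the links above), the PowerShell function below walks a directory on an NTFS volume, reports every stream other than the default one, and flags streams whose content starts with an executable (MZ) header. The function name `Find-AlternateStream` and the ignore list are assumptions made for this example; `C:\temp` is the directory used in the question.

```powershell
# Added example: enumerate alternate data streams below a directory (NTFS only).
# Requires PowerShell 3.0 or later for Get-Item -Stream.
function Find-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams that Windows attaches itself (the download marker) are skipped by default.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )

    # Windows PowerShell reads raw bytes with -Encoding Byte; PowerShell 6+ uses -AsByteStream.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) {
        @{ AsByteStream = $true }
    } else {
        @{ Encoding = 'Byte' }
    }

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # ':$DATA' is the default stream, i.e. the file content everyone can see.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStream } |
                ForEach-Object {
                    # Read only the first two bytes of the stream to test for 'MZ'.
                    $head = @(Get-Content -LiteralPath $file -Stream $_.Stream `
                                  -TotalCount 2 @byteArgs -ErrorAction SilentlyContinue)
                    [pscustomobject]@{
                        File       = $file
                        Stream     = $_.Stream
                        Length     = $_.Length
                        Executable = ($head.Count -eq 2 -and
                                      $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Run against the directory from the question; executable streams are listed first.
Find-AlternateStream -Path 'C:\temp' |
    Sort-Object Executable -Descending |
    Format-Table -AutoSize
```

After the Create button from the question has been clicked, the output should contain a row for `newfile.exe` with stream `calc.exe` and `Executable` set to `True`.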
 
LVL 9

Expert Comment

by:ginsonic
ID: 6882278
listening
0
 

Expert Comment

by:DelFreak
ID: 6883189
Very interesting. Why won't it work on FAT though?
0
 
LVL 8

Expert Comment

by:TOndrej
ID: 6883276
> Why won't it work on FAT though?
Simply because FAT does not support alternate streams.
0
 
LVL 5

Expert Comment

by:Gwena
ID: 6884084
:-)
0
 
LVL 17

Expert Comment

by:Wim ten Brink
ID: 6896342
Cool! Another person who discovers alternate streams on NTFS... :-)
Cool feature, isn't it? It allows you to hide sensitive information from the average user. A good way to keep your password files a bit safer. Not only encrypt those files but put them in an alternate stream!

For the die-hard DOS-prompt fans, try this on NTFS:
At the prompt C:\> type
  dir >Test:test

This results in a file of 0 bytes. Cool, isn't it? Now type:
  more <Test:test

And there's your information that you've safely stored in an alternate stream.
And yes, it could be abused by viruses and hackers but the thing is, these files don't copy well from one medium to the other. Simply copy the file to a FAT/FAT32/floppy disk and back and you've destroyed the alternate stream. Try to send it as an attachment and the alternate stream is gone...
It isn't as unsafe as it seems...
0
 

Expert Comment

by:CleanupPing
ID: 9343242
Jaymol:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 7

Expert Comment

by:knightmad
ID: 9470940
Wow, it's been a long time since this comment has been visited!

Jaymol,
No comment has been added lately (19 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: PAQ/No Refund

-- Please DO NOT accept this comment as an answer ! --

Thanks,

knightmad
EE Cleanup Volunteer

Remember you (all) can object to this recommendation if you disagree, just leave a post here explaining why you are objecting and what should be done instead.
Within 7 days probably this thread will be closed, so, hurry up! : )
0
 

Accepted Solution

by:
YensidMod earned 0 total points
ID: 9536883
This question is PAQed and no points refunded (of 0)

YensidMod
Community Support Moderator
0
