Solved

You're gonna love this....

Posted on 2002-03-20
22
309 Views
Last Modified: 2010-04-05
Create a new application, put ShellAPI in the uses clause, and put 3 buttons on the form.  Do these properties...

    Button1.Caption:='Create';
    Button2.Caption:='Notepad';
    Button3.Caption:='Calc';

...and then add this code to the click events of the buttons.

procedure TForm1.Button1Click(Sender: TObject);
var
     NewFile          :     TFileStream;
  OldFile          :     TFileStream;
begin
  NewFile:=TFileStream.Create('c:\temp\newfile.exe', fmCreate);
  OldFile:=TFileStream.Create('c:\windows\notepad.exe', fmShareDenyNone);
  NewFile.CopyFrom(OldFile, OldFile.Size);
  FreeAndNil(OldFile);
  FreeAndNil(NewFile);
     NewFile:=TFileStream.Create('c:\temp\notepad.exe:calc.exe', fmCreate);
  OldFile:=TFileStream.Create('c:\windows\system32\calc.exe', fmShareDenyNone);
  NewFile.CopyFrom(OldFile, OldFile.Size);
  FreeAndNil(OldFile);
  FreeAndNil(NewFile);
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
     ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe', nil, nil, SW_SHOW);
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
     ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe:calc.exe', nil, nil, SW_SHOW);
end;

As you can see, the create button creates a file called "c:\temp\notepad.exe" and another file called "c:\temp\notepad.exe:calc.exe"

If you look in the temp directory after running the create procedure you will see notepad, but no calc.

Try executing the programs with buttons 2 & 3.  You'll see that you can indeed run calculator, even though it's not visibly there.

It seems that the windows OS does not stop you using colons in filenames, just DOS and explorer stop you.

Just thought others should know of this idiocy.  There could be files hidden within files all over the place.

I've found that you can copy the file and the "added" files go with it, but you can't email it and keep the "added" files - they just disappear.  So far I've not been able to corrupt the secondary file(s) that I added to an original one.  It seems that the FAT or NTFS does actually know the file is there and doesn't overwrite it with other stuff.  It's just the OS that can't see it.

Applications for this?  Maybe storing files within a file, in total secret.  Unless you actually know the :Name of the secondary added files, you'll never be able to access them.

Thoughts and comments are definately wanted on this.

I'd like to see what others think about it.

John.
0
Comment
Question by:Jaymol
22 Comments
 
LVL 11

Expert Comment

by:robert_marquardt
ID: 6882016
Does this really work with FAT?
For NTFS it could be setting another file stream.
Each NTFS file can have more than one data part.
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882022
Not tried on FAT actually - apologies for mentioning it.

John.
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882029
Actually - I just tried it and no, it doesn't work on FAT, just NTFS.

John.
0
 
LVL 6

Expert Comment

by:kotan
ID: 6882032
In your code, you created "newfile.exe" not "notepad.exe". Is it wrong typing?

>NewFile:=TFileStream.Create('c:\temp\newfile.exe', fmCreate);
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882040
Sorry Kotan - made changes now.  Newfile, not notepad, is what the file is, but obviously it doesn't matter as long as you use the same name in all instances.

Thanks,

John.
0
 
LVL 17

Expert Comment

by:geobul
ID: 6882044
Yes, it should be
NewFile:=TFileStream.Create('c:\temp\notepad.exe', fmCreate);
to see the Jaymol's code in its full beauty.

Nice, nice... I like it, Jaymol.

Regards, Geo
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882048
Thanks Geo.
0
 
LVL 6

Expert Comment

by:kotan
ID: 6882090
Please refer this, it talk much about stream

http://www.microsoft.com/msj/1198/ntfs/ntfs.htm
0
 
LVL 6

Author Comment

by:Jaymol
ID: 6882098
So it's a "feature", not a bug.  Still definately worth being aware of it as I assume most are not.

Thanks Kotan.
0
 
LVL 11

Expert Comment

by:robert_marquardt
ID: 6882130
This is a feature of the NTFS file system even virus checkers often forget about.
A file can have more than one stream of data assigned.
0
 
LVL 3

Expert Comment

by:raidos
ID: 6882136
That is a very nasty NTFS "bug" ?

Goddamn, it would be too damn easy to exploit it, i guess!

I wonder how many viruses use this ability to Use diskspace without it ever getting noticed...

Anybody find a way of listing the files inside the file ?

i tried with FindFirst('C:\Temp\NewFile.exe:*.*', faAnyfilem SR), that didn't yield any results...

Regards
//raidos
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 6

Author Comment

by:Jaymol
ID: 6882147
I tried that myself raidos, but to no avail.  I don't know how to do a search for these types of file.  I bet if you could find out, it would be worth something.

John.
0
 
LVL 3

Expert Comment

by:raidos
ID: 6882173
This site describes 2 ways of enumerating Multiple streams.
Haven't read it to hard. And it includes C Source code.

Should be a breeze to port. =))

http://www.mvps.org/win32/ntfs/streams.html

Regards
//raidos
0
 
LVL 8

Expert Comment

by:TOndrej
ID: 6882223
Alternate streams are a known feature of NTFS.
Have a look at http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams (source code included).
0
 
LVL 9

Expert Comment

by:ginsonic
ID: 6882278
listening
0
 

Expert Comment

by:DelFreak
ID: 6883189
Very interesting. Why won't it work on FAT though?
0
 
LVL 8

Expert Comment

by:TOndrej
ID: 6883276
> Why won't it work on FAT though?
Simply because FAT does not support alternate streams.
0
 
LVL 5

Expert Comment

by:Gwena
ID: 6884084
:-)
0
 
LVL 17

Expert Comment

by:Wim ten Brink
ID: 6896342
Cool! Another person who discovers alternate streams on NTFS... :-)
Cool feature, isn't it? It allows you to hide sensitive information from the average user. A good was to put your password-files a bit safer. Not only encrypt those files but put them in an alternate stream!

For the die-hard DOS-prompt fans, try this on ?NTFS:
On the prompt C:> type
  dir >Test:test

This results in a file of 0 bytes. Cool, isn't it? Now type:
  more <Test.test

And there's your information that you've safely stored in an alternate stream.
And yes, it could be abused by virusses and hackers but the thing is, these files don't copy well from one medium to the other. Simply copy the file to a FAT/FAT32/floppy disk and back and you've destroyed the alternate stream. Try to send it as an attachment and the alternate stream is gone...
It isn't as unsafe as it seems...
0
 

Expert Comment

by:CleanupPing
ID: 9343242
Jaymol:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 7

Expert Comment

by:knightmad
ID: 9470940
Wow, Its been a long time since this comment have been visited!

Jaymol,
No comment has been added lately (19 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: PAQ/No Refund

-- Please DO NOT accept this comment as an answer ! --

Thanks,

knightmad
EE Cleanup Volunteer

Remember you (all) can object this recommendation if you disagree, just leave a post here explaining why are you objecting and what should be done instead.
Within 7 days probably this thread will be closed, so, hurry up! : )
0
 

Accepted Solution

by:
YensidMod earned 0 total points
ID: 9536883
This question is PAQed and no points refunded (of 0)

YensidMod
Community Support Moderator
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

In this tutorial I will show you how to use the Windows Speech API in Delphi. I will only cover basic functions such as text to speech and controlling the speed of the speech. SAPI Installation First you need to install the SAPI type library, th…
Have you ever had your Delphi form/application just hanging while waiting for data to load? This is the article to read if you want to learn some things about adding threads for data loading in the background. First, I'll setup a general applica…
This video discusses moving either the default database or any database to a new volume.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now