Jaymol
asked on
You're gonna love this....
Create a new application, put ShellAPI in the uses clause, and put 3 buttons on the form. Do these properties...
Button1.Caption:='Create';
Button2.Caption:='Notepad' ;
Button3.Caption:='Calc';
...and then add this code to the click events of the buttons.
procedure TForm1.Button1Click(Sender : TObject);
var
NewFile : TFileStream;
OldFile : TFileStream;
begin
NewFile:=TFileStream.Creat e('c:\temp \newfile.e xe', fmCreate);
OldFile:=TFileStream.Creat e('c:\wind ows\notepa d.exe', fmShareDenyNone);
NewFile.CopyFrom(OldFile, OldFile.Size);
FreeAndNil(OldFile);
FreeAndNil(NewFile);
NewFile:=TFileStream.Creat e('c:\temp \notepad.e xe:calc.ex e', fmCreate);
OldFile:=TFileStream.Creat e('c:\wind ows\system 32\calc.ex e', fmShareDenyNone);
NewFile.CopyFrom(OldFile, OldFile.Size);
FreeAndNil(OldFile);
FreeAndNil(NewFile);
end;
procedure TForm1.Button2Click(Sender : TObject);
begin
ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe', nil, nil, SW_SHOW);
end;
procedure TForm1.Button3Click(Sender : TObject);
begin
ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe:calc. exe', nil, nil, SW_SHOW);
end;
As you can see, the create button creates a file called "c:\temp\notepad.exe" and another file called "c:\temp\notepad.exe:calc. exe"
If you look in the temp directory after running the create procedure you will see notepad, but no calc.
Try executing the programs with buttons 2 & 3. You'll see that you can indeed run calculator, even though it's not visibly there.
It seems that the windows OS does not stop you using colons in filenames, just DOS and explorer stop you.
Just thought others should know of this idiocy. There could be files hidden within files all over the place.
I've found that you can copy the file and the "added" files go with it, but you can't email it and keep the "added" files - they just disappear. So far I've not been able to corrupt the secondary file(s) that I added to an original one. It seems that the FAT or NTFS does actually know the file is there and doesn't overwrite it with other stuff. It's just the OS that can't see it.
Applications for this? Maybe storing files within a file, in total secret. Unless you actually know the :Name of the secondary added files, you'll never be able to access them.
Thoughts and comments are definately wanted on this.
I'd like to see what others think about it.
John.
Button1.Caption:='Create';
Button2.Caption:='Notepad'
Button3.Caption:='Calc';
...and then add this code to the click events of the buttons.
procedure TForm1.Button1Click(Sender
var
NewFile : TFileStream;
OldFile : TFileStream;
begin
NewFile:=TFileStream.Creat
OldFile:=TFileStream.Creat
NewFile.CopyFrom(OldFile, OldFile.Size);
FreeAndNil(OldFile);
FreeAndNil(NewFile);
NewFile:=TFileStream.Creat
OldFile:=TFileStream.Creat
NewFile.CopyFrom(OldFile, OldFile.Size);
FreeAndNil(OldFile);
FreeAndNil(NewFile);
end;
procedure TForm1.Button2Click(Sender
begin
ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe', nil, nil, SW_SHOW);
end;
procedure TForm1.Button3Click(Sender
begin
ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe:calc.
end;
As you can see, the create button creates a file called "c:\temp\notepad.exe" and another file called "c:\temp\notepad.exe:calc.
If you look in the temp directory after running the create procedure you will see notepad, but no calc.
Try executing the programs with buttons 2 & 3. You'll see that you can indeed run calculator, even though it's not visibly there.
It seems that the windows OS does not stop you using colons in filenames, just DOS and explorer stop you.
Just thought others should know of this idiocy. There could be files hidden within files all over the place.
I've found that you can copy the file and the "added" files go with it, but you can't email it and keep the "added" files - they just disappear. So far I've not been able to corrupt the secondary file(s) that I added to an original one. It seems that the FAT or NTFS does actually know the file is there and doesn't overwrite it with other stuff. It's just the OS that can't see it.
Applications for this? Maybe storing files within a file, in total secret. Unless you actually know the :Name of the secondary added files, you'll never be able to access them.
Thoughts and comments are definately wanted on this.
I'd like to see what others think about it.
John.
ASKER
Not tried on FAT actually - apologies for mentioning it.
John.
John.
ASKER
Actually - I just tried it and no, it doesn't work on FAT, just NTFS.
John.
John.
In your code, you created "newfile.exe" not "notepad.exe". Is it wrong typing?
>NewFile:=TFileStream.Crea te('c:\tem p\newfile. exe', fmCreate);
>NewFile:=TFileStream.Crea
ASKER
Sorry Kotan - made changes now. Newfile, not notepad, is what the file is, but obviously it doesn't matter as long as you use the same name in all instances.
Thanks,
John.
Thanks,
John.
Yes, it should be
NewFile:=TFileStream.Creat e('c:\temp \notepad.e xe', fmCreate);
to see the Jaymol's code in its full beauty.
Nice, nice... I like it, Jaymol.
Regards, Geo
NewFile:=TFileStream.Creat
to see the Jaymol's code in its full beauty.
Nice, nice... I like it, Jaymol.
Regards, Geo
ASKER
Thanks Geo.
ASKER
So it's a "feature", not a bug. Still definately worth being aware of it as I assume most are not.
Thanks Kotan.
Thanks Kotan.
This is a feature of the NTFS file system even virus checkers often forget about.
A file can have more than one stream of data assigned.
A file can have more than one stream of data assigned.
That is a very nasty NTFS "bug" ?
Goddamn, it would be too damn easy to exploit it, i guess!
I wonder how many viruses use this ability to Use diskspace without it ever getting noticed...
Anybody find a way of listing the files inside the file ?
i tried with FindFirst('C:\Temp\NewFile .exe:*.*', faAnyfilem SR), that didn't yield any results...
Regards
//raidos
Goddamn, it would be too damn easy to exploit it, i guess!
I wonder how many viruses use this ability to Use diskspace without it ever getting noticed...
Anybody find a way of listing the files inside the file ?
i tried with FindFirst('C:\Temp\NewFile
Regards
//raidos
ASKER
I tried that myself raidos, but to no avail. I don't know how to do a search for these types of file. I bet if you could find out, it would be worth something.
John.
John.
This site describes 2 ways of enumerating Multiple streams.
Haven't read it to hard. And it includes C Source code.
Should be a breeze to port. =))
http://www.mvps.org/win32/ntfs/streams.html
Regards
//raidos
Haven't read it to hard. And it includes C Source code.
Should be a breeze to port. =))
http://www.mvps.org/win32/ntfs/streams.html
Regards
//raidos
Alternate streams are a known feature of NTFS.
Have a look at http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams (source code included).
Have a look at http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams (source code included).
listening
Very interesting. Why won't it work on FAT though?
> Why won't it work on FAT though?
Simply because FAT does not support alternate streams.
Simply because FAT does not support alternate streams.
:-)
Cool! Another person who discovers alternate streams on NTFS... :-)
Cool feature, isn't it? It allows you to hide sensitive information from the average user. A good was to put your password-files a bit safer. Not only encrypt those files but put them in an alternate stream!
For the die-hard DOS-prompt fans, try this on ?NTFS:
On the prompt C:> type
dir >Test:test
This results in a file of 0 bytes. Cool, isn't it? Now type:
more <Test.test
And there's your information that you've safely stored in an alternate stream.
And yes, it could be abused by virusses and hackers but the thing is, these files don't copy well from one medium to the other. Simply copy the file to a FAT/FAT32/floppy disk and back and you've destroyed the alternate stream. Try to send it as an attachment and the alternate stream is gone...
It isn't as unsafe as it seems...
Cool feature, isn't it? It allows you to hide sensitive information from the average user. A good was to put your password-files a bit safer. Not only encrypt those files but put them in an alternate stream!
For the die-hard DOS-prompt fans, try this on ?NTFS:
On the prompt C:> type
dir >Test:test
This results in a file of 0 bytes. Cool, isn't it? Now type:
more <Test.test
And there's your information that you've safely stored in an alternate stream.
And yes, it could be abused by virusses and hackers but the thing is, these files don't copy well from one medium to the other. Simply copy the file to a FAT/FAT32/floppy disk and back and you've destroyed the alternate stream. Try to send it as an attachment and the alternate stream is gone...
It isn't as unsafe as it seems...
Jaymol:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
Wow, Its been a long time since this comment have been visited!
Jaymol,
No comment has been added lately (19 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:
RECOMMENDATION: PAQ/No Refund
-- Please DO NOT accept this comment as an answer ! --
Thanks,
knightmad
EE Cleanup Volunteer
Remember you (all) can object this recommendation if you disagree, just leave a post here explaining why are you objecting and what should be done instead.
Within 7 days probably this thread will be closed, so, hurry up! : )
Jaymol,
No comment has been added lately (19 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:
RECOMMENDATION: PAQ/No Refund
-- Please DO NOT accept this comment as an answer ! --
Thanks,
knightmad
EE Cleanup Volunteer
Remember you (all) can object this recommendation if you disagree, just leave a post here explaining why are you objecting and what should be done instead.
Within 7 days probably this thread will be closed, so, hurry up! : )
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
For NTFS it could be setting another file stream.
Each NTFS file can have more than one data part.