• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 321
  • Last Modified:

You're gonna love this....

Create a new application, put ShellAPI in the uses clause, and put 3 buttons on the form.  Do these properties...

    Button1.Caption:='Create';
    Button2.Caption:='Notepad';
    Button3.Caption:='Calc';

...and then add this code to the click events of the buttons.

procedure TForm1.Button1Click(Sender: TObject);
var
     NewFile          :     TFileStream;
  OldFile          :     TFileStream;
begin
  NewFile:=TFileStream.Create('c:\temp\newfile.exe', fmCreate);
  OldFile:=TFileStream.Create('c:\windows\notepad.exe', fmShareDenyNone);
  NewFile.CopyFrom(OldFile, OldFile.Size);
  FreeAndNil(OldFile);
  FreeAndNil(NewFile);
     NewFile:=TFileStream.Create('c:\temp\notepad.exe:calc.exe', fmCreate);
  OldFile:=TFileStream.Create('c:\windows\system32\calc.exe', fmShareDenyNone);
  NewFile.CopyFrom(OldFile, OldFile.Size);
  FreeAndNil(OldFile);
  FreeAndNil(NewFile);
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
     ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe', nil, nil, SW_SHOW);
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
     ShellExecute(0, 'OPEN', 'c:\temp\newfile.exe:calc.exe', nil, nil, SW_SHOW);
end;

As you can see, the create button creates a file called "c:\temp\notepad.exe" and another file called "c:\temp\notepad.exe:calc.exe"

If you look in the temp directory after running the create procedure you will see notepad, but no calc.

Try executing the programs with buttons 2 & 3.  You'll see that you can indeed run calculator, even though it's not visibly there.

It seems that the windows OS does not stop you using colons in filenames, just DOS and explorer stop you.

Just thought others should know of this idiocy.  There could be files hidden within files all over the place.

I've found that you can copy the file and the "added" files go with it, but you can't email it and keep the "added" files - they just disappear.  So far I've not been able to corrupt the secondary file(s) that I added to an original one.  It seems that the FAT or NTFS does actually know the file is there and doesn't overwrite it with other stuff.  It's just the OS that can't see it.

Applications for this?  Maybe storing files within a file, in total secret.  Unless you actually know the :Name of the secondary added files, you'll never be able to access them.

Thoughts and comments are definately wanted on this.

I'd like to see what others think about it.

John.
0
Jaymol
Asked:
Jaymol
1 Solution
 
robert_marquardtCommented:
Does this really work with FAT?
For NTFS it could be setting another file stream.
Each NTFS file can have more than one data part.
0
 
JaymolAuthor Commented:
Not tried on FAT actually - apologies for mentioning it.

John.
0
 
JaymolAuthor Commented:
Actually - I just tried it and no, it doesn't work on FAT, just NTFS.

John.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
kotanCommented:
In your code, you created "newfile.exe" not "notepad.exe". Is it wrong typing?

>NewFile:=TFileStream.Create('c:\temp\newfile.exe', fmCreate);
0
 
JaymolAuthor Commented:
Sorry Kotan - made changes now.  Newfile, not notepad, is what the file is, but obviously it doesn't matter as long as you use the same name in all instances.

Thanks,

John.
0
 
geobulCommented:
Yes, it should be
NewFile:=TFileStream.Create('c:\temp\notepad.exe', fmCreate);
to see the Jaymol's code in its full beauty.

Nice, nice... I like it, Jaymol.

Regards, Geo
0
 
JaymolAuthor Commented:
Thanks Geo.
0
 
kotanCommented:
Please refer this, it talk much about stream

http://www.microsoft.com/msj/1198/ntfs/ntfs.htm
0
 
JaymolAuthor Commented:
So it's a "feature", not a bug.  Still definately worth being aware of it as I assume most are not.

Thanks Kotan.
0
 
robert_marquardtCommented:
This is a feature of the NTFS file system even virus checkers often forget about.
A file can have more than one stream of data assigned.
0
 
raidosCommented:
That is a very nasty NTFS "bug" ?

Goddamn, it would be too damn easy to exploit it, i guess!

I wonder how many viruses use this ability to Use diskspace without it ever getting noticed...

Anybody find a way of listing the files inside the file ?

i tried with FindFirst('C:\Temp\NewFile.exe:*.*', faAnyfilem SR), that didn't yield any results...

Regards
//raidos
0
 
JaymolAuthor Commented:
I tried that myself raidos, but to no avail.  I don't know how to do a search for these types of file.  I bet if you could find out, it would be worth something.

John.
0
 
raidosCommented:
This site describes 2 ways of enumerating Multiple streams.
Haven't read it to hard. And it includes C Source code.

Should be a breeze to port. =))

http://www.mvps.org/win32/ntfs/streams.html

Regards
//raidos
0
 
TOndrejCommented:
Alternate streams are a known feature of NTFS.
Have a look at http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams (source code included).
0
 
ginsonicCommented:
listening
0
 
DelFreakCommented:
Very interesting. Why won't it work on FAT though?
0
 
TOndrejCommented:
> Why won't it work on FAT though?
Simply because FAT does not support alternate streams.
0
 
GwenaCommented:
:-)
0
 
Wim ten BrinkCommented:
Cool! Another person who discovers alternate streams on NTFS... :-)
Cool feature, isn't it? It allows you to hide sensitive information from the average user. A good was to put your password-files a bit safer. Not only encrypt those files but put them in an alternate stream!

For the die-hard DOS-prompt fans, try this on ?NTFS:
On the prompt C:> type
  dir >Test:test

This results in a file of 0 bytes. Cool, isn't it? Now type:
  more <Test.test

And there's your information that you've safely stored in an alternate stream.
And yes, it could be abused by virusses and hackers but the thing is, these files don't copy well from one medium to the other. Simply copy the file to a FAT/FAT32/floppy disk and back and you've destroyed the alternate stream. Try to send it as an attachment and the alternate stream is gone...
It isn't as unsafe as it seems...
0
 
CleanupPingCommented:
Jaymol:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
knightmadCommented:
Wow, Its been a long time since this comment have been visited!

Jaymol,
No comment has been added lately (19 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: PAQ/No Refund

-- Please DO NOT accept this comment as an answer ! --

Thanks,

knightmad
EE Cleanup Volunteer

Remember you (all) can object this recommendation if you disagree, just leave a post here explaining why are you objecting and what should be done instead.
Within 7 days probably this thread will be closed, so, hurry up! : )
0
 
YensidModCommented:
This question is PAQed and no points refunded (of 0)

YensidMod
Community Support Moderator
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now