Hiding data on Windows with illegal file-, foldernames and subsubstreams

First of all if you want to hide or encrypt your data you should rely on tools like TrueCrypt.

This here is only a proof of concept which shows how you can trick Windows and make your files not accessible for persons who are not familiar with this technique.

As some of you might know you can’t create folders or files with names like ” ” or “.” or “COM1” or “CON” or “sysstem.” But there is a trick do create these files and folder anyway (except for the “.” and “..”)

All you need is the command line and this little prefix

\?

With it you can do a lot more than usual.

See the following examples.

mkdir "\?C:sysstem "
mkdir "\?C:sysstem ."
mkdir "\?C:sysstem .."
mkdir "\?C:sysstemsysstem."
mkdir "\?C:sysstem                sysstem              "
mkdir "\?C:sysstemCOM1"
mkdir "\?C:sysstemCON"
mkdir "\?C:sysstemLPT1"

You can create all these folders without a problem. Most of these directories are not accessible from the explorer, but over the commandline.

Next thing you can do is to create a substream on a folder. It’s not possible to just give it the name of a space character because the editor will implicitly add an .txt to it. Just give it a weird extension.

notepad "\?C:sysstem : . -"

Notepad says that the filestream does not exist and if you want to create it. Say yes.

After you have done so you may notice this characters in the the titlebar

脠Ȋ - Editor_2012-12-14_09-38-06

 

if you saved the text the charcaters will change to the following

ୀᄒ - Editor_2012-12-14_09-38-19

Notice that if you copy files with substreams from NTFS to another filesystem, all the substreams will be gone because other filesystems are not able to store these.

It is also possible to fill ones harddiskspace where it is not possible to free up the space. And with the fact that you created ” ..” folders, they are not able to delete these folders or files because explorer will crash or just give errors if you do so.

Try to fool around a little and tell me if you have found more crazy stuff.

Leave a Reply

Your email address will not be published. Required fields are marked *