
I downloaded a program yesterday; it is for encryption and security. I won't name it here unless someone asks me to, but it has a feature to make files inside a specified folder completely invisible.

I have "Hidden Files and Folders" selected and "Hide protected operating system files" unselected, yet the files are gone completely from view and don't show up in a search either. I copied the folder over from VMware Workstation to my main machine and still the files are super hidden! There are zero files in the folder according to Windows.

How is this voodoo magick possible? I want to emulate this using Delphi in my own encryption program. I have not found any way on here or via Google that suggests how it is possible, but the actual program's help file says they are still in the folder but do not register with most normal Windows software that processes files.

This is one of those questions where I cannot give any code to show what I have tried, but rather I am open to suggestions of what I can try, or maybe someone here knows exactly how it is done?

Shambhala
  • You want us to help you build a rootkit? – David Heffernan Nov 22 '12 at 06:57
  • @DavidHeffernan - I have no interest in building a rootkit nor any other form of nasty thing. I just wanted to know how these files are hidden in this way. I am currently looking into the answer from bummi. – Shambhala Nov 22 '12 at 07:04
  • The technical term for what you described is rootkit. – David Heffernan Nov 22 '12 at 07:14
  • @DavidHeffernan - Well I didn't know that and certainly don't want to create one in my software. The files would be hidden by the users choice and made visible again by the user so I don't see how it would be considered as an actual rootkit as it would do nothing malicious. – Shambhala Nov 22 '12 at 07:27
  • According to the Wikipedia definition of rootkit, there's no equal sign between "rootkit" and "malware". Your application would be a rootkit even if it's not malicious. – Cosmin Prund Nov 22 '12 at 07:47
  • *I copied the folder over from VMware Workstation to my main machine* - maybe there are none? If they were so hidden, then the copying should probably have skipped them and on the end machine there is really an empty folder? PS: I recall HM-something, a program for MS-DOS. It hid files and folders in pseudo-bad sectors. But access was only possible after an "unhide" action. – Arioch 'The Nov 22 '12 at 07:59
  • @Arioch'The - yes there were files in the directory but hidden using the program while in VMware because I just wanted to test if they would become unhidden. I have found a way to hide files from the command line: you just cd to directory and type: `attrib +s +h "name of file.txt"` and to unhide `attrib -s -h "name of file.txt"` – Shambhala Nov 22 '12 at 08:06
  • @Shambhala, you're marking the files "hidden" and "system" using that command line. There's a setting in Windows Explorer to show hidden and system files, and I'm pretty sure most programmers have that setting activated because it allows one to browse the Windows and Program Files folders with ease. – Cosmin Prund Nov 22 '12 at 08:12
  • Yes, I realised as soon as I posted the comment and then felt like a buffoon! That's what you get for staying up all night... – Shambhala Nov 22 '12 at 08:18
  • @CosminPrund Well, I do not check it in Explorer, I use a file manager for that. Namely I use the free Unreal Commander (http://x-diesel.com/), but there are lots of such (Total Commander, muCommander, DOS Navigator, ....) and Q-Dir for those who like blending with Windows Explorer. – Arioch 'The Nov 22 '12 at 08:19
  • Maybe the security program uses some deniable encryption technique to hide the files: http://en.wikipedia.org/wiki/Deniable_encryption – Jens Mühlenhoff Nov 22 '12 at 08:49
  • @DavidHeffernan A program that hides files is not a rootkit per se. A rootkit also uses a security hole to obtain privileges. – Jens Mühlenhoff Nov 22 '12 at 08:52
  • Using the functionalities of the OS without influencing them is not a rootkit. A rootkit does influence OS functionalities (and stays resident as a service/driver to do so). Hiding files with OS functionalities is obfuscation. – Sir Rufo Nov 22 '12 at 09:22
  • The OS does contain functionality to hide files, using the "hidden" attribute. It doesn't need to hide files better than that, since anything the OS offers needs to be reversible and discoverable by the standard Admin: the hiding feature of the OS is mostly a convenience for the end user, so the end user is not bothered with files that don't concern him. – Cosmin Prund Nov 22 '12 at 10:16
  • @Shambhala, What is the program name? – kobik Nov 22 '12 at 11:53
  • @kobik - It is called Quick Crypto (as one word)... – Shambhala Nov 22 '12 at 12:02
  • @SirRufo Indeed. But the question doesn't actually say that it only uses standard OS functionality. – David Heffernan Nov 22 '12 at 12:55

1 Answer


Since less informa One possibility would be using alternative file streams on NTFS, which can be added to files and folders. You can just try this by typing "notepad C:\temp:hidden1.txt" at the command line; a new file stream will be created if you answer with yes. After saving you can reopen it exactly the same way. This can also be done from Delphi (loading/saving). It will only work if NTFS is used. I don't know if this method is used in the described case; finding ADS can be done with the following code:

unit u_ListADS;

// 20120928 by Thomas Wassermann
// www.devworx.de
interface

uses
  Windows, Messages, SysUtils, Variants, Classes, StrUtils;

// Collects 'path\file:streamname' entries for every alternate data stream found
// below Path (optionally recursive). Only meaningful on NTFS volumes.
procedure GetADS(List: TStrings; const Path, WildCard: String; Recursiv: Boolean = false);

// Native API; returns an NTSTATUS (0 = STATUS_SUCCESS).
function NtQueryInformationFile(FileHandle: THandle; IoStatusBlock: Pointer; FileInformation: Pointer;
  FileInformationLength: Cardinal; FileInformationClass: Cardinal): Cardinal; stdcall; external 'ntdll.dll';

implementation

const
  FileStreamInformation = 22; // FILE_INFORMATION_CLASS value
  STATUS_SUCCESS = 0;

type
  // One entry of the buffer returned for FileStreamInformation. Entries are
  // packed back to back; NextEntryOffset = 0 marks the last one.
  _FILE_STREAM_INFORMATION = record
    NextEntryOffset: Cardinal;
    StreamNameLength: Cardinal; // in bytes; the name is not NUL-terminated
    StreamSize: int64;
    StreamAllocationSize: int64;
    StreamName: array [0 .. MAX_PATH] of WideChar;
  end;

  PFILE_STREAM_INFORMATION = ^_FILE_STREAM_INFORMATION;

  IO_STATUS_BLOCK = record
    Status: Cardinal;
    Information: NativeUInt; // number of bytes written to the buffer
  end;

// Returns the names (':name') of the alternate data streams of aFilename.
// The unnamed default data stream ('::$DATA') is skipped.
function GetStreams(const aFilename: String): TStringList;
var
  FileHandle: THandle;
  Buffer: array of Byte;
  StatusBlock: IO_STATUS_BLOCK;
  Entry: PFILE_STREAM_INFORMATION;
  WideName: WideString;
  StreamName: String;
  Status: Cardinal;
begin
  Result := TStringList.Create;
  FileHandle := FileOpen(aFilename, fmOpenRead or fmShareDenyNone);
  if FileHandle = INVALID_HANDLE_VALUE then
    Exit; // cannot open the file: nothing to report
  try
    // All entries come back in one buffer; 64 KB is enough for any realistic file.
    SetLength(Buffer, 64 * 1024);
    FillChar(Buffer[0], Length(Buffer), 0);
    Status := NtQueryInformationFile(FileHandle, @StatusBlock, @Buffer[0], Length(Buffer), FileStreamInformation);
  finally
    FileClose(FileHandle);
  end;
  // Non-NTFS volumes fail the call; a file without stream data returns 0 bytes.
  if (Status <> STATUS_SUCCESS) or (StatusBlock.Information = 0) then
    Exit;
  Entry := PFILE_STREAM_INFORMATION(@Buffer[0]);
  repeat
    // The name looks like ':hidden1.txt:$DATA'; keep the part up to the second colon.
    SetString(WideName, PWideChar(@Entry^.StreamName), Entry^.StreamNameLength div SizeOf(WideChar));
    StreamName := WideName;
    StreamName := Copy(StreamName, 1, PosEx(':', StreamName, 2) - 1);
    if StreamName <> ':' then
      Result.Add(StreamName);
    if Entry^.NextEntryOffset = 0 then
      Break;
    Entry := PFILE_STREAM_INFORMATION(PByte(Entry) + Entry^.NextEntryOffset);
  until False;
end;

procedure GetADS(List: TStrings; const Path, WildCard: String; Recursiv: Boolean = false);
var
  SR: SysUtils.TSearchRec;
  RES: Integer;
  Dir, SP: String;
  StreamList: TStringList;
  i: Integer;
begin
  if (Length(Path) = 0) or (Length(WildCard) = 0) then
    Exit;
  Dir := IncludeTrailingBackslash(Path);
  SP := Dir + WildCard;
  // First pass: descend into subdirectories if requested ('.' and '..' excluded).
  if Recursiv then
  begin
    RES := FindFirst(Dir + '*.*', faDirectory, SR);
    while RES = 0 do
    begin
      if ((SR.Attr and faDirectory) <> 0) and (SR.Name <> '.') and (SR.Name <> '..') then
        GetADS(List, Dir + SR.Name, WildCard, Recursiv);
      RES := FindNext(SR);
    end;
    SysUtils.FindClose(SR);
  end;
  // Second pass: every matching file, including read-only, hidden and system ones
  // (attrib +s +h does not hide them from FindFirst), but no directories.
  RES := FindFirst(SP, faReadOnly or faHidden or faSysFile or faArchive, SR);
  while RES = 0 do
  begin
    StreamList := GetStreams(Dir + SR.Name);
    try
      for i := 0 to StreamList.Count - 1 do
        List.Add(Dir + SR.Name + StreamList[i]);
    finally
      StreamList.Free;
    end;
    RES := FindNext(SR);
  end;
  SysUtils.FindClose(SR);
end;

end.

A call could be, e.g.:

  GetADS(Listbox1.Items, Directory.Text, WildCards.Text, rekursiv.Checked);
bummi
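As an added example, not part of bummi's answer, here is the same FileStreamInformation walk in Python over a constructed buffer: the layout is the documented FILE_STREAM_INFORMATION structure the Delphi record above mirrors, `build_stream_information` is only a fixture builder (NtQueryInformationFile is never called), and the parser adds the buffer-bounds and NextEntryOffset checks an ADS scanner needs when it walks a chain of entries.

```python
import struct

# One FILE_STREAM_INFORMATION entry (FileInformationClass 22) as returned by
# NtQueryInformationFile: ULONG NextEntryOffset; ULONG StreamNameLength (bytes);
# LONGLONG StreamSize; LONGLONG StreamAllocationSize; WCHAR StreamName[] (UTF-16,
# ':name:$DATA', not NUL-terminated). Entries are packed back to back, 8-byte
# aligned, and the last one carries NextEntryOffset == 0.
HEADER = struct.Struct("<IIqq")  # the 24 fixed bytes before the name

def parse_stream_information(buf):
    """Walk the entry chain; return a list of (stream name, size) pairs."""
    streams, offset = [], 0
    while True:
        if offset + HEADER.size > len(buf):
            raise ValueError("entry header runs past the end of the buffer")
        next_off, name_len, size, _alloc = HEADER.unpack_from(buf, offset)
        name_end = offset + HEADER.size + name_len
        if name_end > len(buf):
            raise ValueError("stream name runs past the end of the buffer")
        streams.append((buf[offset + HEADER.size:name_end].decode("utf-16-le"), size))
        if next_off == 0:
            return streams
        if next_off < HEADER.size + name_len:  # would overlap or revisit this entry
            raise ValueError("bad NextEntryOffset")
        offset += next_off

def alternate_streams(buf):
    """Alternate streams only, as ':name' (type suffix dropped); the unnamed
    default data stream '::$DATA' is skipped, as the Delphi GetStreams does."""
    names = [name.rsplit(":", 1)[0] for name, _ in parse_stream_information(buf)]
    return [n for n in names if n != ":"]

def build_stream_information(streams):
    """Construct a buffer in the kernel's layout (a test fixture, not real output)."""
    out = bytearray()
    for i, (name, size) in enumerate(streams):
        name_bytes = name.encode("utf-16-le")
        entry_len = HEADER.size + len(name_bytes)
        padded = (entry_len + 7) & ~7
        next_off = 0 if i == len(streams) - 1 else padded
        out += HEADER.pack(next_off, len(name_bytes), size, (size + 4095) & ~4095)
        out += name_bytes + b"\0" * (padded - entry_len)
    return bytes(out)

# Constructed sample: the default stream, the stream the answer creates with
# "notepad C:\temp:hidden1.txt", and a second hidden stream.
SAMPLE = build_stream_information(
    [("::$DATA", 1234), (":hidden1.txt:$DATA", 17), (":secret.bin:$DATA", 4096)])
```

On a real NTFS volume the buffer would come from NtQueryInformationFile (or, for a quick check without code, `dir /r` in cmd.exe); the parsing logic is identical.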
  • This is great! I have been reading a lot about it just now and I have hidden text inside a .txt file. It is a little like Steganography, in a way? – Shambhala Nov 22 '12 at 09:59
  • Deleting is not as easy; unfortunately I can only provide a German link http://de.wikipedia.org/wiki/Alternativer_Datenstrom, perhaps someone knows an English one too. – bummi Nov 22 '12 at 10:20
  • This has some nice info as well: http://windowssecrets.com/top-story/hide-sensitive-files-with-alternate-data-streams/ – Shambhala Nov 22 '12 at 11:21
  • I just downloaded a program called ADS Spy - it has a GUI and can detect Alternate Data Streams. I checked the directory of the hidden files and all of them contain ADS, so the program definitely appears to use this method. I am going to accept this as the answer and @bummi thank you very much for all the help. – Shambhala Nov 22 '12 at 11:29
  • The new Windows file system doesn't support alternate file streams. – David Heffernan Nov 22 '12 at 12:55
  • There are more things than alternate file streams which are lost under ReFS: http://helgeklein.com/blog/2012/01/new-file-system-refs-in-windows-8-quick-facts/ – bummi Nov 22 '12 at 13:06