
I want to hide a text file by moving it to the $Extend directory (what is this directory?). So I ran cmd as Administrator and ran the commands below:

C:\Windows\system32>copy I:\ToHide.txt I:\$Extend
Access is denied.
        0 file(s) copied.

C:\Windows\system32>

As you see, I couldn't, and I received an Access Denied error. So I tried to takeown the destination directory ($Extend) and change its ACLs as below:

C:\Windows\system32>takeown /f I:\$Extend

SUCCESS: The file (or folder): "I:\$Extend" now owned by user "Abraham-VAIO\Abraham".

C:\Windows\system32>cacls I:\$Extend /G Abraham:F
Are you sure (Y/N)?Y
The system cannot find the file specified.

C:\Windows\system32>

Q1: Why couldn't cacls see this directory, while takeown could?

After that, I used the Python code below:

import win32api
import win32con
import win32security

FILENAME = "I:\\$Extend"
open (FILENAME, "w").close ()  # create/truncate a file at FILENAME (this is line 6 in the traceback below)

# Python 2 print statement: show which account the script is running as
print "I am", win32api.GetUserNameEx (win32con.NameSamCompatible)

# Read only the owner part of the security descriptor and resolve that SID to an account name
sd = win32security.GetFileSecurity (FILENAME, win32security.OWNER_SECURITY_INFORMATION)
owner_sid = sd.GetSecurityDescriptorOwner ()
name, domain, type = win32security.LookupAccountSid (None, owner_sid)

print "File owned by %s\\%s" % (domain, name)

And I received Access Denied again:

>>> ================================ RESTART ================================
>>> 

Traceback (most recent call last):
  File "C:\Users\Abraham\Desktop\teste.py", line 6, in <module>
    open (FILENAME, "w").close ()
IOError: [Errno 13] Permission denied: 'I:\\$Extend'
>>> 

Q2: Is this Python code equivalent to takeown, or is it an alternative to cacls?

Q3: Why do I receive Access Denied, while I run IDLE (and afterwards Python on the command line) as Administrator?

Last questions:

Q4: Why can't I open this directory using Windows Explorer, while I can open it using WinRAR? Does Windows restrict some APIs for Explorer while they are available to other software?


By the way, is there any way I can achieve my goal using Python or C++ or ...? (Hiding something in the $Extend directory)

TheGoodUser
  • IMHO, it is bad practice to try to hide something in a *system* directory unless you know exactly how the system uses it. I would advise you to look at the excellent truecrypt utility and, if you really want to hide something, at the truecrypt hidden volumes. That way you will be sure not to break anything. – Serge Ballesta Oct 05 '14 at 09:54
  • Doesn't the OS deal with new files in the system directories just like other files and directories? I mean, doesn't the OS store the contents of $Extend just like other files? – TheGoodUser Oct 05 '14 at 09:59
  • I do not know, but the only question is: do **you** know it ... I only know what the MFT is and know it is **very** special. – Serge Ballesta Oct 05 '14 at 10:00
  • I want to do it manually, not with any third-party software! Maybe I'll break something! But in my experience it is not important! I just want to copy the files into $Extend – TheGoodUser Oct 05 '14 at 10:02
  • Why do you want to hide your file under $extend specifically? From which user/process do you want to hide it / what is the context of your question? In general, you can hide data in the MFT in all kinds of locations, e.g. you might have some spare unused bits in MFT records which you can use. – tal Nov 03 '14 at 19:51
  • @tal I want to hide my file in this location because this is the last location people think about!!! So it is hard to find! How can I use those unused bits in the MFT? Do I need any special software? – TheGoodUser Nov 03 '14 at 19:58

1 Answer


In general, you can access the MFT directly by opening \\.\PhysicalDriveX - which is the underlying physical disk (X is the number of the disk you want to open) - and then parse the disk directly, i.e. find the partition offset from the Master Boot Record, then parse the first NTFS sector and from there find the location of the MFT.

There is a great open source sample of how to parse the MFT in the ntfsfastfind project, see here: http://home.comcast.net/~lang.dennis/console/ntfsfastfind/ntfsfastfind.html

I also recommend that you read about NTFS internals here: http://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx http://ntfs.com/ntfs-mft.htm

tal
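The chain tal describes (physical drive, MBR partition entry, NTFS boot sector, $MFT cluster number) carried through in Python as an added example; this is not tal's code and not the ntfsfastfind project's. It parses a constructed in-memory image so it runs without a disk or administrator rights; on Windows the same functions accept `open(r"\\.\PhysicalDrive0", "rb")` opened as Administrator, since every read is sector-aligned as raw-device reads must be. The MBR, BPB and MFT record offsets are standard NTFS layout; the image contents, the 2048-sector partition and the "$MFT" record are constructed here. Beyond what the answer mentions, it applies the update-sequence fixups every MFT record carries and refuses a GPT protective partition instead of misreading it:

```python
"""Added example: locate the NTFS MFT by parsing the MBR and the NTFS boot
sector directly, then read and sanity-check MFT record 0.  Works on any
file-like object with seek/read: a BytesIO here, \\.\PhysicalDriveN on Windows."""
import io
import struct

SECTOR = 512
NTFS_TYPE, GPT_PROTECTIVE = 0x07, 0xEE            # MBR partition type bytes
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF       # MFT attribute type codes

def read_at(disk, offset, length):
    disk.seek(offset)
    data = disk.read(length)
    if len(data) != length:
        raise IOError("short read at offset %d" % offset)
    return data

def parse_mbr(mbr):
    """(type, lba_start, sector_count) for each used entry of the 4-slot MBR partition table."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("MBR signature 0x55AA missing")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i:462 + 16 * i]
        if e[4]:  # byte 4 is the partition type; 0 marks an empty slot
            entries.append((e[4],) + struct.unpack_from("<II", e, 8))
    return entries

def parse_ntfs_boot_sector(bs):
    """BPB fields that locate the MFT; raises if the sector is not NTFS."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector: OEM ID %r" % bs[3:11])
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)          # bytes/sector, sectors/cluster
    mft_lcn = struct.unpack_from("<Q", bs, 0x30)[0]         # logical cluster number of $MFT
    cpr = struct.unpack_from("<b", bs, 0x40)[0]             # clusters per MFT record (signed)
    cluster = bps * spc  # negative cpr means the record size is 2**-cpr bytes, not a cluster count
    return {"cluster_size": cluster, "mft_lcn": mft_lcn,
            "record_size": 2 ** (-cpr) if cpr < 0 else cpr * cluster}

def locate_mft(disk):
    """MBR -> first NTFS partition -> boot sector -> absolute byte offset of the MFT."""
    for ptype, lba, _count in parse_mbr(read_at(disk, 0, SECTOR)):
        if ptype == GPT_PROTECTIVE:
            raise NotImplementedError("GPT disk: the real partition table is in the GPT header at LBA 1")
        if ptype == NTFS_TYPE:
            info = parse_ntfs_boot_sector(read_at(disk, lba * SECTOR, SECTOR))
            info["partition_offset"] = lba * SECTOR
            info["mft_offset"] = lba * SECTOR + info["mft_lcn"] * info["cluster_size"]
            return info
    raise ValueError("no NTFS partition in the MBR")

def apply_fixups(rec):
    """Undo update-sequence fixups: on disk the last 2 bytes of every sector of a record
    hold the USN, and the real bytes live in the update sequence array (USA)."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        if rec[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % i)
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def read_mft_record(disk, info, index):
    """Read MFT record `index`, verify its FILE signature, return flags and resident $FILE_NAME names."""
    rec = read_at(disk, info["mft_offset"] + index * info["record_size"], info["record_size"])
    if rec[:4] != b"FILE":
        raise ValueError("MFT record %d has bad signature %r" % (index, rec[:4]))
    rec = apply_fixups(rec)
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    names, off = [], first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # byte 8 is the non-resident flag
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            val = rec[off + voff:off + voff + vlen]
            names.append(val[0x42:0x42 + 2 * val[0x40]].decode("utf-16-le"))
        off += alen
    return {"in_use": bool(flags & 1), "is_dir": bool(flags & 2), "names": names}

def build_test_image():
    """Constructed image, not a real dump: one NTFS partition at LBA 2048 whose $MFT is at LCN 4."""
    lba, spc, mft_lcn, usn = 2048, 8, 4, b"\x01\x00"
    img = bytearray((lba + (mft_lcn + 1) * spc) * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, NTFS_TYPE, 0, 0, 0]) + struct.pack("<II", lba, 2048)
    img[510:512] = b"\x55\xAA"
    bs = bytearray(SECTOR)
    bs[3:11], bs[510:512] = b"NTFS    ", b"\x55\xAA"
    struct.pack_into("<HB", bs, 0x0B, SECTOR, spc)
    struct.pack_into("<QQQb", bs, 0x28, 2048, mft_lcn, 1, -10)  # total sectors, $MFT, $MFTMirr, 2**10-byte records
    img[lba * SECTOR:(lba + 1) * SECTOR] = bs
    # MFT record 0: USA at 0x30 (USN + 2 sector tails), one resident $FILE_NAME attribute "$MFT"
    rec = bytearray(1024)
    rec[0:4], rec[510:512], rec[1022:1024] = b"FILE", usn, usn
    struct.pack_into("<HH", rec, 4, 0x30, 3)
    rec[0x30:0x36] = usn + bytes(4)                 # the overwritten tail bytes were 0x0000
    name = "$MFT".encode("utf-16-le")
    value = bytes(0x40) + bytes([len(name) // 2, 3]) + name   # refs/times/sizes, name length, namespace, name
    alen = (0x18 + len(value) + 7) & ~7
    rec[0x38:0x50] = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, alen, 0, 0, 0, 0, 0, len(value), 0x18, 0, 0)
    rec[0x50:0x50 + len(value)] = value
    struct.pack_into("<I", rec, 0x38 + alen, ATTR_END)
    struct.pack_into("<HHII", rec, 0x14, 0x38, 1, 0x38 + alen + 8, 1024)  # first attr, in-use flag, used, allocated
    start = (lba + mft_lcn * spc) * SECTOR
    img[start:start + 1024] = rec
    return io.BytesIO(bytes(img))
```

Usage: `disk = build_test_image(); info = locate_mft(disk); print(info, read_mft_record(disk, info, 0))` reports the MFT at partition offset 1 MiB plus four 4 KiB clusters, 1024-byte records, and record 0 in use with the single name "$MFT". Swapping `build_test_image()` for the opened physical drive is the only change needed on a live system; every offset the code computes is then relative to the start of the disk, not the volume, which is what a raw-disk carver needs.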