Data Hiding on NT/2K

BlackHat Windows Security 2004
Data Hiding on a Live System
by Harlan Carvey
keydet89@yahoo.com
Purpose
- Present/discuss different techniques for hiding data on LIVE systems (NTFS)
- Address methods of preventing and detecting this activity

What is NOT covered?
- Maintenance tracks, boot sector, file slack, etc.

What is being hidden?
- Data
  - Text
  - Output of commands (samdump, etc.)
- Executables
  - Programs
  - Games
  - Rootkits

Who are we hiding it from?
- Other users
- Administrators
- Investigators/forensics analysts

Altering files
File Changes
- Name
- Extension
  - Information regarding extensions and associations is maintained in the Registry
  - 'assoc' command
- File Signature (this is NOT a hash)

Altering Names/Extensions
- Samdump.log -> C:\winnt\system32\MSODBC32.DLL

Altering file signatures
- First 20 bytes of the file
- Change JFIF/GIF89a in a graphics file to something else
- Executables (.exe, .dll, .sys, .ocx, .scr) begin with "MZ"
- Sigs.pl performs signature analysis
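
The signature check behind the two slides above (a renamed samdump.log posing as a DLL, a graphic whose header has been changed), as an added Python example; it is not the talk's Perl sigs.pl, and the file names and header bytes are constructed for illustration:

```python
# Signature analysis: compare a file's leading bytes with what its extension
# implies, so a text file renamed MSODBC32.DLL or an executable renamed .gif
# stands out. Added example, not the talk's sigs.pl.
import os

HEADER_LEN = 20  # the talk looks at the first 20 bytes of a file

# (magic prefix, type name, extensions that normally carry this header)
SIGNATURES = [
    (b"MZ", "executable", {".exe", ".dll", ".sys", ".ocx", ".scr"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),  # JFIF files start with the SOI marker
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
]

def detect_type(header):
    """Type implied by the header bytes, or None if no known signature matches."""
    for magic, name, _ in SIGNATURES:
        if header.startswith(magic):
            return name
    return None

def expected_type(ext):
    """Type implied by the extension, or None if the extension is not in the table."""
    for _, name, exts in SIGNATURES:
        if ext in exts:
            return name
    return None

def check_signature(name, header):
    """Return 'match', 'mismatch' or 'unknown' for a file name and its header bytes."""
    ext = os.path.splitext(name)[1].lower()      # extension compare is case-insensitive
    actual = detect_type(header[:HEADER_LEN])
    claimed = expected_type(ext)
    if actual is None and claimed is None:
        return "unknown"      # neither header nor extension is in the table
    return "match" if actual == claimed else "mismatch"

def scan(files):
    """files: {name: header bytes}; return names whose header disagrees with the extension."""
    return sorted(n for n, h in files.items() if check_signature(n, h) == "mismatch")

# constructed sample headers (not real files); the DLL entry is text output renamed
SAMPLE = {
    "notepad.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00",
    "MSODBC32.DLL": b"Administrator:500:<lm-hash>:<nt-hash>:::\r\n",  # samdump.log renamed
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "readme.txt": b"This is plain text.",
    "banner.gif": b"MZ\x90\x00",  # executable disguised as a graphic
}

if __name__ == "__main__":
    for n in scan(SAMPLE):
        print("signature/extension mismatch:", n)
```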

DOS Attributes
- 'attrib' command
- Explorer settings
- 'dir' switch (dir /a[:h])
- Perl ignores the attribute (opendir/readdir, glob)
- hfind.exe (FoundStone)

File Splitting
- Almost as old as DOS
- Many programs available
- Malicious uses
- Original file -> arbitrarily sized segments

"touching" files
- Alter the creation, last access, last modification dates
- 'touch' in Unix
- Microsoft SetFileTime() API
- Used to hide from search tools
- dir /t[:a]
- afind.exe (FoundStone)
- macmatch.exe (NTSecurity.nu)

File Binding
- Elite Wrap
- Saran Wrap, Silk Rope

OLE/COM
- MS OLE/COM API
- "Structured Storage", "Compound files"
- MergeStreams demo
- "File system within a file"
- May discover using "strings" or "grep"
- wd.exe

NTFS Alternate Data Streams
- NTFS4 (NT) and NTFS5 (2K)
- Creating
- Using
- Running executables hidden in ADSs
- NTFS4 vs. NTFS5

Creating ADSs
- 'type' command
  type notepad.exe > myfile.txt:np.exe
- cp.exe from the Resource Kit
- Bind to a file or to the directory listing
  notepad myfile.txt:hidden.txt
  notepad :hidden.txt

Executing ADSs
- Running executables hidden in ADSs
- Native methods
- NTFS4 - 'start' (FoundStone)
- NTFS5 - several methods

Detecting ADSs
- lads.exe, by Frank Heyne (heysoft.de)
- sfind.exe (FoundStone)
- streams.exe (SysInternals)
- ads.pl (Perl)

Encryption
- PGP
- Fcrypt (ntsecurity.nu)
- Perl (Crypt::TripleDES)

Steganography
- The art of hiding information
- S-Tools4
- http://www.citi.umich.edu/u/provos/stego/

Registry
- Licensing information
- Software installation dates and information
- Contains binary and string data types

"Hidden" Functionality
- Registry keys
  - Used by various malware
  - The ubiquitous "Run" key
  - Services
  - ClearPagefileAtShutdown Registry key
- StartUp directories

Rootkits
- Kernel-mode vs. user-mode
- API Hooking/DLL Injection
- NTRootkit
- HackerDefender (DLL Injection)
- AFX Rootkit 2003 (DLL Injection)
- Vanquish (DLL Injection)
- FU (DKOM)

How to prevent/detect
- Configuration Policies/Management
- Monitoring
  - Event Logs
  - Additional monitoring applications
- Scans

Questions?