
Target Eye Revealed: Part 6 - File Hiding

15 Jun 2014, BSD license, 4 min read
Target Eye hides its files with an old-fashioned approach that is nevertheless still effective against the default Windows Explorer view.
This article explains how and when files are hidden, and how to reveal them. The mechanism is simple: the file is marked with both the Hidden and the System attributes. Explorer treats that combination as a "protected operating system file" and keeps it out of view even when "Show hidden items" is checked, because that category is governed by a separate option that is not exposed in the Explorer ribbon.

Introduction

This article is the sixth and last in a series about the Target Eye Monitoring System, which was developed from 2000 until 2010, when it was discontinued.

  1. The first article was about Target Eye's Auto Update mechanism: how it checks for updates, downloads and installs them, and runs the new version in place of the one currently running, all without end-user intervention.
  2. The second article was about Target Eye's screen capturing mechanism, and how compact JPG files are created that combine reasonable image quality with a small footprint.
  3. The third article was about the Shopping List mechanism.
  4. The fourth article was about keyboard capturing.
  5. The fifth article dealt with the packaging used to let our Secret Agent in; in other words, how Target Eye is wrapped in what we refer to as a "cover story".

About this Article

The following article explains how files are hidden and when, and shows how to reveal them. Target Eye's trick is to set the Hidden and System attributes on a file at the same time. Explorer hides such files under the "Hide protected operating system files (Recommended)" option, which is enabled by default and lives in the Folder Options dialog rather than in Explorer's own view settings. Most Windows users never touch that option, so even with "Show Hidden Items" checked the Target Eye files are not shown.

Target Eye's TEHideFile() Function

The TEHideFile() function hides and unhides files, and can also pad a file to a random size. Padding changes the file's size and hash on every installation, so a signature that keys on either of them will not match; it does not change the code inside the file.

Usage

By looking at the Target Eye 2005 source code, the function is defined as follows:

C++
BOOL TEHideFile(CString FileName,BOOL Hide,BOOL RandomSize)
  • FileName = the full path and name of the file
  • Hide = tells the function whether to hide or reveal the file
  • RandomSize = tells the function whether to append random "garbage" data to the end of the file, making it larger without affecting the way it functions. The padding sits after the real content, so a data file or an unsigned executable keeps working; an Authenticode-signed binary, however, would no longer pass signature verification.

How the Target Eye Files Become Hidden

Target Eye uses what seems to be an old-fashioned approach. Instead of manipulating the kernel (SSDT hooking) or installing user-mode global hooks, it simply re-creates the file with the FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM attributes set together, the combination Explorer treats as a "protected operating system file". Such an approach was useful in the old days of Windows XP, and it keeps working: testing under Windows 7 and 8 shows that the files stay hidden even when the "Hidden items" checkbox is checked, because that checkbox only controls plain hidden files. Files that are both hidden and system are governed by the separate "Hide protected operating system files (Recommended)" option, which is on by default.

The following screenshot illustrates the "Hidden Items" checkbox:

Image 1

As you can see, with the Windows 7 and 8 user interface it is not obvious that there are additional, system-flagged files that remain hidden even after "Hidden items" is checked. A user would reasonably assume that checking this box makes ALL files visible.

Well, that is not the case with the Target Eye hidden files. These will not be visible even when this option is checked.

That makes it possible to hide files from most users without any hooks or kernel-level manipulation. The caveat a defender should keep in mind: the two attributes are ordinary file-system metadata, not concealment. "dir /a", PowerShell's "Get-ChildItem -Force", any anti-virus scanner, backup tool or forensic image sees these files exactly like any other; only Explorer's default view is fooled.

How Can These System Files Be Shown After All?

Well, here is exactly how.

  1. Open the Folder Options dialog. On Windows 8 the quickest way is to search for it: search "All" (not only "Files"), type "Show Hidden Folders" and press Enter. On Windows 7, open Explorer, click Organize, choose "Folder and search options" and switch to the View tab.

    Image 2

  2. The Folder Options dialog will be shown:

    Image 3

Uncheck "Hide protected operating system files (Recommended)" and press "Yes" when the warning below appears.

Only then will the Target Eye hidden files be visible.
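The same check done from the command line instead of the Folder Options dialog, as an added example that is not part of the original article: it lists files carrying both attributes and reads the two per-user registry values behind the Explorer options. The registry key and value names are standard Explorer settings; the sample file the script creates under %TEMP% is constructed for the demo. Run it in Windows PowerShell:

```powershell
# Added example, not Target Eye code. Lists files that carry BOTH the Hidden and
# System attributes (what Explorer calls "protected operating system files") and
# reads the per-user Explorer settings that decide whether they are displayed.

function Get-SuperHiddenFile {
    param([Parameter(Mandatory)][string]$Path)
    # -Force is the PowerShell equivalent of "dir /a": without it, Hidden and
    # System entries are skipped, just as in Explorer's default view.
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
        }
}

function Get-ExplorerHiddenFileSettings {
    # Values under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced:
    #   Hidden           1 = show hidden files, 2 = do not show ("Hidden items" checkbox)
    #   ShowSuperHidden  1 = show protected OS files, 0 = hide them (the default; this is
    #                    the "Hide protected operating system files" option unchecked above)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ShowHiddenItems      = ($p.Hidden -eq 1)
        ShowProtectedOSFiles = ($p.ShowSuperHidden -eq 1)
    }
}

# --- Demo on a constructed sample (directory, file and content are made up) ---
$demoDir  = Join-Path $env:TEMP 'superhidden-demo'
$demoFile = Join-Path $demoDir 'te.dat'
$null = New-Item -ItemType Directory -Path $demoDir -Force
if (Test-Path -LiteralPath $demoFile) { Remove-Item -LiteralPath $demoFile -Force }
Set-Content -LiteralPath $demoFile -Value 'constructed sample content'
# Mark it the way TEHideFile() does: Hidden and System together
(Get-Item -LiteralPath $demoFile).Attributes = 'Hidden, System'

"Default listing (also what Explorer shows with 'Hidden items' checked):"
Get-ChildItem -LiteralPath $demoDir -File | Select-Object Name, Attributes

"Forced listing, filtered to Hidden+System:"
Get-SuperHiddenFile -Path $demoDir | Select-Object Name, Attributes, Length

"Explorer settings for the current user:"
Get-ExplorerHiddenFileSettings
```

The default listing comes back empty while the forced listing shows te.dat with "Hidden, System". The classic cmd.exe equivalents are "dir /a:sh" to list such files and "attrib -s -h <file>" to strip the attributes; neither needs the Folder Options dialog.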

The TEHideFile() Source Code

C++
#include <windows.h>
#include <atlstr.h>    // CString (MFC/ATL); Target Eye was an MBCS build
#include <stdlib.h>
#include <string.h>

ULONG GetFileLen(CString FileName);    // defined below

// TEHideFile
// Reads the whole file into memory, deletes it and writes it back with (Hide)
// or without (!Hide) the HIDDEN|SYSTEM attributes. The delete-and-recreate
// dance, rather than a single SetFileAttributes() call, is what makes the
// unhide path work: CreateFile(CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL) fails
// with ERROR_ACCESS_DENIED on an existing file that carries HIDDEN or SYSTEM.
BOOL TEHideFile(CString FileName,BOOL Hide,BOOL RandomSize)
{
    HANDLE hFile;         // Handle to file (a local; the original's g_ prefix was misleading)
    DWORD dwBytes;        // number of bytes transferred by ReadFile/WriteFile
    ULONG FileLen;        // length of the file
    FileLen=GetFileLen(FileName);    // Getting the file length
    if(FileLen==0) return(FALSE);    // Missing or empty file: quitting
    // Reading the file. OPEN_EXISTING: the original used OPEN_ALWAYS, which
    // silently creates an empty file when the path does not exist.
    hFile=CreateFile((LPCTSTR)FileName,GENERIC_READ,FILE_SHARE_READ,NULL,
               OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    if(hFile==INVALID_HANDLE_VALUE)
    {
        // Error: file doesn't exist or can't be opened
        return(FALSE);
    }
    // Allocating a buffer to hold the file
    char *buffer=(char *)malloc(FileLen);
    if(!buffer) { CloseHandle(hFile); return(FALSE); }
    memset(buffer,'\0',FileLen);
    // Read the file into the buffer. A failed or short read must stop here,
    // otherwise the DeleteFile() below would destroy data we never copied.
    if(!ReadFile(hFile,buffer,FileLen,&dwBytes,NULL) || dwBytes!=FileLen)
    {
        free(buffer);
        CloseHandle(hFile);
        return(FALSE);
    }
    // Closing the file
    CloseHandle(hFile);
    // Deleting the file. From here until the WriteFile() below succeeds,
    // the content exists only in memory.
    if(!DeleteFile(FileName)) { free(buffer); return(FALSE); }
    // If "Hide" is true, creating a new file using
    // FILE_ATTRIBUTE_SYSTEM and FILE_ATTRIBUTE_HIDDEN attributes
    if(Hide)
        hFile=CreateFile((LPCTSTR)FileName,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,
                         FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
    // if "Hide" is false, creating a "normal" file
    else
        hFile=CreateFile((LPCTSTR)FileName,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,
                         FILE_ATTRIBUTE_NORMAL,NULL);

    if(hFile==INVALID_HANDLE_VALUE)
    {
        // Error: can't create the new file (the original leaked buffer here)
        free(buffer);
        return(FALSE);
    }
    // Purging the contents of the buffer into the new file
    if(!WriteFile(hFile,buffer,FileLen,&dwBytes,NULL) || dwBytes!=FileLen)
    {
        // Error: can't write to the new file
        free(buffer);
        CloseHandle(hFile);
        return(FALSE);
    }
    // If RandomSize is true, appending a random number of "garbage" bytes to the
    // new file. rand() is expected to have been seeded with srand() once at startup.
    if(RandomSize)
    {
        int x;
        char *temp;
        x=3201+rand()%8631;        // Random size in the range 3201..11831 bytes
        temp=(char *)malloc(x);    // allocating memory

        if(temp)
        {
            int i;
            // Filling the buffer with random ("garbage") data: lowercase letters
            for(i=0;i<x;i++) *(temp+i)=(char)('a'+rand()%26);
            // Appending the buffer to the end of the file. The original passed
            // FileLen here, which reads past the end of temp whenever FileLen > x.
            if(!WriteFile(hFile,temp,x,&dwBytes,NULL) || dwBytes!=(DWORD)x)
            {
                free(temp);
                free(buffer);
                CloseHandle(hFile);
                return(FALSE);
            }
            free(temp);
        }
    }
    free(buffer);
    CloseHandle(hFile);
    return(TRUE);
}

I have written GetFileLen() to make it easier to measure the size of a given file:

C++
ULONG GetFileLen(CString FileName)
{
    DWORD dwBytes;
    HANDLE hFile;

    if(FileName=="") return(0);
    // OPEN_EXISTING: the original used OPEN_ALWAYS together with HIDDEN|SYSTEM,
    // which creates an empty hidden system file when the path does not exist.
    // For an existing file the attribute flags are ignored, so a hidden file
    // opens fine with FILE_ATTRIBUTE_NORMAL.
    hFile=CreateFile((LPCTSTR)FileName,GENERIC_READ,FILE_SHARE_READ,
       NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    if(hFile==INVALID_HANDLE_VALUE)
        return(0);
    // Seek to the end; the returned offset is the size (low 32 bits only,
    // which is enough for the small files Target Eye handles)
    dwBytes=SetFilePointer(hFile,0,NULL,FILE_END);
    CloseHandle(hFile);
    if(dwBytes==INVALID_SET_FILE_POINTER) return(0);
    return(dwBytes);
}
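The same behaviour as TEHideFile() written in PowerShell, as an added example that is not Target Eye's code. It takes the same three inputs (file name, hide flag, random-size flag) but sets the attributes in place with File.SetAttributes instead of deleting and re-creating the file, appends the padding through an Append stream, and draws the padding length from the system CSPRNG. The function names Set-TEFileHidden and Set-FileAttributeBits and the demo file under %TEMP% are mine:

```powershell
# Added example, not Target Eye code: TEHideFile() redone in PowerShell with the
# same three inputs. Deliberate differences from the original:
#  - attributes are changed in place with [IO.File]::SetAttributes(), so the file
#    is never deleted and re-created (no window in which the content is gone);
#  - padding is appended with an Append stream instead of re-writing the file;
#  - the padding length comes from the CSPRNG, in the original's 3201..11831 range.

function Set-FileAttributeBits {
    param([string]$Path, [int]$Bits)
    # A file with no attribute bits left must be written as Normal (0x80), the
    # value Windows uses for "no attributes"; Normal is never combined with others.
    if ($Bits -eq 0) { $Bits = [int][IO.FileAttributes]::Normal }
    [IO.File]::SetAttributes($Path, [IO.FileAttributes]$Bits)
}

function Set-TEFileHidden {
    param(
        [Parameter(Mandatory)][string]$FileName,   # full path of the file
        [bool]$Hide = $true,                        # $true = hide, $false = reveal
        [bool]$RandomSize = $false                  # append random "garbage" bytes
    )
    $superHidden = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $normal      = [int][IO.FileAttributes]::Normal
    $fullPath    = [IO.Path]::GetFullPath($FileName)
    if (-not [IO.File]::Exists($fullPath)) { return $false }                       # missing file
    if ((Get-Item -LiteralPath $fullPath -Force).Length -eq 0) { return $false }   # empty file

    # Work on a plain file while writing, then apply the final attribute set.
    $attrs = [int][IO.File]::GetAttributes($fullPath) -band -bnot ($superHidden -bor $normal)
    Set-FileAttributeBits $fullPath $attrs

    if ($RandomSize) {
        $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $four = New-Object byte[] 4
        $rng.GetBytes($four)
        $padLength = 3201 + [int]([BitConverter]::ToUInt32($four, 0) % 8631)   # 3201..11831
        $pad = New-Object byte[] $padLength
        $rng.GetBytes($pad)
        # Same alphabet as the original: lowercase letters only
        for ($i = 0; $i -lt $padLength; $i++) { $pad[$i] = [byte](97 + ($pad[$i] % 26)) }
        $fs = [IO.File]::Open($fullPath, [IO.FileMode]::Append,
                              [IO.FileAccess]::Write, [IO.FileShare]::None)
        try { $fs.Write($pad, 0, $padLength) } finally { $fs.Dispose() }
        $rng.Dispose()
    }

    $final = if ($Hide) { $attrs -bor $superHidden } else { $attrs }
    Set-FileAttributeBits $fullPath $final
    return $true
}

# --- Demo on a constructed file (path and content are made up) ---
$demo = Join-Path $env:TEMP 'te-demo.bin'
if (Test-Path -LiteralPath $demo) { Remove-Item -LiteralPath $demo -Force }
[IO.File]::WriteAllBytes($demo, [byte[]](0..255))
$before = (Get-Item -LiteralPath $demo).Length

$null = Set-TEFileHidden -FileName $demo -Hide $true -RandomSize $true
$after = Get-Item -LiteralPath $demo -Force          # -Force: it is now Hidden+System
"{0} bytes -> {1} bytes, attributes: {2}" -f $before, $after.Length, $after.Attributes
# Only an overlay was appended; the original 256 bytes are untouched
$bytes = [IO.File]::ReadAllBytes($demo)
"original content intact: {0}" -f ((-join $bytes[0..255]) -eq (-join (0..255)))

$null = Set-TEFileHidden -FileName $demo -Hide $false
"attributes after unhide: {0}" -f (Get-Item -LiteralPath $demo).Attributes
```

After the hide call the demo file reports roughly 3.5 to 12 KB and "Hidden, System"; after the unhide call it is back to "Normal" (or "Archive" on volumes that set it) and shows up in an ordinary directory listing again. Setting the attributes in place is also the reason the rewrite needs no delete step: the CREATE_ALWAYS restriction that forced the original to delete first does not apply to SetFileAttributes or to opening an existing file for append.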

What About Global API Hooking?

To learn about global API hooking, I recommend reading the excellent article by ApriorIT: Easy way to set up global API hooks. If you are interested in kernel-level hiding, that is done with a driver; among the techniques is SSDT/IDT table manipulation. See this article for example, or read this one about the SSDT.

History

  • 15th June, 2014: Initial version

Michael Haephrati, CodeProject MVP 2013

©2000-2010 Target Eye LTD (UK)

All materials contained on this article are protected by International copyright law and may not be used, reproduced, distributed, transmitted, displayed, published or broadcast without the prior written permission given by Target Eye LTD (UK). You may not alter or remove any trademark, copyright or other notice from copies of the content.

License

This article, along with any associated source code and files, is licensed under The BSD License