
Target Eye Revealed: Part 6 - File Hiding

15 Jun 2014, BSD license, 4 min read
Target Eye uses an outdated approach for hiding files, and yet it has recently become practical again.
This article explains how and when files are hidden, and shows how to reveal them. Target Eye uses a simple mechanism to hide files, but the trick works on most Windows users because the option that reveals these files is not part of the Files Explorer's default user interface: even when "Show Hidden Items" is checked, the Target Eye hidden files are not revealed.

Introduction

This article is the sixth and last in a series about the Target Eye Monitoring System, developed from 2000 until 2010, when it was discontinued.

  1. The first article was about Target Eye's Auto Update mechanism: how it checks for updates, downloads and installs them, and runs the new version in place of the old one currently running, all without end-user intervention.
  2. The second article was about Target Eye's screen capturing mechanism, and how compact JPG files are created that combine reasonable image quality with a small footprint.
  3. The third article was about the Shopping List mechanism.
  4. The fourth article was about keyboard capturing.
  5. The fifth article dealt with the packaging used to let our Secret Agent in: in other words, how Target Eye is wrapped in what we refer to as a "cover story".

Target Eye's TEHideFile() Function

The TEHideFile() function is used to hide and unhide files, and optionally to pad a given file to a random larger size, so that its length and hash differ from one copy to another and the file is harder to fingerprint and detect.

Usage

By looking at the Target Eye 2005 source code, the function is defined as follows:

C++
BOOL TEHideFile(CString FileName,BOOL Hide,BOOL RandomSize)
  • FileName = the full path and name of the file
  • Hide = tells the function whether to hide or reveal the file
  • RandomSize = tells the function whether to append "garbage" data to the file (without affecting the way it functions), making it larger by a random amount.

How the Target Eye Files Become Hidden

Target Eye uses what looks like an old-fashioned approach. Instead of kernel-level tricks (SSDT manipulation) or user-level global API hooking, it simply re-creates the file with the FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM attributes set, which is how Windows marks its own protected operating system files. Such an approach was useful back in the days of Windows XP. However, when testing it under Windows 7 and 8 one finds that the files stay hidden even when the "Hidden Items" checkbox in Explorer's ribbon is checked, because that checkbox only toggles plain hidden files; files carrying both attributes are governed by a separate setting.

The following screenshot illustrates the "Hidden Items" checkbox:

Image 1

As you can see, with the Windows 7 and 8 user interface it is not straightforward even to realize that additional system files are still being hidden after "Hidden Items" has been checked. Common sense suggests that once this checkbox is checked, ALL files will be visible.

That is not the case with the Target Eye hidden files: they remain invisible even when this option is checked.

That creates an opportunity to hide files from most users reasonably well, without any hooks or kernel-level manipulation. Note that the trick only fools Explorer's default view: dir /a from a command prompt, the attrib command, and any program that enumerates the directory through the Win32 API (FindFirstFile and friends) will still list such files, so it offers no protection against a scanner or an investigator who looks beyond Explorer.

How Can These System Files Be Shown After All?

Well, here is exactly how.

  1. Open the Folder Options dialog. When you use Windows 8 search, search "All" and not only "Files", type "Show Hidden Folders" and press Enter.

    Image 2

  2. The Folder Options dialog will be shown:

    Image 3

  3. Uncheck "Hide protected operating system files" and press "Yes" when the warning appears.

Only then will you be able to see the Target Eye hidden files.
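The attribute trick described above, and the Explorer setting that defeats it, can both be exercised from PowerShell. The following is an added example written for this page, not Target Eye code: it creates a test file, gives it the same two attributes TEHideFile() sets, shows that a plain directory listing omits it while -Force lists it, defines a small Find-SuperHidden function (my name, not a built-in) that reports every Hidden+System file under a root outside a few well-known Windows locations, reads the ShowSuperHidden registry value that the "Hide protected operating system files" checkbox controls, and finally clears the attributes again. The paths under $env:TEMP and the exclusion list are my own choices.

```powershell
# Added example for this page (not Target Eye code). Windows PowerShell 5.1 or
# PowerShell 7 on Windows; paths and the exclusion list are my own choices.

# 1. Create a test file and give it the two attributes TEHideFile() sets:
#    FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM.
$dir  = Join-Path $env:TEMP 'te-hide-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'agent.dat'
Set-Content -Path $file -Value 'demo payload'
(Get-Item $file).Attributes = 'Hidden, System'

# 2. A plain listing omits the file, just as Explorer does while "Hide protected
#    operating system files" is checked; -Force lists it regardless.
"Without -Force: $(@(Get-ChildItem $dir).Count) file(s)"          # 0
"With -Force:    $(@(Get-ChildItem $dir -Force).Count) file(s)"   # 1

# 3. Report every file under $Root that carries BOTH attributes, skipping the
#    locations where Windows legitimately keeps such files (hypothetical
#    exclusion list; extend it for your own environment).
function Find-SuperHidden {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $ExcludePrefix = @("$env:SystemRoot", "$env:ProgramData\Microsoft")
    )
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        } |
        Where-Object {
            $path = $_.FullName
            -not ($ExcludePrefix | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
        } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

Find-SuperHidden -Root $dir | Format-Table -AutoSize

# 4. The registry value behind the Folder Options checkbox: 1 means protected
#    operating system files are shown, 0 means they are hidden. Reading it tells
#    you what a user of this profile sees in Explorer; setting it to 1 reveals
#    them once Explorer is restarted.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
"ShowSuperHidden = $((Get-ItemProperty -Path $adv).ShowSuperHidden)"
# Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1

# 5. Undo the trick. Clearing System alone is enough for "Hidden items" to show
#    the file again; Normal clears both. Get-Item itself needs -Force to reach a
#    hidden file by path.
(Get-Item $file -Force).Attributes = 'Normal'
Remove-Item $dir -Recurse -Force
```

Run Find-SuperHidden against a user profile or a whole drive rather than the demo directory to hunt for real instances; on a clean system the list outside the excluded locations is short (desktop.ini files, thumbs caches and the like), so anything with an executable extension or an unfamiliar name stands out.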

The TEHideFile() Source Code

C++
// Requires MFC for CString (afx.h pulls in windows.h) and the C runtime.
#include <afx.h>
#include <stdlib.h>
#include <string.h>

ULONG GetFileLen(CString FileName);    // defined below

// TEHideFile
// Re-creates FileName with (Hide) or without (!Hide) the Hidden and System
// attributes, optionally appending random padding so that the size and hash
// of the file change. Returns TRUE on success.
BOOL TEHideFile(CString FileName,BOOL Hide,BOOL RandomSize)
{
    HANDLE hFile;          // Handle to file
    DWORD dwBytes;         // number of bytes read from / written to the file
    ULONG FileLen;         // length of the file
    FileLen=GetFileLen(FileName);    // Getting the file length
    if(FileLen==0) return(FALSE);    // If file is empty or missing, quitting
    // Reading file. OPEN_EXISTING rather than OPEN_ALWAYS, so that a missing
    // file is reported as an error instead of being silently created.
    hFile=CreateFile((LPCTSTR)FileName,GENERIC_READ,FILE_SHARE_READ,NULL,
               OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    if(hFile==INVALID_HANDLE_VALUE)
    {
        // Error: file doesn't exist or can't be opened
        return(FALSE);
    }
    // Allocating a buffer to hold the file
    char *buffer=(char *)malloc(FileLen);
    if(buffer==NULL)
    {
        CloseHandle(hFile);
        return(FALSE);
    }
    memset(buffer,'\0',FileLen);
    // Read the file into the buffer; the whole file must be in memory before it is deleted
    if(!ReadFile(hFile,buffer,FileLen,&dwBytes,NULL) || dwBytes!=FileLen)
    {
        free(buffer);
        CloseHandle(hFile);
        return(FALSE);
    }
    // Closing the file
    CloseHandle(hFile);
    // Deleting the file. This is required: CREATE_ALWAYS over an existing file that
    // carries FILE_ATTRIBUTE_HIDDEN or FILE_ATTRIBUTE_SYSTEM fails with
    // ERROR_ACCESS_DENIED unless the same attributes are passed again.
    if(!DeleteFile(FileName))
    {
        free(buffer);
        return(FALSE);
    }
    // If "Hide" is true, creating a new file using
    // FILE_ATTRIBUTE_SYSTEM and FILE_ATTRIBUTE_HIDDEN attributes
    if(Hide)
        hFile=CreateFile((LPCTSTR)FileName,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,
                         FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
    // if "Hide" is false, creating a "normal" file
    else
        hFile=CreateFile((LPCTSTR)FileName,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,
                         FILE_ATTRIBUTE_NORMAL,NULL);

    if(hFile==INVALID_HANDLE_VALUE)
    {
        // Error: can't create the new file (the original is already gone)
        free(buffer);
        return(FALSE);
    }
    // Purging the contents of the buffer into the new file
    if(!(WriteFile(hFile,buffer,FileLen,&dwBytes,NULL)))
    {
        // Error: can't write to the new file
        free(buffer);
        CloseHandle(hFile);
        return(FALSE);
    }
    // If RandomSize is true, appending a random number of "garbage" bytes to the new file.
    // The caller is expected to have seeded rand() with srand() once at start-up.
    if(RandomSize)
    {
        int x;
        char *temp;
        x=(int)((double)rand()/(double)RAND_MAX*8630.0)+3201;    // Creating a random
                                                                  // size which is at least 3201 bytes
        temp=(char *)malloc(x);                                   // allocating memory

        if(temp)
        {
            int i;
            // Filling the buffer with random ("garbage") data: lowercase letters
            for(i=0;i<x;i++) *(temp+i)=(char)((int)((double)rand()/
                    (double)RAND_MAX*((int)'z'-(int)'a'+1))+(int)'a');
            // Appending the buffer to the end of the file. The length written is x,
            // the size of temp; using FileLen here would read past the end of temp.
            if(!(WriteFile(hFile,temp,x,&dwBytes,NULL)))
            {
                free(temp);
                free(buffer);
                CloseHandle(hFile);
                return(FALSE);
            }
            free(temp);
        }
    }
    free(buffer);
    CloseHandle(hFile);
    return(TRUE);
}

I have written GetFileLen() to make it easier to measure the size of a given file:

C++
ULONG GetFileLen(CString FileName)
{
    DWORD dwBytes;
    HANDLE hFile;

    if(FileName=="") return(0);
    // OPEN_EXISTING: measuring a file must never create it (OPEN_ALWAYS would
    // leave an empty file behind for every path that does not exist).
    // Attributes passed here are ignored when opening an existing file, so
    // FILE_ATTRIBUTE_NORMAL is enough even for hidden/system files.
    hFile=CreateFile((LPCTSTR)FileName,GENERIC_READ,FILE_SHARE_READ,
       NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    if(hFile==INVALID_HANDLE_VALUE)
        return(0);
    // Seek to the end; the returned offset is the file length. Only the low
    // 32 bits are returned, which is enough for the small files Target Eye handles.
    dwBytes=SetFilePointer(hFile,0,NULL,FILE_END);
    CloseHandle(hFile);
    if(dwBytes==INVALID_SET_FILE_POINTER) return(0);
    return(dwBytes);
}
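The RandomSize branch of TEHideFile() appends 3201 to 11831 bytes of random letters to the file. For a PE (an .exe or .dll) those bytes land after the last section, in what is known as the overlay, which the Windows loader never maps; that is why the file still runs, and also why the padding changes the file's length and full-file hash without touching a single byte the loader uses. The following added example, written for this page rather than taken from Target Eye, shows the defender's side: it hashes only the bytes up to the end of the last section, so an original binary and a padded copy produce the same value. It reads the section table from the PE headers itself; the function names are mine, and the demo uses a copy of notepad.exe from $env:SystemRoot\System32 as a convenient PE, padding it with random bytes in the same size range as TEHideFile().

```powershell
# Added example for this page (not Target Eye code): hash a PE without its
# overlay, so that random padding appended after the last section does not
# change the value. Function names are my own.

function Get-PeSectionEnd {
    # Returns the file offset just past the last byte of the last section
    # (i.e. the start of any overlay), or $null if the buffer is not a PE.
    param([byte[]] $Bytes)
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $null }  # "MZ"
    $peOff = [BitConverter]::ToInt32($Bytes, 0x3C)                        # e_lfanew
    if ($peOff -le 0 -or ($peOff + 24) -gt $Bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($Bytes, $peOff) -ne 0x00004550) { return $null }  # "PE\0\0"
    $numSections = [BitConverter]::ToUInt16($Bytes, $peOff + 6)          # IMAGE_FILE_HEADER.NumberOfSections
    $optSize     = [BitConverter]::ToUInt16($Bytes, $peOff + 20)         # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    $secTable    = $peOff + 24 + $optSize                                 # first IMAGE_SECTION_HEADER
    [long]$end = 0
    for ($i = 0; $i -lt $numSections; $i++) {
        $hdr = $secTable + 40 * $i                                        # each section header is 40 bytes
        if (($hdr + 40) -gt $Bytes.Length) { return $null }
        $rawSize = [BitConverter]::ToUInt32($Bytes, $hdr + 16)            # SizeOfRawData
        $rawPtr  = [BitConverter]::ToUInt32($Bytes, $hdr + 20)            # PointerToRawData
        $secEnd  = [long]$rawPtr + [long]$rawSize
        if ($secEnd -gt $end) { $end = $secEnd }
    }
    if ($end -gt $Bytes.Length) { $end = $Bytes.Length }                  # truncated file: clamp
    return $end
}

function Get-PeHashWithoutOverlay {
    # SHA-256 over [0, end-of-last-section), plus overlay size for context.
    param([Parameter(Mandatory)] [string] $Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $end   = Get-PeSectionEnd $bytes
    if ($null -eq $end) { throw "$Path is not a PE file" }
    $sha  = [Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($bytes, 0, [int]$end) | ForEach-Object { $_.ToString('x2') }) -join ''
    [pscustomobject]@{
        Path            = $Path
        FileLength      = $bytes.Length
        SectionEnd      = $end
        OverlaySize     = $bytes.Length - $end
        Sha256NoOverlay = $hash
    }
}

# Demo: copy a known PE, append 3201..11831 random bytes the way TEHideFile()
# does, then compare full-file hashes with overlay-stripped hashes.
$src = Join-Path $env:SystemRoot 'System32\notepad.exe'
$dst = Join-Path $env:TEMP 'notepad-padded.exe'
Copy-Item $src $dst -Force
$pad = New-Object byte[] (Get-Random -Minimum 3201 -Maximum 11832)
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pad)
$fs = [IO.File]::Open($dst, 'Append')
try { $fs.Write($pad, 0, $pad.Length) } finally { $fs.Dispose() }

$a = Get-PeHashWithoutOverlay $src
$b = Get-PeHashWithoutOverlay $dst
"Full-file SHA256 differs:        $((Get-FileHash $src).Hash -ne (Get-FileHash $dst).Hash)"   # True
"Overlay-stripped SHA256 matches: $($a.Sha256NoOverlay -eq $b.Sha256NoOverlay)"              # True
"Overlay: original $($a.OverlaySize) bytes, padded copy $($b.OverlaySize) bytes"
Remove-Item $dst -Force
```

Two caveats. Signed binaries already carry an overlay, because the Authenticode certificate table lives after the last section, so the mere presence of an overlay is not a signal; compare the overlay-stripped hash, or look at the overlay's size and content, rather than its existence. And padding only leaves behaviour unchanged for formats that ignore trailing data: a self-extracting installer that stores its payload in the overlay, or a data file that is parsed to end-of-file, can be broken by it.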

What About Global API Hooking?

To learn about global API hooking, I recommend reading the excellent article by ApriorIT, "Easy way to set up global API hooks". If you are interested in kernel-level hiding, that can be done using drivers. There are several techniques, among them SSDT/IDT table manipulation; see this article for an example, or read this one about the SSDT.

History

  • 15th June, 2014: Initial version

Michael Haephrati, CodeProject MVP 2013

©2000-2010 Target Eye LTD (UK)

All materials contained on this article are protected by International copyright law and may not be used, reproduced, distributed, transmitted, displayed, published or broadcast without the prior written permission given by Target Eye LTD (UK). You may not alter or remove any trademark, copyright or other notice from copies of the content.

License

This article, along with any associated source code and files, is licensed under The BSD License


Written By
CEO, Secured Globe, Inc.
United States
Michael Haephrati is a music composer, an inventor and an expert specializing in software development and information security, who has built a unique perspective that combines technology and the end-user experience. He is the author of the book Learning C++, which teaches C++20 and was published in August 2022.

He is the CEO of Secured Globe, Inc., and also active at Stack Overflow.

Read our Corporate blog or read my Personal blog.





Comments and Discussions

Question: A few things... (CodyDaemon, 14-Apr-15 6:01)
Answer: Re: A few things... (Michael Haephrati, 9-Aug-15 4:34)
In my opinion, anything you can read to a hard drive you can read into memory because these days memory is actually hard disk space mapped as RAM.
I agree with point B.
Point C is a good point. Since the purpose is to get the length of existing files, if a file doesn't exist it should not be created.
- Michael Haephrati מיכאל האפרתי

General: Re: A few things... (CodyDaemon, 18-Aug-15 1:30)
General: Re: A few things... (Michael Haephrati, 18-Aug-15 1:45)
Question: Great idea (Harry W2, 23-Jul-14 7:01)
General: My vote of 5 (Tadit Dash (ତଡିତ୍ କୁମାର ଦାଶ), 20-Jul-14 21:29)
General: My vote of 5 (Ștefan-Mihai MOGA, 20-Jul-14 4:42)
General: Re: My vote of 5 (Michael Haephrati, 20-Jul-14 5:38)
Question: Very nice article (Weissman Shimon, 23-Jun-14 10:17)
Question: Great work (kiquenet.com, 16-Jun-14 9:23)
Answer: Re: Great work (Michael Haephrati, 16-Jun-14 9:25)
General: Re: Great work (kiquenet.com, 19-Jul-14 9:18)
General: Re: Great work (Michael Haephrati, 19-Jul-14 9:22)
General: Amazing! (Member 10239602, 13-Jun-14 6:51)
General: Re: Amazing! (Michael Haephrati, 14-Jun-14 0:13)