In my blog I posted a quick script that will hide archives in JPEG images.
Well, here I am going to show you how to abuse NTFS and hide files alongside an executable. As the file system and binary imply, this is Windows based.
The feature we will be abusing is the Alternate Data Stream (ADS). ADS was introduced back in the Windows NT 3.1 days so the file system could exchange files with Apple's Hierarchical File System (HFS).
This comes in handy for us in several ways. We can store DLLs we want to inject in the binary itself, use it to store text data for backdoor redirects, create an encoder/decoder to hide files in itself for better protection and transportation, etc.
We do this almost like you would in the blog post about hiding archives in JPEGs. We open both files and append the file we read to the other.
# Include file extensions when prompted, e.g. "payload.dll" and "calc.exe"
hide = input("File to hide: ")
visible = input("Visible file: ")
# Read the file we want to tuck away
file_to_hide = open(hide, "rb")
file_content = file_to_hide.read()
file_to_hide.close()
print("File size: %d" % len(file_content))
# "visible:hide" names an alternate data stream of the visible file on NTFS
visible_file = open("%s:%s" % (visible, hide), "wb")
visible_file.write(file_content)
visible_file.close()
As you can see, about the only difference is the ":" when opening the binary. The colon tells NTFS to write the data into a named stream attached to the visible file instead of a separate file, so the hidden file sits alongside the binary: Explorer and a plain "dir" do not list it and the reported size of the binary does not change. Keep in mind that "dir /r" and stream-aware tools do list named streams, and that the stream is dropped as soon as the file is copied to a non-NTFS volume (FAT, exFAT) or sent over most transfer channels.
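Since "dir /r" is the quickest way to spot these streams, here is an added example (my own, not from the post or from Grey Hat Python) that parses constructed "dir /r" output to flag files carrying named streams, plus a Windows-only enumerator built on the FindFirstStreamW/FindNextStreamW API so a defender can check a suspect binary directly. The sample listing, the file names in it and the Zone.Identifier skip rule are assumptions for the example.

```python
import ctypes
import re
import sys

# Constructed sample of `dir /r` output for this example; stream entries
# carry only a size column and a "<file>:<stream>:$DATA" name.
SAMPLE_DIR_R = """\
03/15/2020  10:00 AM            27,648 calc.exe
                                 5,120 calc.exe:hidden.dll:$DATA
03/15/2020  10:00 AM                14 notes.txt
                                    23 notes.txt:Zone.Identifier:$DATA
"""
_STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

def find_hidden_streams(dir_r_output):
    """Return {filename: [(stream, size)]} for named streams in `dir /r` text.
    Zone.Identifier (mark-of-the-web) is skipped so real anomalies stand out."""
    found = {}
    for line in dir_r_output.splitlines():
        m = _STREAM_LINE.match(line)
        if not m or m.group(3) == "Zone.Identifier":
            continue
        size = int(m.group(1).replace(",", ""))
        found.setdefault(m.group(2), []).append((m.group(3), size))
    return found

def list_streams(path):
    """Windows only: enumerate all data streams of `path`, default "::$DATA" included."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration requires Windows")
    from ctypes import wintypes

    class StreamData(ctypes.Structure):  # WIN32_FIND_STREAM_DATA
        _fields_ = [("StreamSize", wintypes.LARGE_INTEGER),
                    ("cStreamName", wintypes.WCHAR * (wintypes.MAX_PATH + 36))]
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wintypes.HANDLE]
    data, streams = StreamData(), []
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams
```

On the sample listing, find_hidden_streams reports only calc.exe with its hidden.dll stream; run list_streams on a binary produced by the script above and you will see both "::$DATA" and the ":<name>:$DATA" stream that "dir" hides.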
I learned this technique in "Gray Hat Python", great book.