Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   how to hide a file (https://forum.exetools.com/showthread.php?t=4979)

taos 08-14-2004 01:11

how to hide a file
 
Hi

It's simple but runs. When I have to hide a file (EXE, audio, etc...) even an EXE that's running, I use a system API hook.

I've tried several methods, but I use the Validtec Windows API Hook SDK.

The demo is totally functional (if you pay, you get the source code only).
You need 3 DLLs from his package: APIHOOKxp.dll or APIHOOK9x.dll, HOOKSETUP.DLL, and your hooked func in a DLL (HOOKFUNC.DLL).
In hookfunc.dll I hook FindNextFileW(HANDLE, LPWIN32_FIND_DATAW) and
FindNextFileA(HANDLE, LPWIN32_FIND_DATAA)

My hooked funcs are:

#include <windows.h>

BOOL WINAPI cFindNextFileW(HANDLE hFindFile, LPWIN32_FIND_DATAW lpFindFileData)
{
    // name of the file to hide (compared case-insensitively)
    WCHAR CHideFileW[MAX_PATH] = L"nameofthefile.exe";
    BOOL result;

    for (;;) {
        result = FindNextFileW(hFindFile, lpFindFileData);
        // if FindNextFile returns our to-be-hidden file we simply call it again
        // no problem here, since there's no enumeration index anywhere
        if ((!result) || (lstrcmpiW(lpFindFileData->cFileName, CHideFileW))) break;
    }
    return result;
}

BOOL WINAPI cFindNextFileA(HANDLE hFindFile, LPWIN32_FIND_DATAA lpFindFileData)
{
    // ANSI variant of the same hook
    char CHideFileA[MAX_PATH] = "nameofthefile.exe";
    BOOL result;

    for (;;) {
        result = FindNextFileA(hFindFile, lpFindFileData);
        // if FindNextFile returns our to-be-hidden file we simply call it again
        // no problem here, since there's no enumeration index anywhere
        if ((!result) || (lstrcmpiA(lpFindFileData->cFileName, CHideFileA))) break;
    }
    return result;
}

And from my EXE program I use (in Visual Basic, for example):
Public Declare Function InitAPIHook Lib "hooksetup.dll" () As Integer
Public Declare Function HookAllProcesses Lib "hooksetup.dll" () As Integer
Public Declare Function UnhookAllProcesses Lib "hooksetup.dll" () As Integer

and
Call InitAPIHook()
Call HookAllProcesses()
then all the system APIs are redirected to my hook func.
If you open a DOS box or the Windows Explorer or use the search program, etc... nameofthefile.exe IS HIDDEN!!! :eek:
Only when you unhook is it visible again. :)

Regards

jov 08-18-2004 04:41

I think that for real hooking you will need to write a ring0 driver. This ring3 hooking with DLL injection is not a reliable enough technique.

thewhiz 08-18-2004 12:06

Phrack to the rescue perhaps?
 
hxxp://www.phrack.org/show.php?p=62&a=6

Dig through that, it will give you some rather interesting ideas
at the very least.

Sky 08-19-2004 01:04

I think, use FolderGuard...
 
For some years I've used FolderGuard to hide or restrict access to some of my files and folders at home. :cool: This product uses its own driver to restrict access. You can see it in Device Manager when you turn on "Show hidden devices" in the node "Non-Plug and Play Devices". I really didn't check whether it can restrict access when I use some recovery tools. You may test it. It's better to use version 5.5 or higher, because lower versions have some troubles in work, like BSOD (Blue Screen of Death). About these bugs I mailed the product company, and in later versions they fixed them :D .

drocon 08-19-2004 13:16

Quote:

Originally Posted by jov
I think that for real hooking you will need to write a ring0 driver. This ring3 hooking with DLL injection is not a reliable enough technique.

it's reliable enough, and KMDs are NT-only (and if you combine some sort of VXD/KMD stuff in one app, it will look ugly :/ ). IAT-hooking is sufficient for the average job, but you need to watch out for some annoying pitfalls, like patching LoadLibrary()/GetProcAddress(), but even then an app could dynamically obtain API address by enumerating EATs, so that's where EAT-hooking comes in.

As for reliability, it's simply best to allocate a buffer of, say, 20 bytes of nops and a jmp, use an LDE, scan the first few instructions until the length you have scanned exceeds 6 (push dword / retn; it must be direct, not relative, so it can be hooked again), copy those instructions into your empty buffer, patch the entrypoint, repair the empty jump in the buffer, and that shall act as a stub your hooking procedure calls to return to the original function. I, personally, think this is the most reliable way out there.

As for DLL injection: open a process, retrieve its threads, use OpenThread() to convert dwThreadID to hThread, SuspendThread(), GetThreadContext(), alter eip, SetThreadContext(), and inject a CreateThread() call, then resume the thread.

OpenThread() is "officially" only available on NT, but there are plenty of undocumented ways to achieve the same.

ok just my 2 cents.
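The thread so far describes two things a defender would want to recognise: an entry-point detour on FindNextFileW/FindNextFileA (taos's hook, installed through the Validtec SDK) and the push dword / retn or jmp style patch drocon recommends for inline hooks. The block below is an added detection-side example, not code from the thread or from any of the tools named in it. It classifies the first bytes of an export against those detour encodings and cross-checks them against the on-disk copy of the DLL. All prologue bytes, export names and addresses in the sample table are constructed; `read_live_prologue` is only a helper for pulling real bytes on a Windows host and is not needed to run the example.

```python
"""Added example: spot user-mode inline hooks on Win32 exports.

An inline hook overwrites an API's first instructions with a jmp rel32,
a jmp [imm32], or (as described in the thread) push imm32 / retn.  Two
checks together give a useful triage signal: pattern-match the prologue,
and compare the in-memory bytes with the on-disk image of the DLL.
Sample data below is constructed; the addresses are hypothetical.
"""
import sys
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

_JMP_REL32 = 0xE9        # jmp rel32
_PUSH_IMM32 = 0x68       # push imm32
_RET = 0xC3              # retn
_JMP_IND = b"\xff\x25"   # jmp dword ptr [imm32]


@dataclass(frozen=True)
class Verdict:
    hooked: bool
    kind: Optional[str] = None    # jmp_rel32 | push_ret | jmp_indirect | modified
    target: Optional[int] = None  # where control is redirected, when computable


def classify_prologue(prologue: bytes, function_va: int) -> Verdict:
    """Match the first bytes of a function against known detour encodings."""
    if len(prologue) >= 5 and prologue[0] == _JMP_REL32:
        rel = int.from_bytes(prologue[1:5], "little", signed=True)
        return Verdict(True, "jmp_rel32", (function_va + 5 + rel) & 0xFFFFFFFF)
    if len(prologue) >= 6 and prologue[0] == _PUSH_IMM32 and prologue[5] == _RET:
        return Verdict(True, "push_ret", int.from_bytes(prologue[1:5], "little"))
    if len(prologue) >= 6 and prologue[:2] == _JMP_IND:
        return Verdict(True, "jmp_indirect", int.from_bytes(prologue[2:6], "little"))
    return Verdict(False)


def check_export(memory: bytes, disk: bytes, function_va: int) -> Verdict:
    """Pattern-match first; any other difference from the on-disk bytes is
    reported as 'modified' (an encoding this scanner does not recognise)."""
    verdict = classify_prologue(memory, function_va)
    if verdict.hooked:
        return verdict
    n = min(len(memory), len(disk))
    if memory[:n] != disk[:n]:
        return Verdict(True, "modified")
    return verdict


def scan_exports(table: Dict[str, Tuple[int, bytes, bytes]]) -> Dict[str, Verdict]:
    """table maps export name -> (virtual address, in-memory bytes, on-disk bytes)."""
    return {name: check_export(mem, disk, va) for name, (va, mem, disk) in table.items()}


def read_live_prologue(module: str, export: str, length: int = 16) -> bytes:
    """Windows-only helper: read the first bytes of an export in this process.
    Producing the matching on-disk bytes (mapping the DLL file and locating the
    export's file offset) is outside this example."""
    if sys.platform != "win32":
        raise OSError("read_live_prologue needs Windows")
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    addr = k32.GetProcAddress(k32.GetModuleHandleW(module), export.encode())
    if not addr:
        raise OSError(f"{module}!{export} not found")
    return ctypes.string_at(addr, length)


# Constructed sample: a hot-patchable prologue (mov edi,edi / push ebp / mov ebp,esp)
CLEAN = bytes.fromhex("8bff558bec")

# Constructed table with hypothetical addresses: exports at 0x7C80xxxx,
# hook handler at 0x00401000.  FindNextFileW carries a jmp rel32 to the
# handler, FindNextFileA a push/retn pair, FindClose an unrecognised patch.
SAMPLE = {
    "FindNextFileW":  (0x7C801000, bytes.fromhex("e9fbffbf83"), CLEAN),
    "FindNextFileA":  (0x7C802000, bytes.fromhex("6800104000c3"), CLEAN),
    "FindFirstFileW": (0x7C803000, CLEAN + b"\xcc\xcc", CLEAN),
    "FindClose":      (0x7C804000, bytes.fromhex("9090558bec"), CLEAN),
}

if __name__ == "__main__":
    for name, verdict in scan_exports(SAMPLE).items():
        print(f"{name:15s} hooked={verdict.hooked} kind={verdict.kind} "
              f"target={hex(verdict.target) if verdict.target is not None else None}")
```

A hit from this scanner is a lead, not a conviction: antivirus and EDR agents and application-compatibility shims install the same kinds of detours, so the redirect target has to be attributed to a module before it is called malicious. The disk comparison is safe on hot-patchable prologues because they contain no relocated addresses; longer windows need relocation-aware comparison. And, as jov points out, a ring0 hook never touches these bytes at all, so this check only covers the user-mode technique the thread is about.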

homersux 08-20-2004 10:09

It looks like taos is running a pre-NT Windows OS. I don't see why the described method would work on NT4.0+.

taos 08-20-2004 14:33

Quote:

Originally Posted by homersux
It looks like taos is running a pre-NT Windows OS. I don't see why the described method would work on NT4.0+.


Quote from Validtec:
"APIHookxp.dll: Win32 API Hook DLL for WINNT/2000/XP
APIHook9x.dll: Win32 API Hook DLL for WIN9X/WINME"

It's valid for different OSes. You only need to distribute the right DLL, or both.
:)

xixiaolou 08-26-2004 18:31

For hiding a file on the hard disk, maybe you should learn some stealth techniques from Phrack.

For hiding a running PE file, you can code it to change its own PEB, hook some APIs, and even inject itself into another process.


All times are GMT +8.