EXETOOLS FORUM  

#1 | 10-01-2016, 05:37 | Insid3Code
[C++/NATIVE] inaccessible folder

Inaccessible folder, inspired by the way "WinMend Folder Hidden" works.

Code:
#include <windows.h>
#include <ntdll.h>   /* NT API: NtCreateFile, NtDeleteFile, NtClose, RtlInitUnicodeString */
#include <stdio.h>   /* sprintf */

#ifdef _WIN64
const char *captionMsg = "64-bit Application";
#else
const char *captionMsg = "32-bit Application";
#endif

/* \??\ is the NT object-manager form of the path: no Win32 normalisation is
   applied, so a component named "..." is accepted here although Win32 would
   strip the trailing dots and ordinary tools cannot open it. */
#define MAIN_FOLDER L"\\??\\C:\\Winmend~Folder~Hidden"

const wchar_t *folders[] = {
    MAIN_FOLDER,
    MAIN_FOLDER L"\\...",
    MAIN_FOLDER L"\\...\\cn"
};

void Report(NTSTATUS NtStatus, const char *msg, const wchar_t *path) {
    char buffer[256] = {0};
    /* Local, so an earlier success does not mislabel a later failure. */
    const char *statusMsg = (NtStatus == 0) ? "SUCCESS" : "FAILED!";

    sprintf(buffer,
            "Task:\t%s\nPath:\t%S\nStatus:\t0x%X (%s)",
            msg, path, NtStatus, statusMsg);

    MessageBoxA(NULL, buffer, captionMsg,
                (NtStatus == 0) ? MB_ICONINFORMATION : MB_ICONERROR);
}

int main() {
    NTSTATUS NtStatus;
    HANDLE hTarget;
    UNICODE_STRING ObjectName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;

    /* Create the three nested directories, outermost first. */
    for (int x = 0; x < 3; x++) {
        RtlInitUnicodeString(&ObjectName, folders[x]);
        InitializeObjectAttributes(&ObjectAttributes, &ObjectName,
                                   OBJ_CASE_INSENSITIVE, NULL, NULL);

        NtStatus = NtCreateFile(&hTarget,
                                FILE_READ_DATA | FILE_WRITE_DATA,
                                &ObjectAttributes,
                                &IoStatusBlock,
                                NULL,                  /* AllocationSize */
                                FILE_ATTRIBUTE_HIDDEN,
                                FILE_SHARE_READ | FILE_SHARE_WRITE,
                                FILE_CREATE,           /* fail if it already exists */
                                FILE_DIRECTORY_FILE,   /* create a directory, not a file */
                                NULL, 0);              /* no extended attributes */

        Report(NtStatus, "Creating folder...", folders[x]);
        if (NtStatus == 0)        /* hTarget is only valid on success */
            NtClose(hTarget);
    }

    /* Delete innermost first: NtDeleteFile cannot remove a non-empty directory. */
    for (int x = 2; x >= 0; x--) {
        RtlInitUnicodeString(&ObjectName, folders[x]);
        InitializeObjectAttributes(&ObjectAttributes, &ObjectName,
                                   OBJ_CASE_INSENSITIVE, NULL, NULL);

        NtStatus = NtDeleteFile(&ObjectAttributes);
        Report(NtStatus, "Deleting folder...", folders[x]);
    }

    return 0;
}

Binary and source attached.
Attached: inaccessible_folder.rar (2.8 KB)
__________________
Computer Forensics
#2 | 10-02-2016, 05:31 | chants
What if one recreates the first two folders, wouldn't the folder be accessible again?

What is the simplest, fastest and most practical way (even using ACLs and command line tools) to delete it or regain access to it?
#3 | 10-02-2016, 22:53 | gigaman
The access is "prevented" just by the weird name (...), which many tools don't support. You don't have to use the Native API - you can use the ordinary Win32 API, but you need to use the \\?\ prefix with the path.
You can even use the usual command line tools, e.g.
Code:
mkdir \\?\C:\Winmend~Folder~Hidden\...\cn
or
Code:
rmdir \\?\C:\Winmend~Folder~Hidden\...\cn
rmdir \\?\C:\Winmend~Folder~Hidden\...
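Added example (not code from the thread or from either poster): a portable C check that a forensic examiner can run over a directory listing to flag entry names that NTFS and the NT namespace accept but Win32 path normalisation does not, which is exactly why a folder named "..." is unreachable for ordinary tools, and to print the \\?\ form gigaman describes (the Win32 spelling of the \??\ prefix used in the post's MAIN_FOLDER) for reaching it. The function names, the sample listing and the drive path are my own constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if Win32 normalisation accepts the name as written, 0 if only the verbatim
 * form (\\?\ in Win32, \??\ in the NT namespace) can reach the entry. */
int win32_accepts_name(const char *name)
{
    static const char *reserved[] = { "CON", "PRN", "AUX", "NUL" };
    size_t len = strlen(name), n, i;
    char stem[16];
    if (len == 0) return 0;
    for (i = 0; i < len; i++)
        if ((unsigned char)name[i] < 32 || strchr("<>:\"/\\|?*", name[i])) return 0;
    /* Win32 strips trailing dots and spaces before NTFS sees the name, so
     * "..." collapses to nothing and "archive." becomes "archive". */
    if (name[len - 1] == '.' || name[len - 1] == ' ') return 0;
    /* DOS device names are intercepted even with an extension ("nul.txt"). */
    n = strcspn(name, ".");
    if (n < sizeof stem) {
        for (i = 0; i < n; i++) stem[i] = (char)toupper((unsigned char)name[i]);
        stem[n] = '\0';
        for (i = 0; i < 4; i++)
            if (strcmp(stem, reserved[i]) == 0) return 0;
        if (n == 4 && (!strncmp(stem, "COM", 3) || !strncmp(stem, "LPT", 3))
            && stem[3] >= '1' && stem[3] <= '9') return 0;
    }
    return 1;
}

/* Walks a listing of dir, prints the verbatim path for every entry that ordinary
 * tools cannot open, and returns how many such entries it found. */
int scan_listing(const char *dir, const char *const *names, int count)
{
    int flagged = 0;
    for (int i = 0; i < count; i++) {
        if (!strcmp(names[i], ".") || !strcmp(names[i], "..")) continue;
        if (win32_accepts_name(names[i])) continue;
        flagged++;
        printf("suspect entry %-12s reach it via \\\\?\\%s\\%s\n",
               names[i], dir, names[i]);
    }
    return flagged;
}

int main(void)
{
    /* Constructed listing modelled on the thread's folder layout (sample data). */
    static const char *const entries[] = { ".", "..", "...", "cn",
                                           "report.txt", "CON", "archive.", "nul.txt" };
    printf("%d entries need the \\\\?\\ prefix\n",
           scan_listing("C:\\Winmend~Folder~Hidden", entries, 8));
    return 0;
}
```

On a live system the listing would come from a directory enumeration done through the same \\?\ prefix, since a normalised path cannot reach the parent folder either.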
#4 | 10-03-2016, 03:00 | Insid3Code
Thanks guys!

Yes, this protection used by the WinMend Folder Hidden tool can be bypassed by using WinRAR and other tools to explore the inaccessible folder (already known ways), get the password stored in plaintext, and also extract the hidden files.

Coding this example (C++/Native) is a personal choice, as I have already tested other ways to access or remove the created folders.
__________________
Computer Forensics
#5 | 10-03-2016, 13:27 | ontryit

Quote:
Originally Posted by Insid3Code
Inaccessible folder, inspired by the way "WinMend Folder Hidden" works.

[...]
Binary and source attached.
Bro, can you translate the code into Delphi?
Also, please create a mirror elsewhere; I can't download the attachment.
Thx

//ontryit
#6 | 10-04-2016, 04:59 | Insid3Code
@ontryit

Attached "main32.dpr" (NATIVE); you can build it with Delphi 7 or a modern Delphi...

Alternative link (Delphi snippet):
http://www.mediafire.com/file/c87ck5a8htrbc87/inaccessible_folder_delphi.rar
Alternative link (C++ snippet and binary):
http://www.mediafire.com/file/9wwiembfz3vbacn/inaccessible_folder.rar
Attached: inaccessible_folder_delphi.rar (1.4 KB)
__________________
Computer Forensics