methods to hide file from explorer

Hi ,

While analyzing a malware's behaviour I found that my app is able to detect it (it can see it with FindFirstFile), but when I go to Explorer to look at that file it is hidden; the same is true with cmd.exe (obviously "show hidden files" is on).

At first it seemed that it is just hiding itself from specific OS processes. To find this I checked the system and, to my surprise, found no hooking in the system: neither user mode nor kernel mode (in fact it does not load any driver).

After verifying all this I need some more clues to check. There must exist some other way to hide it without doing any type of hooking or without a filter driver; I just want to know what it could be.

Any suggestions?

Thanks
Aditya

Please see inlines

On Fri, Feb 6, 2009 at 12:38 PM, wrote:

> Hi ,
>
> While analyzing a malware's behaviour I found that my app is able to detect
> it (it can see it with FindFirstFile), but when I go to Explorer to look at that
> file it is hidden; the same is true with cmd.exe (obviously "show hidden files"
> is on).
>
> At first it seemed that it is just hiding itself from specific OS processes.
> To find this I checked the system and, to my surprise, found no hooking in
> the system: neither user mode nor kernel mode (in fact it does not load any
> driver).
>

You mean not even any ntdll API?
Which tool did you use to verify that the system wasn’t compromised (or hooked)?
Just to be sure, try renaming your own app to “explorer.exe” and then run
it.
Can you see that file with other tools (like IceSword/GMER)?

> After verifying all this I need some more clues to check. There must exist
> some other way to hide it without doing any type of hooking or without a
> filter driver; I just want to know what it could be.
>
> Any suggestions?
>
> Thanks
> Aditya
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

GMER is also not able to find that file as hidden; I have not checked with IceSword.

Rootkit Detective from McAfee is showing it as hidden, along with a few other tools.

>Just to be sure, try renaming your own app as “explorer.exe” and then run it.
Ok I’ll try.

>>You mean not even any ntdll API? Which tool did you use to verify that the system wasn’t compromised (or hooked)?

Yes, not even NTDLL; I checked it with many tools including IceSword.

What about renaming your own app as valid well known application (like
explorer, gmer)?

On Fri, Feb 6, 2009 at 3:41 PM, wrote:

> >>You mean not even any ntdll API? Which tool did you use to verify that the system
> wasn’t compromised (or hooked)?
>
> Yes, not even NTDLL; I checked it with many tools including IceSword.

Might be some sort of DKOM happening.

The OS is fairly important here - what is it?

A common method would be to unlink the process from the linked list of
EPROCESSes; this would render the process “invisible” to certain APIs, and
can easily be done from UM or KM on XP. It’s harder on Vista because the
FLINK and BLINK pointers in this list are XOR’ed specifically to try and
prevent this.

Full explanation here:

http://www.symantec.com/avcenter/reference/when.malware.meets.rootkits.pdf

It’s interesting that FindFirstFile finds it, though.

There are also methods of hooking and JMP’ing that attempt to cloak
themselves; what are you using to check for hooks?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: 06 February 2009 07:09
To: Windows System Software Devs Interest List
Subject: [ntdev] methods to hide file from explorer


I guess the OP is talking about files and not a process.
Moreover, the DKOM technique that you mentioned is fairly old and is detected by
almost all the tools these days.

Possible causes can be:

  1. Malware is doing hooking which is not detectable by the common
    tools. Generally tools check the IATs and EATs and the first few
    instructions of the actual code implementation.

  2. Malware has replaced kernel32.dll with its own version of kernel32.dll
    and hence is not hooking but still achieving its purpose.

Regards
Deepak

On Fri, Feb 6, 2009 at 5:01 PM, Crispin Wright wrote:

> Might be some sort of DKOM happening.
>
> The OS is fairly important here - what is it?
>
> A common method would be to unlink the process from the linked list of
> EPROCESSes; this would render the process “invisible” to certain APIs,
> and
> can easily be done from UM or KM on XP. It’s harder on Vista because the
> FLINK and BLINK pointers in this list are XOR’ed specifically to try and
> prevent this.
>
> Full explanation here:
>
> http://www.symantec.com/avcenter/reference/when.malware.meets.rootkits.pdf
>
>
> It’s interesting that FindFirstFile finds it, though.
>
> There are also methods of hooking and JMP’ing that attempt to cloak
> themselves; what are you using to check for hooks?
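
The "first few instructions" check Deepak describes in his point 1, as an added example that is not code from the thread or from any of the tools named in it. It runs over constructed byte strings; on a real XP box the `live` bytes would be read from the loaded image of the function under test (say kernel32!FindFirstFileW, located with GetProcAddress) and the `disk` bytes from the same RVA in the file on disk. The trampoline encodings are the standard 32-bit x86 ones; the module base, size and function address are made-up values.

```c
/* Added example, not code from the thread: classify a function's entry bytes
 * as a known inline-hook trampoline, and otherwise diff them against the
 * on-disk image. All byte strings and addresses below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum hook_kind {
    HOOK_NONE = 0,    /* no trampoline pattern and bytes equal the on-disk image */
    HOOK_JMP_REL32,   /* E9 rel32                 (classic detour)              */
    HOOK_JMP_ABS_IND, /* FF 25 [abs32]            (jmp through a pointer)       */
    HOOK_PUSH_RET,    /* 68 imm32 ; C3            (push target ; ret)           */
    HOOK_MOV_JMP,     /* B8 imm32 ; FF E0         (mov eax,imm32 ; jmp eax)     */
    HOOK_HOTPATCH,    /* EB F9 in place of 8B FF  (mov edi,edi hot-patch slot)  */
    HOOK_MISMATCH     /* no known pattern, but live bytes differ from disk      */
};

/* Pattern match on the entry bytes only (32-bit x86, as on the OP's XP SP2). */
enum hook_kind classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)                    return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return HOOK_JMP_ABS_IND;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return HOOK_PUSH_RET;
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0)
        return HOOK_MOV_JMP;
    /* Hot-patchable functions start with mov edi,edi (8B FF) and have a 5-byte
     * pad before them; a hook turns the mov into "jmp short -7" (EB F9). */
    if (len >= 2 && code[0] == 0xEB && code[1] == 0xF9) return HOOK_HOTPATCH;
    return HOOK_NONE;
}

/* Full check: a known trampoline at the entry, otherwise a byte-for-byte
 * comparison with the on-disk image so a hook placed after the first
 * instruction is still caught. Absolute operands touched by relocation
 * can cause benign mismatches; a real tool applies the relocation table
 * to the disk copy first. */
enum hook_kind check_prologue(const uint8_t *live, const uint8_t *disk, size_t len)
{
    enum hook_kind k = classify_prologue(live, len);
    if (k != HOOK_NONE) return k;
    return memcmp(live, disk, len) == 0 ? HOOK_NONE : HOOK_MISMATCH;
}

/* Destination of an E9 jmp whose opcode sits at virtual address func_va. */
uint32_t jmp_rel32_target(uint32_t func_va, const uint8_t *code)
{
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    return func_va + 5 + rel;   /* wraps modulo 2^32, exactly as the CPU does */
}

/* A detour normally leaves the exporting module; the compiler's own jumps do not. */
int target_outside_module(uint32_t target, uint32_t base, uint32_t size)
{
    return target < base || target - base >= size;
}

int main(void)
{
    /* Constructed samples; the addresses are hypothetical, not real XP values. */
    const uint32_t base = 0x7C800000u, size = 0x000F6000u, func_va = 0x7C80EF1Cu;
    const uint8_t disk[8]     = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10}; /* mov edi,edi; push ebp; mov ebp,esp; sub esp,10h */
    const uint8_t hooked[8]   = {0xE9,0xDF,0x20,0xBF,0x83,0x83,0xEC,0x10}; /* jmp 00401000h overwrote the first 5 bytes */
    const uint8_t hotpatch[8] = {0xEB,0xF9,0x55,0x8B,0xEC,0x83,0xEC,0x10}; /* jmp short -7 into the pad */
    const uint8_t deep[8]     = {0x8B,0xFF,0x55,0x8B,0xEC,0xE9,0x00,0x00}; /* detour placed after the prologue */
    uint32_t target = jmp_rel32_target(func_va, hooked);

    printf("clean     -> %d\n", check_prologue(disk, disk, 8));
    printf("E9 detour -> %d, target 0x%08X, outside module = %d\n",
           check_prologue(hooked, disk, 8), (unsigned)target,
           target_outside_module(target, base, size));
    printf("hot-patch -> %d\n", check_prologue(hotpatch, disk, 8));
    printf("deep hook -> %d\n", check_prologue(deep, disk, 8));
    return 0;
}
```

The pattern table is what most 2009-era hook scanners stop at, which is why Deepak's second cause matters: if the whole DLL on disk has been replaced, `disk` and `live` agree and this check reports nothing. The reference bytes then have to come from a copy whose hash is known good, not from the file on the suspect machine.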

>>>The OS is fairly important here - what is it?

XP SP2

>>>A common method would be to unlink the process from the linked list of EPROCESS(es), this would render the process “invisible” to certain APIs, and can easily be done from UM or KM on XP,

Probably my statement was not clear: the process is not hidden in any such way; in fact we got it by all methods (including the one you mentioned). The on-disk file of this process is hidden from Explorer and cmd.exe.

>There are also methods of hooking and JMP’ing that attempt to cloak themselves, what are you using to check for hooks?

We have our own code to detect this, but apart from that I tried GMER, IceSword and the McAfee tools and found no user/kernel mode hooking.

@Deepak,

>What about renaming your own app as valid well known application (like explorer, gmer)?
Tried, but no success; in fact I killed Windows Explorer first and then executed my app under the Explorer name, but still it is not hidden from me.

>>2) Malware has replaced kernel32.dll with his own version of kernel32.dll and hence not hooking but still acheiving his purpose.

This is new for us, so can anyone point out what top-level APIs Explorer uses to retrieve the folder list? Probably it hides from those APIs only and not from the FindXXXX APIs.

Just assuming that Explorer is not using these APIs directly :) . Do we have alternate APIs for FindXXXXFile in Win32?

Thanks
Aditya

On Fri, Feb 6, 2009 at 5:19 PM, wrote:

> >>2) Malware has replaced kernel32.dll with his own version of kernel32.dll
> and hence not hooking but still acheiving his purpose.
>
> This is new for us, so can anyone point out what top-level APIs Explorer
> uses to retrieve the folder list? Probably it hides from those APIs only and
> not from the FindXXXX APIs.
>
> Just assuming that Explorer is not using these APIs directly :) . Do we
> have alternate APIs for FindXXXXFile in Win32?
>

Try using PEBrowse/PEView or other PE viewing tools to check the imports of
explorer.exe.

I have seen it on my system several times: explorer imports the FindXXXXFile
Win32 APIs and not any wrapper.

It is strange to me how that malware is hiding itself (are you very
sure that it is not using any driver component?).

> Thanks
> Aditya

When the OP said “At first it seems that it is just hiding itself from
specific OS processes”, this made me think process, not file: “hiding
itself”.

I would be interested to know how a non-PE file can “hide itself” unless it
has been hidden, or is “being hidden”, by either a resident PE or actions
carried out by a PE at some point.

Yes, granted the DKOM technique is old, but I still surprisingly see tools that
miss this method, so I disagree with your statement that this method is
detected by “almost all”.

Would the file integrity feature not “typically” (i.e. unless it has been
circumvented as well) prevent the replacement of kernel32.dll?

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Deepak Gupta
Sent: 06 February 2009 11:41
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] methods to hide file from explorer


xxxxx@gmail.com wrote:

While analyzing a malware's behaviour I found that my app is able to detect it (it can see it with FindFirstFile), but when I go to Explorer to look at that file it is hidden; the same is true with cmd.exe (obviously "show hidden files" is on).

Continuing with the obvious, do you have “show system files” turned on?
In a DOS box, are you able to see it with “dir /a”? What do you see if
you type “attrib cmd.exe”?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

>>do you have “show system files” turned on?

yes it is already on with show hidden files.

I know some rootkits that show or hide files based on the name of the process, to fool differencing rootkit detectors. Did you try playing with the process name?

Thanks,
Alex.
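
A cross-view ("differencing") directory check of the kind Alex mentions, which is also the answer to Aditya's earlier question about an alternate API to FindXXXXFile: you do not need a different Win32 wrapper, you need a second view of the same directory taken through a different path and a diff of the two. This is an added example, not code from the thread or from any of the detectors named in it, and it runs on constructed listings. On Windows the low-level view would come from NtQueryDirectoryFile (or from FindFirstFileW in the analyst's own process, which the OP says does see the file) and the high-level view from the path that hides it, e.g. the shell's IShellFolder::EnumObjects or the parsed output of `cmd.exe /c dir /a`. The file names are made up.

```c
/* Added example, not code from the thread: report directory entries that a
 * low-level enumeration returns but a high-level one does not. The three
 * listings below are constructed; no real system was sampled. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NTFS and FAT compare names case-insensitively, so MALWARE.EXE and
 * malware.exe are one entry. Plain ASCII names are assumed here. */
int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int in_view(const char *name, const char *const *view, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (name_eq(name, view[i])) return 1;
    return 0;
}

/* Entries seen by the low-level enumeration but not by the high-level one.
 * The low-level view is taken twice, before (lo1) and after (lo2) the
 * high-level one, and an entry is reported only if it is in both: a file
 * that was merely created or deleted between the scans then drops out,
 * which is the main false-positive source for differencing tools.
 * Writes up to cap names into out and returns how many were written. */
size_t hidden_entries(const char *const *lo1, size_t n1,
                      const char *const *hi,  size_t nh,
                      const char *const *lo2, size_t n2,
                      const char **out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n1 && found < cap; i++) {
        const char *name = lo1[i];
        if (!strcmp(name, ".") || !strcmp(name, "..")) continue; /* never listed by the shell */
        if (in_view(name, hi, nh))   continue;   /* visible in both views: fine */
        if (!in_view(name, lo2, n2)) continue;   /* transient file, not hidden */
        out[found++] = name;
    }
    return found;
}

/* Constructed listings of one directory. */
static const char *const sample_lo1[] = { ".", "..", "boot.ini", "MALWARE.EXE", "ntldr", "~tmp1234.tmp" };
static const char *const sample_hi[]  = { "boot.ini", "NTLDR" };
static const char *const sample_lo2[] = { ".", "..", "boot.ini", "malware.exe", "ntldr" };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

size_t run_sample(const char **out, size_t cap)
{
    return hidden_entries(sample_lo1, COUNT(sample_lo1),
                          sample_hi,  COUNT(sample_hi),
                          sample_lo2, COUNT(sample_lo2), out, cap);
}

/* First hidden name in the sample, or "" if the views agree. */
const char *first_hidden_name(void)
{
    const char *out[16];
    return run_sample(out, 16) ? out[0] : "";
}

int main(void)
{
    const char *hidden[16];
    size_t n = run_sample(hidden, 16);
    for (size_t i = 0; i < n; i++)
        printf("hidden from the high-level view: %s\n", hidden[i]);
    if (n == 0) puts("no discrepancy between views");
    return 0;
}
```

With the sample data only MALWARE.EXE is reported; ~tmp1234.tmp is missing from the high-level view too, but since it is absent from the second low-level snapshot it is treated as a file that went away between scans rather than a hidden one. Alex's point about process names is the other caveat: if the hiding is keyed on the name of the calling process, two views taken inside one process will agree whatever APIs they use, so the high-level view has to come from the real Explorer or cmd.exe (the OP's renaming experiment is the manual form of this check).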

Yes, I did try, and the following is the relevant text from message 8.

> >>What about renaming your own app as valid well known application (like explorer, gmer)?

> Tried but no successs, in fact i killed windows explorer first and than execute my app with explorer name, but still it is not hidden from me.

Thanks
Aditya