NTFS Security
#1
Posted 06 May 2010 - 10:27 AM
Have a nativeEx_barebone project on a NTFS formatted drive.
Download
http://livexp.boot-l...derunEx_x86.exe
http://livexp.boot-l...derunEx_x64.exe
to any NTFS folder.
Copy the two files to %Tools%\nativeEx\x86 / x64 resp.
Build the project with Finish > 2 Create Image > Boot from RAM checked.
When booting, you'll see about 10 times the popup:
(unless you uncheck 'show again')
Next part of test:
Copy the downloaded files to any NON NTFS folder, and copy from there to %Tools%.
Rebuild the project.
The PE boots without any popup.
Result: Somewhere in the file's NTFS attributes there is the information that the file is downloaded from a non-secure place in the Internet. This attribute is lost by copying to a non-NTFS folder.
My question to the community:
Is there a way to remove the NTFS attributes programmatically? Not every user has a non-NTFS drive to 'clean' the downloaded files.
Peter
#2
Posted 06 May 2010 - 11:28 AM
Hmmm, I'm not sure how to remove the attributes. But in the meantime, try adding these entries somewhere in your project:
RegHiveLoad,WB-DEFAULT,%target_sys%\CONFIG\DEFAULT
RegWrite,HKLM,0x1,WB-DEFAULT\Software\Microsoft\Internet#$sExplorer\Download,CheckExeSignatures,no
RegWrite,HKLM,0x4,WB-DEFAULT\Software\Microsoft\Internet#$sExplorer\Download,RunInvalidSignatures,1
RegHiveUnLoad,WB-DEFAULT
Regards,
Galapo.
#3
Posted 06 May 2010 - 11:33 AM
> Hmmm, I'm not sure how to remove the attributes. But in the meantime, try adding these entries somewhere in your project:
> RegHiveLoad,WB-DEFAULT,%target_sys%\CONFIG\DEFAULT
> RegWrite,HKLM,0x1,WB-DEFAULT\Software\Microsoft\Internet#$sExplorer\Download,CheckExeSignatures,no
> RegWrite,HKLM,0x4,WB-DEFAULT\Software\Microsoft\Internet#$sExplorer\Download,RunInvalidSignatures,1
> RegHiveUnLoad,WB-DEFAULT
> Regards,
> Galapo.

Thanks, Galapo, but that I already tried, and it did not help.
(I finally copied everything suitable of my host's registry, including the internet zones, to the PE).
Currently the only way for me seems really to be 'strip the NTFS attributes'
Peter
#5
Posted 06 May 2010 - 12:18 PM
Thanks,
Galapo.
#6
Posted 06 May 2010 - 12:49 PM
From the command line, try:
echo.>foo.exe:Zone.Identifier
Or simply look into using Microsoft's SysInternals' Streams.exe or look at the MS articles concerning NTFS streams. While the command I gave doesn't delete the stream, it empties it.
To re-block a file, you could do:
echo [ZoneTransfer]>foo.exe:Zone.Identifier
echo ZoneId=3 >> foo.exe:Zone.Identifier
Pay attention to the space before >>.
Another alternative is to copy the file's primary data with:
ren foo.exe foo.orig
type foo.orig > foo.exe
#7
Posted 06 May 2010 - 12:59 PM
doq's links lead to something I could use.
@Sha0: I just unblocked hiderun.exe with
echo "" > "\\?\V:\wb\wb debug !\Projects\Tools\nativeEx\x86\hiderunEx_x86.exe:Zone.Identifier"
(before reading your post, so this solution is at least 'double-based')
Peter
#8
Posted 06 May 2010 - 01:51 PM
http://www.boot-land...?showtopic=7594
Wonko
#9
Posted 06 May 2010 - 01:54 PM
> Just for the record, talks about NTFS ALTERNATE DATA STREAMS are here:
> http://www.boot-land...?showtopic=7594
> Wonko

Any difference to the post #4 by doq?
Peter
#10
Posted 06 May 2010 - 05:57 PM
> Any difference to the post #4 by doq?
Possible reasons:
- More explicit reference?
- More dependable source for the link?
- Wonko getting older and failing to notice the link by dog?
I would vote for #3
Wonko
#11
Posted 06 May 2010 - 11:51 PM
So is the issue with the uploaded files themselves, or with them once they are downloaded.
That is, do I need to do something to the files before uploading, or does a project need to do something after downloading?
Thanks,
Galapo.
#12
Posted 07 May 2010 - 06:39 AM
> So is the issue with the uploaded files themselves, or with them once they are downloaded.
> That is, do I need to do something to the files before uploading, or does a project need to do something after downloading?
> Thanks,
> Galapo.

No need to do anything before upload.
And to do something after download can also be skipped.
There are only some rare cases like here:
- The file to be copied to %TargetDir% is downloaded
- The %TargetDir% is formatted NTFS
Peter
#13
Posted 07 May 2010 - 08:36 AM
The presence of a stream can be detected calling a Windows API:
http://www.codeproje...torarticle.aspx
(maybe useful)
nirsoft has a tool to check for them:
http://www.nirsoft.n...ta_streams.html
Wonko
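Added example (not from this thread or from any of the tools it links): a small Python script that reads the Zone.Identifier stream Sha0 and Wonko discuss, tells a missing stream apart from one that was only emptied, and builds the re-block content. The scan over a folder such as %Tools%\nativeEx is an assumed usage; reading the stream needs NTFS on Windows, the parsing works anywhere.

```python
import configparser
import os
import sys

# Zone numbers written by the Attachment Execution Service; ZoneId=3 ("Internet")
# is what makes Windows warn before running a downloaded executable.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

def parse_zone_identifier(text):
    """Return the ZoneId in a Zone.Identifier stream, or None when there is none."""
    # None covers an emptied stream (echo.>foo.exe:Zone.Identifier leaves only a line
    # break) and junk such as the "" written by echo "" > ...:Zone.Identifier: the
    # stream still exists, but the mark-of-the-web it carried is gone.
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
        return int(cp.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None

def render_zone_identifier(zone_id=3):
    """Stream content that re-blocks a file, same as the two echo lines in the thread
    (in cmd the space before >> matters: 3>> would redirect handle 3 instead)."""
    return "[ZoneTransfer]\r\nZoneId=%d\r\n" % zone_id

def read_mark(path):
    """Open the file's Zone.Identifier stream (assumes NTFS on Windows); returns (present, zone)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return True, parse_zone_identifier(f.read())
    except OSError:  # no such stream, or a volume without ADS support
        return False, None

def describe(stream_present, zone_id):
    if not stream_present:
        return "no Zone.Identifier stream"
    if zone_id is None:
        return "stream present but empty (unblocked)"
    return "blocked, zone %d (%s)" % (zone_id, ZONE_NAMES.get(zone_id, "unknown"))

def scan_tree(root):
    # Walk a folder such as %Tools%\nativeEx and collect a verdict per file.
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            report[full] = describe(*read_mark(full))
    return report

if __name__ == "__main__":
    for path, verdict in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, "->", verdict)
```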