File Name: HideAndProtect (NTFS)
File Submitter: joakim
File Submitted: 27 May 2013
File Updated: 27 May 2013
File Category: Security
This program turns a regular file into an NTFS system file by changing its MFT reference number to one between 12 and 15, a range the filesystem reserves for its own metadata. The file then becomes invisible and protected from modification. Invisible means that no tool, Explorer or the dir command will see it; at the same time the filesystem regards it as a system file and will therefore refuse to write any file with that name to that location. It is the same as when you try to create a file named $MFT in the root of the volume, which the filesystem prevents you from doing. The only way to modify such a file is with a hex editor writing to the physical disk. Alternatively, you can extract the file from the volume (data recovery), modify the extracted copy, and then use this tool to inject it back into the same MFT reference number it occupied.
What can be hidden with this tool?
Basically any file or folder. However, a few restrictions apply:
- The target cannot have an $ATTRIBUTE_LIST attribute in its MFT record (its content spans several MFT records).
- Content inside subdirectories is not supported; only the root directory is.
- The new MFT reference must be between 12 and 15.
In other words, the file or folder must be located at the root level of the volume.
Examples that work:
HideAndProtect.exe C:\file.ext 12
HideAndProtect.exe C:\folder 15
Examples that do not work:
HideAndProtect.exe C:\folder\file.ext 14
HideAndProtect.exe C:\file.ext 20
Example using the path to the source file and target IndexNumber 12:
HideAndProtect C:\bootmgr 12
Example using the IndexNumber of the source file (33) on volume C: and target IndexNumber 13:
HideAndProtect C:33 13
Example wiping the record of MFT reference number 14 on volume C:
HideAndProtect C:W 14
What can it be used for?
- Hide a few files and protect them from modification. Try it on your boot loader, such as bootmgr.
- Reserve certain filenames in the root of the volume, for instance autorun.inf on flash sticks.
I have tried this on bootmgr, and Windows booted fine. The point is that when the boot sector is executed there is no NTFS driver or anything else present that understands the concept of a file versus a folder. It is basically X sectors loaded into memory, based on a few conditions. Later in the boot process, Windows differentiates between them and turns the system file invisible.
We take a copy of the original MFT record and write it to the location of the record belonging to the new MFT reference number, then wipe the original record. Next we modify the copy, changing its MFT reference and sequence number. Then we let chkdsk do the rest of the job to make Windows happy with the new NTFS system file: it corrects the timestamps in the $FILE_NAME attribute, updates the flags in both the $STANDARD_INFORMATION and $FILE_NAME attributes, corrects the $I30 index in the root directory (MFT reference 5), and a few more things. These last steps are tricky to do manually, so leaving them to chkdsk is fine.
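The following Python is an added example, not the tool's own code (which this page does not publish). It shows the parts of the procedure that can be demonstrated offline: undoing and re-applying the per-sector fixups of an NTFS FILE record, reading the header fields and resident $FILE_NAME attributes, rewriting a record so that it claims one of the reserved slots 12 to 15 while enforcing the three restrictions listed above, and, for the defender, scanning records 12 to 15 of an $MFT dump for a reserved record that names a real root-level file. The record layout is the documented NTFS FILE record format; every record it operates on is a constructed fixture, the new sequence number is supplied by the caller because the page does not say how the tool picks it, and the wipe of the original record and the chkdsk run are not reproduced.

```python
import struct

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_STD_INFO, ATTR_ATTR_LIST, ATTR_FILE_NAME, ATTR_END = 0x10, 0x20, 0x30, 0xFFFFFFFF
FLAG_IN_USE = 0x01
ROOT_RECORD = 5            # the root directory (and its $I30 index) is MFT record 5
RESERVED = range(12, 16)   # reserved records that the tool repurposes


def _fixups(rec, apply):
    """Apply or undo the update-sequence array sealing the last 2 bytes of each 512-byte sector."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end, slot = i * SECTOR_SIZE - 2, usa_off + 2 * i
        if apply:                               # stash the real bytes, stamp the USN over them
            rec[slot:slot + 2] = rec[end:end + 2]
            rec[end:end + 2] = usn
        else:                                   # verify the stamp, then restore the real bytes
            if bytes(rec[end:end + 2]) != usn:
                raise ValueError("fixup mismatch: torn write or not a FILE record")
            rec[end:end + 2] = rec[slot:slot + 2]


def iter_attributes(rec):
    """Yield (type, offset, length) for each attribute of a record whose fixups are undone."""
    off, used = struct.unpack_from("<H", rec, 0x14)[0], struct.unpack_from("<I", rec, 0x18)[0]
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            return
        if alen < 0x18 or off + alen > used:
            raise ValueError("corrupt attribute length")
        yield atype, off, alen
        off += alen


def parse_record(raw):
    """Decode the header fields the tool touches plus every resident $FILE_NAME (name, parent)."""
    if raw[:4] != b"FILE":
        raise ValueError("bad FILE signature")
    rec = bytearray(raw)
    _fixups(rec, apply=False)
    seq, _links, _first, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"record_no": struct.unpack_from("<I", rec, 0x2C)[0],   # field present since NTFS 3.1 (XP)
            "seq": seq, "in_use": bool(flags & FLAG_IN_USE),
            "has_attribute_list": False, "names": [], "parents": []}
    for atype, off, _ in iter_attributes(rec):
        if atype == ATTR_ATTR_LIST:
            info["has_attribute_list"] = True
        elif atype == ATTR_FILE_NAME and rec[off + 8] == 0:           # $FILE_NAME is always resident
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            n = rec[body + 0x40]
            info["names"].append(rec[body + 0x42:body + 0x42 + 2 * n].decode("utf-16-le"))
            info["parents"].append(struct.unpack_from("<Q", rec, body)[0] & 0xFFFFFFFFFFFF)  # low 48 bits
    return info


def relocate_record(src, new_record_no, new_seq):
    """Return a copy of `src` claiming reserved record `new_record_no`, enforcing the page's rules.
    Assumption: the caller picks the sequence number; the original tool's choice is undocumented."""
    if new_record_no not in RESERVED:
        raise ValueError("new MFT reference must be between 12 and 15")
    info = parse_record(src)
    if info["has_attribute_list"]:
        raise ValueError("record carries $ATTRIBUTE_LIST (content spans several MFT records)")
    if any(p != ROOT_RECORD for p in info["parents"]):
        raise ValueError("file or folder must sit in the root directory")
    rec = bytearray(src)
    _fixups(rec, apply=False)
    struct.pack_into("<H", rec, 0x10, new_seq)
    struct.pack_into("<I", rec, 0x2C, new_record_no)
    _fixups(rec, apply=True)                    # re-seal so the driver does not reject the record
    return bytes(rec)


def scan_reserved(mft):
    """Forensic check over a raw $MFT dump: a reserved record that is in use and names a file is
    what this tool leaves behind. Confirm against a known-good volume before calling it a finding."""
    hits = []
    for no in RESERVED:
        info = parse_record(mft[no * RECORD_SIZE:(no + 1) * RECORD_SIZE])
        if info["in_use"] and info["names"]:
            hits.append((no, info["names"][0]))
    return hits


def _resident(atype, content, attr_id, indexed=0):
    total = (0x18 + len(content) + 7) & ~7     # 0x18-byte resident header, length 8-aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id, len(content), 0x18, indexed, 0)
    return hdr + content + bytes(total - 0x18 - len(content))


def make_record(record_no, seq, name=None, parent=ROOT_RECORD, attr_list=False):
    """Constructed fixture, not read from a disk: a minimal in-use record with $STANDARD_INFORMATION,
    an optional $ATTRIBUTE_LIST and an optional $FILE_NAME (timestamps left zero)."""
    attrs = _resident(ATTR_STD_INFO, bytes(0x30), 0)
    if attr_list:
        attrs += _resident(ATTR_ATTR_LIST, bytes(0x20), 1)
    if name is not None:
        fn = bytearray(0x42 + 2 * len(name))
        struct.pack_into("<Q", fn, 0, parent | (parent << 48))     # parent reference: record | seq << 48
        fn[0x40], fn[0x41] = len(name), 3                           # name length in chars, Win32+DOS namespace
        fn[0x42:] = name.encode("utf-16-le")
        attrs += _resident(ATTR_FILE_NAME, bytes(fn), 2, indexed=1)
    attrs += struct.pack("<II", ATTR_END, 0)
    first, rec = 0x38, bytearray(RECORD_SIZE)   # 0x30 header + 6-byte USA, rounded up to 8
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, seq, 1, first, FLAG_IN_USE,
                     first + len(attrs), RECORD_SIZE, 0, 3, 0, record_no)
    struct.pack_into("<H", rec, 0x30, 1)        # update sequence number
    rec[first:first + len(attrs)] = attrs
    _fixups(rec, apply=True)
    return bytes(rec)
```

To use this against a real volume, replace the fixtures with the 1024-byte records taken from an $MFT extract (for example `make_record(33, 7, "autorun.inf")` stands in for the record that `HideAndProtect C:33 13` would move). `scan_reserved` is deliberately conservative: it only reports a reserved record that is both in use and carries a $FILE_NAME, and a hit should still be compared with a stock volume of the same Windows version before it is treated as evidence of this tool.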
Because of the very hacky nature of this application, you must understand that it may corrupt your filesystem, and I take no responsibility for what this application may cause. Use at your own risk! It is important to close any open files on the target volume before trying this.
The tool has been tested successfully on XP SP2 32-bit and Windows 7 SP1 64-bit. Please be aware of the limitations when running on NT 6.x.
On NT 6.x, new security measures prevent you from writing directly to sectors inside a mounted filesystem. Before doing anything like this, the tool obtains a lock on the target volume. That is not possible in a few situations (the system drive, the volume holding the pagefile, the volume HideAndProtect is run from, and maybe a few more). These restrictions do not apply on NT 5.x (anything before Vista). In any case, there is an absolute limit of four hidden files per volume, since only MFT records 12 to 15 are available.
User DeltaRocked at the AutoIt forums made me aware of this trick.