Tag Archives: ADS

A Dotty Salty Directory: A Secret Place in NTFS for Secret Files!

I was playing with “::$Index_allocation” and “:$I30:$Index_Allocation” in an NTFS partition to make a directory which ends with some dot characters (“.”) or just includes some dots!

The result was a bit interesting and scary! I could find a secret place that important data can be hidden in as well as the malwares! I want to share it with you as some malware writers might already know about this. It is actually another Microsoft weird feature!

In order to create a dotty directory and monitor its behavior, follow me:
1- Open the Windows Command Line (cmd.exe).
2- Go to a test directory.
3.0- Now, insert the following commands and hit Enter:
          md ..::$index_allocation –> (Tested in Win XP)
          md …::$index_allocation
          md ….::$index_allocation
          md irsdl
          md irsdl.::$index_allocation
          md irsdl..::$index_allocation
3.1- You can use “echo test > ” instead of “MD” if you have any problem.
4- Now get a directory list from the folder that you are currently in (by using “Dir”)
5- In order to open each of these directories use “CD DirName::$Index_Allocation”.
          cd …::$index_allocation
6- You can create some files inside these directories as well.
7- Now use Windows Explorer to see these directories.

The result in Windows XP:
– The double dot (“..”) directory is hidden and you cannot see it.
– In windows explorer, directories with a single dot at the end show the files which are inside a directory with same name but without any dot. For example: “irsdl.” shows content of “irsdl”. Directories with a double dot at the end show the files which are inside a directory with the same name but with a single dot. For example: “irsdl..” shows content of “irsdl.”. And so on.
– In Windows Explorer, if you modify a directory with some dots at the end, the modification will be applied on a directory with a dot lesser than the modified directory. Therefore, if you delete “irsdl.”, “irsdl” folder will be deleted instead!
– It is not possible to delete these directories by Windows Explorer. (use “del DirName::$Index_Allocation\*.* & RD DirName::$Index_Allocation” instead)

In Windows 7:
– It is very similar to Windows XP. However, if you click on the directories by Windows Explorer, it may show you the content of a specific directory for all the Dotty ones.
– It is not also possible to create a folder with only double dots “..”.
The directories which only contain several dots such as “…”, show the content of their root directory although it is not so real!

Result:
Dotty directories are very good places to hide some files and data! It is not easy to be detected and it is not easy to be deleted! As malwares can use the same technique to hide themselves inside an NTFS partition, we should be very careful about it.

Notes:
Note 0: I might miss some other interesting points. Please let me know when you find one.
Note 1: some of these directories might be accessible by IIS.
Note 2: I experienced a crash in Windows Explorer in Win7 during playing with these directories.
Note 3: Norton Internet Security 2011 in Win 7 could find and delete the EICAR virus inside these folders. It’s not tested on the other things.
Note 4: Windows XP did checkdisk after a restart.
Note 5: You can do the same to create a file by using “echo > …::$Data”. And delete it by “del *.*”.