Endpoint/Device Security, SIEM, Vulnerability Management

Windows 7 symbolic links and hidden files

Window 7 Symbolic file and directory links are pretty cool. Although the most common use of symbolic links is to make a folder or directory appear to exist someplace it does not, symbolic links can be used to take complex paths and filenames and make them simpler to understand. That’s good because some of our applications aren’t smart enough to understand complex paths. For example, lots of applications do not understand Alternate Data Streams. If you are not familiar with ADS then check out this article by Brian Wilson. http://www.ethicalhacker.net/content/view/115/24/
Try this experiment: Create an Alternate Data Stream and attempt to open it with Microsoft Word.

C:temp>echo tst > mainfile.txt
C:temp>echo ads > mainfile.txt:ads.txt

Now try to open c:tempmainfile.txt:ads.txt with Word. It doesn’t work. Word doesn’t recognize the alternate data stream. Now create a symbolic link to the ads.txt alternate data stream like this:

C:temp>mklink txtfile c:tempmainfile.txt:ads.txt
symbolic link created for txtfile <<===>> c:tempmainfile.txt:ads.txt

Open c:temptxtfile with Word. No problem. It works great. Symbolic links make Alternate Data Streams accessible to applications that don’t support streams.
Try putting a copy of Netcat in an alternate datastream and running it. You can run executables from alternate data stream using “start” or “wmic processs call create” but symbolic links can make it really simple. By using symbolic links to access alternate data streams you no longer have to jump through hoops to create and run backdoors in your alternate datastreams. Putting netcat into an ADS and executing it as simple as this:

C:temp>mklink backdoor.exe c:tempmainfile.txt:nc.exe

symbolic link created for backdoor.exe <<===>> c:tempmainfile.txt:nc.exe
C:temp>copy z:nc.exe backdoor.exe
1 file(s) copied.
C:temp>backdoor.exe -h
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere: nc [-options] hostname port[s] [ports] …
listen for inbound: nc -l -p port [options] [hostname] [port]
-d detach from console, background mode
-e prog inbound program to exec [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, …
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

You can remove file based symbolic links with “del” and directory based symbolic links with “rmdir”. When you’re done with the netcat backdoor you “del backdoor.exe”. That will remove the symbolic links, but the alternate data stream will remain.
You can also create symbolic links to windows device objects and System Volumes. Have you ever seen your systems boot partition? You can make copies of it or edit it with BCDEDIT.EXE, but what is really in there? You want to see it? Try this.
WARNING: If you mess up your boot partition it is going to be a long day. Proceed with caution.

C:temp>mklink /D root \?GLOBALROOTDeviceHarddiskVolume1

C:temp>cd root
C:temp>dir /a

Here is what it looks like.

Note the “/D” to create a link to a directory rather than a file. Your boot volume is now accessible through the “root” directory. All the files on the partition have the HIDDEN, SYSTEM and READ ONLY attributes set so you’ll need to tell explorer.exe to show hidden files and system files. Now you can use normal file utilities to manipulate the boot partition. You can also hide files in your boot partition by simply copying them to the directory. After removing the symbolic link explorer.exe will not find those files when you search for them. In my limited testing files seem to be completely invisible to the OS and the antivirus software until you recreate the symbolic link. You can also create data streams and symbolic links in the boot partition. In short, there are a variety of ways for attackers to use the boot partition to hide information. If an attacker is putting malware in there will you recognize it? Check out your boot partition. Know thy system.
Join me for SANS 504 Hacker Techniques, Exploits and Incident handling in San Antonio November 15th! REGISTER TODAY BY CLICKING HERE!!!

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.