Gonzalez
Posted August 24, 2007

Thought you guys might enjoy this. I've considered using it in past projects, but opted against it in the end.

By: kevscode

I know this is not rootkit related, but it is a very simple method of "hiding" files in user-land. You can basically cause any folder to behave exactly like the Recycle Bin, Control Panel, or other Shell Extensions.

This is an old technique which exploits Microsoft's seldom-used idea of customising individual folders in the Windows Shell.

What you can do:

Disguise any folder as:
- The Recycle Bin
- The Control Panel
- Internet Explorer
- My Computer
- My Documents
- Folder Settings
- Start Menu settings
- History
- Temp Internet Files
- Briefcase
- Network Connections
- Etc.

Basically you can cause any given folder to behave as almost any built-in Explorer Extension.

How? Simply create a "Desktop.ini" file in the folder of choice and set its CLASSID to the Extension you wish to mimic. You also need to set the folder attributes as System.

Sample Desktop.ini [from c:\recycled\...]
------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
------------

Another one....
------------
[.ShellClassInfo]
CLSID= {00021401-0000-0000-C000-000000000046}
------------

This GUID turns the folder into an 'unknown' file type icon; clicking it does absolutely nothing. Right clicking only gives the created date.

Check SHLGUID.H for some other common GUIDs.

NOTE: Back when I was initially playing with this idea, I stumbled across a Windows GUID which consistently caused Explorer to crash. Unfortunately, it's been so long ago that I don't recall the GUID. But something to look into further. There may be some vulnerabilities in there.

NOTE: this "hiding" technique does not affect cmd.exe
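
A defensive check for the technique in the post, as an added example that is not part of the original post or kevscode's text: it walks a directory tree through the ordinary file-system API (which, like cmd.exe, is unaffected by the disguise), flags every folder whose Desktop.ini sets a CLSID under [.ShellClassInfo], and lists what the folder really contains. The function names, the constructed sample tree and the benign `InfoTip` entry are assumptions made for the illustration; the System attribute is reported only on Windows and is `None` elsewhere.

```python
import re
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_SYSTEM = 0x4  # Win32 bit; the post says the folder must be System
GUID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

def shell_clsid(ini_path):
    """Return the [.ShellClassInfo] CLSID from a Desktop.ini (ANSI or UTF-16+BOM), or None."""
    raw = Path(ini_path).read_bytes()
    text = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1")
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == ".shellclassinfo" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            match = GUID.fullmatch(value.strip())
            if key.strip().lower() == "clsid" and match:
                return match.group(0).upper()
    return None

def scan(root):
    """Report every folder under root whose Desktop.ini maps it to a shell class."""
    findings = []
    for ini in sorted(Path(root).rglob("*")):
        is_ini = ini.is_file() and ini.name.lower() == "desktop.ini"
        clsid = shell_clsid(ini) if is_ini else None
        if clsid:
            attrs = getattr(ini.parent.stat(), "st_file_attributes", None)  # Windows only
            system = None if attrs is None else bool(attrs & FILE_ATTRIBUTE_SYSTEM)
            # Plain directory listing: what the Explorer view no longer shows.
            real = sorted(p.name for p in ini.parent.iterdir() if p != ini)
            findings.append({"folder": str(ini.parent), "clsid": clsid,
                             "system_attr": system, "real_contents": real})
    return findings

def build_sample_tree():
    """Constructed sample: one folder with the post's second Desktop.ini, one benign."""
    root = Path(tempfile.mkdtemp())
    samples = {"disguised": "[.ShellClassInfo]\r\nCLSID= {00021401-0000-0000-C000-000000000046}\r\n",
               "ordinary": "[.ShellClassInfo]\r\nInfoTip=constructed sample\r\n"}
    for name, ini_text in samples.items():
        (root / name).mkdir()
        (root / name / "Desktop.ini").write_bytes(ini_text.encode("ascii"))
        (root / name / "notes.txt").touch()
    return root

if __name__ == "__main__":
    print(*scan(build_sample_tree()), sep="\n")
```

A finding is not proof of tampering, since Windows itself ships folders customised this way; compare the reported CLSIDs and locations against a known-good baseline for the host.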