STEALTH: A Method of Hiding and Encrypting Files in NTFS

Master's === National Central University === Department of Computer Science and Information Engineering === 101 === A rootkit can hide any information on your computer, such as files, processes, drivers, and network connections. As operating systems have developed, rootkits have acquired many hiding methods, such as traditional hooking or DKOM (Direct Kernel Object Manipulation)...

Bibliographic Details
Main Authors: Syun-cheng Ou, 歐巡丞
Other Authors: Fu-hau Hsu
Format: Others
Language: en_US
Published: 2013
Online Access: http://ndltd.ncl.edu.tw/handle/957w2a
id ndltd-TW-101NCU05392082
record_format oai_dc
spelling ndltd-TW-101NCU05392082 2019-10-24T05:18:58Z http://ndltd.ncl.edu.tw/handle/957w2a STEALTH: A Method of Hiding and Encrypting Files in NTFS Syun-cheng Ou 歐巡丞 Master's, National Central University, Department of Computer Science and Information Engineering, 101 Fu-hau Hsu 許富皓 2013 Degree thesis ; thesis 45 en_US
collection NDLTD
sources NDLTD
description Master's === National Central University === Department of Computer Science and Information Engineering === 101 === A rootkit can hide any information on your computer, such as files, processes, drivers, and network connections. As operating systems have developed, rootkits have acquired many hiding methods, such as traditional hooking or DKOM (Direct Kernel Object Manipulation). DKOM is difficult to detect because it only modifies kernel data structures and does not change any program or code. Because not all files on the computer are loaded into memory, DKOM cannot hide an arbitrary file by manipulating kernel data structures alone. In this paper, we propose a new hiding method that modifies some information in NTFS (New Technology File System). The method is unlike traditional hooking, which anti-virus software detects easily. According to our experiments, anti-virus software cannot detect a virus file that is hidden by our system. We also want to strengthen the confidentiality of the hidden files, so in addition to hiding a file, our system encrypts it. We ran experiments with data recovery software. Data recovery software can restore files that have been deleted, have a broken name, have a damaged size, and so on. According to our experiments, however, data recovery software cannot restore our encrypted files. Applications cannot read the data of a file until the file is decrypted by our system.