You have gained access to the target and uploaded some tools, but you want to hide them from the system administrator. It's pretty simple actually: all you need to do is hide them in an Alternate Data Stream (ADS for short).
As an example I'll show you how to hide notepad.exe in the file hello.txt. First we create the file "hello.txt":
Then let's see what we got:
OK, the file is 13 bytes in size. Let's hide notepad.exe inside it:
and see what changed:
Notice that the file size has not been updated, but the available space on the drive has. The last modification time, however, has been updated.
To run notepad.exe from inside hello.txt you execute:
The problem with ADS is that Windows can't detect it, so you would need third-party software to find files that contain an ADS. There is also no standard Windows tool to remove an ADS from a file, which means that you either need to copy the file to a FAT partition and back again, overwriting the original copy, or delete it and restore it from backup. Another interesting thing about ADS is that it also works on directories, not only files. If you attach an ADS to the \WINDOWS (or \WINNT) directory, the only easy way to get rid of it safely is to re-install the OS(!).
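On hosts with PowerShell 3.0 or later, the file cmdlets accept a `-Stream` parameter, which lets an administrator audit a directory tree for named streams such as the one attached to hello.txt above. The function below is an added example, not part of the original article; `Find-AlternateStream`, its parameters and the `LooksLikeExe` column are hypothetical names chosen for illustration.

```powershell
# Added example: report non-default NTFS streams under a directory (PowerShell 3.0+).
function Find-AlternateStream {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        # Zone.Identifier is the mark Windows puts on downloaded files; skipped by default.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    # Raw-byte reads are spelled differently in Windows PowerShell and PowerShell 6+.
    $byteArg = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArg = @{ AsByteStream = $true } }

    # Directories can carry streams too; Get-Item -Stream reads those only on
    # PowerShell 7.2+, so on older hosts directories yield nothing here.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            # ':$DATA' is the unnamed default stream, i.e. the visible file content.
            if ($s.Stream -eq ':$DATA' -or $IgnoreStream -contains $s.Stream) { continue }

            # Read the first two bytes of the stream to check for a PE header.
            $head = @(Get-Content -LiteralPath $item.FullName -Stream $s.Stream `
                        -TotalCount 2 @byteArg -ErrorAction SilentlyContinue)

            [pscustomobject]@{
                Path         = $item.FullName
                Stream       = $s.Stream
                Length       = $s.Length
                # 'MZ' (0x4D 0x5A) at offset 0 marks a DOS/PE executable.
                LooksLikeExe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
    }
}

# Usage: audit the current directory tree, largest hidden streams first.
$hits = @(Find-AlternateStream -Root (Get-Location).Path | Sort-Object Length -Descending)
$hits | Format-Table -AutoSize

# Removing a reported stream leaves the file's visible content intact:
# Remove-Item -LiteralPath $hits[0].Path -Stream $hits[0].Stream
```

A stream flagged `LooksLikeExe` on a text file or directory is the pattern this article describes and warrants investigation; from `cmd.exe`, `dir /R` on Windows Vista and later also lists named streams.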