Deceptive NTFS short file names

Are you aware of DLL hijacking? If yes, let’s suppose there is a program that executes the following line of code:

LoadLibrary('riched32.dll');

Its executable has the following name: “i_use_riched32.exe” (just as an example).

Now, take a look at the following contents of a directory containing this executable, the screenshots were taken of three tools: Explorer, FTK Imager Lite, The Sleuth Kit (each one points to the same directory).

svl-explorer
Explorer
svl-ftki
FTK Imager Lite
svl-tsk
The Sleuth Kit

Is the “riched32.dll” library hijacked for the “i_use_riched32.exe” executable? Let’s assume that no attempts to hijack the library have been made outside of the directory shown above.

In this particular example, the library has been hijacked. You don’t see a file called “riched32.dll“, but it’s there! What happened?

Take a look at this output for the “looks_good.dll” file (The Sleuth Kit):

$ istat -o 2048 ntfs-short-vs-long.raw 45-128-1

MFT Entry Header Values:
Entry: 45        Sequence: 1
$LogFile Sequence Number: 100681841
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 268  (S-1-5-21-1625344160-3855802753-2267751170-1001)
Created:	2020-05-17 15:50:46.192252900 (MSK)
File Modified:	2020-05-17 18:43:11.938789000 (MSK)
MFT Modified:	2020-05-17 15:51:40.118530600 (MSK)
Accessed:	2020-05-17 16:10:22.049613700 (MSK)

$FILE_NAME Attribute Values:
Flags: Archive
Name: looks_good.dll
Parent MFT Entry: 39 	Sequence: 1
Allocated Size: 61440   	Actual Size: 0
Created:	2020-05-17 15:50:46.192252900 (MSK)
File Modified:	2020-05-17 15:50:46.192252900 (MSK)
MFT Modified:	2020-05-17 15:50:46.192252900 (MSK)
Accessed:	2020-05-17 15:50:46.192252900 (MSK)

$FILE_NAME Attribute Values:
Flags: Archive
Name: RICHED32.DLL
Parent MFT Entry: 39 	Sequence: 1
Allocated Size: 61440   	Actual Size: 59581
Created:	2020-05-17 15:50:46.192252900 (MSK)
File Modified:	2020-05-17 18:43:11.938789000 (MSK)
MFT Modified:	2020-05-17 15:49:48.952348000 (MSK)
Accessed:	2020-05-17 15:50:46.192252900 (MSK)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 94
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 59581  init_size: 59581
6320 6321 6322 6323 6324 6325 6326 6327 
6328 6329 6330 6331 6332 6333 6334

As you can see, the file has two names: “looks_good.dll” and “RICHED32.DLL” (in one directory). But only the first one is shown by Explorer and two forensic tools mentioned above.

The second file name isn’t shown because it’s a short one (having the 8.3 format and marked with the DOS name space flag). Multiple forensic tools try to reduce noise in a directory listing by hiding a short file name when there is at least one long file name for the same file (in the same directory). Given that the short file name creation is enabled by default for a system volume (in Windows 10), this looks like a reasonable approach.

The shortcoming of this approach is that a short file name isn’t necessary based on a long file name (like “NEWTEX~1.TXT” which is derived from “New Text Document.txt“), a tool (or a user) can set an arbitrary short file name, even without turning on globally the short file name creation feature (for example, using the “fsutil file setshortname <file name> <short file name>” command).

So, there is a way to create an “invisible” short file name for a file in the same directory. Attackers can use this technique to “hide” a malicious file in a large directory.

 

 

One thought on “Deceptive NTFS short file names

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s