This can be a rather nifty trick if you have something that you want to keep private
on your computer. Throughout my directions I use the
HEX character FF. It isn't displayed by DOS at all. (A third party program that's menu driven,
like Norton Change Directory and windoze, will bypass
this trick, even if the directory is hidden). Now, if you want, you
can even use mostly regular ASCII text and add just one inconspicuous
extended ASCII character like an e with a dot over it.
One way to make a directory or file that cannot be accessed from DOS is
to make a BATCHFILE with copy con or edlin or edit and modify it with debug.
That is the hard way to do it. I would only use this method if you
are making a mess in someone's hard drive. (Read between the lines if
you want to know more).
Otherwise use this nifty little trick:
Hold down the ALT key and type an ASCII character's DECIMAL value from your keyboard's
number pad. You'll get that number's ASCII character on screen. Remember,
the number MUST come from the number pad, NOT FROM one of the numbers
above the letter keys. After you type the number let off of the ALT
key and you'll get the ASCII character. You can use this with any
combination of commands, which in our case is making a directory
with an extended ASCII character.
Click here to see an ASCII table that converts HEX to ASCII characters.
You need to read
Fun with ALT to do this. It's really simple.
Type the command: CD followed by ALT 255 or whatever EXTENDED ASCII
code you choose. Some control characters won't work though. An average person won't understand how to
get into these directories because they will get the error: "Bad
command or file name". Plus, Windoze '95's Windows Explorer will try to tell you that a directory
with an extended hex character isn't a valid directory and won't let you in. The only way in from
Windoze is through DOS. You could also make a batchfile that will rename that directory, and THEN
you will have access from windoze. Groovy.
Once again, you need to read Fun with
ALT to best understand this. This is just as simple as making a
directory. Type CD ALT 255 or whatever other ASCII character you choose to use. Go back up some
for info on using this trick with windoze 95.
C:\>COPY CON RENAMEIT.BAT
Then use debug to change the name the file gets renamed to.
This is probably something that would be used only by the ultra
paranoid person (Like me ;-). It can be fun even if not taken to
the extreme measures that I'll show how to do. First of all, YOU
NEED TO MAKE A BOOT-UP DISK! I probably had to boot my computer off
a disk a dozen times or more while I was experimenting with this.
It's also wise to keep a 'clean' copy of COMMAND.COM in a directory
somewhere in case you screw it up really bad. Now to the fun stuff!
Start DEBUG by typing the following:
DEBUG C:\COMMAND.COM
Now that we have found out where our command is hiding in memory, we must over-write it with
a new one. Use DEBUG's ENTER command as follows:
Here's an ASCII table for you if you need one. To save it to a file and/or print
it, do the following: highlight the table with the mouse and press CTRL+C. Open notepad or the
text editor of your choice, make sure the cursor is blinking in the editor, and press CTRL+V.
The table should be pasted into your editor. Then just save it and/or print it.
Ok, so you want to know how to do things that you shouldn't be
able to with a batch file, huh? After renaming a few
simple internal commands like DIR and COPY, make batch files
named DIR.BAT and COPY.BAT. An intruder pillaging through your PC will run them instead of the
real commands, and they will throw the intruder off track. Here we GOO00oooo...
@ECHO OFF
This is the first half of two batch files. It starts off by
taking the date and time and appending them to the end of a file called
INTRDLOG in your "safe" directory. For more on using redirection
go to Using Batch Commands. Next
SUBST is used to make a virtual drive out of the subdirectory
C:\LOCKEMIN.
Then ASSIGN is used to "Put" drive D: on top of drive C:, locking
the user or intruder into our "safe" directory designated LOCKEMIN.
Enter problem 1. After this batch file ASSIGNs C: = D: DOS gives the
error "Batch file missing". The way I fixed this problem was to go
into the command.com file and write over that specific error message
with something else like: Syntax error, Con device bad, or leave it
blank. Something I should mention is that this file should be in your
PATH somewhere. Within our subdirectory LOCKEMIN there should be a
"virtual" replica of your root directory. By this I mean you need to
have your "safe" directory located in the same place within LOCKEMIN
as it is in your "real" hard drive. Example:
C:\>COPY TEST.TXT /B > CON
This copies test.txt to the CON
device, which is your monitor. Notice the /B switch used with COPY. It copies everything within
our test.txt file up to the specified file length, regardless of any [End-Of-File] characters it
meets. Look for more on switches COPY will accept on my
DOS Internal Commands page. You can also use an ESCAPE SEQUENCE to hide text from the
screen.
If you want to torment someone inexperienced with computers, you
can give them a disk and tell them to run one of the programs
on it like a cool game or something. But, you rename the main program
something with an extended ASCII character in it like an e with a dot
over it. When they type DIR and look at the disk, they will type the
name of the program but will get the error `Bad command or file name'.
You might also use this to hide programs on your computer. If you
rename a file to something with just the HEX FF character, its name
will be hidden from a directory listing. Beware, its size, date, and
time will still be visible. To do this, just use the same technique
as described in How to make directories inaccessible from the DOS prompt, except make the batch file rename the file
to the extended ASCII name that you want. Example:
REN PHILE.DOC $H1L
^Z (Control-F6)
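Seen from the defender's side, both the directory trick and the file-rename trick leave the odd byte in the on-disk directory entry, where it is easy to find. The following is an added example, not part of the original page: it walks raw 32-byte FAT directory entries and reports every name containing a byte that cannot be typed normally, along with the size that stays visible. The sample entries and all function names are constructed for illustration.

```python
import struct

HIDDEN, DIRECTORY = 0x02, 0x10  # FAT attribute bits


def make_entry(name, ext=b"", attr=0, size=0):
    """Build a constructed 32-byte FAT directory entry (timestamps zeroed)."""
    return (name.ljust(8, b" ") + ext.ljust(3, b" ") + bytes([attr])
            + bytes(16) + struct.pack("<I", size))


def visible(raw):
    """Show printable ASCII as-is and every other byte as \\xNN."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E else "\\x%02X" % b for b in raw)


def audit(dir_bytes):
    """Return (shown_name, is_dir, is_hidden, size) for suspicious entries."""
    findings = []
    for off in range(0, len(dir_bytes) - 31, 32):
        e = dir_bytes[off:off + 32]
        if e[0] == 0x00:                  # end of directory
            break
        if e[0] == 0xE5 or e[11] & 0x08:  # deleted, volume label or long-name slot
            continue
        name, ext, attr = e[0:8].rstrip(b" "), e[8:11].rstrip(b" "), e[11]
        if all(0x21 <= b <= 0x7E for b in name + ext):
            continue                      # ordinary, typeable name
        shown = visible(name) + ("." + visible(ext) if ext else "")
        size = struct.unpack("<I", e[28:32])[0]
        findings.append((shown, bool(attr & DIRECTORY), bool(attr & HIDDEN), size))
    return findings


# Constructed sample directory: two normal entries and two that use the trick.
SAMPLE = b"".join([
    make_entry(b"DOS", attr=DIRECTORY),
    make_entry(b"\xFF", attr=DIRECTORY | HIDDEN),
    make_entry(b"GAM\x82", b"EXE", size=48213),
    make_entry(b"AUTOEXEC", b"BAT", size=312),
    bytes(32),
])

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```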
Start by making a copy of COMMAND.COM somewhere other than your root directory. You should
already have an extra copy of it in your DOS directory, but it can't hurt to have extras.
At the end of the DOS command interpreter (COMMAND.COM) is a list of all
internal commands. Just pull COMMAND.COM into DEBUG or the HEX editor of your choice
and do a search for the command you want to change. Then CAREFULLY change the name of
the command to something different. It must be the same length as the original name.
Then write over it and save it to disk. I am going to break down and give some very basic
instructions on how to use DEBUG now.
Now you will have a new prompt, "-". Do a search for your
command by typing the following, inserting the command you want to change:
-s 100 ffff "COPY"
Now Debug will give you every memory
location that it found your string:
0E8F:CD16
0E8F:CEC8
-
Ignore the 0E8F:, that is the base address that your free memory starts on (your base address
will be different). Note locations CD16 and CEC8. Those are the memory
locations where DEBUG found a text string of COPY (DEBUG's search command is CASE SENSITIVE, take note).
Most likely the address you want will be the last one listed (in this case IT IS NOT!).
Read through the next instructions to understand how a memory dump works.
To be sure you have the correct mem address for COPY, view every memory location DEBUG gave you
and see that there are other DOS commands along with the one you are looking for. That is the
location you will want. It should make more sense after you read the following.
Write down the other mem locations too, just to be safe. Now do a memory dump to see what DEBUG found:
-d cd16 (You type ONLY this one line)
0E8F:CD10                   43 4F-50 59 05 50 41 55 53 45       COPY.PAUSE
0E8F:CD20 04 44 41 54 45 04 54 49-4D 45 03 56 45 52 03 56 .DATE.TIME.VER.V
0E8F:CD30 4F 4C 02 43 44 05 43 48-44 49 52 02 4D 44 05 4D OL.CD.CHDIR.MD.M
0E8F:CD40 4B 44 49 52 02 52 44 05-52 4D 44 49 52 05 42 52 KDIR.RD.RMDIR.BR
0E8F:CD50 45 41 4B 06 56 45 52 49-46 59 03 53 45 54 06 50 EAK.VERIFY.SET.P
0E8F:CD60 52 4F 4D 50 54 04 50 41-54 48 04 45 58 49 54 04 ROMPT.PATH.EXIT.
0E8F:CD70 43 54 54 59 04 45 43 48-4F 04 4C 4F 43 4B 06 55 CTTY.ECHO.LOCK.U
0E8F:CD80 4E 4C 4F 43 4B 04 47 4F-54 4F 05 53 48 49 46 54 NLOCK.GOTO.SHIFT
0E8F:CD90 02 49 46 03 46 4F .IF.FO
-
Let's break down what you now see on your screen. The far left column is the starting address for
each line. The big group of double digit numbers in the middle is a Hexadecimal representation
of everything in the far right column. If you see the command you are wanting to replace as
the first command in the topmost line, everything is groovy. If not, be sure you typed the
address correctly and then try the other mem locations DEBUG found for you. One of them will
pan out for you.
-e cd16
0E8F:CD16 43.
Now DEBUG is prompting you to enter a value to replace "C". 43 is the ASCII form of a capital C.
You will need to have an ASCII table so you can translate the letters (or numbers,
symbols, control characters, etc.) that you are going to replace "COPY" with. Look at the end of this
section for an ASCII table. I will use DEWD as
an example. Now enter a new ASCII value (since D comes after C, 43 gets replaced with
44)
0E8F:CD16 43.44
Now, press the space bar to bring up
the next ASCII value in line, which in our case will be 4F.
0E8F:CD16 43.44 4F.45
Since E's ASCII value is 45, 45 will be entered in.
0E8F:CD16 43.44 4F.45
0E8F:CD18 50.57 59.44
We entered 57 for a W and 44 in
place of 59. Notice that DEBUG jumped down to the next line: just ignore that if it happens.
As long as you have the correct prompt everything is OK.
To get back to a DEBUG prompt press the enter key after you input 44.
Now you might want to check your work. Do a memory dump to see that
everything has gone according to plan.
-d cd16
0E8F:CD10                   44 45-57 44 05 50 41 55 53 45       DEWD.PAUSE
0E8F:CD20 04 44 41 54 45 04 54 49-4D 45 03 56 45 52 03 56 .DATE.TIME.VER.V
0E8F:CD30 4F 4C 02 43 44 05 43 48-44 49 52 02 4D 44 05 4D OL.CD.CHDIR.MD.M
0E8F:CD40 4B 44 49 52 02 52 44 05-52 4D 44 49 52 05 42 52 KDIR.RD.RMDIR.BR
0E8F:CD50 45 41 4B 06 56 45 52 49-46 59 03 53 45 54 06 50 EAK.VERIFY.SET.P
0E8F:CD60 52 4F 4D 50 54 04 50 41-54 48 04 45 58 49 54 04 ROMPT.PATH.EXIT.
0E8F:CD70 43 54 54 59 04 45 43 48-4F 04 4C 4F 43 4B 06 55 CTTY.ECHO.LOCK.U
0E8F:CD80 4E 4C 4F 43 4B 04 47 4F-54 4F 05 53 48 49 46 54 NLOCK.GOTO.SHIFT
0E8F:CD90 02 49 46 03 46 4F .IF.FO
-
You can see that DEWD is now in place of COPY. Now you gotta save your work and get outa DEBUG.
-w
Writing 16E74 bytes
-q
Use w to write our changes to disk and q to exit DEBUG. In order to see if your changes worked,
type COMMAND from your root directory (or the directory that your modified COMMAND.COM is in).
Type COPY and enter, you should get an error message. Now type DEWD. You should get something like
"Required parameter missing". That means it worked. Now try to copy a file. You should be in
business now!
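From the defender's side, an edit like this is easy to spot by comparing COMMAND.COM with the clean copy kept earlier. The following is an added example, not part of the original page: it reports the changed bytes and then walks the name list the way the dump above lays it out, where every name after COPY is preceded by a byte equal to its length (which fits the rule that a new name must be the same length). The byte strings are constructed from the dump shown above; the function names are illustrative.

```python
# Constructed sample: start of the name list from the dump above (CD16 onward).
BASE = 0xCD16
CLEAN = bytes.fromhex(
    "434F5059" "055041555345" "0444415445" "0454494D45" "03564552" "03564F4C"
)
PATCHED = CLEAN.replace(b"COPY", b"DEWD", 1)  # the edit made with -e above


def diff_runs(clean, current, base=0):
    """Return (address, old, new) for every run of bytes that differs."""
    if len(clean) != len(current):
        raise ValueError("sizes differ: not a same-length in-place patch")
    runs, start = [], None
    for i in range(len(clean) + 1):
        differs = i < len(clean) and clean[i] != current[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((base + start, clean[start:i], current[start:i]))
            start = None
    return runs


def command_names(table, first_len):
    """Walk the list as dumped: one bare name, then <length byte><name> items."""
    names, pos = [table[:first_len].decode("ascii", "replace")], first_len
    while pos < len(table):
        n = table[pos]
        if n == 0 or pos + 1 + n > len(table):
            break  # ran off the end of the name list
        names.append(table[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return names


def renamed(clean, current, first_len=4):
    """Pair up names that no longer match the clean copy."""
    old, new = command_names(clean, first_len), command_names(current, first_len)
    return [(o, n) for o, n in zip(old, new) if o != n]


if __name__ == "__main__":
    for addr, old, new in diff_runs(CLEAN, PATCHED, BASE):
        print("%04X: %s -> %s" % (addr, old.hex(), new.hex()))
    print(renamed(CLEAN, PATCHED))
```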
41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A
A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z

61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A
a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z

31 32 33 34 35 36 37 38 39 30 60 7E 21 40 23 24 25 5E 26 2A 28 29 5F 2B 5B
1  2  3  4  5  6  7  8  9  0  `  ~  !  @  #  $  %  ^  &  *  (  )  _  +  [

5D 7B 7D 2C 2E 2F 3C 3E 3F 3A 22 2D 3D 20    1B                 07   27
]  {  }  ,  .  /  <  >  ?  :  "  -  =  SPACE End-Of-File Marker BELL ESC

Notes: I have successfully used this with DOS versions 3.3 to 6.22. While writing this I
discovered DOS 7 (Windoze 95 DOS) has some problems if you attempt to do this in DEBUG.
I could do it with other HEX editors like Hex Workshop, but DEBUG causes some problems. If
anyone knows what the problem is, let me know.
DATE >> C:\DOS\ \INTRDLOG < GO
TIME >> C:\DOS\ \INTRDLOG < GO
SUBST D: C:\LOCKEMIN
ASSIGN C: = D:
Your "real" hard drive:       C:\DOS\ \DIR.BAT
Your virtual root directory:  C:\LOCKEMIN\DOS\ \DIR.BAT
This is so that when the switcharoo takes place, DIR.BAT and/or
COPY.BAT ends up in
the same path location. This way you don't have to change the path
with the DIR.BAT program and so you don't waste space in your path
line (You can NORMALLY only specify 127 characters within your path, but I know how to make it
infinitely long, Ha Ha he he he...).
You also need to
have a mocked up Command.com in there as well as the "same" directory
structure having DOS, WINDOWS, and whatever else you have in general
on your hard drive. Also you need to hide the two directories . and ..
that appear in a subdirectory (Also the directory containing this
batch file). You could write your own program to do this or use
something like Norton Utilities to do the hiding.
Make sure that the Command.com you put in there is nearly identical
to your mocked up version. Remember, an intruder might try to
re-start Command.com and if you have the "real" one in there you
just wasted everything this section is about. You might put one in
there that has all error messages intact (To reduce suspicion) but
has DIR and other commands still changed.
Now you have a couple of choices as to how the second DIR.BAT works.
At this point, an intruder will scratch his (or her) head because
they just got a funny error message after typing DIR. They just
unknowingly launched themselves into a subdirectory and will now
probably try the DIR command again. You can make the second batch
file call the true DIR command or go all out with a system
that doesn't reveal the true DIR command (if you're afraid that
someone might discover your batch file and gain the name of the true
DIR command). It will also be more convincing because the directories will "contain" files.
The first method is preferred (unless you have the space to put fake or even real programs into
your LOCKEMIN subdirectory).
Ok, it is possible to hide something within a simple text file. Pull up the text file
in a HEX editor such as DEBUG or Norton Utilities (go to the section about renaming internal commands
for usage of DEBUG). At the point you wish to hide text in the file
just insert an [End-Of-File] character. This is "1B" in HEX and "27" in decimal (use the HEX value
if you use DEBUG to accomplish this). If you use TYPE to view a
file it will end at the [End-Of-File] character. There's a way around this too. Use COPY.