#1
Unverified User
Join Date: Jun 2005
Location: NJ
Posts: 23
Rep Power: 0
Sup folks, 30 mins to the NY Mets game which I'll be watching, but I figured I'd post this before it starts.

I wrote a program which I have dubbed "index.die", that searches for index.dat files on the root partition and attempts to overwrite these files by starting up through the RunOnce key in the registry. The program can be run from the command line in safe mode to guarantee all index.dat files are terminated. Basically just looking for any advice regarding the code I have so far: stupid errors, security flaws, anything you see that you don't like... or do like lol. For those of you who don't know about index.dat files, they're basically cache files for IE that are usually hard to get rid of due to the operating system having access to them. They can contain sensitive data even if you don't use Internet Explorer, since many other apps interface with IE, like RealPlayer, Windows Media Player, etc. The code is not commented yet, but I will gladly take time to add thorough comments if anyone wants this. However, I will try to explain what the source code does in general, in a brief but not too brief explanation.

When executed with NO command line arguments, my prog searches the root partition for any file named index.dat, then adds the full file path for each index.dat to a C:\deathrow.txt file, assuming you have Windows installed on C:\. Then the program exits, without doing anything other than adding references to these index.dat's to deathrow.txt. A reference is added to the HKEY_LOCAL_MACHINE RunOnce section of the registry so my program starts on the next reboot. Note: the program adds a command line arg of "x" to the registry. When my prog is executed with ANY command line args, it attempts to read from deathrow.txt and shred any index.dat files. Currently I am using a really farty method to overwrite the files 256 times, alternating with bitwise complements, with the last pass being 0xff, 0x00, and then truncating the file, renaming it to "00000000", and finally deleting it. This is really all there is to the program.

So basically any time you want to search for new index.dats, you just run the prog normally, and any time you want to kill them, you need to pass at least 1 argument on the command line. Of course it's pointless doing this most of the time while the system is running, but sometimes you can get some old/accessible index.dat's nevertheless. So here is a link to the code: http://poolghost.com/indexdie.htm Again, not commented yet, but I will GLADLY comment it if anyone wants me to before reviewing it. Perfect timing for the Mets game as it's 9:59 lol. Peace guys, I'll be back later on... adios
__________________
DeepTide The way is shut. It was made by those who are dead and the Dead keep it. The way is shut.
#2
Unverified User
Join Date: Jun 2005
Location: NJ
Posts: 23
Rep Power: 0
NOTE: I just think I found something really dumb I did in the statement
`if(strcmp(indexdat,&f[fpathlen-10])==0)` in the function fileMod. Since if the strlen is only like 3 or 5 or whatever, it would be looking at data below the index of f, e.g. a negative array index lol. I'm not sure if this is actually a security flaw, but my gut tells me it CAN'T be good lol... trying to compare with junk on the stack probably. I'm going to watch the game now but just thought I'd mention this as it immediately caught my eye when just glancing at the file before posting it. Will be back later, peace, --c0ld
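The check c0ld is worried about is a missing bounds check: `&f[fpathlen-10]` is only a valid address when the path is at least 10 characters long, so a shorter path makes `strcmp` read memory in front of the buffer. The following is an added example, not code from the thread or from index.die, showing a suffix comparison that refuses to index before the start of the path. It assumes `indexdat` held the 10-character string `\index.dat` (which is what the hard-coded 10 suggests) and that the comparison should be case-insensitive, since Windows file names are; the sample paths are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Suffix the thread's fileMod() compares against. Assumed to be the
 * 10-character string "\index.dat", which is where the hard-coded
 * fpathlen-10 would have come from. */
#define INDEX_DAT_SUFFIX "\\index.dat"

/* Does `path` end with `suffix`, ignoring ASCII case? The length check is
 * the fix: with a path shorter than the suffix, path + (plen - slen) would
 * point before the start of the buffer, which is the out-of-bounds read
 * described in the post. */
bool ends_with_nocase(const char *path, const char *suffix)
{
    size_t plen = strlen(path);
    size_t slen = strlen(suffix);

    if (plen < slen)
        return false;   /* too short to match; never index before the buffer */

    const char *tail = path + (plen - slen);
    for (size_t i = 0; i < slen; i++) {
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)suffix[i]))
            return false;
    }
    return true;
}

/* Replacement for the strcmp(indexdat, &f[fpathlen-10]) == 0 test. */
bool is_index_dat(const char *path)
{
    return ends_with_nocase(path, INDEX_DAT_SUFFIX);
}

/* Count how many of `n` paths are index.dat files; -1 if an entry is NULL. */
int count_index_dat(const char *const *paths, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (paths[i] == NULL)
            return -1;
        if (is_index_dat(paths[i]))
            hits++;
    }
    return hits;
}

/* Constructed sample paths (not from the thread). The short ones are the
 * inputs that would have sent the original comparison off the front of f. */
static const char *const SAMPLE_PATHS[] = {
    "C:\\Documents and Settings\\user\\Cookies\\index.dat",
    "C:\\WINDOWS\\Temp\\INDEX.DAT",   /* different case, still a match */
    "C:\\foo.txt",
    "a",                              /* length 1: fpathlen-10 is negative */
    "",                               /* length 0 */
    "index.dat",                      /* 9 chars: one short of the suffix */
    "C:\\x\\notindex.dat",            /* right length, wrong bytes */
};
#define SAMPLE_COUNT (sizeof SAMPLE_PATHS / sizeof SAMPLE_PATHS[0])

int count_sample_index_dat(void)
{
    return count_index_dat(SAMPLE_PATHS, SAMPLE_COUNT);
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%-55s %s\n", SAMPLE_PATHS[i],
               is_index_dat(SAMPLE_PATHS[i]) ? "index.dat" : "-");
    printf("%d of %zu paths matched\n", count_sample_index_dat(), SAMPLE_COUNT);
    return 0;
}
```

The two sample paths that match are the only ones reported; the one-character and empty paths, which would have driven the original index negative, are rejected by the length check before any byte is compared.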
#3
PFO God In Training
Join Date: Jun 2005
Location: near St Louis, MO. (USA)
Posts: 547
Rep Power: 4
Why do you want to screw up those files? I used Windows Explorer (xp pro) to search for index.dat and found quite a few of them -- mostly in Documents & Settings and \Windows directories.
#4
Unverified User
Join Date: Jun 2005
Location: NJ
Posts: 23
Rep Power: 0
They are perfectly safe to delete, and many people hate them, as they contain tons of web browsing info even after clearing the IE cache. They can contain a shitload of information that you wouldn't want others seeing... just open one in a hex editor or...
This program at http://www.fsm.nl/ward/ will scan your drive for index.dat's and extract the data from them for you. It is a sick program. If you scan, make sure to do a "complete hard drive" scan, as scanning the Windows directory only is pointless since a TON of index.dat files usually are within Documents and Settings\*
#5
Programmer
Join Date: Jun 2005
Location: Maryland, USA
Posts: 59
Rep Power: 4
I didn't look at your code, but the idea of opening the file and attempting to 'erase' it by overwriting it is problematical. Even 'simple' and 'cheap' drives nowadays have caching mechanisms as well as hardware/software controllers betwixt the OS and the actual disk surface and as a consequence, the drive itself (keep in mind that the OS in many cases tries to protect you from yourself by putting writes to different disk locations) may not write to the exact same location where you read from. This is a well-known and pervasive 'security' issue (it is only a security issue if you don't know about it; if you do know about it, you shred the drive and dump the bits in a blast furnace). It is so well known and pervasive that most OSs that meet minimum NSA (or whomsoever sets them) standards MUST overwrite the disk space allocated to a process before handing it over (overwriting RAM has been part of the standard for years (decades, probably), one of the main reasons why buggy code always seems to work the first time it runs). Without dropping to the driver level, it is essentially impossible to guarantee that disk data has been overwritten, and if your drive has a controller, without interfacing with the drive API, the OS has no way of guaranteeing that the data has been overwritten. The moral of this story... if your disk has sensitive information on it, smash and trash it and forget about making $10 on eBay for the silly thing.
Did you know that if you cool your RAM chips (liquid N2 works great) and power off the machine it is possible to snoop the entire contents? Did you know that the EM radiation of many drive controllers reveals what bits are being placed on the platter? Did you know that with sensitive equipment your keystrokes can be detected from as far as 100 feet away (even further if you use a wireless keyboard)? Did you know that CRT screens can often be read as much as 100 yards away with the right equipment? Did you know that if you can place the appropriate receptor inside the computer case you can read exactly what the CPU is doing (great for snooping keys during en/decryption)? Do you know how cheap a hardware keystroke logger is and how innocuous it looks? Do you have one on your machine right now? Study information security and you either can't sleep at night or you learn not to give a damn about these sorts of things because it is so trivial to get the information. That is, unless you want to build a shielded concrete vault in your basement (ever watch 'Enemy of the State'? Like that.).
__________________
Free code: http://sol-biotech.com/code/. It is not that old programmers are any smarter or code better, it is just that they have made the same stupid mistake so many times that it is second nature to fix it. --Mitakeet The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man. --George Bernard Shaw
#6
Programming Guru
Join Date: Jun 2005
Location: elemental plane
Posts: 1,429
Rep Power: 5
You should write to that guy that wrote Spider and tell him: "twente is een kutstad, en jij bent een sukkel, ik oon jou". Dizzutch here will know what it means.
Anyway, I use Firefox, so I don't have that problem.
__________________
"Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have labored hard for." -- Socrates
#7
Unverified User
Join Date: Jun 2005
Location: NJ
Posts: 23
Rep Power: 0
It doesn't matter if you don't use IE. I hate IE lol and never use it, but the index.dat files get filled with traces anyway, from other programs like Media Player, AIM, RealPlayer, Ares Lite; tons of apps interface with IE. So even if you don't use IE, you will be surprised what traces you can find.
Also, the guy wrote the Spider 1.16 program before Firefox even existed, I'm pretty sure. The only reason I mentioned that link was to show what traces you can find in your index.dat files even if you don't even use IE. @mitakeet, I am aware overwriting might be pointless, but it will keep most people from being able to view your tracks. Obviously the method sucks overall, but it gets the job done nicely assuming you're not trying to cover up from the FBI or whatever lol. Later, --c0ld