Trying to do a Proof of Concept of poisoning 'ls' binary to hide files and folders

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















I am currently trying to modify 'ls.c' source file in order to hide files and folders containing the word hidden. After doing some research, I've found that this could be possible by adding this code into 'ls.c' source file:



 char attr_command[1024] = "attr -Lqg hidden "; // Oh, dear. That's bad
int attr_code;
strcat(attr_command, d->d_name);
strcat(attr_command, " >/dev/null 2>&1");
attr_code = system(attr_command);
if (!attr_code)
continue;


This code would have to be added after the following line:



while ((d = readdir(dp))) {


We can get the coreutils source files (including ls.c) via 'git clone git://git.suckless.org/sbase'



So after running 'make' with the modified 'ls.c' source file, the file 'hidden' is still showing up.



I need to modify 'ls.c' to really hide files and folders.










share|improve this question
























  • Thank you for your quick reply. I am actually using the freshly built 'ls' I've built with 'make' by doing ./ls. And no I do not use the original 'ls' binary that was originally built with my Ubuntu for testing if file 'hidden' is really hidden or not.

    – Gerald
    Feb 10 at 20:18






  • 2





    err, do you mean to hide files with the string "hidden" in their names? Or something else?

    – ilkkachu
    Feb 10 at 20:37












  • yes this is exactly what I'm trying to do; hide files with the string 'hidden'. Thanks

    – Gerald
    Feb 10 at 20:42















0















I am currently trying to modify 'ls.c' source file in order to hide files and folders containing the word hidden. After doing some research, I've found that this could be possible by adding this code into 'ls.c' source file:



 char attr_command[1024] = "attr -Lqg hidden "; // Oh, dear. That's bad
int attr_code;
strcat(attr_command, d->d_name);
strcat(attr_command, " >/dev/null 2>&1");
attr_code = system(attr_command);
if (!attr_code)
continue;


This code would have to be added after the following line:



while ((d = readdir(dp))) {


We can get the coreutils source files (including ls.c) via 'git clone git://git.suckless.org/sbase'



So after running 'make' with the modified 'ls.c' source file, the file 'hidden' is still showing up.



I need to modify 'ls.c' to really hide files and folders.










share|improve this question
























  • Thank you for your quick reply. I am actually using the freshly built 'ls' I've built with 'make' by doing ./ls. And no I do not use the original 'ls' binary that was originally built with my Ubuntu for testing if file 'hidden' is really hidden or not.

    – Gerald
    Feb 10 at 20:18






  • 2





    err, do you mean to hide files with the string "hidden" in their names? Or something else?

    – ilkkachu
    Feb 10 at 20:37












  • yes this is exactly what I'm trying to do; hide files with the string 'hidden'. Thanks

    – Gerald
    Feb 10 at 20:42













0












0








0








I am currently trying to modify 'ls.c' source file in order to hide files and folders containing the word hidden. After doing some research, I've found that this could be possible by adding this code into 'ls.c' source file:



 char attr_command[1024] = "attr -Lqg hidden "; // Oh, dear. That's bad
int attr_code;
strcat(attr_command, d->d_name);
strcat(attr_command, " >/dev/null 2>&1");
attr_code = system(attr_command);
if (!attr_code)
continue;


This code would have to be added after the following line:



while ((d = readdir(dp))) {


We can get the coreutils source files (including ls.c) via 'git clone git://git.suckless.org/sbase'



So after running 'make' with the modified 'ls.c' source file, the file 'hidden' is still showing up.



I need to modify 'ls.c' to really hide files and folders.










share|improve this question
















I am currently trying to modify 'ls.c' source file in order to hide files and folders containing the word hidden. After doing some research, I've found that this could be possible by adding this code into 'ls.c' source file:



 char attr_command[1024] = "attr -Lqg hidden "; // Oh, dear. That's bad
int attr_code;
strcat(attr_command, d->d_name);
strcat(attr_command, " >/dev/null 2>&1");
attr_code = system(attr_command);
if (!attr_code)
continue;


This code would have to be added after the following line:



while ((d = readdir(dp))) {


We can get the coreutils source files (including ls.c) via 'git clone git://git.suckless.org/sbase'



So after running 'make' with the modified 'ls.c' source file, the file 'hidden' is still showing up.



I need to modify 'ls.c' to really hide files and folders.







linux filesystems ls c






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 10 at 20:35









Rui F Ribeiro

41.1k1479137




41.1k1479137










asked Feb 10 at 20:09









GeraldGerald

61




61












  • Thank you for your quick reply. I am actually using the freshly built 'ls' I've built with 'make' by doing ./ls. And no I do not use the original 'ls' binary that was originally built with my Ubuntu for testing if file 'hidden' is really hidden or not.

    – Gerald
    Feb 10 at 20:18






  • 2





    err, do you mean to hide files with the string "hidden" in their names? Or something else?

    – ilkkachu
    Feb 10 at 20:37












  • yes this is exactly what I'm trying to do; hide files with the string 'hidden'. Thanks

    – Gerald
    Feb 10 at 20:42

















  • Thank you for your quick reply. I am actually using the freshly built 'ls' I've built with 'make' by doing ./ls. And no I do not use the original 'ls' binary that was originally built with my Ubuntu for testing if file 'hidden' is really hidden or not.

    – Gerald
    Feb 10 at 20:18






  • 2





    err, do you mean to hide files with the string "hidden" in their names? Or something else?

    – ilkkachu
    Feb 10 at 20:37












  • yes this is exactly what I'm trying to do; hide files with the string 'hidden'. Thanks

    – Gerald
    Feb 10 at 20:42
















Thank you for your quick reply. I am actually using the freshly built 'ls' I've built with 'make' by doing ./ls. And no I do not use the original 'ls' binary that was originally built with my Ubuntu for testing if file 'hidden' is really hidden or not.

– Gerald
Feb 10 at 20:18





Thank you for your quick reply. I am actually using the freshly built 'ls' I've built with 'make' by doing ./ls. And no I do not use the original 'ls' binary that was originally built with my Ubuntu for testing if file 'hidden' is really hidden or not.

– Gerald
Feb 10 at 20:18




2




2





err, do you mean to hide files with the string "hidden" in their names? Or something else?

– ilkkachu
Feb 10 at 20:37






err, do you mean to hide files with the string "hidden" in their names? Or something else?

– ilkkachu
Feb 10 at 20:37














yes this is exactly what I'm trying to do; hide files with the string 'hidden'. Thanks

– Gerald
Feb 10 at 20:42





yes this is exactly what I'm trying to do; hide files with the string 'hidden'. Thanks

– Gerald
Feb 10 at 20:42










2 Answers
2






active

oldest

votes


















0














The attr command deals with extended attributes, particularly in relation to the XFS filesystem. (It also works with ext4, but I suppose getfattr and setfattr are meant for general, filesystem-independent use.)



That is to say, attr -Lqg hidden "$filename" doesn't check anything about the file's name, but it checks if an extended attribute called hidden is set on the file.



If you want to check if the file name contains a particular string, you should probably use the strstr() function.



Since d->d_name contains the name of the file being processed, something like this might work.



if (strstr(d->d_name, "hidden") == 0) { ... 


That doesn't mean you couldn't base file hiding on extended attributes... But even if you do, it might be better to look up the actual system calls used for that. system() forks off a shell and the external process, and with a long directory listing, that may be noticeably slow.



Also, note that modifying ls will do nothing to other programs that can also give a file listing. They may be as simple as find, or printf "%sn" *.






share|improve this answer























  • I've tried adding system("grep -v hidden"); but it doesn't work unfortunately. Do you have an idea of the correct code to add with system() ? Thanks

    – Gerald
    Feb 10 at 21:51


















0














Allright so I've kinda found a workaround to "hide" a string for 'ls' by adding the following line in 'ls.c' after line 261 (thanks to ilkkachu for his answer below):



 if (strstr(d->d_name, "HIDDEN") == 0)
return 0;


Probably not the best solution but hey it works :)



If anyone out there would like to suggest a better option/solution, please do it, I would love to have more options and a better one if possible !



Thanks






share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f499812%2ftrying-to-do-a-proof-of-concept-of-poisoning-ls-binary-to-hide-files-and-folde%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    The attr command deals with extended attributes, particularly in relation to the XFS filesystem. (It also works with ext4, but I suppose getfattr and setfattr are meant for general, filesystem-independent use.)



    That is to say, attr -Lqg hidden "$filename" doesn't check anything about the file's name, but it checks if an extended attribute called hidden is set on the file.



    If you want to check if the file name contains a particular string, you should probably use the strstr() function.



    Since d->d_name contains the name of the file being processed, something like this might work.



    if (strstr(d->d_name, "hidden") == 0) { ... 


    That doesn't mean you couldn't base file hiding on extended attributes... But even if you do, it might be better to look up the actual system calls used for that. system() forks off a shell and the external process, and with a long directory listing, that may be noticeably slow.



    Also, note that modifying ls will do nothing to other programs that can also give a file listing. They may be as simple as find, or printf "%sn" *.






    share|improve this answer























    • I've tried adding system("grep -v hidden"); but it doesn't work unfortunately. Do you have an idea of the correct code to add with system() ? Thanks

      – Gerald
      Feb 10 at 21:51















    0














    The attr command deals with extended attributes, particularly in relation to the XFS filesystem. (It also works with ext4, but I suppose getfattr and setfattr are meant for general, filesystem-independent use.)



    That is to say, attr -Lqg hidden "$filename" doesn't check anything about the file's name, but it checks if an extended attribute called hidden is set on the file.



    If you want to check if the file name contains a particular string, you should probably use the strstr() function.



    Since d->d_name contains the name of the file being processed, something like this might work.



    if (strstr(d->d_name, "hidden") == 0) { ... 


    That doesn't mean you couldn't base file hiding on extended attributes... But even if you do, it might be better to look up the actual system calls used for that. system() forks off a shell and the external process, and with a long directory listing, that may be noticeably slow.



    Also, note that modifying ls will do nothing to other programs that can also give a file listing. They may be as simple as find, or printf "%sn" *.






    share|improve this answer























    • I've tried adding system("grep -v hidden"); but it doesn't work unfortunately. Do you have an idea of the correct code to add with system() ? Thanks

      – Gerald
      Feb 10 at 21:51













    0












    0








    0







    The attr command deals with extended attributes, particularly in relation to the XFS filesystem. (It also works with ext4, but I suppose getfattr and setfattr are meant for general, filesystem-independent use.)



    That is to say, attr -Lqg hidden "$filename" doesn't check anything about the file's name, but it checks if an extended attribute called hidden is set on the file.



    If you want to check if the file name contains a particular string, you should probably use the strstr() function.



    Since d->d_name contains the name of the file being processed, something like this might work.



    if (strstr(d->d_name, "hidden") == 0) { ... 


    That doesn't mean you couldn't base file hiding on extended attributes... But even if you do, it might be better to look up the actual system calls used for that. system() forks off a shell and the external process, and with a long directory listing, that may be noticeably slow.



    Also, note that modifying ls will do nothing to other programs that can also give a file listing. They may be as simple as find, or printf "%sn" *.






    share|improve this answer













    The attr command deals with extended attributes, particularly in relation to the XFS filesystem. (It also works with ext4, but I suppose getfattr and setfattr are meant for general, filesystem-independent use.)



    That is to say, attr -Lqg hidden "$filename" doesn't check anything about the file's name, but it checks if an extended attribute called hidden is set on the file.



    If you want to check if the file name contains a particular string, you should probably use the strstr() function.



    Since d->d_name contains the name of the file being processed, something like this might work.



    if (strstr(d->d_name, "hidden") == 0) { ... 


    That doesn't mean you couldn't base file hiding on extended attributes... But even if you do, it might be better to look up the actual system calls used for that. system() forks off a shell and the external process, and with a long directory listing, that may be noticeably slow.



    Also, note that modifying ls will do nothing to other programs that can also give a file listing. They may be as simple as find, or printf "%sn" *.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Feb 10 at 20:54









    ilkkachuilkkachu

    60.2k1098171




    60.2k1098171












    • I've tried adding system("grep -v hidden"); but it doesn't work unfortunately. Do you have an idea of the correct code to add with system() ? Thanks

      – Gerald
      Feb 10 at 21:51

















    • I've tried adding system("grep -v hidden"); but it doesn't work unfortunately. Do you have an idea of the correct code to add with system() ? Thanks

      – Gerald
      Feb 10 at 21:51
















    I've tried adding system("grep -v hidden"); but it doesn't work unfortunately. Do you have an idea of the correct code to add with system() ? Thanks

    – Gerald
    Feb 10 at 21:51





    I've tried adding system("grep -v hidden"); but it doesn't work unfortunately. Do you have an idea of the correct code to add with system() ? Thanks

    – Gerald
    Feb 10 at 21:51













    0














    Allright so I've kinda found a workaround to "hide" a string for 'ls' by adding the following line in 'ls.c' after line 261 (thanks to ilkkachu for his answer below):



     if (strstr(d->d_name, "HIDDEN") == 0)
    return 0;


    Probably not the best solution but hey it works :)



    If anyone out there would like to suggest a better option/solution, please do it, I would love to have more options and a better one if possible !



    Thanks






    share|improve this answer



























      0














      Allright so I've kinda found a workaround to "hide" a string for 'ls' by adding the following line in 'ls.c' after line 261 (thanks to ilkkachu for his answer below):



       if (strstr(d->d_name, "HIDDEN") == 0)
      return 0;


      Probably not the best solution but hey it works :)



      If anyone out there would like to suggest a better option/solution, please do it, I would love to have more options and a better one if possible !



      Thanks






      share|improve this answer

























        0












        0








        0







        Allright so I've kinda found a workaround to "hide" a string for 'ls' by adding the following line in 'ls.c' after line 261 (thanks to ilkkachu for his answer below):



         if (strstr(d->d_name, "HIDDEN") == 0)
        return 0;


        Probably not the best solution but hey it works :)



        If anyone out there would like to suggest a better option/solution, please do it, I would love to have more options and a better one if possible !



        Thanks






        share|improve this answer













        Allright so I've kinda found a workaround to "hide" a string for 'ls' by adding the following line in 'ls.c' after line 261 (thanks to ilkkachu for his answer below):



         if (strstr(d->d_name, "HIDDEN") == 0)
        return 0;


        Probably not the best solution but hey it works :)



        If anyone out there would like to suggest a better option/solution, please do it, I would love to have more options and a better one if possible !



        Thanks







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 11 at 3:51









        GeraldGerald

        61




        61



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f499812%2ftrying-to-do-a-proof-of-concept-of-poisoning-ls-binary-to-hide-files-and-folde%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?