Trying to do a Proof of Concept of poisoning 'ls' binary to hide files and folders
I am currently trying to modify 'ls.c' source file in order to hide files and folders containing the word hidden. After doing some research, I've found that this could be possible by adding this code into 'ls.c' source file:
    char attr_command[1024] = "attr -Lqg hidden "; // Oh, dear. That's bad
    int attr_code;
    strcat(attr_command, d->d_name);
    strcat(attr_command, " >/dev/null 2>&1");
    attr_code = system(attr_command);
    if (!attr_code)
        continue;
This code would have to be added after the following line:
    while ((d = readdir(dp))) {
We can get the coreutils source files (including ls.c) via 'git clone git://git.suckless.org/sbase'
So after running 'make' with the modified 'ls.c' source file, the file 'hidden' is still showing up.
I need to modify 'ls.c' to really hide files and folders.
linux filesystems ls c
edited Feb 10 at 20:35 – Rui F Ribeiro
asked Feb 10 at 20:09 – Gerald
Thank you for your quick reply. I am actually using the freshly built 'ls' I've built with 'make' by doing ./ls. And no I do not use the original 'ls' binary that was originally built with my Ubuntu for testing if file 'hidden' is really hidden or not.
– Gerald
Feb 10 at 20:18
2
err, do you mean to hide files with the string "hidden" in their names? Or something else?
– ilkkachu
Feb 10 at 20:37
yes this is exactly what I'm trying to do; hide files with the string 'hidden'. Thanks
– Gerald
Feb 10 at 20:42
2 Answers
The attr command deals with extended attributes, particularly in relation to the XFS filesystem. (It also works with ext4, but I suppose getfattr and setfattr are meant for general, filesystem-independent use.)
That is to say, attr -Lqg hidden "$filename" doesn't check anything about the file's name, but it checks if an extended attribute called hidden is set on the file.
If you want to check if the file name contains a particular string, you should probably use the strstr() function.
Since d->d_name contains the name of the file being processed, something like this might work.
    if (strstr(d->d_name, "hidden") == 0) { ...
That doesn't mean you couldn't base file hiding on extended attributes... But even if you do, it might be better to look up the actual system calls used for that. system() forks off a shell and the external process, and with a long directory listing, that may be noticeably slow.
Also, note that modifying ls will do nothing to other programs that can also give a file listing. They may be as simple as find, or printf "%s\n" *.
answered Feb 10 at 20:54 – ilkkachu
I've tried adding system("grep -v hidden"); but it doesn't work unfortunately. Do you have an idea of the correct code to add with system() ? Thanks
– Gerald
Feb 10 at 21:51
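The point in the answer above, that a modified ls changes nothing for other programs that list files, is also how such tampering gets noticed. As an added example (not code from the question or either answer), this C program reads a directory with readdir() directly and reports entries missing from a suspect lister's output; find_unreported, demo, the /tmp/lscheck.* directory and the sample file names are constructed for illustration.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read dir with readdir() directly, print every entry that is absent from
 * the n names a suspect lister reported, and return how many there were
 * (-1 if the directory cannot be opened). */
int find_unreported(const char *dir, const char *const *names, size_t n)
{
    DIR *dp = opendir(dir);
    struct dirent *d;
    int count = 0;
    if (!dp)
        return -1;
    while ((d = readdir(dp))) {
        size_t i = 0;
        if (d->d_name[0] == '.')   /* ls without -a skips dotfiles too */
            continue;
        while (i < n && strcmp(d->d_name, names[i]) != 0)
            i++;
        if (i == n) {              /* on disk, but the lister never showed it */
            printf("on disk but not reported: %s\n", d->d_name);
            count++;
        }
    }
    closedir(dp);
    return count;
}

/* Constructed demo: three files on disk, suspect output lists only two. */
int demo(void)
{
    const char *files[] = { "notes.txt", "hidden_file", "report.pdf" };
    const char *suspect[] = { "notes.txt", "report.pdf" };  /* constructed */
    char dir[64], path[128];
    int n;
    snprintf(dir, sizeof dir, "/tmp/lscheck.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, files[i]);
        FILE *f = fopen(path, "w");
        if (f)
            fclose(f);
    }
    n = find_unreported(dir, suspect, 2);
    for (size_t i = 0; i < 3; i++) {   /* remove the constructed files */
        snprintf(path, sizeof path, "%s/%s", dir, files[i]);
        unlink(path);
    }
    rmdir(dir);
    return n;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

In practice the names array would hold the suspect binary's real output for the same directory. The comparison only catches filtering done inside the listing tool, because readdir() here still goes through the same libc and kernel.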
Alright so I've kinda found a workaround to "hide" a string for 'ls' by adding the following line in 'ls.c' after line 261 (thanks to ilkkachu for his answer below):
    if (strstr(d->d_name, "HIDDEN") == 0)
        return 0;
Probably not the best solution but hey it works :)
If anyone out there would like to suggest a better option/solution, please do it, I would love to have more options and a better one if possible!
Thanks
answered Feb 11 at 3:51 – Gerald