NTFS-based HARDLINK Attack and Defense

Author:MJ0011

Old technology and old technology ~

NTFS supports a HARDLINK technology that can "Hard connect" two files. In fact, the principle is very simple. Two files share the same fie record, and operations on one file is equivalent to operations on another file, including related attributes. Deleting one of them will retain the original data ~

You can use the system tool fsutil.exe to create a hard connection, or use the APIs and FSCTL provided by windows.

Fsutil hardlink create c: 1.txt c: 2.txt, you can establish a connection to c: 2.txt, c: 1.txt

So what can we do for attack and defense? It's easy to think about it. The users who use file path filtering will be miserable.

Pryrege. sys is a recently popular Trojan program. It contains a file system filter driver. When you delete a file, it pretends to return a successful result, but it actually fails ~ In addition, its driver has a read-only attribute and does not allow you to modify its attributes. Therefore, it cannot be written ~

How did you clear it? Driver on? NONONO, no need, hardlink.

We first use fsutil to create a hardlink, c: 2.txt, 1

You will find that 2.txt also has the read-only attribute. It doesn't matter. Remove the c: 2.txt attribute from the read-only

At this time, the read-only attribute of pryrege. sys is gone, 2

We use NotePad to clear the 2.txt content ~

You will find that pryrege. sys has also become a 0-byte empty file ~~ , 3:

At this point, the trojan author has pushed out a 20-K file filtering driver, which can be completed with just one line of command ~

Of course, hardlink also has two sides: for example, it is used to delete or rewrite Kabbah 7 files ~ Used to read files protected by XX file security island ~ Wait, the technology is a double-edged sword ~ It depends on how you use it.

However, 360 of self-protection takes this into consideration and completely discards the original path filtering method ,~ There is no way to create a hard connection for 360 of the programs. In addition, even if you have successfully created the program, the operation cannot be mapped. How can we do this ~ I will not talk about it because of my professional ethics ~ You can study it yourself ~