Test Environment
1. Windows 11 Pro 21H2
This page discusses 3 topics:
1. Create a hidden text file
2. Create an embedded hidden executable file
3. Run the hidden executable file
Create a hidden text file
The command below creates a normal text file
C:\temp>echo This is Normal Text. > normal.txt
C:\temp>type normal.txt
This is Normal Text.
The command below creates hidden text using an alternate data stream
C:\temp>echo This is hidden text. > normal.txt:hidden.txt
C:\temp>type normal.txt
This is Normal Text.
The type command cannot show the hidden text
C:\temp>type normal.txt:hidden.txt
The filename, directory name, or volume label syntax is incorrect.
The dir command won’t show the hidden file
C:\temp>dir
Volume in drive C has no label.
Volume Serial Number is 64AD-2FC5
Directory of C:\temp
10/18/2022 02:14 PM <DIR> .
10/18/2022 02:14 PM 23 normal.txt
1 File(s) 23 bytes
1 Dir(s) 56,873,701,376 bytes free
Use “dir /R” to show the hidden file
/R Display alternate data streams of the file.
C:\temp>dir /R
Volume in drive C has no label.
Volume Serial Number is 64AD-2FC5
Directory of C:\temp
10/18/2022 02:14 PM <DIR> .
10/18/2022 02:14 PM 23 normal.txt
23 normal.txt:hidden.txt:$DATA
1 File(s) 23 bytes
1 Dir(s) 56,873,701,376 bytes free
Use notepad to show the hidden text
C:\temp>notepad normal.txt:hidden.txt
Deleting normal.txt also deletes the hidden file
C:\temp>dir /R
Volume in drive C has no label.
Volume Serial Number is 64AD-2FC5
Directory of C:\temp
10/18/2022 02:14 PM <DIR> .
10/18/2022 02:14 PM 23 normal.txt
23 normal.txt:hidden.txt:$DATA
1 File(s) 23 bytes
1 Dir(s) 56,873,533,440 bytes free
C:\temp>del normal.txt
C:\temp>dir /R
Volume in drive C has no label.
Volume Serial Number is 64AD-2FC5
Directory of C:\temp
10/18/2022 02:17 PM <DIR> .
0 File(s) 0 bytes
1 Dir(s) 56,873,533,440 bytes free
Hide Calculator
Create a normal text file
C:\temp>echo This is Normal Text. > normal.txt
Find the location of the Calculator app
C:\temp>where calc.exe
C:\Windows\System32\calc.exe
Hide the Calculator app in the normal text file
C:\temp>type C:\Windows\System32\calc.exe > normal.txt:calc.exe
The “dir” command won’t show the embedded file
C:\temp>dir
Volume in drive C has no label.
Volume Serial Number is 64AD-2FC5
Directory of C:\temp
10/18/2022 02:21 PM <DIR> .
10/18/2022 02:23 PM 23 normal.txt
1 File(s) 23 bytes
1 Dir(s) 56,876,064,768 bytes free
Use “dir /R” to show the file
C:\temp>dir /R
Volume in drive C has no label.
Volume Serial Number is 64AD-2FC5
Directory of C:\temp
10/18/2022 02:21 PM <DIR> .
10/18/2022 02:23 PM 23 normal.txt
27,648 normal.txt:calc.exe:$DATA
1 File(s) 23 bytes
1 Dir(s) 56,877,633,536 bytes free
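To audit a directory for streams like the one created above, the “dir /R” listing can be parsed and every named stream reported. This is an added example, not code from the original page; the function name find_streams, the extension list and the US date format expected by the regex are assumptions.

```python
import re

# "dir /R" lines as shown on this page (whitespace as extracted).
SAMPLE = """\
10/18/2022 02:21 PM <DIR> .
10/18/2022 02:23 PM 23 normal.txt
27,648 normal.txt:calc.exe:$DATA
1 File(s) 23 bytes
"""

# Assumption: stream-name extensions treated as executable content for triage.
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}

# Assumption: US locale listing (MM/DD/YYYY hh:mm AM/PM), as in the page's output.
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(.+)$")
# Stream lines carry no date: "<size> <host>:<stream>:$DATA".
STREAM_RE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:]*):\$DATA\s*$")


def find_streams(dir_r_output):
    """Return one finding per named alternate data stream in `dir /R` output."""
    sizes = {}      # host file name -> size of its visible (unnamed) stream
    findings = []
    for line in dir_r_output.splitlines():
        m = STREAM_RE.match(line)
        if m and m.group(3):  # an empty stream name is the default stream
            size = int(m.group(1).replace(",", ""))
            host, stream = m.group(2), m.group(3)
            ext = "." + stream.rsplit(".", 1)[-1].lower() if "." in stream else ""
            findings.append({
                "host": host,
                "stream": stream,
                "size": size,
                "executable_name": ext in EXEC_EXT,
                # Content the plain "dir" size column never accounts for.
                "larger_than_host": size > sizes.get(host, 0),
            })
            continue
        m = FILE_RE.match(line)
        if m:
            sizes[m.group(2)] = int(m.group(1).replace(",", ""))
    return findings


if __name__ == "__main__":
    for finding in find_streams(SAMPLE):
        print(finding)
```

Expect benign hits as well, such as the Zone.Identifier stream Windows attaches to downloaded files.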
Run the embedded Calculator App
On older Windows versions such as XP and Windows 7, use the “start” command.
C:\temp>start normal.txt:calc.exe
In Windows 10 and 11, the “start” command pops up the “Look for app” window
The correct command to run the embedded file is “forfiles”
C:\temp>forfiles /P c:\Windows\System32 /m notepad.exe /c "c:\temp\normal.txt:calc.exe"