Re: can't view directory created by hacker...

From: Agustin (agustinchernitskyNOSPAM_at_hotmail.com)
Date: 03/09/04


Date: Tue, 9 Mar 2004 14:54:59 -0300

Hi Joe,

Sorry I am following up on this so late. I have time now to experiment on this.
I am using dskprobe on a test server... I am trying to rename a file, but I
can't seem to make it work.

I created a "test file.txt", and using dskprobe, I found 2 strings matching
in sector 19646 & 36714. Both begin with the FILE attribute.

I tried renaming the file in both sectors (instead of "test file.txt" to
"ttst file.txt"), wrote the sector, quit dskprobe and ran chkdsk. Still, I
can see the original directory name, like nothing changed.

Am I missing something? Looks like I am....

Any help would really be appreciated!

Cheers!

"Joe Griffin [MSFT]" <joegr@online.microsoft.com> wrote in message
news:58NSsia6DHA.3496@cpmsftngxa07.phx.gbl...
> Hello,
> There may be some easier ways of doing this, such as using posix commands
> and maybe even the MS-DOS RD command. However, you should be able to
> use diskprobe and search for the file name using a UNICODE search. You
> can speed the search up if you knew the offset to be looking for and don't
> forget about the short filename. I don't remember the offsets for the file
> name. It may be 0F2 for long filenames and 016A for short filenames. Oh,
> also select ignore case while doing the search.
>
> When you find the file name, change it or remove some of the name so that
> it has white spaces. Or even better, remove most of the information on
> that sector.
> Quit diskprobe and run chkdsk. Chkdsk should fix the file and then you
> should be able to delete it.
>
> Joe Griffin [MS]
> Windows 2000 Server Setup Team
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
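
The Unicode search described in the quoted reply, as an added Python example that is not part of the original thread: it finds a UTF-16LE file name in a raw image ignoring case, reports whether each hit sector begins with the FILE signature, and lists the long and short names stored in a FILE record's $FILE_NAME attributes. The image is constructed; the 512-byte sector size, the function names and the omission of update-sequence fixups are assumptions of the example.

```python
import struct

SECTOR = 512  # assumed bytes per sector
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32+DOS"}

def find_name_sectors(image, name):
    """Case-insensitive UTF-16LE search. Returns [(sector, begins_with_FILE)]."""
    hay = image.lower()  # folds ASCII letters only; enough for ASCII names
    needle = name.lower().encode("utf-16-le")
    hits, pos = [], hay.find(needle)
    while pos != -1:
        sector = pos // SECTOR
        hits.append((sector, image.startswith(b"FILE", sector * SECTOR)))
        pos = hay.find(needle, pos + 1)
    return hits

def file_names(record):
    """[(namespace, name)] from each resident $FILE_NAME (type 0x30); fixups not applied."""
    if record[:4] != b"FILE":
        return []
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    names = []
    while off + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker or corrupt length
            break
        if atype == 0x30 and record[off + 8] == 0:  # resident $FILE_NAME
            body = off + struct.unpack_from("<H", record, off + 0x14)[0]
            nlen, ns = record[body + 0x40], record[body + 0x41]
            raw = record[body + 0x42:body + 0x42 + 2 * nlen]
            names.append((NAMESPACES.get(ns, str(ns)), raw.decode("utf-16-le")))
        off += alen
    return names

def _fn_attr(name, ns):
    """Constructed resident $FILE_NAME attribute (timestamps and sizes zeroed)."""
    body = bytes(0x40) + bytes([len(name), ns]) + name.encode("utf-16-le")
    body += bytes(-len(body) % 8)  # pad the attribute to an 8-byte boundary
    return struct.pack("<IIBBHHHIHH", 0x30, 0x18 + len(body), 0, 0, 0x18, 0, 0, len(body), 0x18, 0) + body

def sample_image():
    """Constructed image: FILE record at sector 6, stray copy of the name in sector 11."""
    rec = bytearray(b"FILE") + bytearray(1020)
    struct.pack_into("<H", rec, 0x14, 0x38)  # first attribute at 0x38
    attrs = _fn_attr("test file.txt", 1) + _fn_attr("TESTFI~1.TXT", 2) + b"\xff" * 4
    rec[0x38:0x38 + len(attrs)] = attrs
    img = bytearray(16 * SECTOR)
    img[6 * SECTOR:6 * SECTOR + len(rec)] = rec
    stray = "test file.txt".encode("utf-16-le")
    img[11 * SECTOR + 64:11 * SECTOR + 64 + len(stray)] = stray
    return bytes(img)
```

A hit in a sector that does not begin with FILE is a second on-disk copy of the name outside that record header, which is why every hit is reported rather than only the first.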

