Fixing hidden files using Delphi

We all know about malware. Each piece of malware is built to do something: steal data, credit card information, personal details, user credentials... the list goes on.
This post is not about malware or how it works. It is about how to repair the damage caused by the malware after the threat itself has been removed.
More specifically, some malware that spreads via usb drives leaves a lot of damage behind.
Apart from stealing data, this malware alters the file system to hide itself. Some variants change the attributes of every folder on an infected usb drive to "System + Hidden". Note the combination, "+System, +Hidden"! A folder with both bits set is not shown by Windows Explorer even after "Show hidden files" is switched on, because Explorer also has to be told to stop hiding "protected operating system files".
After this, the malware creates a *.LNK shortcut file for every folder, with the same name and the icon of the target folder. Suppose there is a folder named "My Data" on a removable drive and the path is something like this.

 "g:\My Data"

If the machine is infected by any of the above malwares, it will change the folder in to a System-Hidden directory and creates a *.LNK shortcut file with the same name and icon.

 "g:\My Data.lnk"

The *.LNK file is the malware's launcher: its command line executes the malware file hidden on the usb disk, and only then opens the real folder. The hidden folders are not visible to normal users, so the shortcut is all they see. If they open any of the *.lnk files, the target folder appears in Windows Explorer as expected while the system gets infected in the background. The chain of infection continues like this from one machine to the next.
Even after the Anti-virus solution has cleaned up the mess, the "System + Hidden" folders stay as they are. The System + Hidden attributes of a folder cannot be changed that easily: Explorer's Properties dialog greys out the Hidden checkbox on a folder that also carries the System attribute. The owner of the infected usb drive has to change the view options in Windows Explorer (show hidden files and stop hiding protected operating system files) so that they can see the hidden folders at all. If they need the data back, they then have to move the data from each hidden folder into a new, normal one by hand, or clear the attributes folder by folder from a command prompt with "attrib -s -h". This is easy if the pen drive only has a few folders. What if it has more than 10-15 folders with data on it? It becomes a big mess and is time consuming, right? Yes, we know!
We have been receiving lots of queries from our customers regarding this issue. It is a small thing, but bad enough to ruin a day. So we thought about creating a small solution. It did not take more than 15 minutes to create this program. It was written using Delphi XE3.
Pic 1 : Open up the Delphi XE3 IDE and create a new VCL Forms project.
The IDE shows a form designer window. For this project we do not actually need a GUI, so right click on the project name in the Project Manager and select "View Source".
Pic 2 : View Source
Pic 3 : The project source (Project1.dpr) looks like this.

program Project1;

uses
  Vcl.Forms,
  dir in 'dir.pas' {Form1};

{$R *.res}

begin
  Application.Initialize;
  Application.MainFormOnTaskbar := True;
  // These two statements are commented out, so no form is created or shown.
  // The repair code lives in the initialization section of dir.pas, which
  // runs before this block; once it finishes, the program simply exits.
  //Application.CreateForm(TForm1, Form1);
  //Application.Run;
end.

 
Now the actual coding part begins.
Double click on Form1 to open the unit (dir.pas) in the code editor. This is how it looks before we touch it.
Pic 4 : The generated unit
We are going to add a few lines to that unit. The work goes into the unit's initialization section, which Delphi runs at start-up even though Application.Run is never called.

unit dir;

interface

uses
  Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
  Vcl.Controls, Vcl.Forms, Vcl.Dialogs;

type
  TForm1 = class(TForm)
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  searchResult : TSearchRec;
  Curr : string;

implementation

{$R *.dfm}

// No form is ever created; everything happens here, in the initialization
// section, which runs before the begin..end block of Project1.dpr.
initialization
  // Work in the folder the executable was started from, i.e. the root of the
  // usb drive the exe was copied to. The trailing backslash is needed so that
  // Curr + searchResult.Name gives "G:\My Data" and not "G:My Data".
  Curr := IncludeTrailingPathDelimiter(ExtractFilePath(ParamStr(0)));
  // FindFirst always returns ordinary files; faDirectory, faHidden and faSysFile
  // widen the search so that System + Hidden directories are returned as well.
  if FindFirst(Curr + '*.*', faDirectory or faHidden or faSysFile, searchResult) = 0 then
  begin
    try
      repeat
        // Only touch real directories, and skip the '.' and '..' entries
        if ((searchResult.Attr and faDirectory) <> 0) and
           (searchResult.Name <> '.') and (searchResult.Name <> '..') then
          // Clear only the Hidden and System bits; every other attribute
          // (Archive, Read-only, ...) is left exactly as it was.
          FileSetAttr(Curr + searchResult.Name,
                      searchResult.Attr and not (faHidden or faSysFile));
      until FindNext(searchResult) <> 0;
    finally
      // Must free up resources used by these successful finds
      FindClose(searchResult);
    end;
  end;
end.

 
Now save the project and build it from the "Run" menu. The resulting executable can be copied out of the Delphi project folder (the Win32\Debug or Win32\Release subfolder, depending on the build configuration).
Pic 5 : Building and locating Project1.exe
Copy Project1.exe to the root of the usb drive you want to repair and run it from there. It takes only a few seconds. 🙂 Afterwards, check the result from a command prompt with "attrib G:\*" (or by refreshing Explorer): the folders should no longer carry the S and H attributes.
(Remember, this program only clears the System + Hidden attributes of the top-level folders on the drive. It does not offer any malware removal capabilities: run it after the Anti-virus has cleaned the drive, and delete the leftover *.lnk decoy shortcuts yourself.)
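As an added example that is not part of the original post or of its Delphi tool, here is the same repair done from PowerShell, for readers who would rather not compile anything. It covers both the manual clean-up described above (making the System + Hidden folders visible again and moving the data) and what the Delphi program does, and it adds the one check a practitioner wants: for every restored folder it looks for the matching decoy shortcut ("My Data.lnk" next to "My Data") and reports it. The drive letter G: is an assumption (change $Root); the script deletes nothing.

```powershell
# Added example, not from the original post or its Delphi tool.
# Clears the System + Hidden attributes on the top-level folders of a usb drive
# and reports the *.lnk decoy shortcuts the malware left beside them.
# $Root is an assumption: change it to the drive you are repairing.
param([string]$Root = 'G:\')

$HiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# -Force is required: without it Get-ChildItem silently skips hidden and
# system entries, which is exactly what the malware relies on.
$dirs = Get-ChildItem -LiteralPath $Root -Directory -Force |
    Where-Object { ($_.Attributes -band $HiddenSystem) -eq $HiddenSystem }

if (-not $dirs) {
    Write-Output "No System+Hidden folders found under $Root"
}

foreach ($d in $dirs) {
    # The decoy shortcut has the folder's own name plus .lnk, e.g. "My Data.lnk".
    # It is reported only; deleting the malware's launcher is left to the
    # operator (or the Anti-virus), just as the Delphi tool leaves it alone.
    $decoy = Join-Path $Root ($d.Name + '.lnk')
    if (Test-Path -LiteralPath $decoy) {
        Write-Warning "Decoy shortcut next to '$($d.Name)': $decoy"
    }

    # Clear only the Hidden and System bits; Archive, ReadOnly etc. are kept.
    $d.Attributes = $d.Attributes -band (-bnot $HiddenSystem)
    Write-Output ("Restored: {0}" -f $d.FullName)
}

# Verification: nothing at the top level should still be System+Hidden.
$left = Get-ChildItem -LiteralPath $Root -Directory -Force |
    Where-Object { ($_.Attributes -band $HiddenSystem) -eq $HiddenSystem }
if ($left) {
    Write-Warning ("{0} folder(s) could not be restored" -f @($left).Count)
} else {
    Write-Output "All top-level folders on $Root are visible again"
}
```

Run it as `.\Repair-UsbFolders.ps1 -Root 'G:\'` (the script name is an assumption). Like the Delphi program it only touches the top-level folders; add `-Recurse` to both `Get-ChildItem` calls if the malware on your drive also hid subfolders. Setting `$d.Attributes` calls the same SetFileAttributes API that Delphi's FileSetAttr wraps, so the effect on disk is identical.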
