I have a program that decrypts a zip file, extracts it to a secret location, and then runs a program in the extracted folder. I would like to ensure that no external program can copy the extract folder to another location (the secret folder is deleted upon program completion).

I have already eliminated Windows Explorer by making my decryption program an "always on top" program that deletes the secret folder if it is killed (by use of another hidden program that the decryption program starts). My concern is that another program could watch the process list, discover the folder location and perform the copy.

Is there a way to prevent programmatic copying of a directory, or if not, of a file?

BradleyDotNET
  • Someone can attach a debugger to the running program and dump its contents anyway. – Dan Feb 28 '14 at 17:47
  • Run your application using a dedicated user account then configure folder permissions on the folder where you are working so that only that user can access it. – Ashigore Feb 28 '14 at 17:48
  • 1
    It's "Deleted" upon completion. Are the sectors that house that data overwritten seven times with random 1s and 0s? (Serious question). Until that happens (and sometimes, even if that happens), the data can still be recovered. You're fighting a losing battle against determined opponents, so how far are you willing to go? – George Stocker Feb 28 '14 at 17:49
  • No, I haven't gone as far as to do the random overwrite. I doubt it makes a difference, but it is actually extracted to a VHD (which is what I then delete). Mostly I'm looking for the easiest/quickest way to make this as secure as possible. – BradleyDotNET Feb 28 '14 at 17:55

4 Answers

Look at Directory.CreateDirectory(string,DirectorySecurity)

You'll need to create a DirectorySecurity object that encapsulates the desired permission set. The easiest way is to create a model directory owned by the process' userid with the desired permission sets (e.g., "Only I can traverse this directory or see or even open anything in it."). Once you've done that, use the DirectorySecurity constructor overload DirectorySecurity(String, AccessControlSections) to instantiate a DirectorySecurity object with identical permissions.

Another approach, of course, would be to create the same sort of "model directory" as above and create your "secret" working directory as a subdirectory of that, inheriting the parent's permission set.

As far as securely deleting the contents on disk, look at the question "Shredding files in .NET"

If the information is that sensitive, you should probably be decrypting it into memory rather than disk. But you should be aware that that's not secure either. The recent data breach Target's POS systems suffered was due to custom-designed malware harvesting plain-text credit card and other PCI/sensitive data from process memory.

Nicholas Carey
Well, for that purpose you need to set the share mode. Not sure about a C# solution, but as far as I know in C# you are able to use Win32, so you need to open the files in that folder using CreateFile and set dwShareMode to zero.

Also, if you want to delete all the stuff after the program terminates, you can use the FILE_FLAG_DELETE_ON_CLOSE flag.

So as I mentioned, I'm not sure if it is easy to do this using C#, but you can always trust C++; it lets you do things at a lower level.

ST3
  • I like this idea. If I am understanding what you are suggesting, after starting the process I would open a file handle with dwShareMode to zero to prevent anyone else from accessing it? – BradleyDotNET Feb 28 '14 at 18:08
  • Yes, you should keep the files open and don't share them with anyone else. This should work; however, as mentioned in the comments, there is no way to guarantee 100% that it works, because the user may attach a debugger, read the drive as a physical device, etc. – ST3 Feb 28 '14 at 18:11
  • +1 Even though it's not 100%, this is the first solution that I have seen that suggests it is possible to at least make it hard on an attacker to perform the copy. – BradleyDotNET Feb 28 '14 at 18:22
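The share-mode trick does not need C++ or P/Invoke: the FileStream constructor exposes both knobs directly. FileShare.None is passed to CreateFile as dwShareMode = 0, and FileOptions.DeleteOnClose is FILE_FLAG_DELETE_ON_CLOSE. The following is an added example (mine, not from the answer or the original poster) for .NET Framework 4.5 or later on Windows (Exception.HResult became public in 4.5). The LockedFolder class name and its members are hypothetical. It opens every file under a folder exclusively, and IsExclusivelyLocked shows what any other process now sees when it tries to open one of them: an IOException carrying ERROR_SHARING_VIOLATION (Win32 error 32).

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example; assumes .NET Framework 4.5+ on Windows.
// Managed equivalent of CreateFile(..., dwShareMode = 0, ..., FILE_FLAG_DELETE_ON_CLOSE).
sealed class LockedFolder : IDisposable
{
    private readonly List<FileStream> _handles = new List<FileStream>();

    // Opens every file under 'root' with no sharing. While the handles are open, any
    // other CreateFile on these paths (CopyFile, Explorer, robocopy, File.ReadAllBytes)
    // fails with ERROR_SHARING_VIOLATION. When this object is disposed, or when the
    // process exits for any reason (including being killed), the kernel closes the
    // handles and the delete-on-close flag removes the files.
    public LockedFolder(string root)
    {
        foreach (string file in Directory.EnumerateFiles(root, "*", SearchOption.AllDirectories))
        {
            _handles.Add(new FileStream(
                file,
                FileMode.Open,
                FileAccess.ReadWrite,
                FileShare.None,           // dwShareMode = 0
                4096,
                FileOptions.DeleteOnClose)); // FILE_FLAG_DELETE_ON_CLOSE
        }
    }

    public int Count { get { return _handles.Count; } }

    // True if a second open of 'path', even one that offers to share everything,
    // is refused with a sharing violation; false if the open succeeds.
    public static bool IsExclusivelyLocked(string path)
    {
        const int ERROR_SHARING_VIOLATION = 32;
        try
        {
            using (new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
                return false;
        }
        catch (IOException ex)
        {
            // HRESULT 0x80070020: facility Win32, code 32.
            return (ex.HResult & 0xFFFF) == ERROR_SHARING_VIOLATION;
        }
    }

    public void Dispose()
    {
        foreach (FileStream h in _handles)
            h.Dispose();                 // last handle closes -> file is deleted
        _handles.Clear();
    }

    static void Main()
    {
        // Constructed scratch folder standing in for the extracted zip contents.
        string root = Path.Combine(Path.GetTempPath(), "secret-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(root);
        File.WriteAllText(Path.Combine(root, "data.bin"), "sensitive");
        File.WriteAllText(Path.Combine(root, "config.txt"), "more sensitive");

        using (var locked = new LockedFolder(root))
        {
            Console.WriteLine("locked {0} files", locked.Count);
            Console.WriteLine("data.bin blocked for others: {0}",
                IsExclusivelyLocked(Path.Combine(root, "data.bin")));   // True
            // ... launch and wait for the program here ...
        }
        Console.WriteLine("files left after dispose: {0}", Directory.GetFiles(root).Length); // 0
        Directory.Delete(root);
    }
}
```

Two practical caveats. Lock the data files before launching the child program, but do not try to lock the executable you are about to run: CreateProcess has to open the image itself, and once it is mapped the loader holds it open in a way that a FileShare.None open conflicts with. And, as the comments say, sharing modes are enforced by the I/O manager only for opens that go through the file system; a debugger reading the process, a volume shadow copy, or a raw read of \\.\PhysicalDrive0 never takes the sharing check, so this raises the bar rather than closing the door.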
The file system is always public when run from a user context.

You could always attempt to extract the 'folder' to a binary stream and create a raw binary file on the file system that would have no obvious meaning, e.g. make your own temporary "file system".

Dave Bish

Short answer: you can't.

  • Do note that hiding a window / displaying a window always on top are very weak protections, it's really easy to change that from another process.
  • Also do note that you can always suspend processes instead of terminating them, so it's also easy to prevent any logic such as "if you're killed, then I do XXX" from executing.

The best thing you could do is create a user account and restrict the rights to read your files/directory to only this account. Of course, an admin will still have access to it.

ken2k
  • Unfortunately the account that everything is run on is an admin account, so I'm not sure this would fix much. Thank you for the input though. – BradleyDotNET Feb 28 '14 at 18:06
  • Could you suggest better protections for the concerns you noted in your answer? Securing a program is a bit new to me. – BradleyDotNET Feb 28 '14 at 18:47