What Does “Hiding a File” Mean?
Hiding a file means making it invisible to normal users or file browsers, even though it still exists on the system.
It’s not deleted or protected by a password; it’s simply concealed from view so it doesn’t appear in ordinary folder listings or searches unless special commands or tools are used to reveal it. In Windows, this is usually done by marking a file with the "hidden attribute", preventing it from showing in File Explorer unless "Hide Protected Operating System Files" is unselected. However, more advanced methods go further, hiding the file entirely from the graphical interface, even when that option is turned on.
These deeply hidden files only become visible when using specific command-line tools. For example:
dir /a
dir -force
Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and ($_.Attributes -band [IO.FileAttributes]::System) } |
    Select-Object FullName, Attributes, Length
In this blog, I’ll demonstrate step-by-step how these techniques work, how Windows interprets file attributes, and why hiding files this way can be used for both privacy and security research purposes.
🎯 Why Malware Needs to Hide
Malware developers use hiding techniques to increase infection lifespan and effectiveness. Just like a burglar avoids detection, malware hides for several reasons:
- To stay hidden from users: A visible strange file or icon might alert the victim that something is wrong. By hiding its files, the malware can operate silently in the background.
- To maintain persistence: Hidden malware can continue running or reactivating itself even after system reboots or user attempts to clean up.
- To achieve persistence: Persistence is the ability of malware to survive a system reboot. If a malicious file is visible, it can be deleted.
Technical Execution: How Hidden Malware is Triggered
🎯 The Core Problem: Hiding vs. Execution
Simply hiding a file isn't enough; malware needs an execution mechanism to become active.
Advanced malware uses trigger mechanisms to activate when needed.
This technique uses a legitimate-looking executable, for example calc.exe, to trigger a completely hidden malware file, malware.exe. The decoy file appears normal while secretly activating the hidden payload.
🔄 Attack Execution Flow
- File Delivery: Two files delivered to target
- User Execution: User runs calculator
- Background Trigger: Calculator launches malware
📁 Malware.exe - Hidden File
Hiding Technique
File.SetAttributes("malware.exe",
FileAttributes.Hidden | FileAttributes.System);
File becomes invisible in Windows Explorer even when "Show hidden files" is enabled.
Storage Location
C:\Windows\Temp\malware.exe
C:\Users\Public\Documents\malware.exe
C:\ProgramData\Microsoft\malware.exe
Hidden in legitimate-looking system directories to avoid suspicion.
🖱️ Calc.exe - Trigger File
Execution Method
Process.Start(@"C:\Windows\Temp\malware.exe");
Process.Start("calc.exe");
First launches hidden malware, then opens real calculator to deceive user.
Advanced Techniques
- Process hollowing (replace calc.exe memory)
- DLL side-loading (malicious calc.exe)
- Code injection into legitimate calculator
- PowerShell hidden execution
💻 Technical Implementation Code
C# Trigger Implementation
🛡️ Defense Strategies
- Application Whitelisting: Only allow execution of signed, approved calculators from legitimate paths.
- Process Monitoring: Monitor for calc.exe spawning other processes or making network calls.
- Behavior Analysis: Detect unusual file attribute changes and hidden process creation.
- Endpoint Detection: Use EDR solutions to detect dual-file delivery patterns.
Educational Purpose: This technique demonstrates how attackers use legitimate applications as trojans to trigger hidden malware. Understanding this pattern is crucial for effective detection and defense.
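The Process Monitoring and Behavior Analysis items above can be spot-checked on a live host. The following PowerShell is an added example, not code from the original post: it lists running processes whose executable file carries the Hidden or System attribute and shows which parent launched them. The output field names are choices made for this example, and a hit is a lead for review rather than a verdict.

```powershell
# Added example (not from the original post): running processes whose image
# file is marked Hidden or System, with the parent that launched them.
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

$procs = Get-CimInstance -ClassName Win32_Process
# Index by PID so each process can be matched to its parent.
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    # ExecutablePath is empty for processes this session is not allowed to query.
    if ([string]::IsNullOrEmpty($p.ExecutablePath)) { continue }
    try {
        $attrs = [IO.File]::GetAttributes($p.ExecutablePath)
    } catch {
        continue   # image removed from disk or access denied
    }
    if ([int]($attrs -band $mask) -eq 0) { continue }

    $parent = $byPid[[uint32]$p.ParentProcessId]
    # PIDs are reused: only trust a parent that started before the child.
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

    $sig = Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProcessId  = $p.ProcessId
        Image      = $p.ExecutablePath
        Attributes = $attrs
        Signature  = $sig.Status
        Parent     = if ($parent) { $parent.Name } else { '<exited>' }
        ParentPath = if ($parent) { $parent.ExecutablePath } else { $null }
        Started    = $p.CreationDate
    }
}
$findings | Sort-Object Started | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that executable paths for other users' processes are readable.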
Hide File Project
This is a small C# Windows Forms application designed to let a user select any file and mark it as both Hidden and System, making it invisible in File Explorer, even if the “Show hidden files” option is turned on.
Such flags are commonly used for legitimate system files, but malware often abuses them to conceal malicious files.
⚙️ What Attributes It Changes
Windows files have attributes, special flags that tell the operating system how to treat a file. Each attribute is part of the FileAttributes enumeration in .NET and the Windows API.
This program specifically applies two flags:
- Hidden: Marks a file as hidden, so the file won’t appear in File Explorer unless the “Show hidden files” option is enabled.
- System: Marks a file as a protected operating system file so even if “Show hidden files” is enabled, it remains invisible unless the user disables “Hide protected operating system files.”
By combining these two attributes, the file is treated like a protected system component, preventing it from being displayed under normal conditions. This behavior is used legitimately to protect critical Windows files, but it can also be exploited by attackers to hide malware components or payloads from users.
📘 Summary:
The program effectively makes a file invisible by setting both the Hidden and System attributes.
This ensures that the file cannot be seen in File Explorer unless advanced view settings are changed or a command like dir /a, dir -Force, or Get-ChildItem -Force is used in the command line.
// =============================================================
// Project: Hide File Utility
// Author: Iron Hulk
// Description: A simple C# Windows Forms application that allows
//              the user to select a file and mark it as both
//              Hidden and System, making it invisible in
//              File Explorer even when “Show hidden files” is enabled.
// =============================================================
using System;
using System.IO;
using System.Windows.Forms;

internal static class HideFileUtility
{
    [STAThread]
    private static void Main()
    {
        // Initialize Windows Forms application context
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false);

        // Create a file selection dialog
        using (var fileDialog = new OpenFileDialog())
        {
            // The text shown on the dialog window
            fileDialog.Title = "Select File to Hide";
            // Restricts which file types are displayed — here it allows all files
            fileDialog.Filter = "All Files (*.*)|*.*";
            // Ensures the file really exists before proceeding
            fileDialog.CheckFileExists = true;

            // Display the dialog and proceed only if a file is chosen
            if (fileDialog.ShowDialog() == DialogResult.OK)
            {
                string selectedPath = fileDialog.FileName;
                try
                {
                    // Retrieve the current attributes
                    FileAttributes currentAttributes = File.GetAttributes(selectedPath);
                    // Combine with Hidden + System flags
                    FileAttributes newAttributes = currentAttributes | (FileAttributes.Hidden | FileAttributes.System);
                    // Apply the new attributes to the file
                    File.SetAttributes(selectedPath, newAttributes);

                    MessageBox.Show(
                        $"✅ The file:\n\n{Path.GetFileName(selectedPath)}\n\nis now hidden and protected as a system file.",
                        "Operation Successful",
                        MessageBoxButtons.OK,
                        MessageBoxIcon.Information
                    );
                }
                catch (Exception ex)
                {
                    MessageBox.Show(
                        "❌ An error occurred while setting attributes:\n\n" + ex.Message,
                        "Error",
                        MessageBoxButtons.OK,
                        MessageBoxIcon.Error
                    );
                }
            }
        }
    }
}
Final Note: Protect Yourself from Hidden Files & Stealthy Malware
Hiding files using attributes or more advanced tricks is a common obfuscation technique. Below are practical, defensive steps you can use to detect, prevent, and recover from files that are being concealed on a Windows machine.
Quick checks
- File Explorer → View → Options → View: enable Show hidden files, folders, and drives, and only uncheck Hide protected operating system files when you're ready to inspect (be careful).
- Command line listings:
dir /a
dir -force
Get-ChildItem -Force
- To list Alternate Data Streams (ADS) in CMD:
dir /R
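The quick checks above show that a hidden file exists but not whether it deserves attention. The following PowerShell is an added example, not part of the original post: it sweeps the storage locations named earlier in this article for files carrying both Hidden and System, and records hash, signature status and timestamps for triage. The user-profile root and the allowlist of benign names are assumptions made for this example.

```powershell
# Added example (not from the original post). Roots are the storage locations
# named in the article plus the current user's profile (an assumed addition).
$roots = @(
    'C:\Windows\Temp',
    'C:\Users\Public\Documents',
    'C:\ProgramData\Microsoft',
    $env:USERPROFILE
)
# Files Windows itself commonly marks Hidden+System (assumed allowlist;
# a name match only, used here for noise reduction).
$benignNames = @('desktop.ini', 'Thumbs.db')
$both = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

$hits = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Require BOTH flags, the combination the article's utility applies.
            (($_.Attributes -band $both) -eq $both) -and
            ($benignNames -notcontains $_.Name)
        } |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                FullName   = $_.FullName
                Length     = $_.Length
                Created    = $_.CreationTimeUtc
                Modified   = $_.LastWriteTimeUtc
                Attributes = $_.Attributes
                Signature  = $sig.Status
                SHA256     = $hash.Hash
            }
        }
}
# Newest first: recently written hidden+system files are the ones to review.
$hits | Sort-Object Modified -Descending |
    Format-Table FullName, Length, Modified, Signature, SHA256 -AutoSize -Wrap
```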
If you suspect hidden/malicious files
- Isolate the machine from the network to stop exfiltration or spreading.
- Run updated AV/antimalware scans and collect evidence (file hashes, screenshots, process lists).
- Don't run the file unless you are sure it won't affect your system, and run it only in a safe environment.
- When unsure, preserve evidence and escalate to IT/security.