Responsibility for consequences of using this application remains with the user; I'm not responsible for how you use it.
It's a simple tool that steals a drive's data when it is plugged into your PC.
It's currently programmed to steal removable drive (USB flash drives, external hard disks, ...) or CD\DVD data only, but can be easily modified to steal data from these drives as well, by simply modifying the if clause
if (newDrive.DriveType == DriveType.Removable || ...) of the TMRwaitForDrive_Tick(...) function.
You'll need two things:
-
The .NET Framework
I wrote USB Drive Data Stealer in C# for .NET Frameowrk 4.5 using Visual Studio 2019 so, in order to run it, you must have that version of the framework (or a later one) installed.
If it isn't already installed on your OS, you can download it here. -
USBDriveDataStealer.exe
You can download it directly from here.
If you want to compile it or modify its source code, you can download the zipped project here and recompile it.
Here you can verify that it isn't a malicious software (at least from the point of view of those who run it 😁). When someone plugs a USB drive into our PC, we don't know how long they will leave it plugged in.
Suppose, for example, someone asks you to copy some files to their USB drive. Probably the copying of the files will not last very long... Will USB Drive Data Stealer be able to steal all the contents of the USB drive in time?
To solve this possible problem I implemented three different modes of operation:
-
Steal all device files
The entire contents of the drive will be copied to your PC.
If it contains large files and the data transfer rate is low, the probability of not being able to copy all the data before the drive is unplugged increases. -
Steal all files smaller or equal than a specified size
Only files smaller or equal than the size you specified (in megabytes) via the GUI will be copied to your PC.
This solves the problem explained in the previous point discarding the larger files and, consequently, decreasing the time needed to copy the others. -
Steal only files with specific extensions
Only files with an extension among those you have listed via the GUI will be copied to your PC.
If you are interested in copying only some particular types of files (e.g. PDF, images, audio, ...), this mode of operation is for you.
Since all types of files with extensions other than those allowed will not be copied, even in this case, the time required for copying will be shorter.
BTNwait ("Wait for USB Drive connection") button, USB Drive Data Stealer will be minimized to the Windows traybar, store the list of all drives currently connected to the PC (let's call it L1) and wait for a drive to be plugged into the PC.Detecting the connection of a new drive to the PC is done by the
TMRwaitForDrive timer. It compares, every five seconds, the list of drives currently connected to the PC (let's call it L2) with L1. If L2 contains more drives than those listed in L1, the last drive listed in L2 is considered the target drive to steal files from, according to the user-specified mode of operation.At this point, the subfolder
YYYY-MM-DD_hh.mm.ss (e.g., 2024-06-24_15.31.22) is created in the folder specified by the user via the GUI, the copying process begins, and the files from the target drive are copied to the newly created subfolder.Copying of files and folders is done recursively, maintaining the hierarchical file system structure. There're three functions used to copy files (
copyAllFiles, copySmallFiles and copySpecificFiles), but only the one related to the mode of operation specified by the user via the GUI will be executed.If an error occurs during the copy process (e.g., the target drive is removed), its description will be stored in the
_CrashReport.txt log file, which will be saved in the folder initially specified by the user.Whether the copy process ends successfully or abnormally, USB Drive Data Stealer will remove itself from the Windows traybar and self-terminate.
This demonstration shows the execution of USB Drive Data Stealer, set to run in the first mode of operation ("Steal all device files").
-
Instead of using a Timer to detect the arrival\removal of a new drive, you can use the ManagementEventWatcher class associated with the
SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2WqlEventQuery where, according to the properties of the Win32_VolumeChangeEvent class, 2 = Device Arrival and 3 = Device Removal.
-
Considering the last L2 drive as the target drive from which to steal files is an idea that probably works in the vast majority of cases, but it may not always work.
The drives listed in L2 are listed with letters that follow an ascending order. Usually the first drive is C (where the OS is installed), if the hard drive has two partitions the second drive will be D, and if a USB flash drive is plugged in, it will probably be named with the letter E.
So far so good but... What would happen if the user inserted two floppy disks (hey! Who the hell still uses floppy disks?! 😨) instead of a USB flash drive?? According to the common drive letter assignments, the first floppy would be assigned the letter A and the second would be assigned the letter B. Then the algorithm would choose hard disk partition D (the last L2 drive) as the target drive from which to copy the data, failing miserably 🤦😂 - If multiple drives were plugged in, USB Drive Data Stealer would steal files only from the last one (because, as mentioned before, only the last drive listed in L2 is considered the target drive to steal files from).
-
If USB Drive Data Stealer finishes copying the files of one drive and, later, another drive (or more than one) is plugged in, no more files will be copied because, as mentioned before, the application self-terminates at the end of the copying process.
This means that the user must re-run the program before another drive is plugged in, if they want to copy its files as well. - USB Drive Data Stealer isn't displayed in the Windows taskbar and in the list of active processes shown by the Windows Task Manager, in order to avoid possible suspicion by the user connecting the drive to the PC.
-
The
YYYY-MM-DD_hh.mm.ssformat of the subdirectory described above, prevents the overwriting of data stolen from different drives on the same day.
As you can read, there are several changes and improvements that can be applied to USB Drive Data Stealer. For example:
- Solve the problem indicated in step 2 by checking what is actually the new connected drive that makes the L2 list different from L1.
- Solve the problem indicated in step 3 by managing simultaneous copies of files (e.g., using threads) from all drives connected to the PC.
- Solve the problem indicated in step 4 by putting USB Drive Data Stealer back to wait for a drive to be plugged into the PC.
- Implement keyboard shortcuts (such as, Ctrl+Alt+R, Ctrl+Alt+X, ...) to pause, start, restart, terminate or put in background\foreground USB Drive Data Stealer.
- Prevent safe removal of the drive if USB Drive Data Stealer hasn't finished copying the files to the PC yet.
I developed this project quickly, in my spare time; there're other things that could be done if there was time...
Feel free to fork, edit, improve, and share this project without any problems 😊
-
Make yourself aware that by plugging an USB drive into a device, you are always exposing its data to a potential risk.
This is true even if the device belongs to a person you know and trust; it may have been infected by a malware that, among other malicious actions, could do exactly what USB Drive Data Stealer does, sending the collected data to the attacker.
You could solve the problem by using a USB drive containing nonconfidential files whose theft and/or publication wouldn't be a problem for you. - Show, by means of an engaging program (imo), the basics of C# and event-driven programming, and the ease with which a Windows GUI application can be built using this language.
- Show, for teaching purposes, an example of simple malware.
- Talking about cybersecurity.
Here you can download the Visual Studio 2019 zipped project.
Here you can download the main source code of the entire project. Here you can visit my website 🌐
Here you can buy me a unicorn 🦄