M$ provides no tools (other than low level SDK functions) to even know that these Alternative Data Streams exist. Niether “Explorer”, nor “dir”, nor “attrib”, nor any other resource kit app will help you discover these streams. In fact, to the best of my knowledge, most virus detection programs only scan the primary stream, and not any of the associated alternative streams. In addition, once an ADS has been associated with a file, it copies right along with the file when going from NTFS to NTFS.
To see a non destructive example, drop down to the CMD line and try the following. (Win NT/2k/XP w/ NTFS … no FAT)
First create a basic host file … lets say a text file in the root dir on the c drive
C:>echo Hello World > MyTest.txt
Then attach, your favorite exe (or whatever you want), as an ADS (solitare ?)
C:>type c:WINNTsystem32sol.exe > MyTest.txt:MyProg.Exe
Inspect your file all you want. Even delete the original program if you really want to (sol.exe).
Now run your hidden version of solitare anytime you’d like.
(Look at Task Manager and check out Solitare’s new process name)
Scary … isn’t it? Do you know what’s on your hard drive?
For more info see: http://patriot.net/~carvdawg/docs/dark_side.html
http://www.codeproject.com/csharp/NTFSStreams.asp – C# P-Invoke SDK wrappers
http://www.heysoft.de/Frames/f_sw_la_en.htm – A tool to view ADS via the command line (no source code provided).