Study: Alternative Data Streams

You may be interested to know about another “SECRET” that the boys in Redmond try not to advertise. It is called Alternative Data Streams, and it basically allows you to “hide” files within other files.

M$ provides no tools (other than low level SDK functions) to even know that these Alternative Data Streams exist. Neither “Explorer”, nor “dir”, nor “attrib”, nor any other resource kit app will help you discover these streams. In fact, to the best of my knowledge, most virus detection programs only scan the primary stream, and not any of the associated alternative streams. In addition, once an ADS has been associated with a file, it copies right along with the file when going from NTFS to NTFS.

To see a non-destructive example, drop down to the CMD line and try the following. (Win NT/2k/XP w/ NTFS … no FAT)

First create a basic host file … let's say a text file in the root directory of the C: drive

C:\>echo Hello World > MyTest.txt

Then attach your favorite exe (or whatever you want) as an ADS (Solitaire?)

C:\>type c:\WINNT\system32\sol.exe > MyTest.txt:MyProg.Exe

Inspect your file all you want. Even delete the original program if you really want to (sol.exe).

Now run your hidden version of Solitaire anytime you’d like.

C:\>start c:\MyTest.txt:MyProg.exe


(Look at Task Manager and check out Solitaire’s new process name)

Scary … isn’t it? Do you know what’s on your hard drive?
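The post describes NT/2k/XP, where no built-in tool lists streams. On Vista and later, dir /R and PowerShell's Get-Item -Stream * do enumerate them, so a defender can answer the question above directly. The script below is an added example, not code from the original post: it walks a directory (the $Path and $Recurse parameters and the $known allow-list are my assumptions), reports every stream beyond the default unnamed one, and peeks at the first two bytes so an executable hidden the way sol.exe was (an MZ header) stands out.

```powershell
# Added example (not from the original post): enumerate alternate data streams
# under a directory and flag files whose streams go beyond the default $DATA.
# Requires Windows PowerShell 3.0+ (5.1 assumed for -Encoding Byte) on NTFS.
param(
    [string]$Path = 'C:\',   # root to scan; assumed default, change as needed
    [switch]$Recurse          # walk subdirectories as well
)

# Streams that are expected and usually benign; anything else is reported.
# ':$DATA' is the unnamed primary stream; Zone.Identifier is the Mark-of-the-Web
# that Windows stamps on downloaded files.
$known = @(':$DATA', 'Zone.Identifier')

Get-ChildItem -Path $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every named stream, including ':$DATA'.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $known -notcontains $_.Stream } |
            ForEach-Object {
                # Read the first two bytes of the stream; 0x4D 0x5A ('MZ') is the
                # PE header, i.e. an executable parked inside the stream.
                $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                            -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    Bytes       = $_.Length
                    LooksLikePE = $isPE
                }
            }
    } | Format-Table -AutoSize

# Once a flagged stream has been reviewed, it can be removed without touching
# the host file's own contents, e.g. for the MyTest.txt example above:
# Remove-Item -LiteralPath 'C:\MyTest.txt' -Stream 'MyProg.Exe'
```

Run it as .\Find-Ads.ps1 -Path C:\Users -Recurse (script name assumed); a file hosting the sol.exe example shows up with Stream MyProg.Exe and LooksLikePE True.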

For more info see: http://patriot.net/~carvdawg/docs/dark_side.html

http://www.codeproject.com/csharp/NTFSStreams.asp – C# P-Invoke SDK wrappers

http://www.heysoft.de/Frames/f_sw_la_en.htm – A tool to view ADS via the command line (no source code provided).

http://www.winnetmag.com/Articles/Print.cfm?ArticleID=19878
