-
September 19th, 2004, 04:55 AM
#1
Using alternative data streams to hide files on NTFS
After doing a search for “alternative data streams” in the forums and seeing little information, I was thinking of writing a tutorial on using them to hide files on an NTFS partition. Then I found H. Carvey’s article about it at http://patriot.net/~carvdawg/docs/dark_side.html and I’m not sure there’s anything I can add. Worth a look for those interested in this little-used feature of NTFS. I may still write a tutorial about it, but I doubt it will be as in depth as this guy's.
-
September 19th, 2004, 01:01 PM
#2
Hi Irongeek,
I remember messing with that about 5 years ago... I was booting NT4.0 SP3 at the time, so I guess it must be that long.
I was looking at potential security problems, like could it be used to transmit malware? I only messed with it for a little while, but felt that although I could hide and transmit viruses, I couldn't figure out how to get them to run. I am no programming whiz or anything, but I do not recall anything that exploits this feature?
From a positive security viewpoint I have used Scramdisk... a nice "obscure" utility that is unlikely to be targeted.
Cheers
-
September 19th, 2004, 01:42 PM
#3
I'm not sure it could be used to transmit malware, but once it's on a system it can make it easy to hide it. Here is an example:
First we make our file to hide behind:
C:\WINDOWS>echo Test>test.txt
Next we put an EXE behind it. I'm just using notepad.exe because it is convenient.
C:\WINDOWS>type notepad.exe>test.txt:note.exe
Next we confirm what is in the text file when someone tries to open it.
C:\WINDOWS>type test.txt
Test
Now we will confirm the file size; notice that adding notepad.exe as a stream did not increase it.
[quote]
C:\WINDOWS>dir test.txt
Volume in drive C has no label.
Volume Serial Number is 007E-2E3C
Directory of C:\WINDOWS
09/19/2004 08:37 AM 6 test.txt
1 File(s) 6 bytes
0 Dir(s) 19,734,708,224 bytes free
[/quote]
Now we can run it. Notice the “.\” in front of the file name; this is necessary because start needs to know the path.
[quote]
C:\WINDOWS>start .\test.txt:note.exe
C:\WINDOWS>
[/quote]
You should be able to add just about any other EXE file if you wish.
-
September 19th, 2004, 01:57 PM
#4
Have you checked in on this thread?
http://www.antionline.com/showthread...hreadid=243467
Alternate Data Stream - Hidden Files in NTFS
And Merjin has a tool to assist in tracking parasite software that uses ADS.
Info here: http://www.wilderssecurity.com/archi...p/t-46188.html
Direct d/l (24 KB): http://www.richardthelionhearted.com...les/adsspy.zip
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
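Added example, not part of any post in this thread: one way to list the streams that `dir` in post #3 does not show, using PowerShell 3.0 or later on an NTFS volume. The function name `Find-AlternateStream`, the `ads-demo` folder and the four demo bytes are constructed for illustration, and the demo assumes `%TEMP%` is on NTFS.

```powershell
# Added example: enumerate alternate data streams under a directory tree.
# Find-AlternateStream and the demo paths below are hypothetical names.

# The byte-mode switch differs between Windows PowerShell 5.1 and PowerShell 6+.
$byteMode = @{ Encoding = 'Byte' }
if ($PSVersionTable.PSVersion.Major -ge 6) { $byteMode = @{ AsByteStream = $true } }

function Find-AlternateStream {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Get-Item -Stream * returns every stream; ':$DATA' is the normal file body.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read the first two bytes to spot an executable image ("MZ") in the stream.
                    $head = @(Get-Content -LiteralPath $file -Stream $_.Stream -TotalCount 2 @byteMode)
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $_.Stream
                        StreamBytes = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Constructed demo mirroring post #3: a 6-byte text file carrying a stream named note.exe.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath "$demo\test.txt" -Value 'Test'
Set-Content -LiteralPath "$demo\test.txt" -Stream 'note.exe' -Value ([byte[]](0x4D, 0x5A, 0x90, 0x00)) @byteMode

# Report every non-default stream found under the demo folder.
Find-AlternateStream -Path $demo | Format-Table -AutoSize
```

On a real directory, files downloaded through a browser normally carry a small `Zone.Identifier` stream, so filter on `Stream` and `LooksLikePE` rather than treating every hit as suspicious.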
-
September 19th, 2004, 02:01 PM
#5
When I did my search of the forums I looked for "alternative data streams" not "alternate data streams", that's why I missed it. Thanks for pointing it out to me.
-
October 22nd, 2004, 07:52 PM
#6
This thread was rank #4 in Google while searching for alternative data stream
Good Job guy!
-
October 23rd, 2004, 12:46 AM
#7
A little something I noticed while experimenting with ADS: if you zip a file that contains a stream, the stream itself isn't archived. So if you archive a streamed file and then overwrite it with the archived version, you wind up with a clean file.