September 19th, 2004, 04:55 AM
Using alternative data streams to hide files on NTFS
After doing a search for “alternative data streams” in the forums and seeing little information, I was thinking of writing a tutorial on using them to hide files on an NTFS partition. Then I found H. Carvey’s article about it at http://patriot.net/~carvdawg/docs/dark_side.html and I’m not sure there’s anything I can add. Worth a look for those interested in this little-used feature of NTFS. I may still write a tutorial about it, but I doubt it will be as in-depth as this guy’s.
September 19th, 2004, 01:01 PM
I remember messing with that about 5 years ago... I was booting NT4.0 SP3 at the time, so I guess it must be that long.
I was looking at potential security problems, like could it be used to transmit malware? I only messed with it for a little while, but felt that although I could hide and transmit viruses, I couldn't figure out how to get them to run. I am no programming whiz or anything, but I do not recall anything that exploits this feature?
From a positive security viewpoint I have used Scramdisk... a nice "obscure" utility that is unlikely to be targeted.
September 19th, 2004, 01:42 PM
I'm not sure it could be used to transmit malware, but once it's on a system it can make it easy to hide it. Here is an example:
First we make our file to hide behind
Next we put an EXE behind it. I'm just using notepad.exe because it is convenient.
Next we confirm what is in the text file when someone tries to open it.
Now we will confirm the file size; notice that adding notepad.exe as a stream did not increase it.
Volume in drive C has no label.
Volume Serial Number is 007E-2E3C
Directory of C:\WINDOWS
09/19/2004 08:37 AM 6 test.txt
1 File(s) 6 bytes
0 Dir(s) 19,734,708,224 bytes free
Now we can run it. Notice the “.\” in front of the file name; this is necessary because start needs to know the path.
You should be able to add just about any other EXE file if you wish.
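The dir listing in the post above reports 6 bytes for test.txt because dir only counts the unnamed default stream. As an added example (not part of the original thread), this PowerShell function lists every named stream under a directory and flags those that start with the "MZ" executable header; the function name and the `$Root` parameter are assumptions, and it needs PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: enumerate named (alternate) data streams below a directory.
# Function name and $Root are hypothetical; requires PowerShell 3.0+ and NTFS.
function Find-AlternateStream {
    param([string]$Root = '.')

    # Reading raw bytes uses a different switch in Windows PowerShell and PowerShell 6+.
    $byteMode = if ($PSVersionTable.PSVersion.Major -ge 6) {
        @{ AsByteStream = $true }
    } else {
        @{ Encoding = 'Byte' }
    }

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # ':$DATA' is the unnamed default stream, i.e. the normal file contents.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_
            # First two bytes of the named stream, to spot a PE/EXE header ("MZ").
            $magic = @(Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                       -TotalCount 2 @byteMode -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                File         = $file.FullName
                Stream       = $stream.Stream
                StreamBytes  = $stream.Length   # size hidden from a plain dir listing
                VisibleBytes = $file.Length     # size that dir reports
                LooksLikeExe = ($magic.Count -eq 2 -and
                                $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
            }
        }
    }
}

# Example run over the directory used in the thread (recursion can take a while).
# 'Zone.Identifier' streams on downloaded files are normal and can be filtered out.
Find-AlternateStream -Root 'C:\WINDOWS' |
    Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Sort-Object StreamBytes -Descending |
    Format-Table -AutoSize
```

On Windows Vista and later, `dir /r` shows the same named streams for a single directory from cmd.exe.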
September 19th, 2004, 01:57 PM
Have you checked in on this thread?
Alternate Data Stream - Hidden Files in NTFS
And Merijn has a tool to assist in tracking parasite software that uses ADS.
info here: http://www.wilderssecurity.com/archi...p/t-46188.html
direct d/l (24 KB) : http://www.richardthelionhearted.com...les/adsspy.zip
September 19th, 2004, 02:01 PM
When I did my search of the forums I looked for "alternative data streams" not "alternate data streams", that's why I missed it. Thanks for pointing it out to me.
October 22nd, 2004, 07:52 PM
This thread was rank #4 in Google while searching for alternative data stream
Good Job guy!
October 23rd, 2004, 12:46 AM
A little something I noticed while experimenting with ADS: if you zip a file that contains a stream, the stream itself isn't archived. So if you archive a streamed file and then overwrite it with the archived version, you wind up with a clean file.