Using alternative data streams to hide files on NTFS

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Using alternative data streams to hide files on NTFS

    After doing a search for “alternative data streams” in the forums and seeing little information, I was thinking of writing a tutorial on using them to hide files on an NTFS partition. Then I found H. Carvey’s article about it at http://patriot.net/~carvdawg/docs/dark_side.html and I’m not sure there’s anything I can add. Worth a look for those interested in this little-used feature of NTFS. I may still write a tutorial about it, but I doubt it will be as in-depth as this guy’s.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi Irongeek,

    I remember messing with that about 5 years ago..............I was booting NT4.0 SP3 at the time, so I guess it must be that long

    I was looking at potential security problems, like could it be used to transmit malware?............I only messed with it for a little while, but felt that although I could hide and transmit viruses, I couldn't figure out how to get them to run. I am no programming whiz or anything, but I do not recall anything that exploits this feature?

    From a positive security viewpoint I have used Scramdisk..............a nice "obscure" utility that is unlikely to be targeted

    Cheers

  3. #3
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I'm not sure it could be used to transmit malware, but once it's on a system it can make it easy to hide it. Here is an example:

    First we make our file to hide behind.
    C:\WINDOWS>echo Test>test.txt
    Next we put an EXE behind it. I'm just using notepad.exe because it is convenient.
    C:\WINDOWS>type notepad.exe>test.txt:note.exe
    Next we confirm what is in the text file when someone tries to open it.
    C:\WINDOWS>type test.txt
    Test
    Now we will confirm the file size. Notice that adding notepad.exe as a stream did not increase it.

    C:\WINDOWS>dir test.txt
    Volume in drive C has no label.
    Volume Serial Number is 007E-2E3C

    Directory of C:\WINDOWS

    09/19/2004 08:37 AM 6 test.txt
    1 File(s) 6 bytes
    0 Dir(s) 19,734,708,224 bytes free

    Now we can run it. Notice the “.\” in front of the file name; this is necessary because start needs to know the path.

    C:\WINDOWS>start .\test.txt:note.exe

    C:\WINDOWS>

    You should be able to add just about any other EXE file if you wish.

  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Have you checked in on this thread?

    http://www.antionline.com/showthread...hreadid=243467
    Alternate Data Stream - Hidden Files in NTFS

    And Merijn has a tool to assist in tracking parasite software that uses ADS.

    info here: http://www.wilderssecurity.com/archi...p/t-46188.html

    direct d/l (24 KB) : http://www.richardthelionhearted.com...les/adsspy.zip

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
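
One way to audit a directory tree for streams like the test.txt:note.exe demonstrated in post #3, using PowerShell's built-in stream support. This is an added example, not part of the original thread and not ADS Spy's code; the helper name Get-AlternateStream is hypothetical, and it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: list alternate data streams under a directory tree.
# Get-AlternateStream is a hypothetical helper name, not a built-in cmdlet.
function Get-AlternateStream {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Reading raw bytes differs between Windows PowerShell 5.1 and PowerShell 6+.
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } }
    else { $byteArgs = @{ Encoding = 'Byte' } }

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream; ':$DATA' is the normal file content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # First two bytes 'MZ' (0x4D 0x5A) mark a Windows executable.
                    $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                -TotalCount 2 -ErrorAction SilentlyContinue @byteArgs)
                    [pscustomobject]@{
                        File        = $file.FullName
                        VisibleSize = $file.Length   # the size dir reports
                        Stream      = $_.Stream
                        StreamSize  = $_.Length      # not counted in VisibleSize
                        LooksLikePE = ($head.Count -eq 2 -and
                                       $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Example run over the directory used in post #3; executables sort to the top.
Get-AlternateStream -Path 'C:\WINDOWS' |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

Expect benign hits as well, such as the Zone.Identifier stream that Windows attaches to downloaded files; a stream whose content starts with MZ behind a small text file is the case worth a closer look.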

  5. #5
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    When I did my search of the forums I looked for "alternative data streams" not "alternate data streams", that's why I missed it. Thanks for pointing it out to me.

  6. #6
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    This thread was ranked #4 in Google while searching for alternative data stream

    Good Job guy!
    -Simon "SDK"

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    A little something I noticed while experimenting with ADS: if you zip a file that contains a stream, the stream itself isn't archived. So if you archive a streamed file, then overwrite it with the archived version, you wind up with a clean file.
