-
September 28th, 2004, 07:36 PM
#1
Practical Guide to Alternative Data Streams in NTFS
Alternative Data Stream support was added to NTFS (Windows NT, Windows 2000 and Windows XP) to help support Macintosh Hierarchical File System (HFS) which uses resource forks to store icons and other information for a file. While this is the intended use (as well as a few Windows internal functions) there are other uses for Alternative Data Streams that should concern system administrators and security professionals. Using Alternative Data Streams a user can easily hide files that can go undetected unless closely inspected. This tutorial will give basic information on how to manipulate and detect Alternative Data Streams.
(Note about conventions: Alternative Data Streams are also sometimes referred to as Alternate Data Streams or ADS. Since Alternative Data Streams is so long, and ADS can be confused with Active Directory Services, I will simply call this feature AltDS for short.)
Creating an AltDS
Making an AltDS is fairly simple. I will use command line examples, feel free to follow along. We could hide some data in an AltDS behind an already existing file, but for this example we will create a new base file to hide behind:
Code:
C:\>echo Just a plan text file>sample.txt
C:\>type sample.txt
Just a plan text file
C:\>
Next we will use a colon as the operator to tell our commands to create or use an AltDS:
Code:
C:\>echo You can't see me>sample.txt:secret.txt
Unfortunately, the use of the colon operator is a bit hit or miss in its implementation and sometimes does not work as we might expect, as seen below:
Code:
C:\>type sample.txt:secret.txt
The filename, directory name, or volume label syntax is incorrect.
Since the “type” command does not understand the colon operator we will have to use notepad to read the file:
Code:
C:\>notepad sample.txt:secret.txt
If all worked well, you should now see a notepad window with the text “You can't see me” in it. Also notice that while the amount of total hard drive space free went down, the file size of sample.txt did not increase:
Code:
C:\>dir sample.txt
Volume in drive C has no label.
Volume Serial Number is 40CC-B506
Directory of C:\
09/27/2004 01:58 PM 23 sample.txt
1 File(s) 23 bytes
0 Dir(s) 12,658,040,832 bytes free
C:\>
You can make an AltDS not only in files but also in directories; here is a quick example:
Code:
C:\>md stuff
C:\>cd stuff
C:\stuff>echo Hide stuff in stuff>:hide.txt
C:\stuff>dir
Volume in drive C has no label.
Volume Serial Number is 40CC-B506
Directory of C:\stuff
09/28/2004 10:19 AM <DIR> .
09/28/2004 10:19 AM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 12,253,208,576 bytes free
C:\stuff>notepad :hide.txt
Hopefully you now see a notepad window with hide.txt’s contents. If all one could do with AltDS was hide text files it would not be that impressive, but there’s much more that can be done with this useful NTFS feature.
Hiding and running an executable.
As it turns out, using AltDS to hide executables is not much harder than it is to hide text files. AltDS makes for a great way for malware to hide itself on a system. Here’s an example of how an executable can be hidden behind another file:
First we make our file to hide behind:
Code:
C:\WINDOWS>echo Test>test.txt
Next we put an EXE behind it; I'm just using notepad.exe because it’s convenient:
Code:
C:\WINDOWS>type notepad.exe>test.txt:note.exe
Next we confirm the contents of the text file when someone tries to open it.
Code:
C:\WINDOWS>type test.txt
Test
Now we will confirm the file size; notice that adding notepad.exe as a stream did not increase the size of test.txt.
Code:
C:\WINDOWS>dir test.txt
Volume in drive C has no label.
Volume Serial Number is 007E-2E3C
Directory of C:\WINDOWS
09/19/2004 08:37 AM 6 test.txt
1 File(s) 6 bytes
0 Dir(s) 19,734,708,224 bytes free
Now we will attempt to run our hidden exe. Notice the “.\” in front of the file name; this is necessary because the “start” command needs to know the correct path to the file (at least if you are using XP).
Code:
C:\WINDOWS>start .\test.txt:note.exe
C:\WINDOWS>
If all worked well there should now be a notepad window up on your system. You should be able to hide just about any other EXE file this way if you wish.
IIS and Alternative Data Streams
While I was at Taco Bell recently I was thinking about what I could do in this tutorial that would make it a little different from other essays on Alternative Data Streams, which brought to mind a question: Does Microsoft’s Internet Information Server work with Alternative Data Streams? As it happens, it does (at least IIS 6 at the time of this writing). I did the following commands to test it out:
Code:
W:\>echo the text file>t.txt
W:\>type xx.php >t.txt:x.php
xx.php being a PHP file with the following code:
Code:
<HTML>
<BODY>
<PRE>
<?
echo "If I see this I know it worked"
?>
</BODY>
</HTML>
If you are following along try and see if you can read the text file off your server. If you don’t have an IIS server just look at the file on my student site (assuming the link is not dead by the time you read this tutorial).
http://homepages.ius.edu/adrian/t.txt
That worked as expected. Next try to see if IIS parses out the colon and then interprets the PHP file in the Alternative Data Stream:
http://homepages.ius.edu/adrian/t.txt:x.php
What do you know, it works! I could think of a few things that users might want to hide in web pages like this (movies, porn, scripts and such).
Hiding Videos
One can also hide videos in Alternative Data Streams, but depending on how you put them in the streams they can be hard to play. For my examples I will use a video with spaces in the name just to complicate matters and show that it can be done. First let us create an AltDS behind the sample.txt file we made earlier; notice the use of quotation marks to compensate for the spaces in the file names:
Code:
C:\>type "Naughty Linux Girls.avi" >"sample.txt:Naughty Linux Women.avi"
Give the above command some time; subjectively it seems that AltDS is a little slow to work its magic. After the above command finishes we will attempt to open the video stream. I’ll use Windows Media Player in my example since most of you should have it on your box and I know it works with AltDS:
Code:
C:\>"C:\Program Files\Windows Media Player\wmplayer.exe" "c:\sample.txt:Naughty Linux Women.avi"
If all worked well the video should now be playing. Pretty cool huh?
Retrieving a file from an Alternative Data Stream
Since support for AltDS is hit and miss in Windows we need to get an extra tool to suck data back out of an AltDS and put it back in a regular file. For this we will use a Windows port of the *nix tool “cat” (download it and other tools from http://unxutils.sourceforge.net/ ). Retrieving the original file is simple:
Code:
C:\>cat "sample.txt:Naughty Linux Women.avi">"Naughty Linux Women.avi"
If all works well "Naughty Linux Women.avi" should contain all the original data of the video we put into the stream.
Finding AltDS
Some anti-malware tools understand how to search Alternate Data Streams for malware. I know Adaware SE Build 1.05 can recognize known spyware in AltDSes (See http://www.lavasoftsupport.com/index...howtopic=40692 for more details). I’ve had a devil of a time finding out if other tools like Spybot or Symantec Antivirus look at AltDS; the vendors' websites give little information on it. If you know, email me and I will update this tutorial.
Now I will show you a few tools you can use to find Alternate Data Streams. First there’s LADS by Frank Heyne (see the tools section at the bottom of this tutorial for where to download LADS and other apps). LADS seems to work quite well for finding the streams we created above:
Code:
C:\>lads c:\
LADS - Freeware version 4.00
(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Scanning directory C:\
size ADS in file
---------- ---------------------------------
Error 32 opening C:\pagefile.sys
368146432 C:\sample.txt:Naughty Linux Women.avi
18 C:\sample.txt:secret.txt
21 C:\stuff\:hide.txt
The following summary might be incorrect because there was at least one error!
368146471 bytes in 3 ADS listed
C:\>
As you can see it found both of the files I hid. To find out more about what LADS can do, run it with the “/?” parameter:
Code:
C:\>lads /?
LADS - Freeware version 4.00
(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Usage: LADS [Directory] [/S] [/D] [/A] [/Xname]
Directory: directory to scan, current if ommitted
/S include Subdirectories
/D Debug LADS ;-)
/V Verbose error reports
/A give a summary of All bytes used in the scanned directories
(All files and directories are considered as uncompressed
and all security decriptions are skipped
for calculating this number!)
/Xname eXclude any ADS "name"
/Pfile read Parameters from "file"
C:\>
Pay special attention to the “/S” parameter; you can use it to search entire hard drives and directory structures for AltDS.
Another popular tool is Streams from SysInternals. It works in much the same way as LADS:
Code:
C:\>streams -s c:\
Streams v1.5 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
Failed to open c:\\pagefile.sys:
The process cannot access the file because it is being used by another process
c:\\sample.txt:
:Naughty Linux Women.avi:$DATA 368146432
:secret.txt:$DATA 18
c:\\stuff:
:hide.txt:$DATA 21
...
I had to truncate the results above to save space, since Streams is doing a search of the whole C: drive. Streams also has the parameter “-d” to delete streams, but I don’t recommend that you use it unless you are sure of what you are doing.
For you folks that like to stick to GUIs there are three tools you might want to check out: ADS Spy which is quite slick, Crucial ADS which is also nice and ADS Detector which acts kind of like a plug-in for Explorer that lets you see Alternate Data Streams (unfortunately you have to sign up to download it, and so far I can’t seem to get it to work on my XP box). You can find links to all these tools at the bottom of this tutorial.
Quick answers and Factoids about AltDS
How do I delete AltDSes from a file?
Well, if you delete the file it’s attached to you will delete the AltDS, but I’m imagining you want to leave the base file intact. You can use a tool like Streams (see above) to delete the Alternative Data Streams, or you can rename the file and then use the “type” command to pipe it back to the original file name. Example:
Code:
C:\>ren sample.txt delme.txt
C:\>type delme.txt>sample.txt
C:\>del delme.txt
A third option is to just move the files you want to remove streams from to a Fat32 drive then move them back to the original drive. You will get a window that pops up asking you to confirm the stream loss; just click yes.
I see a stream called “AFP_AfpInfo” on a lot of my files, should I worry?
Most likely it’s ok; this is usually an Apple file system fork like I mentioned at the beginning of this tutorial. AFP stands for Apple Filing Protocol, and this stream should contain information like the icon a Mac would use to show the file. The AFP_AfpInfo stream may have been put there when the file was touched by a Macintosh or if the Windows box it was copied from had Services For Macintosh enabled. It’s possible that a deviant user could name one of their streams AFP_AfpInfo to try and hide it, but it’s not likely because using this name could make it not work as expected when they try to run or open it.
I see a stream called “encryptable” on my Thumbs.db files, should I worry?
This is expected behavior for Windows; Thumbs.db holds thumbnails for folders when you choose the thumbnail view in Explorer. It’s ok, but if the size of the encryptable stream is over 0 bytes you might want to take a look at it. Same warnings as AFP_AfpInfo apply.
Ok, what about streams called “SummaryInformation”, should I worry?
This is also expected behavior for Windows. Windows sometimes stores text information like titles, keywords, and revision numbers here. Same warnings as AFP_AfpInfo apply.
Do streams survive being copied across the network or from one hard drive to another?
Yes, as long as both file systems are NTFS. If the destination is Fat32 the streams will be lost.
I hope this tutorial helped you to better understand Alternative Data Streams. Please feel free to email me if you have questions, clarifications or more information.
Further reading:
The best write up I’ve seen on AltDS:
http://patriot.net/~carvdawg/docs/dark_side.html
Great FAQ by the creator of LADS:
http://www.heysoft.de/nt/ntfs-ads.htm
Good information on AltDS from wr0ck:
http://www.ramsecurity.us/texts/ntfsds.php
Tools:
LADS - List Alternate Data Streams by Frank Heyne
http://www.heysoft.de/Frames/f_sw_la_en.htm
Streams.exe from SysInternals:
http://www.sysinternals.com/ntw2k/so....shtml#streams
ScanADS command line tool:
http://www.kodeit.org/products/scanads/default.htm
ADS Spy GUI Scanner:
http://www.spywareinfo.com/~merijn/downloads.html
Crucial ADS GUI Scanner:
www.crucialsecurity.com/downloads.html
ADS Detector for Explorer:
http://www.codeproject.com/csharp/Cs...torArticle.asp
Windows ports of Unix tools like CAT:
http://unxutils.sourceforge.net/
Side Note: Thanks folks for all your support, it took me two days shy of two months to reach 11 Antipoint dots, most of you have made me feel very welcome. Thanks.
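The tutorial finds streams with LADS and Streams and removes them with the rename/type trick or Streams -d. As an added example (not code from the original post, nor from LADS, Streams or any other tool it lists), the PowerShell below does the same job with the built-in -Stream parameter, which exists in Windows PowerShell 3.0 and later on NTFS volumes. It enumerates every stream under a directory, marks the names the FAQ above describes as normal (AFP_AfpInfo, SummaryInformation, and encryptable only while it is 0 bytes) as expected and everything else for review, copies a stream's bytes back out to a regular file, and deletes a single named stream. The function names and the paths in the usage comments are placeholders chosen for this example.

```powershell
# Added example, not code from the original post or from LADS/Streams.
# Requires Windows PowerShell 3.0+ (the -Stream parameter) on an NTFS volume.
# Function names and the paths in the usage comments are placeholders.

function Get-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Stream names the tutorial's FAQ explains as normal Windows/Macintosh behaviour.
        [string[]] $KnownBenign = @('AFP_AfpInfo', 'SummaryInformation', 'encryptable')
    )
    # Files only: this covers the sample.txt streams above but not a stream attached
    # to a directory itself (C:\stuff\:hide.txt), which LADS and Streams also list.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Get-Item -Stream * returns one record per stream; ':$DATA' is the file's
        # ordinary content, so it is filtered out.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $benign = $KnownBenign -contains $_.Stream
            # Per the FAQ: 'encryptable' on Thumbs.db is expected only at 0 bytes.
            if ($_.Stream -eq 'encryptable' -and $_.Length -gt 0) { $benign = $false }
            $status = 'REVIEW'
            if ($benign) { $status = 'expected' }
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
                Status = $status
            }
          }
      }
}

function Export-AdsContent {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Stream,
        [Parameter(Mandatory)] [string] $Destination
    )
    # Read the stream as raw bytes so a binary stream (note.exe or the AVI above)
    # comes out intact; the byte-reading switch was renamed in PowerShell 6.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -ReadCount 0
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
    }
    # .NET resolves relative paths against the process directory, not the
    # PowerShell location, so resolve the destination through the provider first.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)
    [System.IO.File]::WriteAllBytes($full, [byte[]]$bytes)
}

function Remove-AdsStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Stream
    )
    # Deletes only the named stream; the base file and its own contents remain.
    Remove-Item -LiteralPath $Path -Stream $Stream
}

# Usage (paths are placeholders matching the tutorial's walkthrough):
# Get-SuspiciousAds -Root 'C:\' | Format-Table -AutoSize
# Export-AdsContent -Path 'C:\sample.txt' -Stream 'secret.txt' -Destination 'C:\recovered.txt'
# Remove-AdsStream -Path 'C:\sample.txt' -Stream 'secret.txt'
```

Get-SuspiciousAds is a triage list, not a verdict: a stream named AFP_AfpInfo is reported as expected even though, as the FAQ notes, nothing stops someone from reusing that name, so review the Bytes column for sizes that do not fit a Mac icon record. Export-AdsContent replaces the unxutils cat step above and works for binary streams where the “type” command does not.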
-
September 28th, 2004, 08:11 PM
#2
Hey Hey,
Nice post... and decent tutorial as always... but generally it's taboo to post something that's been done before... it'll usually get you negged as you already know.. I'm not going to do that.. call it the biased elitism towards fellow addicts/seniors but who cares... Anyways this topic has been covered here many many times.
http://www.antionline.com/showthread...te+Data+Stream
http://www.antionline.com/showthread...te+Data+Stream
http://www.antionline.com/showthread...te+Data+Stream
http://www.antionline.com/showthread...te+Data+Stream
http://www.antionline.com/showthread...te+Data+Stream
http://www.antionline.com/showthread...te+Data+Stream
Anyways well written nonetheless... just next time search first
Peace,
HT
[Edit]
Btw it's the Alternate Data Stream... not Alternative :P
[/Edit]
-
September 28th, 2004, 08:19 PM
#3
but generally it's taboo to post something that's been done before
lol yeah, but got to give him credit for writing nice tuts!
On my quick glance over it I saw one thing that stood out for me:
<HTML>
<BODY>
<PRE>
<?
echo "If I see this I know it worked"
?>
</BODY>
</HTML>
Don't you have to finish your <pre> code? (ie. </pre> .
-
September 28th, 2004, 08:22 PM
#4
I understand where you're coming from, but many of those threads are not specifically about Alternative Data Streams (or they are not in the Tutorials section). And as for those that are, I’ve added some more details to mine that might be helpful to those that wish to look in just one place for information. For example: Information about IIS, AFP_AfpInfo/encryptable/SummaryInformation streams, using AltDS with Videos and getting files back out of AltDS in their original form.
-
September 28th, 2004, 08:23 PM
#5
Originally posted here by kurt_der_koenig
Don't you have to finish your <pre> code? (ie. </pre> .
It’s considered good form to, guess I forgot.
Originally posted by HTRegz
Btw it's the Alternate Data Stream... not Alternative :P
I've seen it both ways, even Microsoft sometimes uses the words "Alternative Data Streams":
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q286797
-
September 28th, 2004, 08:37 PM
#6
yeah, but got to give him credit for writing nice tuts!
I believe he did.
Nice post... and decent tutorial as always...
-
September 28th, 2004, 08:54 PM
#7
I know he did, it wasn't a command or suggestion. nvm
-
September 28th, 2004, 09:06 PM
#8
Nice tutorial! I'd green ya... but I have to spread.
I like how you incorporated the IIS. I wonder if it'll work with other web servers... and I wonder if we've seen that before by scammers/spammers? It'd be a good way for them to hide stuff from their ISP. They'll get reports, look, see nothing and pass it off? Unless they look at the actual access logs and not just the webroot directory...
Too bad my school server uses linux... or I'd be hiding my movies and mp3s on there....
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
October 1st, 2004, 09:54 PM
#9
Update: to get ADS Detector to work after you have installed it, open your Explorer window then go to View->Explorer Bar and check "ADS detector". Thanks to David Bishop of Anderson Engineering for pointing out to me how to get ADS Detector to work.
-
January 3rd, 2005, 06:25 PM
#10
Can't delete the streamed data
Irongeek,
I've tried to delete the streamed data but it isn't working. I mean the .txt file is getting deleted but it isn't freeing up disk space. I've attached a file along with this post. The disk space isn't increasing after I delete it.