Logo
RSS Feed

๐Ÿบ ADS

Created: 02.06.2023

This is about … .

Alternate data streams. To ensure compatability between NTFS and HFS. Allows hiding files.

C:\type C:\mal.exe > C:\readme.txt:naughty.exe start readme.txt:naughty.exe C:\mklink innocent.exe readme.txt:naughty.exe

to run innocent.exe But dir /r - will display all streams. LNS and Sfind will hunt down such files. Also, when you copy files from and to a FAT partition - all residual files will be deleted.

On Windows machines (NTFS file system) itโ€™s possible to โ€œappendโ€ a file to another file in such a way that this files is not visible with standard tools. This notion is called an alternate data stream. There are several problems that arise in this case:

The host fileโ€™s hash is not changed, because technically it is not a part of this file. To check - fciv. The host fileโ€™s size is not changed, again, because technically it is not a part of this file. These files are not visible for the file system and therefore, such tools as cmd, PowerShell, Explorer or others wonโ€™t see them if donโ€™t know the magic ๐Ÿช„ word. Even if you run type filewithlitter.txt you wonโ€™t see the stream fileโ€™s contents, only the original oneโ€™s.

How to create an ADS

type litter.txt > host.txt:litterhidden.txt

How to check a directory for an ADS

streams -s <directory>

How to get a file from a stream

You need to know its name to be able to reference it:

notepad host.txt:litterhidden.txt

If you find a program file with an executable attached, itโ€™s almost always means something malicious is in place. Sometimes, attackers might hide the extension. In this case, the file size might be a good reason to dig deeper.

How to delete the stream

streams -s -d <directory>. Quite dangerous since you might delete something good instead. Some system files are stored as streams for legitimate reasons. Why, btw?