2008-03-19T20:47:41-07:00 17378 7009 16230 1 2009-07-30T09:05:16-07:00 2008-03-19T20:47:41-07:00 <div style="text-align: center;">Alternate data streams have been around since the beginning of the NTFS file system.&nbsp; Apparently it was originally created to provide compatibility with HFS. (an old Mac file system.) <br></div><p><br>ADS allows you to fork file data into existing files without affecting their functionality, size, or display.<br>Sexy? I think so! The only thing someone using this covertly has to worry about is timestamps.<br><br>Lets just get right to it:<br>If you wanted to fork A.exe into B.txt it would look like this:<br></p><p>open the command prompt:&nbsp;</p><p><br>type A.exe &gt; B.txt:A.exe<br><br>...and then to execute A.exe:<br><br>start ./ B.txt:A.exe<br><br>Thats all folks. <br>If you arent scared at this point you werent paying attention or you arent a system or network admin.<br><br>Allow me to throw some scenarios for the use of this type of thing:<br><br>1. Hacker Harry gains entry to a network. Harry realizes that further entry may be gained by investigating the network further, but for that Harry needs tools... tools that any admin will notice are sitting on a server.&nbsp; Harry then finds a nice little driver directory and uses the lovely dlls to fork a plethora of tools for further use without changing the drivers functionality, size or raising any eyebrows from the admins.<br><br>2.&nbsp; Johnny malware writer wants his program to hide inside of a target machine and do his evil bidding but doesnt want the user to find and destroy it.&nbsp; Johhny has the evil program hide itself into the system by forking into a known windows application like notepad.&nbsp; Johnny can then call the program from that location.<br><br>3. Slick Adrian decided to make a secret web page, accessable only to him containing sensitive information he wouldnt otherwise trust to be on his server.&nbsp; He made a php page and forked it in a jpg and was able to call it from the web using a url syntax like:<br>http://whatever.org/image.jpg:secret.php<br><br>4. Frisky Tom wanted to hide his porn collection.&nbsp; He forked all his dirty movies into word documents.&nbsp; He could even specify which player to open them:<br>C:\&gt;"C:\Program Files\Windows Media Player\wmplayer.exe" "C:\MY_MATH_HW.doc:UBER_PRON.avi"<br>What a forking perv!<br><br><br>Here are some other things to keep in mind:<br><br>1. Theres no size limit to the streams in ADS.<br><br>2. You can put more than one stream on a normal file.<br><br>3. ADS can also be used with directories. <br>Be aware that if you make one against the root of a drive I believe its impossible to remove (barring a reformat)<br><br>4. A user can only create an ADS where they have write access.<br><br>5. Windows File Protection does not protect from adding streams to system files. <br><br>6. MS has nothing on the OS or resource kits for detecting ADS. You're gonna have to go third party!&nbsp; Lucky you theres some good stuff out there, LADS being a popular one: http://www.heysoft.de/nt/lads.zip<br><br>7. Streams can only be executed if called directly and usually with the full path to the file given. In other words, you dont execute a stream accidentally.<br><br>8. ADS only work on NTFS file systems.&nbsp; If you push a file with a stream on it to a FAT filesystem the stream dies, not the file. <br><br><br>Anyways, have fun with this. I hope Ive opened a whole new world of possibilities for you for better or worse.&nbsp; Please remember this is just a basic intro into ADS, please see the references and do your own research!<br><br>Ive also attached a video so you can see this type of thing in action. Its not very long but it gets the point across.</p><p align="center">&nbsp;</p> 33928 7009 1 17378 1 2009-07-30T09:06:18-07:00 8111 2009-07-30T09:06:27-07:00 33929 7009 3 17378 1 2009-07-30T09:06:27-07:00