Alternate data streams using NTFS.

[digip]

Based on the "Hak.5 Forums  |  Talk:  |  Questions  |  Make a invisible folder" thread, I was wondering about NTFS Alternate Data Streams.

If you didn't know, there is a way to hide files using notepad in an alternate data stream, but what I really wanted to know is how to detect them.

Open notepad and put some text in it. Say, "Test 1 2 3". Save it somewhere, like "c:test.txt"

Now from a Start/Run  prompt, type "notepad c:test.txt:hidden.txt"

It will ask you to create a new file because it does not exist. Type soemthing in like "Hello world" and just click save. Notice anything? It doesn't ask you where to save the file. And it also doesn't show up anywhere in the folder you saved it to. Move the test.txt file to the desktop. Now, moving the file also moves the hidden file. To see what your hidden file was, go back to the start/run prompt and type in the name of the file with the full path. EX:

"c:documents and settingsownerdesktoptest.txt:hidden.txt" and it should open the file.

Delete test.txt and the hidden file is deleted as well. The file size of test.txt never changes(so long as you do not edit the test.txt file itself, its file size stays the same and does nto reflect whatever is in hidden.txt) so no matter how large hidden.txt is test.txt stays the same size.

Note, moving the test.txt to a file system other than NTFS removed the file and when copied back to an NTFS system, the file will be gone. So you can't put it on a webpage or system that isn't windows NTFS based.

How do you detect these files with alternate data streams and will a virus scanner be able to detect them if say a virus attached itself to a text file in this manner? (Of course, it would probably need some secondary file to execute from the txt file thus probably exposing its whereabouts in the process).

[soulbleed]

Here's how I've done it. It doesn't use alternate data streams, but works very well.

http://antitrust.mistrustauthority.org/?p=1

[digip]

PC mag had a program to read the files but it was not free.

Found one that scans for ADS files and lists their file sizes and ADS names attached to the files: http://www.heysoft.de/nt/lads.zip

I have also just figured out how to get the file back out of it. If you use the command "expand somefile.txt:somefile.exe targetfile.exe" it takes the file out of the txt file. Lads is a nice tool, but at least I now know how to get the orginal file back now, so if by any chance I do come across any stream files I can detect and remove them.

edit: the expand command does not seperate the two files. It only extracts the ADS file. To remove the file from the normal file, copy it to a thumb drive or alternate partition with fat32 and then copy it back to an NTFS file system and the file will be deleted. Since FAT32 can not store ADS files, it removes it when you try to copy it over.

[moonlit]

I didn't know NTFS could do that, you learn something every day. Thanks for the info.

[anyedie]

Yea, I've herd of this but never really tried it, nice post.

[digip]

Found some more about ADS files and how windows xp sp2 adds a zone identifier to files downlaoded form the internet. It apparently assigns files downlaoded form the internet a zone level of 3, but files in the trusted zone an identifier of 2. So it looks liek windows would block the file from running unless the user unblocks it(I have only seen this on a few files before though and it never seemed to stop a file from running). I wonder if there is some sort of exploit in their waiting to happen, like someone randomly assigning "zone.identifier" profiles to legit files and causing them to be blocked from running.

http://64.233.169.104/search?q=cache:wFAxG...&lr=lang_en