Practical Guide to Alternative Data Streams in NTFS


        Alternative Data Stream support was added to NTFS (Windows NT, Windows 2000 and Windows XP) to help support the Macintosh Hierarchical File System (HFS), which uses resource forks to store icons and other information for a file. While this is the intended use (along with a few Windows internal functions), there are other uses for Alternative Data Streams that should concern system administrators and security professionals. Using Alternative Data Streams, a user can easily hide files that can go undetected unless closely inspected. This tutorial will give basic information on how to manipulate and detect Alternative Data Streams.

        (Note about conventions: Alternative Data Streams are also sometimes referred to as Alternate Data Streams or ADS. Since Alternative Data Streams is so long, and ADS can be confused with Active Directory Services, I will simply call this feature AltDS for short.)

Creating an AltDS

        Making an AltDS is fairly simple. I will use command line examples, feel free to follow along. We could hide some data in an AltDS behind an already existing file, but for this example we will create a new base file to hide behind:


C:\>echo Just a plan text file>sample.txt

C:\>type sample.txt
Just a plan text file

C:\>



        Next we will use a colon as the operator to tell our commands to create or use an AltDS:


C:\>echo You can't see me>sample.txt:secret.txt


        Unfortunately, the use of the colon operator is a bit hit or miss in its implementation and sometimes does not work as we might expect, as seen below:


C:\>type sample.txt:secret.txt
The filename, directory name, or volume label syntax is incorrect.


        Since the "type" command does not understand the colon operator we will have to use notepad to read the file:


C:\>notepad sample.txt:secret.txt


        If all worked well, you should now see a notepad window with the text "You can't see me" in it. Also notice that while the amount of total hard drive space free went down, the file size of sample.txt did not increase:


C:\>dir sample.txt
Volume in drive C has no label.
Volume Serial Number is 40CC-B506

Directory of C:\

09/27/2004 01:58 PM 23 sample.txt
1 File(s) 23 bytes
0 Dir(s) 12,658,040,832 bytes free

C:\>


        You can make an AltDS not only on files but also on directories. Here is a quick example:


C:\>md stuff

C:\>cd stuff

C:\stuff>echo Hide stuff in stuff>:hide.txt

C:\stuff>dir
Volume in drive C has no label.
Volume Serial Number is 40CC-B506

Directory of C:\stuff

09/28/2004 10:19 AM <DIR> .
09/28/2004 10:19 AM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 12,253,208,576 bytes free

C:\stuff>notepad :hide.txt


        Hopefully you now see a notepad window with hide.txt's contents. If all one could do with AltDS was hide text files it would not be that impressive, but there's much more that can be done with this useful NTFS feature.

Hiding and running an executable.

        As it turns out, using AltDS to hide executables is not much harder than it is to hide text files. AltDS makes for a great way for malware to hide itself on a system. Here's an example of how an executable can be hidden behind another file:

        First we make our file to hide behind:


C:\WINDOWS>echo Test>test.txt


        Next we put an EXE behind it. I'm just using notepad.exe because it's convenient:


C:\WINDOWS>type notepad.exe>test.txt:note.exe


        Next we confirm the contents of the text file when someone tries to open it.


C:\WINDOWS>type test.txt
Test


        Now we will confirm the file size. Notice that adding notepad.exe as a stream did not increase the size of test.txt.


C:\WINDOWS>dir test.txt
Volume in drive C has no label.
Volume Serial Number is 007E-2E3C

Directory of C:\WINDOWS

09/19/2004 08:37 AM 6 test.txt
1 File(s) 6 bytes
0 Dir(s) 19,734,708,224 bytes free


        Now we will attempt to run our hidden exe. Notice the ".\" in front of the file name, this is necessary because the "start" command needs to know the correct path to the file (at least if you are using XP).


C:\WINDOWS>start .\test.txt:note.exe

C:\WINDOWS>


        If all worked well there should now be a notepad window up on your system. You should be able to hide just about any other EXE file this way if you wish.

IIS and Alternative Data Streams

        While I was at Taco Bell recently I was thinking about what I could do in this tutorial that would make it a little different from other essays on Alternative Data Streams, which brought to mind a question: Does Microsoft's Internet Information Server work with Alternative Data Streams? As it happens, it does (at least IIS 6 at the time of this writing). I ran the following commands to test it out:



W:\>echo the text file>t.txt

W:\>type xx.php >t.txt:x.php


xx.php being a PHP file with the following code:


<HTML>
<BODY>
<PRE>
<?php
// Print a marker so we can tell the stream was parsed as PHP
echo "If I see this I know it worked";
?>
</PRE>
</BODY>
</HTML>


        If you are following along try and see if you can read the text file off your server. If you don't have an IIS server just look at the file on my student site (assuming the link is not dead by the time you read this tutorial).

http://testiis/t.txt

        That worked as expected. Next try to see if IIS parses out the colon and then interprets the PHP file in the Alternative Data Stream:

http://testiis/t.txt:x.php


        What do you know, it works! I could think of a few things that users might want to hide in web pages like this (movies, porn, scripts and such).
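A defender can look for this behavior in web server logs. The following is an added example, not code from the original tutorial: it scans an IIS log for requests whose URL path contains a colon, assuming the W3C extended log format with a `#Fields:` header. The log lines, client addresses and function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (times and client IPs are invented).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-09-28 14:02:11 192.0.2.10 GET /t.txt - 200
2004-09-28 14:02:40 192.0.2.10 GET /t.txt:x.php - 200
2004-09-28 14:03:05 192.0.2.44 GET /docs/t.txt%3Ax.php - 404
2004-09-28 14:03:09 192.0.2.44 GET /index.php page=a:b 200
"""

def decode_fully(stem, max_rounds=3):
    """Percent-decode repeatedly so %3A and %253A both surface as ':'."""
    for _ in range(max_rounds):
        decoded = unquote(stem)
        if decoded == stem:
            break
        stem = decoded
    return stem

def stream_requests(log_text):
    """Return (date, time, client, path, status) for every request whose
    URL path contains ':' (the file:stream syntax used in this section)."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = decode_fully(row.get("cs-uri-stem", ""))
        if ":" in path:                    # the query string is ignored on purpose
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         path, row.get("sc-status")))
    return hits

if __name__ == "__main__":
    for hit in stream_requests(SAMPLE_LOG):
        print(*hit)
```

A 200 status on a flagged request means the server resolved the stream name, so the host file behind it is worth inspecting with the stream-listing tools covered later in this tutorial.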

Hiding Videos

        One can also hide videos in Alternative Data Streams, but depending on how you put them in the streams they can be hard to play. For my examples I will use a video with spaces in the name just to complicate matters and show that it can be done. First let us create an AltDS behind the sample.txt file we made earlier. Notice the use of quotation marks to compensate for the spaces in the file names:


C:\>type "Naughty Linux Girls.avi" >"sample.txt:Naughty Linux Women.avi"


        Give the above command some time; subjectively it seems that AltDS is a little slow to work its magic. After the above command finishes we will attempt to open the video stream. I'll use Windows Media Player in my example since most of you should have it on your box and I know it works with AltDS:


C:\>"C:\Program Files\Windows Media Player\wmplayer.exe" "c:\sample.txt:Naughty Linux Women.avi"


        If all worked well the video should now be playing. Pretty cool huh?

Retrieving a file from an Alternative Data Stream

        Since support for AltDS is hit and miss in Windows we need to get an extra tool to suck data back out of an AltDS and put it back in a regular file. For this we will use a Windows port of the *nix tool "cat" (download it and other tools from http://unxutils.sourceforge.net/ ). Retrieving the original file is simple:


C:\>cat "sample.txt:Naughty Linux Women.avi">"Naughty Linux Women.avi"


        If all works well "Naughty Linux Women.avi" should contain all the original data of the video we put into the stream.

Finding AltDS

        Some anti-malware tools understand how to search Alternate Data Streams for malware. I know Adaware SE Build 1.05 can recognize known spyware in AltDSes (see http://www.lavasoftsupport.com/index.php?showtopic=40692 for more details). I've had a devil of a time finding out if other tools like Spybot or Symantec Antivirus look at AltDS; the vendors' websites give little information on it. If you know, email me and I will update this tutorial.

        Now I will show you a few tools you can use to find Alternate Data Streams. First there's LADS by Frank Heyne (see the tools section at the bottom of this tutorial for where to download LADS and other apps). LADS seems to work quite well for finding the streams we created above:


C:\>lads c:\

LADS - Freeware version 4.00
(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:\

size ADS in file
---------- ---------------------------------
Error 32 opening C:\pagefile.sys
368146432 C:\sample.txt:Naughty Linux Women.avi
18 C:\sample.txt:secret.txt
21 C:\stuff\:hide.txt

The following summary might be incorrect because there was at least one error!

368146471 bytes in 3 ADS listed

C:\>


        As you can see, it found both of the files I hid. To find out more about what LADS can do, run it with the "/?" parameter:


C:\>lads /?

LADS - Freeware version 4.00
(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Usage: LADS [Directory] [/S] [/D] [/A] [/Xname]
Directory: directory to scan, current if ommitted
/S include Subdirectories
/D Debug LADS ;-)
/V Verbose error reports
/A give a summary of All bytes used in the scanned directories
(All files and directories are considered as uncompressed
and all security decriptions are skipped
for calculating this number!)
/Xname eXclude any ADS "name"
/Pfile read Parameters from "file"

C:\>


        Pay special attention to the "/S" parameter, you can use it to search entire hard drives and directory structures for AltDS.

        Another popular tool is Streams from SysInternals. It works in much the same way as LADS:


C:\>streams -s c:\

Streams v1.5 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open c:\\pagefile.sys:
The process cannot access the file because it is being used by another process

c:\\sample.txt:
:Naughty Linux Women.avi:$DATA 368146432
:secret.txt:$DATA 18
c:\\stuff:
:hide.txt:$DATA 21
...


        I had to truncate the results above to save space, since Streams is doing a search of the whole C: drive. Streams also has the parameter "-d" to delete streams, but I don't recommend that you use it unless you are sure of what you are doing.

        For you folks that like to stick to GUIs there are three tools you might want to check out: ADS Spy, which is quite slick; Crucial ADS, which is also nice; and ADS Detector, which acts kind of like a plug-in for Explorer that lets you see Alternate Data Streams (unfortunately you have to sign up to download it). Update: to get ADS Detector to work after you have installed it, open your Explorer window, then go to View->Explorer Bar and check "ADS detector". Thanks to David Bishop of Anderson Engineering for pointing out to me how to get ADS Detector to work. You can find links to all these tools at the bottom of this tutorial.

Quick answers and Factoids about AltDS

How do I delete AltDSes from a file?

        Well, if you delete the file it's attached to you will delete the AltDS, but I'm imagining you want to leave the base file intact. You can use a tool like Streams (see above) to delete the Alternative Data Streams, or you can rename the file and then use the "type" command to pipe it back to the original file name. Example:

C:\>ren sample.txt delme.txt

C:\>type delme.txt>sample.txt

C:\>del delme.txt

        A third option is to just move the files you want to remove streams from to a FAT32 drive, then move them back to the original drive. A window will pop up asking you to confirm the stream loss; just click yes.

I see a stream called "AFP_AfpInfo" on a lot of my files, should I worry?

        Most likely it's OK; this is usually an Apple file system fork like I mentioned at the beginning of this tutorial. AFP stands for Apple Filing Protocol, and this stream should contain information like the icon a Mac would use to show the file. The AFP_AfpInfo stream may have been put there when the file was touched by a Macintosh or if the Windows box it was copied from had Services For Macintosh enabled. It's possible that a deviant user could name one of their streams AFP_AfpInfo to try and hide it, but it's not likely because using this name could make it not work as expected when they try to run or open it.

I see a stream called "encryptable" on my Thumbs.db files, should I worry?

        This is expected behavior for Windows. Thumbs.db holds thumbnails for folders when you choose the thumbnail view in Explorer. It's OK, but if the size of the encryptable stream is over 0 bytes you might want to take a look at it. Same warnings as AFP_AfpInfo apply.


Ok, what about streams called "SummaryInformation", should I worry?

        This is also expected behavior for Windows. Windows sometimes stores text information like titles, keywords, and revision numbers here. Same warnings as AFP_AfpInfo apply.

Do streams survive being copied across the network or from one hard drive to another?

        Yes, as long as both file systems are NTFS. If the destination is FAT32 the streams will be lost.
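The triage advice in the answers above can be applied mechanically to the output of Streams. This is an added example, not part of the original tutorial or of any of the tools it lists: it parses `streams -s` output in the format shown earlier and ranks each stream using the names the FAQ calls expected. The watch list of extensions, the function names and the extra sample entries are assumptions made for illustration.

```python
import re

# Constructed input in `streams -s` format; sizes and hosts not shown in the tutorial are invented.
SAMPLE = r"""Failed to open c:\\pagefile.sys:
c:\\sample.txt:
:Naughty Linux Women.avi:$DATA 368146432
:secret.txt:$DATA 18
c:\\stuff:
:hide.txt:$DATA 21
c:\\WINDOWS\\test.txt:
:note.exe:$DATA 69120
c:\\pics\\Thumbs.db:
:encryptable:$DATA 0
c:\\docs\\report.doc:
:SummaryInformation:$DATA 120
c:\\scans\\Thumbs.db:
:encryptable:$DATA 512
"""

STREAM_RE = re.compile(r"^:(?P<name>.+):\$DATA\s+(?P<size>\d+)$")
EXPECTED = {"AFP_AfpInfo", "SummaryInformation"}     # names the FAQ calls normal
RUNNABLE = (".exe", ".dll", ".php", ".vbs", ".bat")  # assumed watch list

def parse_streams(text):
    """Yield (host_path, stream_name, size) for each named stream."""
    host = None
    for line in map(str.strip, text.splitlines()):
        m = STREAM_RE.match(line)
        if line.startswith("Failed to open"):
            host = None  # error line, not a host file
        elif m and host:
            yield host, m["name"], int(m["size"])
        elif line.endswith(":") and not line.startswith(":"):
            host = line[:-1].replace("\\\\", "\\")

def triage(host, name, size):
    """Rank a stream: runnable content first, known system names last."""
    if name.lower().endswith(RUNNABLE):
        return "high"
    if name == "encryptable" and host.lower().endswith("\\thumbs.db"):
        return "expected" if size == 0 else "review"
    return "expected" if name in EXPECTED else "review"

def report(text):
    rows = [(triage(h, n, s), h, n, s) for h, n, s in parse_streams(text)]
    return sorted(rows, key=lambda r: ("high", "review", "expected").index(r[0]))

if __name__ == "__main__":
    print(*report(SAMPLE), sep="\n")
```

Streams ranked "expected" are still listed rather than dropped, since the same warning applies to them as to AFP_AfpInfo: a stream can be given one of these names to blend in.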
 


        I hope this tutorial helped you to better understand Alternative Data Streams. Please feel free to email me if you have questions, clarifications or more information.


Further reading:

The best write up I've seen on AltDS:
http://patriot.net/~carvdawg/docs/dark_side.html 

Great FAQ by the creator of LADS:
http://www.heysoft.de/nt/ntfs-ads.htm 

Good information on AltDS from wr0ck:
http://www.ramsecurity.us/texts/ntfsds.php 


Tools:

LADS - List Alternate Data Streams by Frank Heyne
http://www.heysoft.de/Frames/f_sw_la_en.htm

Streams.exe from SysInternals:
http://www.sysinternals.com/ntw2k/source/misc.shtml#streams

ScanADS command line tool:
http://www.kodeit.org/products/scanads/default.htm 

ADS Spy GUI Scanner:
http://www.spywareinfo.com/~merijn/downloads.html 

Crucial ADS GUI Scanner:
www.crucialsecurity.com/downloads.html 

ADS Detector for Explorer:
http://www.codeproject.com/csharp/CsADSDetectorArticle.asp 

Windows ports of Unix tools like CAT:
http://unxutils.sourceforge.net/ 

 


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast