
Alternate Data Streams

Friday, April 9, 2010

NTFS has supported Alternate Data Streams since its introduction in Windows NT. They let you store data “behind” a filename by appending a stream name to it (FileName:StreamName).

This isn't a well-known feature; it was included primarily to provide compatibility with the resource forks of files on the Macintosh HFS file system (Services for Macintosh). Alternate data streams allow a file to contain more than one stream of data. Every file has at least one: the unnamed default stream, written in full as FileName::$DATA (an empty stream name followed by the stream type $DATA). The content you see when you open a file is that default stream.

Windows Explorer gives no indication that a file carries alternate data streams, and neither does a plain dir listing, yet streams are easy to create and access. Because they are hard to spot, attackers have used them to stash files (components of a rootkit, for instance) on machines they have compromised. An executable stored in a stream does not appear in Explorer or in a normal directory listing, yet it can still be launched from the command line.

How to write data to hidden streams

You can add data to a hidden stream with any command whose output you can redirect to a file, because redirection accepts the FileName:StreamName syntax. Some text editors, Notepad among them, accept it too.

The stream name is arbitrary; think of it as the secret word that unlocks the hidden data. If you plan to use Notepad, give the stream name an extension (secretword.txt, secretword.exe), because Notepad appends .txt to any name that lacks one.

For instance, let's use the echo command and name the stream todo.txt so that Notepad can open it as well:
echo Important - Kiss the girl next door tomorrow > library.txt:todo.txt
You can add whatever other information you like to this stream.
If you prefer to use Notepad, open the stream with the following command:
notepad.exe library.txt:todo.txt
Remember that Notepad appends .txt to a stream name without an extension, and that the first time you open a stream that doesn't exist yet it asks whether you want to create a new file, even though library.txt itself already exists; answering Yes creates the stream.

You can use the command line again to add a second hidden “compartment” with a different name:
echo think-techie.com is really cool > library.txt:secrets.txt
If you check your file system you will find a single file, library.txt, reported as 0 bytes. The size Explorer and dir show is always the size of the unnamed default stream (::$DATA), which is still empty. You can even open the file by double-clicking on it and type whatever data you want to make it look normal; the hidden streams are unaffected.

You can even do something more cool like this:
C:\> type C:\windows\system32\notepad.exe > c:\windows\system32\calc.exe:notepad.exe
C:\> start c:\windows\system32\calc.exe:notepad.exe
With similar commands you can also hide applications. Two caveats: writing into C:\Windows\System32 requires administrator rights, and on later Windows versions cmd's start command refuses to launch a stream this way, although a process can still be created from a stream by other means. Note that calc.exe itself is untouched; it merely gained a stream.

Notes:
  1. The streams are independent of one another and of the main file; writing to one does not change the others.
  2. You need a tool that accepts the FileName:StreamName syntax (the command line, Notepad) to reach the hidden data; Explorer won't show it.
  3. Streams survive a copy only within NTFS. Copying the file to a non-NTFS volume (FAT32, exFAT, a non-NTFS network share), sending it as an e-mail attachment, or packing it into a zip archive keeps only the unnamed stream.

Reading a Stream

You can read data from a stream by redirecting it into the more command, or by opening it in Notepad, with the following syntax:
more < FileName:StreamName
or
notepad.exe FileName:StreamName
For instance,
notepad.exe library.txt:todo.txt
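The write and read steps above, done with PowerShell's stream-aware cmdlets instead of cmd.exe redirection. This is an added example, not code from the original post; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and uses the post's file and stream names in the current directory (the copy's name is an assumption).

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+ on NTFS;
# file and stream names follow the post, the working directory is assumed.
$file = 'library.txt'

# The unnamed stream (::$DATA) is what Explorer and a normal open show.
Set-Content -Path $file -Value 'Books I own'

# Each hidden "compartment" is just a named stream on the same file.
Set-Content -Path $file -Stream 'todo.txt'    -Value 'Kiss the girl next door tomorrow'
Set-Content -Path $file -Stream 'secrets.txt' -Value 'think-techie.com is really cool'

# Length reports only the unnamed stream, so the file still looks tiny.
(Get-Item -Path $file).Length

# Enumerate every stream; the unnamed one is listed as ':$DATA'.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read one stream back (equivalent of: more < library.txt:todo.txt).
Get-Content -Path $file -Stream 'todo.txt'

# A copy within the same NTFS volume keeps the streams (CopyFile preserves them).
Copy-Item -Path $file -Destination 'library-copy.txt'
Get-Item -Path 'library-copy.txt' -Stream * | Select-Object Stream, Length

# Delete a single stream without touching the rest of the file.
Remove-Item -Path $file -Stream 'secrets.txt'
Get-Item -Path $file -Stream * | Select-Object Stream, Length
```

Get-Item -Stream * is the quickest built-in way to answer "does this file carry anything besides its visible content"; every file returns at least the ':$DATA' entry, so only the extra rows matter.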
Of course these files aren’t completely hidden. The Sysinternals command-line tool Streams.exe lists the files under a path that carry streams, with each stream’s name and size (streams -s walks a whole directory tree), and from Windows Vista onward the DIR command shows them too when run with the /R switch.

For instance, in our scenario we’d use the following syntax:
streams.exe library.txt
and the result would be:
C:\>streams.exe library.txt

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\library.txt:
   :secrets.txt:$DATA	34
   :todo.txt:$DATA	46
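A defender's version of the same check: walk a directory tree, list every alternate stream, and flag the ones that begin with the "MZ" header of a Windows executable. This is an added example, not code from the original post or from Sysinternals; it assumes Windows PowerShell 3.0 or later on NTFS. The root path and the list of streams it ignores are assumptions you would adjust.

```powershell
# Added example, not from the original post. Hunts for alternate data streams
# under $Root and marks streams whose first two bytes are "MZ" (a PE image).
# Assumes PowerShell 3.0+ on NTFS; $Root and $IgnoreStreams are assumed defaults.
param(
    [string]$Root = 'C:\Users',
    # ':$DATA' is the file's own unnamed stream; Zone.Identifier is the
    # Mark-of-the-Web stream browsers attach to downloads, so both are noise here.
    [string[]]$IgnoreStreams = @(':$DATA', 'Zone.Identifier')
)

function Test-PeHeader {
    param([string]$StreamPath)
    # .NET's FileStream accepts the file:stream path form directly.
    try {
        $fs = [System.IO.File]::Open($StreamPath, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)   # "MZ"
        } finally {
            $fs.Dispose()
        }
    } catch {
        return $false   # unreadable stream: report it, but don't claim it is a PE
    }
}

$findings = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $IgnoreStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    File        = $file
                    Stream      = $_.Stream
                    Length      = $_.Length
                    LooksLikePE = Test-PeHeader -StreamPath "${file}:$($_.Stream)"
                }
            }
    }

$findings | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

Treat LooksLikePE as a triage hint, not a verdict: an attacker can store a script, a compressed blob or an encrypted payload in a stream just as easily, so every stream that is neither the unnamed one nor Zone.Identifier deserves a look.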

Conclusion

This isn’t a secure way to hide data: any stream enumerator finds it in seconds, and endpoint monitoring such as Sysmon records stream creation (event ID 15, FileCreateStreamHash). It’s just one of those things that can be used for fun or be handy here and there, and it is worth knowing about when you examine a machine you suspect has been compromised.


3 comments:


Stefano said...

For people who are experienced with scripting, the JSWare component jsSys3.dll may be of interest. It provides access to Windows API functionality that script cannot use directly. In the latest update of jsSys3 a number of functions have been added for enumerating, reading and deleting hidden ADS files. An included sample script demonstrates how to hunt down and delete all ADS files on a PC quickly and easily.



Bruno Simões said...

Thank you Stefano for sharing with us that information.



Anonymous said...

Very useful