<?xml version="1.0" encoding="UTF-8"?> <rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" ><channel><title>gHacks technology news &#187; Alternate Data Streams</title> <atom:link href="http://www.ghacks.net/tag/alternate-data-streams/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Sat, 20 Mar 2010 22:12:33 +0000</lastBuildDate> <generator>http://wordpress.org/?v=2.9.2</generator> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <item><title>Stream Explorer</title><link>http://www.ghacks.net/2008/07/26/stream-explorer/</link> <comments>http://www.ghacks.net/2008/07/26/stream-explorer/#comments</comments> <pubDate>Sat, 26 Jul 2008 18:13:18 +0000</pubDate> <dc:creator>Martin</dc:creator> <category><![CDATA[Windows]]></category> <category><![CDATA[software]]></category> <category><![CDATA[Alternate Data Streams]]></category> <category><![CDATA[data streams]]></category> <category><![CDATA[ntfs]]></category> <category><![CDATA[stream explorer]]></category><guid isPermaLink="false">http://www.ghacks.net/?p=5620</guid> <description><![CDATA[Stream Explorer is a handy application for Windows NT, Windows 2000, Windows XP and Windows Vista that displays the number of streams, or more precisely NTFS Alternate Data Streams, of every subfolder and file of a selected folder.
It therefore provides access to a very straightforward and visual way of identifying multiple data streams in [...]]]></description> <content:encoded><![CDATA[<p><a href="http://www.rekenwonder.com/streamexplorer.htm">Stream Explorer</a> is a handy application for Windows NT, Windows 2000, Windows XP and Windows Vista that displays the number of streams, or more precisely <a href="http://www.ghacks.net/2008/01/24/ntfs-alternate-data-streams/">NTFS Alternate Data Streams</a>, of every subfolder and file of a selected folder. It therefore provides access to a very straightforward and visual way of identifying multiple data streams in files and folders.</p><p>The program divides the information into four panes and a header area that provides access to a quick partition browser and program help. The other panes display the directory structure, the files and folders in the currently active directory including the number of streams of each file and folder, detailed information about each stream and a hex viewer that displays the contents of each stream.</p><p><span id="more-5620"></span><img src="http://www.ghacks.net/wp-content/uploads/2008/07/streamexplorer-500x375.gif" alt="stream explorer" title="stream explorer" width="500" height="375" class="size-medium wp-image-5621" /></p><p>The default stream is the one that gets executed when the user (double-)clicks on the file.
The main advantage of Stream Explorer is that it displays all information in one window.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/07/26/stream-explorer/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Hide Information in Files</title><link>http://www.ghacks.net/2008/06/30/hide-information-in-files/</link> <comments>http://www.ghacks.net/2008/06/30/hide-information-in-files/#comments</comments> <pubDate>Mon, 30 Jun 2008 19:24:47 +0000</pubDate> <dc:creator>Martin</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[Alternate Data Streams]]></category> <category><![CDATA[file system]]></category> <category><![CDATA[ntfs]]></category> <category><![CDATA[system forks]]></category> <category><![CDATA[windows-nt]]></category><guid isPermaLink="false">http://www.ghacks.net/?p=5156</guid> <description><![CDATA[You might have already read about Windows Alternate Data Streams (also known as System Forks on other operating systems) which are supported by most Windows operating systems that use NTFS (New Technology File System). Alternate Data Streams can contain any kind of information including textual, visual and executable. Malicious users can take advantage of the [...]]]></description> <content:encoded><![CDATA[<p>You might have already read about Windows Alternate Data Streams (also known as System Forks on other operating systems) which are supported by most Windows operating systems that use NTFS (New Technology File System). Alternate Data Streams can contain any kind of information including textual, visual and executable. Malicious users can take advantage of the fact that the size of the additional content is not added to the size of the file in a directory listing.
A 10 Kilobyte image will still show a size of 10 Kilobyte if someone else adds a 1 Megabyte executable to it.</p><p>Basically anything can be added to an existing file (and directory), which brings up an interesting method of hiding important data on the system. Say you want to keep your passwords on the computer but do not want to use a text document to have them in the open. Using Alternate Data Streams to hide them from prying eyes could be a relatively secure method of storing the password list on the computer.</p><p>They are detectable if the right software is being used. Windows Vista users can also use the command <em>dir *.txt /R</em>, which is further explained at <a href="http://bartdesmet.net/blogs/bart/archive/2006/07/13/4129.aspx">Bart De Smet&#8217;s</a> on-line blog.</p><p><span id="more-5156"></span>To add textual information to any file in Windows you could use the command <em>notepad filename:name</em>, for example <em>notepad image.jpg:secret</em>. This would open up Notepad and a blank text file at the first run.
Any text that is added and saved during that session will be shown if the user opens the text document with the same command at a later time.</p><p>Executable files or other binary files can be added with the type command like this: <em>type c:\text.exe > hello.txt:text.exe</em>, which can be executed with the start command <em>start .\hello.txt:text.exe</em>.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/06/30/hide-information-in-files/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>NTFS Alternate Data Streams</title><link>http://www.ghacks.net/2008/01/24/ntfs-alternate-data-streams/</link> <comments>http://www.ghacks.net/2008/01/24/ntfs-alternate-data-streams/#comments</comments> <pubDate>Thu, 24 Jan 2008 16:51:55 +0000</pubDate> <dc:creator>Martin</dc:creator> <category><![CDATA[Operating Systems]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[software]]></category> <category><![CDATA[Alternate Data Streams]]></category> <category><![CDATA[hacker]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[malicious]]></category> <category><![CDATA[ntfs]]></category> <category><![CDATA[virus]]></category><guid isPermaLink="false">http://www.ghacks.net/2008/01/24/ntfs-alternate-data-streams/</guid> <description><![CDATA[This article is going to explain NTFS Alternate Data Streams: what they are, where they are, how you can detect them, create them and how they are used by hackers. In short, NTFS Alternate Data Streams can be used by hackers to fork file data into existing files without altering the existing file's function or size. You can guess where this is going, right?
They make it relatively easy to hide malicious code inside them which is much harder to detect.]]></description> <content:encoded><![CDATA[<p>This article is going to explain NTFS Alternate Data Streams: what they are, where they are, how you can detect them, create them and how they are used by hackers. In short, NTFS Alternate Data Streams can be used by hackers to fork file data into existing files without altering the existing file&#8217;s function or size. You can guess where this is going, right? They make it relatively easy to hide malicious code inside them which is much harder to detect.</p><p>Creating NTFS Alternate Data Streams is not complicated at all. You can use the &#8220;type&#8221; command to do that. To fork the file virus.exe into calc.exe you would use the command <em>type virus.exe > calc.exe:virus:exe</em> if they are in the same directory. Add the path if they are not. The size of the calculator does not change; the only indicator is that the file&#8217;s changed timestamp is altered.</p><p>But executing those files must be harder, right? Wrong again. To execute virus.exe you use the command &#8220;start&#8221;; in our example it would be <em>start calc.exe:virus:exe</em>.</p><p><span id="more-2982"></span>Software like <a href="http://www.rekenwonder.com/streamexplorer.htm">Stream Explorer</a> can find those NTFS Alternate Data Streams on your hard drive. An alternative is List Alternate Data Streams.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/01/24/ntfs-alternate-data-streams/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> </channel> </rss>