NTFS alternate data streams

[sinsi]

Anyone know how to find them? Creating them is easy enough but finding them? All I've found is that sysinternals uses "an undocumented feature".
Seems easy to find if you know the stream name but if you don't?

I was thinking how Windows (IE, not sure about others) will tag a downloaded file with a "zone" stream, that's where you get the property "this file came from another computer".
Would it be a good idea to put the download url there? Be nice to know which website malware comes from.

[Vortex]

AlternateStreamView - View/Copy/Delete NTFS Alternate Data Streams :

http://www.nirsoft.net/utils/alternate_data_streams.html

[sinsi]

Sorry Vortex, I should have specified "which API can I use to write my own program".
It seems (seemed?) to be a bit of a security hole so there's not much information about *how* to find them.

[Vortex]

FindFirstStreamW :

http://msdn.microsoft.com/en-us/library/windows/desktop/aa364424%28v=vs.85%29.aspx

Minimum supported client
   Windows Vista [desktop apps only]

Minimum supported server
   Windows Server 2003 [desktop apps only]

[fearless]

Some info from ms:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa364404%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/bb540537(v=vs.85).aspx

and found this as well, which seems to cover a bit more info along with some command line tools and usage examples:

http://www.flexhex.com/docs/articles/alternate-streams.phtml

[GoneFishing]

Anyone know how to find them? Creating them is easy enough but finding them? All I've found is that sysinternals uses "an undocumented feature".

Hi , sinsi
You're right "streams" utility from Sysinternals suite does this job.

Also Windows 7 features new "DIR" 's  command line parameter /r
http://stackoverflow.com/questions/16333782/how-to-display-only-files-that-have-alternate-data-streams-in-command-prompt

P.S. : This's a very nice  topic  for discussion  :t

[Magnum]

Someone help me write a program to create one.

I will do a search for it. I lost a lot of search code when I had to reinstall XP.

I know it only works on NTFS and it's lost if you copy it to a pen drive.

[Magnum]

http://www.irongeek.com/i.php?page=security/altds

[sinsi]

Vortex: that's what I was looking for, can't believe I missed it  :t
fearless: nice links, msdn is a bit lacking
vertograd: yes, wonder if vista has it?
Magnum: it's an ntfs thing, if a pen drive is fat then streams aren't supported by the file system.

Simple to create one, interestingly there can be more than one stream associated with a file.

Code Select Expand

include \masm32\include\masm32rt.inc

.data
count dd ?
fname db 'testfile.txt'
sname db 0,'noseeum'
db 0

.code
start:

invoke CreateFile,offset fname,GENERIC_WRITE,FILE_SHARE_WRITE,0,OPEN_ALWAYS,0,0
cmp eax,INVALID_HANDLE_VALUE
jz create1fail
mov ebx,eax

invoke WriteFile,ebx,offset fname,sizeof fname,offset count,0
invoke CloseHandle,ebx

mov sname,':'
invoke CreateFile,offset fname,GENERIC_WRITE,FILE_SHARE_WRITE,0,OPEN_ALWAYS,0,0
cmp eax,INVALID_HANDLE_VALUE
jz create2fail
mov ebx,eax

invoke WriteFile,ebx,offset sname,sizeof sname,offset count,0
invoke CloseHandle,ebx


      invoke ExitProcess,0


create1fail:
    print "Create file failed", 13, 10
    inkey
    invoke ExitProcess,1

create2fail:
    print "Create stream failed", 13, 10
    inkey
    invoke ExitProcess,2

end start


How many uses can you think for this? Unfortunately, I can think of more dodgy things than beneficial things...

[dedndave]

well - when you download a file from the internet, it typically has an alternate stream that says it was from some other machine

i have wanted to write a little app that would "clear" all these off in a specified folder and subfolders

[Vortex]

Hi sinsi,

How many uses can you think for this? Unfortunately, I can think of more dodgy things than beneficial things...

You could need to manage the NTFS alternate data streams to write a file-level backup utility.

[Magnum]

Sinsi,

I have to agree with you.

Since it hides files and size changes, it is very suspect at best.

I am curious if doing a directory listing and noting the number of bytes and then
doing another listing after an alternate data stream has been made and seeing if there is a difference.


Andy

[GoneFishing]

vertograd: yes, wonder if vista has it?

Ok ...  Vista does have it . Sorry, I was wrong

It's interesting how many streams are allowed for a single file and are there any restrictions in size of hidden data?

[Magnum]

I saw that someone added on a movie, so it must be large.

[sinsi]

Windows actually treats the file itself as an unnamed stream, so the size limit should be the normal NTFS limits.
As far as malicious goes, my antivirus (MSE) picked up a stream containing the standard virus tester (eicar?).
Doing a "dir/r" and comparing with "dir" shows the stream and its size but doesn't add it to the total file sizes.
WinRAR has an option to include streams when adding files too.