Anyone know how to find them? Creating them is easy enough but finding them? All I've found is that sysinternals uses "an undocumented feature".
Seems easy to find if you know the stream name but if you don't?
I was thinking how Windows (IE, not sure about others) will tag a downloaded file with a "zone" stream, that's where you get the property "this file came from another computer".
Would it be a good idea to put the download URL there? It'd be nice to know which website malware comes from.
AlternateStreamView - View/Copy/Delete NTFS Alternate Data Streams :
http://www.nirsoft.net/utils/alternate_data_streams.html
Sorry Vortex, I should have specified "which API can I use to write my own program".
It seems (seemed?) to be a bit of a security hole so there's not much information about *how* to find them.
FindFirstStreamW :
http://msdn.microsoft.com/en-us/library/windows/desktop/aa364424%28v=vs.85%29.aspx
Quote:
Minimum supported client: Windows Vista [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Some info from ms:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa364404%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/bb540537(v=vs.85).aspx
and found this as well, which seems to cover a bit more info along with some command line tools and usage examples:
http://www.flexhex.com/docs/articles/alternate-streams.phtml
Quote from: sinsi on August 07, 2013, 05:42:44 PM
Anyone know how to find them? Creating them is easy enough but finding them? All I've found is that sysinternals uses "an undocumented feature".
Hi, sinsi
You're right, the "streams" utility (http://technet.microsoft.com/en-us/sysinternals/bb897440) from the Sysinternals suite does this job.
Also, Windows 7 features a new command line parameter for "DIR": /r
http://stackoverflow.com/questions/16333782/how-to-display-only-files-that-have-alternate-data-streams-in-command-prompt
P.S.: This is a very nice topic for discussion :t
Someone help me write a program to create one.
I will do a search for it. I lost a lot of search code when I had to reinstall XP.
I know it only works on NTFS and it's lost if you copy it to a pen drive.
http://www.irongeek.com/i.php?page=security/altds
Vortex: that's what I was looking for, can't believe I missed it :t
fearless: nice links, msdn is a bit lacking
vertograd: yes, wonder if vista has it?
Magnum: it's an NTFS thing; if a pen drive is FAT then streams aren't supported by the file system.
Simple to create one; interestingly, there can be more than one stream associated with a file.
```asm
include \masm32\include\masm32rt.inc

.data
count dd ?                      ; bytes written, filled in by WriteFile
fname db 'testfile.txt'         ; main file name, terminated by the 0 below...
sname db 0,'noseeum'            ; ...which is patched to ':' to form "file:stream"
      db 0                      ; terminator for "testfile.txt:noseeum"

.code
start:
    ; 1. create the file itself (this is its unnamed data stream)
    invoke CreateFile,offset fname,GENERIC_WRITE,FILE_SHARE_WRITE,0,OPEN_ALWAYS,0,0
    cmp eax,INVALID_HANDLE_VALUE
    jz create1fail
    mov ebx,eax
    invoke WriteFile,ebx,offset fname,sizeof fname,offset count,0
    invoke CloseHandle,ebx

    ; 2. turn "testfile.txt" into "testfile.txt:noseeum" and open that:
    ;    the file:stream syntax makes CreateFile create/open a named stream
    mov sname,':'
    invoke CreateFile,offset fname,GENERIC_WRITE,FILE_SHARE_WRITE,0,OPEN_ALWAYS,0,0
    cmp eax,INVALID_HANDLE_VALUE
    jz create2fail
    mov ebx,eax
    invoke WriteFile,ebx,offset sname,sizeof sname,offset count,0
    invoke CloseHandle,ebx
    invoke ExitProcess,0

create1fail:
    print "Create file failed", 13, 10
    inkey
    invoke ExitProcess,1

create2fail:
    print "Create stream failed", 13, 10
    inkey
    invoke ExitProcess,2

end start
```
How many uses can you think of for this? Unfortunately, I can think of more dodgy things than beneficial things...
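The same create-then-enumerate exercise as the MASM program above, written in PowerShell (an added example, not code from this thread); the file name and stream name are constructed for the demo, and Get-Item -Stream is the cmdlet surface over the same stream enumeration FindFirstStreamW exposes:

```powershell
# Added example: create a file with a named stream, then list every stream on it
# the way dir /r does. Path and stream name are constructed for the demo.
$path = Join-Path $env:TEMP 'testfile.txt'

# Unnamed (main) stream: this is what dir, Explorer and Length report as the file size
Set-Content -Path $path -Value 'visible data' -NoNewline

# Named stream "noseeum": same file, separate data, not counted in the file size
Set-Content -Path $path -Stream 'noseeum' -Value 'data that dir does not count' -NoNewline

# Enumerate every stream on the file. ':$DATA' is the unnamed stream;
# any other entry is an alternate data stream.
Get-Item -Path $path -Stream * |
    Select-Object FileName, Stream, Length

# The visible size covers only the unnamed stream
(Get-Item -Path $path).Length

# Read the named stream back by name (file:stream syntax works too)
Get-Content -Path $path -Stream 'noseeum'

# Remove just the named stream; the file and its main data stay intact
Remove-Item -Path $path -Stream 'noseeum'
```

Set-Content/Get-Content/Remove-Item accept -Stream from PowerShell 3.0 on; -NoNewline needs 5.0.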
Well, when you download a file from the internet, it typically has an alternate stream that says it was from some other machine.
I have wanted to write a little app that would "clear" all these off in a specified folder and subfolders.
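A PowerShell version of that "clear the zone stream from a folder tree" app, which also answers sinsi's earlier question about recording the download URL: newer Windows builds and browsers write a HostUrl line into the same Zone.Identifier stream. This is an added example, not code from the thread; the folder and the -Remove switch are assumptions, and without -Remove it only reports.

```powershell
# Added example: find files under a folder that carry the Zone.Identifier
# (mark-of-the-web) stream, show zone and recorded download URL, optionally strip it.
param(
    [string]$Root = '.',
    [switch]$Remove          # assumption: report-only unless this switch is given
)

Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    # Get-Item -Stream errors when the stream is absent, so probe quietly
    $zone = Get-Item -Path $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $zone) { return }

    # The stream is INI-style text, e.g.
    #   [ZoneTransfer]
    #   ZoneId=3
    #   HostUrl=https://example.test/setup.exe   (only written by newer downloaders)
    $fields = @{}
    Get-Content -Path $file.FullName -Stream 'Zone.Identifier' | ForEach-Object {
        if ($_ -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }

    [pscustomobject]@{
        File    = $file.FullName
        ZoneId  = $fields['ZoneId']       # 3 = Internet, 4 = Restricted sites
        HostUrl = $fields['HostUrl']      # empty when the downloader did not record it
        Bytes   = $zone.Length
    }

    if ($Remove) {
        # Same effect as Explorer's "Unblock" button or the Unblock-File cmdlet
        Remove-Item -Path $file.FullName -Stream 'Zone.Identifier'
    }
}
```

Worth reporting before removing: the ZoneId is what SmartScreen, Office Protected View and PowerShell's execution policy key off, so stripping it tree-wide also removes those checks for every file it touches.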
Hi sinsi,
Quote: How many uses can you think of for this? Unfortunately, I can think of more dodgy things than beneficial things...
You could need to manage the NTFS alternate data streams to write a file-level backup utility.
Sinsi,
I have to agree with you.
Since it hides files and size changes, it is very suspect at best.
I am curious whether doing a directory listing and noting the number of bytes, then doing another listing after an alternate data stream has been made, would show a difference.
Andy
Quote from: sinsi on August 09, 2013, 06:18:57 PM
vertograd: yes, wonder if vista has it?
Ok... Vista does have it. Sorry, I was wrong.
It's interesting how many streams are allowed for a single file, and are there any restrictions on the size of hidden data?
I saw that someone added on a movie, so it must be large.
Windows actually treats the file itself as an unnamed stream, so the size limit should be the normal NTFS limits.
As far as malicious goes, my antivirus (MSE) picked up a stream containing the standard virus tester (eicar?).
Doing a "dir/r" and comparing with "dir" shows the stream and its size but doesn't add it to the total file sizes.
WinRAR has an option to include streams when adding files too.
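The "dir /r versus dir" comparison above, and Andy's earlier question about whether a listing shows the difference, as an added PowerShell audit script (not code from the thread): per file it sums the bytes held in named streams and sets that beside the Length that dir and backup tools report. The folder is an assumption.

```powershell
# Added example: for every file under a folder, report bytes held in named streams
# (visible only with dir /r) next to the Length that plain dir totals.
function Get-HiddenStreamBytes {
    param([string]$Root = '.')   # assumption: folder to audit

    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # All streams on the file; ':$DATA' is the unnamed (main) stream, skip it
        $streams = Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        if (-not $streams) { return }

        $hidden = ($streams | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            File         = $file.FullName
            VisibleBytes = $file.Length           # what dir and Explorer total
            HiddenBytes  = $hidden                # what only dir /r shows
            Streams      = ($streams.Stream -join ', ')
        }
    }
}

# Largest hidden payload first: a Zone.Identifier of a few dozen bytes is routine,
# a named stream of megabytes on an unexpected file is the thing to look at
Get-HiddenStreamBytes -Root 'C:\Users\Public' |
    Sort-Object HiddenBytes -Descending |
    Format-Table -AutoSize
```

Because copying to FAT (pen drives), most archivers and many backup tools drop named streams, the HiddenBytes column is also a quick way to see what a backup would silently lose.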