Windows Alternate Data Streams

  • February 17, 2004
  • Read 298,284 times
 

Introduction

Anyone who is in the security arena should know about Windows Alternate Data Streams, otherwise known as ADS. Though not highly publicized, lack of this little known attribute of the Windows NTFS file system may affect how you solve a problem in the future.

ADS were introduced into the Windows NTFS file system starting in Windows NT 3.1. This 'feature' was implemented in order to allow compatibility with the Macintosh Hierarchical File System (HFS). In brief, the Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork is used to tell the operating system how to use the data portion. Windows does a similar thing through extensions such as .bat, .exe, .txt, .html. These extensions tell the operating system how to use the particular data found in the files.

For windows to be compatible with the Macintosh file system, they introduced alternate data streams. This hidden stream is used as the resource fork was used; to tell the system how to use the data contained in the file.

Though ADS was created for compatibility with the Mac world, it is not solely used for that purpose. Many applications use ADS to store attributes of a file in them. For example if you make a text document, and right click and go into its properties you will see a summary page. This summary information is attached to the file via ADS. I will show you more on that later and applications to see this information.

In summary, think of ADS as hidden files that are attached to the visible ones. The main reason they are so dangerous is that they are not well known, are generally hidden to the user, and that there are few security programs that can recognize them.

Programs to view ADS

Before I continue I want to mention some, not all, programs that can be used to view ADS. This is so as you read this tutorial, and follow some examples, you can actually see the ADS files that you are creating.

The programs are as follows:

Lads - http://www.heysoft.de/Frames/f_sw_la_en.htm
ADSSpy

How to make an ADS

From a command prompt, the following is an example on how to make an ADS:

C:\test>echo "ADS" > test.txt:hidden.txt

A new ADS has just been created called hidden.txt and attached to the file test.txt. The ADS file is shown after the : , and : must be used when adding an ADS.

If you do a DIR in that directory all you see is the normal file.

Folder ADS

On the other hand if you run LADS, you can see the ADS, hidden.txt 9, attached to the test.txt file

C:\test>lads

LADS - Freeware version 3.21
(C) Copyright 1998-2003 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:\test\

      size  ADS in file
----------  ---------------------------------
         8  C:\test\test.txt:hidden.txt

         8 bytes in 1 ADS listed

If you wanted to view the ADS hidden.txt, or add information to it, just run notepad to open the file.

For example:

C:\test> notepad test.txt:hidden.txt

This will open the file in notepad and allow you to edit it and save it.

You can also use notepad to create an ADS file. Just type:

C:\test>notepad another.txt:ads.txt

Notepad will launch and say this file does not exist and would you like to create it. You would say yes, and then enter the information and save it. This method has just created a new ADS called ads.txt.

ADS files do not have to be attached to a file, but can also be attached a directory. This causes a problem when you create an ADS against a root of a hard drive as it makes it impossible to remove the ADS unless you reformat. If someone knows of a program that can fix this, please let me know.

Here is an example on how to make an ADS against a directory:

C:\test> echo test> :hidden.txt

This command has now attached an ADS to the directory itself. Run LADS to see the ADS attached to the directory.


What is so harmful about this?

What if I told you that ADS can also be used with executable files? Thats right, ADS files that are executable can be attached to any file just like you attached .txt files, and just like the text files, would be hidden from most software.

Here is an example:

C:\test> type c:\windows\notepad.exe > ads.txt:hidden.exe

You have now created an ADS file called hidden.exe and attached it to the text file ads.txt. Once again, if you Dir the directory you will just see ads.txt, and not hidden.exe. Run LADS, and you will see the ADS.

There is a caveat to launching executable files that are ADS files. You must always use the START command to launch the ADS executable and you must always use the full path of the file. Here are some examples of working commands and non-working commands.

I will first make my ADS executable:

C:\test> type c:\windows\notepad.exe > ads.txt:np.exe

Commands that do not launch the np.exe ADS executable:

C:\test>ads.txt:np.exe
The filename, directory name, or volume label syntax is incorrect.

C:\test>c:\test\ads.txt:np.exe
The filename, directory name, or volume label syntax is incorrect.:

C:\test>start ads.txt:np.exe
Access is denied.


The command that will launch the executable:

C:\test>start c:\test\ads.txt:np.exe

As you can see, you must use the full path of the ADS executable file.

How to Delete ADS Files

ADS files are not particularly hard to delete, but they can cause problems. In order to delete an ADS attached to a file, just delete the file. Lets say for example that you have a file called number.txt and there was an ADS attached called hidden.txt. You want to get rid of the hidden.txt file, but keep the info in number.txt, so you just cant delete number.txt.

In order to do this you would do something like the following:

C:\test>ren number.txt temp.txt
C:\test>type temp.txt > number.txt
C:\test>del temp.txt


In order to delete ADS files that are attached to a directory, you need to delete the directory. This can cause a major problem if the ADS is attached to the root of a hard drive. Since you cannot delete the ADS in this way unless you reformat the drive, you can do this to get rid of the unwanted information in the ADS file.

C:\test>echo empty > filler.txt
C:\test>type filler.txt > :badads.txt



Update - 11/11/04

 

 

Since I wrote this tutorial there have been a few malware programs that have been released to infect your machine using Alternate Data Stream files. Due to this there have been improvements in the software available to remove these types of programs from your computer. One program that will search for ADS files on your computer and then provide a list that you can remove is ADSSPY. You can find a link to that program below:

ADSSPY Download Link


Other Uses for ADS

In the beginning I mentioned that there are other uses for ADS files. Certain files in Windows have a summary tab in their properties. One example of this is .txt documents. If you create a new .txt document, and right click on it, and select summary, you can fill in some information.

This information is saved as ADS files attached to the document. For example, we have a file called readme.txt. If I go into the summary section and enter my name into the Title field and press OK, that information will be saved as an ADS.

You can see this as follows:

C:\test>lads

LADS - Freeware version 3.21

Scanning directory C:\test\

size ADS in file
---------- ---------------------------------
11 C:\test\:hidden.txt
120 C:\test\readme.txt:?SummaryInformation
0 C:\test\readme.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

131 bytes in 3 ADS listed


Summary

As you can see ADS can definitely be used for much more than was bargained for when Microsoft introduced them. They have the legitimate uses, but can definitely be used for darker intentions.

In summary here are the reasons why ADS can be considered problematic:

- There are few programs that detect ADS.
- Removing ADS can be difficult.
- Explorer and Dir when determining free space do not calculate the space used by ADS.
- You can hide an executable as an ADS.
 

Users who read this also read:

  • HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware Image
    HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware

    HijackThis is a utility that produces a listing of certain settings found in your computer. HijackThis will scan your registry and various other files for entries that are similar to what a Spyware or Hijacker program would leave behind. Interpreting these results can be tricky as there are many legitimate programs that are installed in your operating system in a similar manner that Hijackers get ...

  • Windows Forensics: Have I been Hacked? Image
    Windows Forensics: Have I been Hacked?

    One of the top questions I see on forums is "How do I know if I have been hacked?". When something strange occurs on a computer such as programs shutting down on their own, your mouse moving by itself, or your CD constantly opening and closing on its own, the first thing that people think is that they have been hacked. In the vast majority of cases there is a non-malicious explanation ...

  • Wie HijackThis genutzt wird um Browser Hijacker + Spyware zu entfernen (HijackThis Tutorial in German) Image
    Wie HijackThis genutzt wird um Browser Hijacker + Spyware zu entfernen (HijackThis Tutorial in German)

    HijackThis sollte nur benutzt werden wenn Ihr Browser oder Computer immer noch Probleme aufweist, nach dem Sie Spybot oder andere Spyware/Hijack entferner laufen hatten. HijackThis ist ein Programm für Fortgeschrittene und benötigt daher ein erweitertes Wissen über Windows und Operations Systeme im generellen. Wenn Sie aufgelistete Elemente löschen, ohne zu wissen was Sie sind, ...

  • Tutoriel HijackThis - Comment utiliser HijackThis pour supprimer les pirates de navigateur, les pubs & les espiogiciels Image
    Tutoriel HijackThis - Comment utiliser HijackThis pour supprimer les pirates de navigateur, les pubs & les espiogiciels

    HijackThis ne doit être utilisé que dans le cas où votre navigateur ou votre ordinateur continue à avoir des problèmes après l'exécution de Spybot-S&D ou d'un autre nettoyeur d'Espiogiciels (Spyware)/Pirates (Hijackers). HijackThis est un outil évolué, et par conséquent il requiert des connaissances approfondies ...

  • How to remove a Trojan, Virus, Worm, or other Malware Image
    How to remove a Trojan, Virus, Worm, or other Malware

    If you use a computer, read the newspaper, or watch the news, you will know about computer viruses or other malware. These are those malicious programs that once they infect your machine will start causing havoc on your computer. What many people do not know is that there are many different types of infections that are categorized in the general category of Malware.

 

Comments:

blog comments powered by Disqus
search tutorials
ThreatLocker

Login