Alternate Data Streams

I sent this to some of my coworkers.  You might find this interesting too..

One of the members of a technical forum to which I belong had a virus detected in a dll that he could not find anywhere on his computer.  In the end, it was discovered that the file was embedded as Alternate Data Stream (ADS) attached to his System32 directory.  The full path to the file was something simlar to c:\windows\system32:dhht.dll.

I was not familiar with using streams in this manner; so I looked it up.  In short, any file or directory on an NTFS drive can any number of files piggy-backed onto it without affecting its reported file size.  These files remain intact through normal file copying and renaming actions as long as the file remains on an NTFS drive (or compatible archiver).

I’ve never come across this before and thought I would share.

Summary/Demo….    (adjust paths as necessary)
1. Create a directory off the root called test
2. From the command prompt in your test directory type:
   Echo a>test.txt
   That will create a nice 3 byte text file.
3. Now type:
   type c:\Windows\system32\notepad.exe>test.txt:notepad.exe
4. Get another directory listing and notice that the size of test.txt remains 3 bytes though an additional ~70kb has been added to it.  The time has changed but that could be set back.
5. Now, from the command prompt in your test directory, execute the hidden stream:
   start \test\test.txt:Notepad.exe
   (You must use include the path to test.txt)

You are now running an exe that was hidden in 3 byte text file.

Windows supplies no tools to display this.  The attached zip file, also referenced in this article, includes an exe that does.

The Task Manager shows the running proces in different ways depending upon your Windows version.  In SP2, the executable is listed as test.txt:Notepad.exe. However, in earlier versions of windows, only the host file is listed.  So, if you’d embeded Notepad.exe in calc.exe, calc.exe would be in the task list even though you’d be running Notepad.  Nifty huh?

Of course, you’ll have to find a transport/archiver that supports these streams, if you want to distribute them.  Outlook and WinZip do not seem to do so.

Apparently ADS are there for backwards compatibility with a Macintosh file system (HFS).  I’m not sure why we’d want/need that…

Add a Comment

Your email address will not be published. Required fields are marked *