[NTFS] Creating and reading ADS's

[Joe]

Start with an empty folder, in this example:

Code: [Select]

C:\Documents and Settings\Administrator\Desktop\ADS>dir
 Volume in drive C has no label.
 Volume Serial Number is FC4F-FAEA

 Directory of C:\Documents and Settings\Administrator\Desktop\ADS

07/30/2006  04:54 PM    <DIR>          .
07/30/2006  04:54 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  97,243,013,120 bytes free
Create the file that the (soon to be) hidden file will be put in, as well as the file we're going to hide.

Code: [Select]

C:\Documents and Settings\Administrator\Desktop\ADS>echo "This is a test file." > file.txt

C:\Documents and Settings\Administrator\Desktop\ADS>echo "This is a hidden test file." > hiddenfile.txt
Make sure they're there..

Code: [Select]

C:\Documents and Settings\Administrator\Desktop\ADS>type file.txt
"This is a test file."

C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt
"This is a hidden test file."
Put the second file into the first:

Code: [Select]

C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt > file.txt:hiddenfile.txt
Delete the second file, because there's now a copy of it in the first file's ADS:

Code: [Select]

C:\Documents and Settings\Administrator\Desktop\ADS>del hiddenfile.txt
The first file is still there, and the ADS for the second is nowhere to be seen:

Code: [Select]

C:\Documents and Settings\Administrator\Desktop\ADS>dir
 Volume in drive C has no label.
 Volume Serial Number is FC4F-FAEA

 Directory of C:\Documents and Settings\Administrator\Desktop\ADS

07/30/2006  04:56 PM    <DIR>          .
07/30/2006  04:56 PM    <DIR>          ..
07/30/2006  04:56 PM                25 file.txt
               1 File(s)             25 bytes
               2 Dir(s)  97,243,013,120 bytes free
Copy the ADS back to a normal file, by the same name:

Code: [Select]

C:\Documents and Settings\Administrator\Desktop\ADS>more < file.txt:hiddenfile.txt > hiddenfile.txt
And there's your stuff!

Code: [Select]

C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt
"This is a hidden test file."

Does anyone know how to remove the ADS from the original file?


Modified title for accuracy.

[Sidoh]

We know?

The only way that I'm aware of is to do something like this:

rename f1 f2
type f2 > f1
delete f2

Also, how the hell is this hacking? ...

[Joe]

We know?

He told us how to put a file in and then run the stream, but not how to give the file a name for itself.

The only way that I'm aware of is to do something like this:

rename f1 f2
type f2 > f1
delete f2

Deleting the alternate data stream.

Also, how the hell is this hacking? ...

I can't think of any use anyone has for this feature except for doing something destructive.

[Sidoh]

He told us how to put a file in and then run the stream, but not how to give the file a name for itself.

Deleting the alternate data stream.

That does delete the ADS in a somewhat convoluted and indirect way.  After some searching, I didn't see any other way to do it.

I can't think of any use anyone has for this feature except for doing something destructive[/url].

File "summaries" use this.  So do thumbnails.  There are plenty of uses; you're just not thinking hard enough.  Regardless of what it can potentially do, though, this is not hacking by any stretch.  You're utilizing a native feature of NTFS.

[MyndFyre]

I can't think of any use anyone has for this feature except for doing something destructive.

That doesn't make it accurate. 

For instance, when you download a file from the internet, Windows creates an alternate data stream that specifies that it was.  Whenever you try to execute an executable file that was downloaded (and has that ADS), Windows prompts you with a security dialog.  The security dialog provides an option to "not be asked this every time," and if you decide not to be asked, the ADS is cleared.

There are other situations where Windows does this, including the use of storing file metadata.

[Newby]

We know?

He told us how to put a file in and then run the stream, but not how to give the file a name for itself.

It doesn't. It takes the original file's name. Try putting calc.exe inside of notepad.exe and running notepad:calc.exe. It'll show up in Task Manager as notepad.exe iirc.

You never gave it an original name. You copied it to a new file. Dumbass.

This has nothing to do with hacking, and barely anything to do with NTFS, and is just basically what iago said except slightly less explained/technical. Please, Joe, be innovative; write something new.

Perhaps write something that will scan for files in alternate data streams? Modify clamwin with a patch that'll do this?

[Sidoh]

It doesn't. It takes the original file's name. Try putting calc.exe inside of notepad.exe and running notepad:calc.exe. It'll show up in Task Manager as notepad.exe iirc.

You never gave it an original name. You copied it to a new file. Dumbass.

This has nothing to do with hacking, and barely anything to do with NTFS, and is just basically what iago said except slightly less explained/technical. Please, Joe, be innovative; write something new.

Perhaps write something that will scan for files in alternate data streams? Modify clamwin with a patch that'll do this?

Even that's already been done in fairly intricate detail: http://www.heysoft.de/nt/ep-lads.htm