Author Topic: [NTFS] Creating and reading ADS's  (Read 4410 times)

0 Members and 2 Guests are viewing this topic.

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
[NTFS] Creating and reading ADS's
« on: July 30, 2006, 06:03:41 pm »
Start with an empty folder, in this example:

Code: [Select]
C:\Documents and Settings\Administrator\Desktop\ADS>dir
 Volume in drive C has no label.
 Volume Serial Number is FC4F-FAEA

 Directory of C:\Documents and Settings\Administrator\Desktop\ADS

07/30/2006  04:54 PM    <DIR>          .
07/30/2006  04:54 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  97,243,013,120 bytes free

Create the file that the (soon to be) hidden file will be put in, as well as the file we're going to hide.
Code: [Select]
C:\Documents and Settings\Administrator\Desktop\ADS>echo "This is a test file." > file.txt

C:\Documents and Settings\Administrator\Desktop\ADS>echo "This is a hidden test file." > hiddenfile.txt

Make sure they're there..
Code: [Select]
C:\Documents and Settings\Administrator\Desktop\ADS>type file.txt
"This is a test file."

C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt
"This is a hidden test file."

Put the second file into the first:
Code: [Select]
C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt > file.txt:hiddenfile.txt
Delete the second file, because there's now a copy of it in the first file's ADS:
Code: [Select]
C:\Documents and Settings\Administrator\Desktop\ADS>del hiddenfile.txt
The first file is still there, and the ADS for the second is nowhere to be seen:
Code: [Select]
C:\Documents and Settings\Administrator\Desktop\ADS>dir
 Volume in drive C has no label.
 Volume Serial Number is FC4F-FAEA

 Directory of C:\Documents and Settings\Administrator\Desktop\ADS

07/30/2006  04:56 PM    <DIR>          .
07/30/2006  04:56 PM    <DIR>          ..
07/30/2006  04:56 PM                25 file.txt
               1 File(s)             25 bytes
               2 Dir(s)  97,243,013,120 bytes free

Copy the ADS back to a normal file, by the same name:
Code: [Select]
C:\Documents and Settings\Administrator\Desktop\ADS>more < file.txt:hiddenfile.txt > hiddenfile.txt
And there's your stuff!
Code: [Select]
C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt
"This is a hidden test file."


Does anyone know how to remove the ADS from the original file?


Modified title for accuracy.
« Last Edit: July 30, 2006, 10:37:49 pm by MyndFyre[x86] »
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: [NTFS/Hacking] Creating and reading ADS's
« Reply #1 on: July 30, 2006, 06:23:17 pm »
We know?

The only way that I'm aware of is to do something like this:

rename f1 f2
type f2 > f1
delete f2


Also, how the hell is this hacking? ...

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: [NTFS/Hacking] Creating and reading ADS's
« Reply #2 on: July 30, 2006, 10:12:59 pm »
We know?

He told us how to put a file in and then run the stream, but not how to give the file a name for itself.

The only way that I'm aware of is to do something like this:

rename f1 f2
type f2 > f1
delete f2


Deleting the alternate data stream. :P

Also, how the hell is this hacking? ...

I can't think of any use anyone has for this feature except for doing something destructive.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: [NTFS/Hacking] Creating and reading ADS's
« Reply #3 on: July 30, 2006, 10:30:18 pm »
He told us how to put a file in and then run the stream, but not how to give the file a name for itself.

::)

Deleting the alternate data stream. :P

That does delete the ADS in a somewhat convoluted and indirect way.  After some searching, I didn't see any other way to do it.

I can't think of any use anyone has for this feature except for doing something destructive[/url].

File "summaries" use this.  So do thumbnails.  There are plenty of uses; you're just not thinking hard enough.  Regardless of what it can potentially do, though, this is not hacking by any stretch.  You're utilizing a native feature of NTFS.

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: [NTFS/Hacking] Creating and reading ADS's
« Reply #4 on: July 30, 2006, 10:37:04 pm »
I can't think of any use anyone has for this feature except for doing something destructive.
That doesn't make it accurate. 

For instance, when you download a file from the internet, Windows creates an alternate data stream that specifies that it was.  Whenever you try to execute an executable file that was downloaded (and has that ADS), Windows prompts you with a security dialog.  The security dialog provides an option to "not be asked this every time," and if you decide not to be asked, the ADS is cleared.

There are other situations where Windows does this, including the use of storing file metadata.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: [NTFS/Hacking] Creating and reading ADS's
« Reply #5 on: July 31, 2006, 12:08:28 am »
We know?

He told us how to put a file in and then run the stream, but not how to give the file a name for itself.

It doesn't. It takes the original file's name. Try putting calc.exe inside of notepad.exe and running notepad:calc.exe. It'll show up in Task Manager as notepad.exe iirc.

You never gave it an original name. You copied it to a new file. Dumbass.

This has nothing to do with hacking, and barely anything to do with NTFS, and is just basically what iago said except slightly less explained/technical. Please, Joe, be innovative; write something new.

Perhaps write something that will scan for files in alternate data streams? Modify clamwin with a patch that'll do this?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: [NTFS/Hacking] Creating and reading ADS's
« Reply #6 on: July 31, 2006, 12:23:50 am »
It doesn't. It takes the original file's name. Try putting calc.exe inside of notepad.exe and running notepad:calc.exe. It'll show up in Task Manager as notepad.exe iirc.

You never gave it an original name. You copied it to a new file. Dumbass.

This has nothing to do with hacking, and barely anything to do with NTFS, and is just basically what iago said except slightly less explained/technical. Please, Joe, be innovative; write something new.

Perhaps write something that will scan for files in alternate data streams? Modify clamwin with a patch that'll do this?

Even that's already been done in fairly intricate detail: http://www.heysoft.de/nt/ep-lads.htm