Start with an empty folder, in this example:
C:\Documents and Settings\Administrator\Desktop\ADS>dir
Volume in drive C has no label.
Volume Serial Number is FC4F-FAEA
Directory of C:\Documents and Settings\Administrator\Desktop\ADS
07/30/2006 04:54 PM <DIR> .
07/30/2006 04:54 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 97,243,013,120 bytes free
Create the file that the (soon to be) hidden file will be put in, as well as the file we're going to hide.
C:\Documents and Settings\Administrator\Desktop\ADS>echo "This is a test file." > file.txt
C:\Documents and Settings\Administrator\Desktop\ADS>echo "This is a hidden test file." > hiddenfile.txt
Make sure they're there..
C:\Documents and Settings\Administrator\Desktop\ADS>type file.txt
"This is a test file."
C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt
"This is a hidden test file."
Put the second file into the first:
C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt > file.txt:hiddenfile.txt
Delete the second file, because there's now a copy of it in the first file's ADS:
C:\Documents and Settings\Administrator\Desktop\ADS>del hiddenfile.txt
The first file is still there, and the ADS for the second is nowhere to be seen:
C:\Documents and Settings\Administrator\Desktop\ADS>dir
Volume in drive C has no label.
Volume Serial Number is FC4F-FAEA
Directory of C:\Documents and Settings\Administrator\Desktop\ADS
07/30/2006 04:56 PM <DIR> .
07/30/2006 04:56 PM <DIR> ..
07/30/2006 04:56 PM 25 file.txt
1 File(s) 25 bytes
2 Dir(s) 97,243,013,120 bytes free
Copy the ADS back to a normal file, by the same name:
C:\Documents and Settings\Administrator\Desktop\ADS>more < file.txt:hiddenfile.txt > hiddenfile.txt
And there's your stuff!
C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt
"This is a hidden test file."
Does anyone know how to remove the ADS from the original file?
Modified title for accuracy.
We know (http://www.x86labs.org/forum/index.php/topic,22.0.html)?
The only way that I'm aware of is to do something like this:
rename f1 f2
type f2 > f1
del f2
Also, how the hell is this hacking? ...
Quote from: Sidoh on July 30, 2006, 06:23:17 PM
We know (http://www.x86labs.org/forum/index.php/topic,22.0.html)?
He told us how to put a file in and then run the stream, but not how to give the file a name for itself.
Quote from: Sidoh on July 30, 2006, 06:23:17 PM
The only way that I'm aware of is to do something like this:
rename f1 f2
type f2 > f1
del f2
Deleting the alternate data stream. :P
Quote from: Sidoh on July 30, 2006, 06:23:17 PM
Also, how the hell is this hacking? ...
I can't think of any use anyone has for this feature except for doing something destructive (http://www.x86labs.org:81/forum/index.php?topic=6649.msg85005#new).
Quote from: Joe[x86]
He told us how to put a file in and then run the stream, but not how to give the file a name for itself.
::)
Quote from: Joe[x86]
Deleting the alternate data stream. :P
That does delete the ADS in a somewhat convoluted and indirect way. After some searching, I didn't see any other way to do it.
Quote from: Joe[x86]
I can't think of any use anyone has for this feature except for doing something destructive.
File "summaries" use this. So do thumbnails. There are plenty of uses; you're just not thinking hard enough. Regardless of what it can potentially do, though, this is not hacking by any stretch. You're utilizing a native feature of NTFS.
Quote from: Joe[x86]
I can't think of any use anyone has for this feature except for doing something destructive (http://www.x86labs.org:81/forum/index.php?topic=6649.msg85005#new).
That doesn't make it accurate.
For instance, when you download a file from the internet, Windows creates an alternate data stream that specifies that it was. Whenever you try to execute an executable file that was downloaded (and has that ADS), Windows prompts you with a security dialog. The security dialog provides an option to "not be asked this every time," and if you decide not to be asked, the ADS is cleared.
There are other situations where Windows does this, including the use of storing file metadata.
Quote from: Joe[x86]
Quote from: Sidoh on July 30, 2006, 06:23:17 PM
We know (http://www.x86labs.org/forum/index.php/topic,22.0.html)?
He told us how to put a file in and then run the stream, but not how to give the file a name for itself.
It doesn't. It takes the original file's name. Try putting calc.exe inside of notepad.exe and running notepad:calc.exe. It'll show up in Task Manager as notepad.exe iirc.
You never gave it an original name. You copied it to a new file. Dumbass.
This has nothing to do with hacking, and barely anything to do with NTFS, and is just basically what iago said except slightly less explained/technical. Please, Joe, be innovative; write something new.
Perhaps write something that will scan for files in alternate data streams? Modify clamwin with a patch that'll do this?
Quote from: Newby on July 31, 2006, 12:08:28 AM
It doesn't. It takes the original file's name. Try putting calc.exe inside of notepad.exe and running notepad:calc.exe. It'll show up in Task Manager as notepad.exe iirc.
You never gave it an original name. You copied it to a new file. Dumbass.
This has nothing to do with hacking, and barely anything to do with NTFS, and is just basically what iago said except slightly less explained/technical. Please, Joe, be innovative; write something new.
Perhaps write something that will scan for files in alternate data streams? Modify clamwin with a patch that'll do this?
Even that's already been done in fairly intricate detail: http://www.heysoft.de/nt/ep-lads.htm
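Added example, not part of any post in the thread: the scan for alternate data streams suggested above and the in-place removal asked about in the first post, using the stream parameters built into PowerShell 3.0 and later. Find-AlternateStream, the ads-demo folder and the sample file contents are constructed for illustration.

```powershell
# Added example (PowerShell 3.0+, NTFS volume). Find-AlternateStream is a
# hypothetical helper name; the demo folder and file contents are constructed.

function Find-AlternateStream {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Every file has an unnamed default stream, reported as ':$DATA'; anything
    # else is a named (alternate) stream. Directories are skipped here:
    # Get-Item -Stream only reads directory streams from PowerShell 7.2 on.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object @{ Name = 'File'; Expression = { $file } }, Stream, Length
        }
}

# Constructed sample mirroring the thread: one visible file, one hidden stream,
# plus the zone marker Windows attaches to downloaded files.
$demo   = Join-Path $env:TEMP 'ads-demo'
$target = Join-Path $demo 'file.txt'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path $target -Value 'This is a test file.'
Set-Content -Path $target -Stream 'hiddenfile.txt' -Value 'This is a hidden test file.'
Set-Content -Path $target -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# 1. Scan the tree for named streams that a plain dir listing does not show.
Find-AlternateStream -Path $demo | Format-Table -AutoSize

# 2. Inspect a stream before deciding what to do with it.
Get-Content -Path $target -Stream 'hiddenfile.txt'

# 3. Remove one named stream in place; the default stream is not touched,
#    so the rename/type/del round trip is not needed.
Remove-Item -Path $target -Stream 'hiddenfile.txt'

# 4. Unblock-File removes only the Zone.Identifier stream.
Unblock-File -Path $target

# 5. Re-scan to confirm, then check the visible content is intact.
Find-AlternateStream -Path $demo | Format-Table -AutoSize
Get-Content -Path $target
```

On systems without PowerShell 3.0, dir /r (Windows Vista and later) lists named streams from cmd.exe.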