[NTFS] Creating and reading ADS's

Started by Joe, July 30, 2006, 06:03:41 PM


Joe

Start with an empty folder, in this example:

C:\Documents and Settings\Administrator\Desktop\ADS>dir
Volume in drive C has no label.
Volume Serial Number is FC4F-FAEA

Directory of C:\Documents and Settings\Administrator\Desktop\ADS

07/30/2006  04:54 PM    <DIR>          .
07/30/2006  04:54 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  97,243,013,120 bytes free


Create the file that the (soon to be) hidden file will be put in, as well as the file we're going to hide.
C:\Documents and Settings\Administrator\Desktop\ADS>echo "This is a test file." > file.txt

C:\Documents and Settings\Administrator\Desktop\ADS>echo "This is a hidden test file." > hiddenfile.txt


Make sure they're there..
C:\Documents and Settings\Administrator\Desktop\ADS>type file.txt
"This is a test file."

C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt
"This is a hidden test file."


Put the second file into the first:
C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt > file.txt:hiddenfile.txt

Delete the second file, because there's now a copy of it in the first file's ADS:
C:\Documents and Settings\Administrator\Desktop\ADS>del hiddenfile.txt

The first file is still there, and the ADS for the second is nowhere to be seen:
C:\Documents and Settings\Administrator\Desktop\ADS>dir
Volume in drive C has no label.
Volume Serial Number is FC4F-FAEA

Directory of C:\Documents and Settings\Administrator\Desktop\ADS

07/30/2006  04:56 PM    <DIR>          .
07/30/2006  04:56 PM    <DIR>          ..
07/30/2006  04:56 PM                25 file.txt
               1 File(s)             25 bytes
               2 Dir(s)  97,243,013,120 bytes free


Copy the ADS back to a normal file, by the same name:
C:\Documents and Settings\Administrator\Desktop\ADS>more < file.txt:hiddenfile.txt > hiddenfile.txt

And there's your stuff!
C:\Documents and Settings\Administrator\Desktop\ADS>type hiddenfile.txt
"This is a hidden test file."



Does anyone know how to remove the ADS from the original file?


Modified title for accuracy.
Quote from: Camel on June 09, 2009, 04:12:23 PM
I'd personally do as Joe suggests

Quote from: AntiVirus on October 19, 2010, 02:36:52 PM
You might be right about that, Joe.


Sidoh

We know?

The only way that I'm aware of is to do something like this:

rename f1 f2
type f2 > f1
del f2


Also, how the hell is this hacking? ...

Joe

Quote from: Sidoh on July 30, 2006, 06:23:17 PM
We know?

He told us how to put a file in and then run the stream, but not how to give the file a name for itself.

Quote from: Sidoh on July 30, 2006, 06:23:17 PM
The only way that I'm aware of is to do something like this:

rename f1 f2
type f2 > f1
del f2


Deleting the alternate data stream. :P

Quote from: Sidoh on July 30, 2006, 06:23:17 PM
Also, how the hell is this hacking? ...

I can't think of any use anyone has for this feature except for doing something destructive.


Sidoh

Quote from: Joe[x86]
He told us how to put a file in and then run the stream, but not how to give the file a name for itself.

::)

Quote from: Joe[x86]
Deleting the alternate data stream. :P

That does delete the ADS in a somewhat convoluted and indirect way.  After some searching, I didn't see any other way to do it.

Quote from: Joe[x86]
I can't think of any use anyone has for this feature except for doing something destructive.

File "summaries" use this.  So do thumbnails.  There are plenty of uses; you're just not thinking hard enough.  Regardless of what it can potentially do, though, this is not hacking by any stretch.  You're utilizing a native feature of NTFS.

MyndFyre

Quote from: Joe[x86]
I can't think of any use anyone has for this feature except for doing something destructive.

That doesn't make it accurate.

For instance, when you download a file from the internet, Windows creates an alternate data stream that specifies that it was.  Whenever you try to execute an executable file that was downloaded (and has that ADS), Windows prompts you with a security dialog.  The security dialog provides an option to "not be asked this every time," and if you decide not to be asked, the ADS is cleared.

There are other situations where Windows does this, including the use of storing file metadata.
Quote from: Joe on January 23, 2011, 11:47:54 PM
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Quote from: Rule on May 26, 2009, 02:02:12 PM
Our species really annoys me.

Newby

Quote from: Joe[x86]
Quote from: Sidoh on July 30, 2006, 06:23:17 PM
We know?

He told us how to put a file in and then run the stream, but not how to give the file a name for itself.

It doesn't. It takes the original file's name. Try putting calc.exe inside of notepad.exe and running notepad:calc.exe. It'll show up in Task Manager as notepad.exe iirc.

You never gave it an original name. You copied it to a new file. Dumbass.

This has nothing to do with hacking, and barely anything to do with NTFS, and is just basically what iago said except slightly less explained/technical. Please, Joe, be innovative; write something new.

Perhaps write something that will scan for files in alternate data streams? Modify clamwin with a patch that'll do this?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote from: Rule on June 30, 2008, 01:13:20 PM
Quote from: CrAz3D on June 30, 2008, 10:38:22 AM
I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Sidoh

Quote from: Newby on July 31, 2006, 12:08:28 AM
It doesn't. It takes the original file's name. Try putting calc.exe inside of notepad.exe and running notepad:calc.exe. It'll show up in Task Manager as notepad.exe iirc.

You never gave it an original name. You copied it to a new file. Dumbass.

This has nothing to do with hacking, and barely anything to do with NTFS, and is just basically what iago said except slightly less explained/technical. Please, Joe, be innovative; write something new.

Perhaps write something that will scan for files in alternate data streams? Modify clamwin with a patch that'll do this?

Even that's already been done in fairly intricate detail: http://www.heysoft.de/nt/ep-lads.htm
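
Added example, not part of any post in this thread: a PowerShell sketch of the scanner suggested above, which also reads and removes a named stream directly instead of using the rename/type/del workaround. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the function name Find-AlternateStream and the ADS-demo folder are hypothetical, and the demo files are constructed to mirror the file.txt:hiddenfile.txt case from the first post.

```powershell
# Added example: list named NTFS streams under a folder, then read and remove one.
# Find-AlternateStream is a hypothetical helper name, not a built-in cmdlet.
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams written by Windows itself, such as the download marker
        # MyndFyre describes, are skipped by default.
        [string[]] $Ignore = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream; ':$DATA' is the normal file content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $Ignore } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Constructed demo mirroring the thread: file.txt with a stream named hiddenfile.txt.
$dir  = Join-Path $env:TEMP 'ADS-demo'
$file = Join-Path $dir 'file.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath $file -Value 'This is a test file.'
Set-Content -LiteralPath $file -Stream 'hiddenfile.txt' -Value 'This is a hidden test file.'

# Scan: reports the stream that a plain dir listing does not show.
Find-AlternateStream -Path $dir | Format-Table -AutoSize

# Read the stream content without copying it out to a separate file.
Get-Content -LiteralPath $file -Stream 'hiddenfile.txt'

# Remove only the named stream; the main content of file.txt is untouched.
Remove-Item -LiteralPath $file -Stream 'hiddenfile.txt'

# Re-scan to confirm the stream is gone.
Find-AlternateStream -Path $dir | Format-Table -AutoSize
```

Pass an empty array to -Ignore to include Zone.Identifier streams in the report as well.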