(Note about conventions: Alternative Data Streams are also sometimes referred to as Alternate Data Streams or ADS. Since "Alternative Data Streams" is so long, and "ADS" can be confused with Active Directory Services, I will simply call this feature AltDS for short.)
Creating an AltDS
Making an AltDS is fairly simple. I will use command-line examples; feel free to follow along. We could hide some data in an AltDS behind an already existing file, but for this example we will create a new base file to hide behind:
C:\>echo Just a plan text file>sample.txt
C:\>type sample.txt
Just a plan text file
C:\>
Next we will use a colon as the operator to tell our commands to create or use an AltDS:
C:\>echo You can't see me>sample.txt:secret.txt
Unfortunately, support for the colon operator is a bit hit or miss across commands, and it sometimes does not work as we might expect, as seen below:
C:\>type sample.txt:secret.txt
The filename, directory name, or volume label syntax is incorrect.
Since the "type" command does not understand the colon operator we will have to use notepad to read the file:
C:\>notepad sample.txt:secret.txt
If all worked well, you should now see a notepad window with the text "You can't see me" in it. Also notice that, while the total amount of free hard drive space went down, the reported file size of sample.txt did not increase:
C:\>dir sample.txt
Volume in drive C has no label.
Volume Serial Number is 40CC-B506
Directory of C:\
09/27/2004 01:58 PM 23 sample.txt
1 File(s) 23 bytes
0 Dir(s) 12,658,040,832 bytes free
C:\>
You can make an AltDS not only on files but also on directories; here is a quick example:
C:\>md stuff
C:\>cd stuff
C:\stuff>echo Hide stuff in stuff>:hide.txt
C:\stuff>dir
Volume in drive C has no label.
Volume Serial Number is 40CC-B506
Directory of C:\stuff
09/28/2004 10:19 AM <DIR> .
09/28/2004 10:19 AM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 12,253,208,576 bytes free
C:\stuff>notepad :hide.txt
Hopefully you now see a notepad window with hide.txt's contents. If all one could do with AltDS was hide text files it would not be that impressive, but there's much more that can be done with this useful NTFS feature.
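The cmd.exe "type" command trips over the colon, but the streams are easy to enumerate and read once you address them explicitly. The following is an added PowerShell example, not part of the original post: it lists every stream attached to the sample.txt file and the stuff directory created above (the -Stream parameter has been available on the FileSystem provider since PowerShell 3.0; directory support is assumed for your version) and reads the hidden text stream back. It assumes the two objects exist in the current directory.

```powershell
# Added example (not from the original post): enumerate the alternate data
# streams attached to a file and to a directory with PowerShell's -Stream
# parameter (PowerShell 3.0 or later, NTFS volume). Assumes sample.txt and
# stuff\ from the walkthrough exist in the current directory.
$paths = 'sample.txt', 'stuff'

foreach ($p in $paths) {
    # Get-Item -Stream * returns one object per stream. For a file this
    # includes the unnamed main stream, which PowerShell reports as ':$DATA'.
    $streams = Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        # Anything other than the main stream is an alternate stream.
        $kind = if ($s.Stream -eq ':$DATA') { 'main' } else { 'ALTERNATE' }
        '{0,-10} {1,-24} {2,8} bytes' -f $kind, ($p + ':' + $s.Stream), $s.Length
    }
}

# Reading a named stream works where cmd's "type" fails, because Get-Content
# is told which stream to open instead of having to parse the colon itself.
Get-Content -LiteralPath 'sample.txt' -Stream 'secret.txt'
```

Note that the Length reported for sample.txt's main stream stays at 23 bytes no matter how much data sits in secret.txt, which is exactly why a plain "dir" listing never reveals the hidden content.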
Hiding and running an executable.
As it turns out, using an AltDS to hide an executable is not much harder than hiding a text file. AltDS makes for a great way for malware to hide itself on a system. Here's an example of how an executable can be hidden behind another file:
First we make our file to hide behind:
C:\WINDOWS>echo Test>test.txt
Next we put an EXE behind it; I'm just using notepad.exe because it's convenient:
C:\WINDOWS>type notepad.exe>test.txt:note.exe
Next we confirm what someone sees when they open the text file:
C:\WINDOWS>type test.txt
Test
Now we will confirm the file size. Notice that adding notepad.exe as a stream did not increase the size of test.txt:
C:\WINDOWS>dir test.txt
Volume in drive C has no label.
Volume Serial Number is 007E-2E3C
Directory of C:\WINDOWS
09/19/2004 08:37 AM 6 test.txt
1 File(s) 6 bytes
0 Dir(s) 19,734,708,224 bytes free
Now we will attempt to run our hidden EXE. Notice the ".\" in front of the file name; this is necessary because the "start" command needs an explicit path to the file (at least on XP).
C:\WINDOWS>start .\test.txt:note.exe
C:\WINDOWS>
If all worked well there should now be a notepad window up on your system. You should be able to hide just about any other EXE file this way if you wish.
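Since a "dir" listing shows nothing, finding executables tucked into streams takes a deliberate sweep. The following is an added PowerShell example, not part of the original post: it walks a directory tree, lists every named stream, checks the first two bytes of each for the "MZ" marker that every Windows executable starts with, and separates out Zone.Identifier streams (the benign mark-of-the-web that browsers attach to downloads). The $root path is an assumption; the -Encoding Byte form of Get-Content is the Windows PowerShell 5.1 syntax (PowerShell 7 uses -AsByteStream instead).

```powershell
# Added example (not from the original post): hunt a directory tree for
# alternate streams that carry executable content. $root is an assumed
# starting point; change it for your environment. Windows PowerShell 5.1
# syntax (-Encoding Byte); on PowerShell 7 use -AsByteStream instead.
$root = 'C:\Users\Public'

$hits = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |       # skip each file's main stream
    ForEach-Object {
        # Read only the first two bytes of the stream and test for the PE 'MZ' header.
        $head = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                            -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            File   = $_.FileName
            Stream = $_.Stream
            Length = $_.Length
            IsPE   = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            Zone   = ($_.Stream -eq 'Zone.Identifier')
        }
    }

# Report, executable payloads first, then the largest remaining named streams.
$hits | Sort-Object IsPE, Length -Descending |
    Format-Table File, Stream, Length, IsPE, Zone -AutoSize

# Remediation: a stream can be removed without touching the base file.
# Review the report before uncommenting this.
# $hits | Where-Object IsPE | ForEach-Object {
#     Remove-Item -LiteralPath $_.File -Stream $_.Stream
# }
```

Run against the C:\WINDOWS example above, the report lists test.txt with a note.exe stream whose Length matches notepad.exe and IsPE set to True, while test.txt's own Length in "dir" still reads 6 bytes. Copying the base file to a FAT volume, or through most archivers and network protocols that are not stream-aware, silently drops the alternate stream, which is worth remembering both when preserving evidence and when cleaning up.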