A Question about Alternate Data Streams


11 replies to this topic

#1 MaryBet82


Posted 04 December 2009 - 08:29 PM

I have been reading about alternate data streams, including the tutorial here ADS Tutorial and trying some of the examples and as usual, I'm confused.

I tried the test example from the tutorial
C:\test>type c:\windows\notepad.exe >ads.txt:np.exe only my test folder was in My Documents so my prompt was different but I typed the command exactly as above. [in the example given there was a space before "ads.txt" but that didn't work so I took it out and got ads.txt in the test folder]
I then used the start command example except I had to put in the path to my test folder
...\test>start "c:\documents and settings\username\my documents\test\ads.txt:np.exe"
and what happens is that a second command prompt window opens instead of notepad [with "...\my documents\test\ads.txt.np.exe" in the name\address\whatever bar rather than "..\system32\cmd.exe" per usual] .
I clicked on notepad.exe in c:\windows and notepad opens. So how did I substitute cmd.exe for notepad.exe?
Don't :thumbsup: . OK, go ahead.
mac 10.6 on macbook pro
WinXP sp2 on Dell 380 w/ 512 MB RAM- currently dead in the water
WinXP tab ed sp 3 on Thinkpad X41 w/ 1.5 GB RAM - lemony flavored
Win2K Sp4 on Sony VAIO GXR600 w/ 512 MB RAM - currently blue screening

#2 petewills


Posted 05 December 2009 - 03:35 PM

Perhaps the people who are 'into' ADS, do not feel the need to visit these forums!

My conclusions from a brief trawl through Google:

ADS is not a feature that can be disabled; countermeasures are important.

The best practice is to enable real-time scanning in your Anti-Virus program.
Real-time scans can shield from execution of a malicious code inside an alternate stream.

Monitoring changes to the file system helps to detect the creation of additional or new data streams.

Many freeware tools are available for monitoring NTFS partitions for Alternate Streams.

(Alternate Streams are lost when the file is moved from a NTFS partition to a FAT or FAT32 partition,
because FAT does not support ADS).

ADS is a vulnerability, rather than a compatibility feature.

ADS is an essential part of NTFS and has legitimate uses too.

The security features of NTFS far outweigh the vulnerability.

I think I'll stick with the two lines above.

I guess I'm not sufficiently interested in this dull (although perhaps tricky) subject, to pursue it further.

Good luck in your endeavours; should work if you follow the tutorial exactly.

Anyone else care to contribute?

#3 Romeo29


Posted 05 December 2009 - 05:51 PM

As far as I know, executable code can be directly run from ADS only in XP. Security improvements are added in Vista and 7 so the executable code in ADS cannot be run directly. You have to extract it first in Vista and 7.

One of the security improvements in Vista and 7 is that you can simply do a dir /r command to see the ADS objects in a folder.

In XP, to hide notepad.exe and then run it, use these commands:
type c:\Windows\notepad.exe > test.txt:np.exe
start ./test.txt:np.exe
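The defender's counterpart to the hide-and-run test above and to the dir /r listing: an added PowerShell script (not from this thread or any poster) that inventories every alternate data stream under a folder, marks the ones Windows itself writes (Zone.Identifier), flags streams that start with the PE "MZ" signature, and shows each file's 8.3 short path. It assumes Windows PowerShell 3.0 to 5.1 on an NTFS volume; $Root and the $knownStreams list are placeholders chosen here.

```powershell
# Added example, not from the thread: inventory alternate data streams under $Root,
# flag streams whose first two bytes are the PE "MZ" signature, and show 8.3 paths.
# Assumes Windows PowerShell 3.0-5.1 on NTFS (PowerShell 7 replaces -Encoding Byte
# with -AsByteStream). $Root is a placeholder for the folder you want to review.
param([string]$Root = "$env:USERPROFILE\Documents")

# Streams Windows writes itself (placeholder list); anything else deserves a look
$knownStreams = @('Zone.Identifier')
# Scripting.FileSystemObject exposes the 8.3 (short) path of a file
$fso = New-Object -ComObject Scripting.FileSystemObject

Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    # ':$DATA' is the file's ordinary content; every other stream is an ADS
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            # Read only the first two bytes of the stream and compare them with 'MZ' (0x4D 0x5A)
            $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            $looksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                File        = $file.FullName
                ShortPath   = $fso.GetFile($file.FullName).ShortPath
                Stream      = $_.Stream
                Bytes       = $_.Length
                KnownStream = ($knownStreams -contains $_.Stream)
                LooksLikePE = $looksLikePE
            }
        }
} | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

Explorer does not show stream sizes, so the Bytes column is the quickest way to spot a stream that has grown unexpectedly; a LooksLikePE of True means executable content is stored in the stream, exactly what the thread's test creates.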


#4 Andrew


Posted 05 December 2009 - 07:26 PM

This is a quirk/bug that arises from the need for the Alternate Data Stream to be specified by the full path when the path contains spaces. Giving the full path when the path contains spaces requires the use of one of two modifications to the command:

1. Enclose the path in quotes; or:
2. Use 8.3 compliant names.

In your example above, you used the quotation marks option, which is fine for most things. But quotation marks seem to screw up everything when dealing with ADS. So, you need to use the 8.3-compliant names in the path.

"8.3" names are a holdover from the days of MS-DOS, where there was an eight character limit on the length of file and folder names (plus an additional three characters allowed for file extensions). Windows XP supports these naming conventions for backwards compatibility reasons. Any file or folder in Windows XP can be referenced by its 8.3 name. (Further reading on 8.3 Filenaming)

To avoid naming collisions, where more than one file or folder has the first eight characters of their names in common, a tilde and a number is appended to file and directory names like this:

file~1.txt

The tilde and number count towards the eight character limit, however, which means that only the first six characters of the name are used, followed by the tilde and number (starting at 1). Spaces in names are removed. So, names like these:

my really neat picture.jpg
my really boring picture.jpg

become this:

myreal~1.jpg
myreal~2.jpg

This would mean that a path like this:

c:\documents and settings\username\my documents\test\ads.txt:np.exe

becomes this:

c:\docume~1\userna~1\mydocu~1\test\ads.txt:np.exe

Thus, in order to be able to supply the full path of the ADS, while avoiding the quirks around using quotation marks, you should use the 8.3 name of the file.



PS:
Neat tool: Stream Viewer

Edited by Amazing Andrew, 05 December 2009 - 07:27 PM.


#5 MaryBet82


Posted 05 December 2009 - 09:20 PM

Thanks people.
I guess I wasn't really clear about my question and the topic title was misleading. My question isn't about ADS per se but about using the command prompt to create an executable ADS - or rather how did it go wrong.

I don't understand how the type & start commands that were supposed to make the ADS np.exe open notepad instead made it open a 2nd command prompt window. And the 2nd command prompt window did appear to open from the ads np.exe file because it has the path c:\documents & settings\username\my documents\test folder\ads.tx:np.exe in its title/address bar. I usually open the command prompt by rclicking my start button [I forget how I did that] and it always has c:\windows|system32 in its title/address bar.

I have previously only used the "type" command to read text files [back in "real" DOS when you booted into DOS and opened Word Perfect & later Windows for Workgroups from the Dos command prompt] Its use to "fork" one exe file into another was new to me but I saw the same basic command - type path\anyfile.exe > path\testfile.txt:testads.exe - in several articles on ADS including the bleeping com tutorial.

The command I used was "type c:\windows\notepad.exe >c:\documents & settings\username\my documents\test folder\ads.tx:np.exe". So how did cmd.exe in system32 get forked to np.exe? [there is a notepad.exe in c:\windows but no cmd.exe]
I feel like I'm in the twilight zone - if I typed the command wrong it just shouldn't have worked.

#6 Andrew


Posted 05 December 2009 - 09:51 PM

I'm not sure why cmd.exe got executed, but if you follow my advice and use 8.3 names it should work.

#7 Romeo29


Posted 06 December 2009 - 04:16 AM

The command I used was "type c:\windows\notepad.exe >c:\documents & settings\username\my documents\test folder\ads.tx:np.exe". So how did cmd.exe in system32 get forked to np.exe? [there is a notepad.exe in c:\windows but no cmd.exe]
I feel like I'm in the twilight zone - if I typed the command wrong it just shouldn't have worked.


Command line syntax of the start.exe command is: START "title" [/Dpath] [options] "command" [parameters]

1. Normally, you just type command as in start notepad.exe. In that case, the title is set to command line you passed.
2. When you type start without any parameter, it assumes command to be cmd.exe (current process).

When you type start "c:\documents and settings\user\ads.txt:np.exe", read and execute file access to ads.txt:np.exe is denied to start.exe and it assumes no command line parameter, so it starts cmd.exe in a separate process. But the title is already set to c:\documents and settings\user\ads.txt:np.exe. The result is what you see.

To run the binary code in the ADS correctly, type start ./ads.txt:np.exe.

#8 Grinler


Posted 06 December 2009 - 05:22 PM

I am pretty sure Vista does not support executable streams any more in Vista and higher. Vista and higher also offer the dir /r command that will list streams.

#9 MaryBet82


Posted 06 December 2009 - 05:52 PM

Thanks Romeo29 & Amazing Andrew

I finally got it to work by moving the test folder to c:\ and typing either
start c:\test/ads.txt:np.exe or start c:\test\ads.txt:np.exe [both ways work I found out by "accident"]
I'm still confused about ads, but I understand the start command much better, which was really what my question was about.

I tried using the tilde [`] but I kept getting the message "The system cannot find the file c:\documen~\user\mydocum~\test\ads.txt:np.exe." I also tried putting the forward slash [/] before the file name but "The system cannot find the file c:\documen~\user\mydocum~\test/ads.txt:np.exe" I'm a dyslexic typist so long paths can defeat me. I typed them umpteen times and they looked correct. I copied the messages above from the command prompt window, just substituting user for my username once pasted. So those are the paths I typed that didn't work.

I've tried Streams by SysInternals, but it didn't find any ads in folders where I know the files have ads - maybe it's not SP3 ready. AlternateStreamView listed the ads's on my Word docs that Streams didn't. To this non-expert it seems like a nice little freeware utility. I always like utilities that let you save the list they generate and this one gives you text/html/csv/xml as options. I'll take a look at Stream Viewer. I also came across a way to add a streams tab to file properties, but I don't remember where or how. It's in my notes somewhere.

My original interest in ADS was if Word's summary and other info [such as printdate] were in those files, couldn't a program be written [or had one been written] that would allow separating the files in a folder into printed and not printed? A database-type or file search program might be able to use the keywords in the summary tab. I used to be able to search by the keywords in my Word docs [Windows for Workgroups 3.1], but I don't see much use in being able to print the keywords per document or in the document. [You also ought to be able to highlight a word and click a button and add it to your keyword list w/out opening the properties box ]
The hacking/infection potential is also of concern, but [if I understand what I've read] for someone besides me to put an exe in an ADS file on my computer at this point they'd have to be skillful and specifically targeting my computer.
Another concern [probably just theoretical] would be if some program added lots & lots of info to the ads of the files they generate since Explorer doesn't show you the size of the ads files.

I apologize for not being clearer about my question and the misleading title topic. It started out as "2 Questions about ADS". When I decided one question was enough I should have changed it to "problem w/start command and ADS".

#10 Grinler


Posted 06 December 2009 - 07:10 PM

Were you testing this in XP or Vista?

#11 Romeo29


Posted 06 December 2009 - 10:05 PM

I also tried putting the forward slash [/] before the file name but "The system cannot find the file c:\documen~\user\mydocum~\test/ads.txt:np.exe" I'm a dyslexic typist so long paths can defeat me. I typed them umpteen times and they looked correct.


You forgot the dot before the slash. It should be start .\ads.txt:np.exe. The dot means the current folder, so you do not have to type the whole path.
Windows has become friendly about forward and backward slashes, so both of them work on XP and later versions.

As Grinler has mentioned, Vista and 7 do not allow you to execute any binary code present in ADS. So your experiment works only on XP. But confusingly, XP, Vista and 7 all have the same NTFS version.

#12 MaryBet82


Posted 15 December 2009 - 09:06 PM

I wondered about that dot. I think I tried it once, but I probably typed something else wrong so it didn't work. Now I know.

All testing on WinXP SP3 tab ed

Thanks everyone for your help. Currently I'm having to troubleshoot more basic, bleeping computer stuff. When I have time I'm going to do some more searching/reading on ads and if I figure everything out [haha] I'll edit this reply for anyone else interested.