Article attribute: original
Article submitted by: xundi (xundi_at_xfocus.org)

Data Streams in the NTFS File System
Xundi@xfocus.org (source: SecurityFocus)
http://www.xfocus.org
2000-9-18
The data stream feature of the NTFS file system has existed for several years, yet anti-virus vendors still do not check files completely, so that code placed in a stream escapes virus scanning, and in some cases the virus scanning program itself may damage files in the file system.

An NTFS data stream is a sub-file-system feature that allows additional data to be attached to an ordinary file. The FAT file system does not support data streams. The following example shows how NTFS data streams work:
On a Windows system with an NTFS file system, create the following file:

    echo "this is the main file" > file1.txt

This command creates a text file named file1.txt containing the string "this is the main file". You can verify that the file was created with any of the following commands:

    type file1.txt
    edit file1.txt
    notepad file1.txt

The dir command shows a file of about 26 bytes. The file was created successfully because you stored it in what the file system considers the named stream portion of the file system (the file's default, unnamed data stream).
Next we attach a data stream to the file we just created by running the following command at the prompt:

    echo "this is the stream" > file1.txt:stream1.txt

The command completes without any error. The ":" tells the system that you are associating a stream with the file. Now try the following commands:

    type file1.txt:stream1.txt
    edit file1.txt:stream1.txt
    notepad file1.txt:stream1.txt

Except for notepad, all of the above commands exit with some form of error. This is because many Windows tools are not very capable when handling stream files: they were never updated to understand streams. Now we can attach a larger amount of data to file1.txt and compare the byte size the file reports:
    dir c:\winnt\* > file1.txt:stream2.txt

The command executes successfully, and the stream we created adds nearly 6,500 bytes of data, yet dir still reports file1.txt as only 26 bytes. Explorer also still shows 26 bytes: both report the size of the unnamed stream only. To verify that the 6,500 bytes were added, run:

    notepad file1.txt:stream2.txt

You will see a text file containing the WINNT directory listing. If you choose File --> Save As, you get an error dialog. This is because notepad is able to open and create a stream file, but it cannot browse the stream portion of NTFS.
The above attaches a stream to an existing file, but interestingly you can also create a stream directly, without naming a host file. Run the following command to test this:

    echo "this is a stream file" > :file3.txt

The stream created this way is completely invisible to dir and to Explorer, that is, hidden (it is attached to the current directory itself). A stream cannot be deleted with the del command:

    del file1.txt:stream2.txt
    del :stream3.txt

Both deletion commands fail, because del is another tool that was never upgraded to handle streams. The only way to delete an attached stream is to delete the host file: the attached streams are deleted automatically with it. For :stream3.txt you must delete the entire directory that hosts the stream.
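The walkthrough above is written for cmd.exe, whose tools (dir, type, del) do not understand streams. The following is an added example, not part of the original article, that repeats the same steps with the PowerShell FileSystem provider (PowerShell 3.0 and later), whose -Stream parameter can create, list and read named streams. It assumes a scratch directory on an NTFS volume; the file and stream names are the ones used above.

```powershell
# Added example (not from the article): the file1.txt walkthrough done with
# PowerShell 3.0+ cmdlets, which know about NTFS named streams.
# Run inside an empty scratch directory on an NTFS volume.

# 1. Create the host file (cmd: echo "this is the main file" > file1.txt).
Set-Content -Path .\file1.txt -Value 'this is the main file'

# 2. Attach a small named stream (cmd: echo "this is the stream" > file1.txt:stream1.txt).
Set-Content -Path .\file1.txt -Stream stream1.txt -Value 'this is the stream'

# 3. Attach a large named stream (cmd: dir c:\winnt\* > file1.txt:stream2.txt).
#    $env:SystemRoot is used instead of the hard-coded c:\winnt of the article.
Get-ChildItem -Path $env:SystemRoot | Out-String |
    Set-Content -Path .\file1.txt -Stream stream2.txt

# 4. The size shown by dir / Explorer / Get-ChildItem is the unnamed stream only.
$visible = (Get-Item -Path .\file1.txt).Length
"Size reported by dir: $visible bytes"

# 5. Enumerate every stream on the file. ':$DATA' is the unnamed (main) stream;
#    anything else is a named stream that dir and Explorer do not show.
$streams = Get-Item -Path .\file1.txt -Stream *
$streams | Select-Object Stream, Length | Format-Table -AutoSize
$hidden = ($streams | Where-Object { $_.Stream -ne ':$DATA' } |
           Measure-Object -Property Length -Sum).Sum
"Bytes hidden in named streams: $hidden"

# 6. Read a named stream back (what notepad file1.txt:stream1.txt displayed).
Get-Content -Path .\file1.txt -Stream stream1.txt
```

Step 5 is the part the cmd.exe tools of the article cannot do: the byte count in $hidden is exactly the data that dir and Explorer leave out of the 26-byte figure.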
It is difficult for programmers to determine whether a stream exists. CreateFile() can only be used to check for a data stream whose name is already known: only a known stream name can be operated on. For example, in the exercise above we could open the stream in notepad because we supplied the exact stream name, but, as you saw, the "Save As" operation failed, because "Save As" requires the ability to browse the stream portion of the file system, and CreateFile() only works when given a specific name. This raises an interesting question: "Is there a way to determine that a data stream exists when you do not know its name?" After research we found that, among the API functions, only BackupRead() is able to reveal the existence of data streams. Unfortunately, few tools use this function.
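An administrator today does not have to call BackupRead() directly: the PowerShell FileSystem provider (3.0 and later) enumerates all streams of a file or directory through Get-Item -Stream *, with no need to guess stream names. The following is an added example, not code from the article or from any tool it mentions, of a defender-side scan that walks a directory tree and reports every named stream. The function name Find-NamedStream and the default ignore list are this example's own choices; Zone.Identifier is the stream Windows writes on downloaded files and is expected on a normal system.

```powershell
# Added example (not from the article): enumerate named streams under a path
# so that unexpected ones can be triaged. PowerShell 3.0+ FileSystem provider.

function Find-NamedStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams that are normal on a modern system and need not be reported.
        # 'Zone.Identifier' is written on files downloaded from the Internet.
        [string[]] $Ignore = @('Zone.Identifier')
    )

    # Scan the root itself, its files AND its directories: a stream attached
    # to a directory (the ':stream3.txt' case above) is missed by a file-only scan.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            # ':$DATA' is the unnamed stream, i.e. the ordinary file contents.
            if ($s.Stream -eq ':$DATA' -or $Ignore -contains $s.Stream) { continue }

            # First line of the stream helps triage (script text, "MZ" header, ...).
            $head = [string](Get-Content -LiteralPath $item.FullName -Stream $s.Stream `
                                 -TotalCount 1 -ErrorAction SilentlyContinue)
            if ($head.Length -gt 40) { $head = $head.Substring(0, 40) }

            [pscustomobject]@{
                Path   = $item.FullName
                Stream = $s.Stream
                Length = $s.Length
                Head   = $head
            }
        }
    }
}

# Usage (the paths are placeholders, choose your own):
#   Find-NamedStream -Path $env:SystemRoot | Format-Table -AutoSize
#   Find-NamedStream -Path 'D:\data' | Export-Csv -Path .\streams.csv -NoTypeInformation
```

Because a default installation creates no named streams of its own, a short ignore list plus a baseline CSV from a clean machine is enough to make any new entry in the report stand out.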
The existence of data streams in the NTFS file system is not a new topic. For an earlier discussion of the question, see:
http://www.securityfocus.com/templates/archive.pike?list=1&date=&msg=Pine.SUN.3.94.980320114349.19659S-100000@dfw.dfw.net
Of course, Microsoft also has information about streams and how they work; refer to the URL below:
http://www.securityfocus.com/templates/archive.pike?list=1&date=&msg=Pine.SUN.3.94.980320114349.19659S-100000@dfw.dfw.net
Advisory details

We tested the latest virus scanning programs from the three major anti-virus vendors; none of them can identify viruses stored in data streams. For example, create myresume.doc:iloveyou.vbs, a Word file with the I Love You virus saved in an attached data stream: no scanner detects the virus when scanning the entire disk, even with "check all files" selected. This shows that a malicious user can use data streams in the file system to hide malicious code from virus scanners.
There is still a possibility of detecting the virus, provided the memory-resident virus scanner is set to check all files (which is bound to increase the burden on resources). In that case, when a named stream is read into memory, the data stream attached to it is read into memory too, and the memory-resident scanner can detect viruses whose signature strings are known. However, the scanner is powerless against a new virus whose signature string is not yet known. You should also know that, to reduce the burden on the system, most of today's virus scanners only check certain file types unless the "check all files" option is set, so the memory-resident scanner normally examines only some file types (of the named stream).

Therefore, because most scanners do not check .ini files, a programmer can write malicious code to disk in a stream attached to a file type that is not checked. A new virus added this way, with no known signature string, is hard for a memory-resident scanner to detect.
But why have the virus scanner vendors not handled data stream files? The answer is: "Data streams can be inserted, but a stream file cannot be executed directly, so there is no threat." This is correct: if you open resume.doc:nastyevilvirus.com from the command line, the virus code will not be executed. However, if the virus writer appends both the virus code and the code that executes it (a simple call and handling routine) to the stream, the system can still be damaged, as explained below:

We all know that scanners are signature-based: the scanner checks for a unique pattern in the virus code to distinguish it from other files. If the virus scanner is not capable of checking data streams, the only way it can control the use of stream files is to control the execution of code from the stream portion of the file system.
Therefore, an attacker could write a new virus program that performs a destructive task and, instead of releasing it directly, carry it in a worm or other delivery program. The worm is simple: its code attaches data streams to a few important files in the NTFS file system, such as cmd.exe, poledit.exe, regedt32.exe, or others. A few weeks later the attacker releases the virus code, which is written into these well-known streams. The anti-virus vendors respond by generating a signature string for the virus, which users download as an update. Then, when a file carrying the stream is executed for the first time, the memory-resident scanner detects the malicious code loaded into memory. The scanner simply acts on the host file rather than on the data stream, taking the action configured in its settings: if "delete infected files" is selected, important files carrying the stream are deleted; if "move infected files" is selected, the important system files are moved to the default location, making the system inoperable; if "prompt for user intervention" is selected, execution of the file is stopped and the file is deleted manually. Therefore, regardless of whether the data stream the virus writes does any harm when executed, it causes the virus scanner to mishandle the host file and makes the system unstable.
So what exactly can we do about these stream files?

1. Perform regular checks of the data streams on NTFS file systems. ntobjectives has developed a good tool, sfind.exe, which can find attached data streams. It can be found at: http://www.ntobjectives.com.

2. Following the first step, any newly discovered data stream should be treated as suspicious, because a default installation of NT and Windows 2000 creates no stream files. Of course, a stream may also come from third-party software. For example, when a Macintosh volume is created, streams are used to hold the Macintosh file's additional information, so storing Macintosh files on an NT system will produce data streams.

3. If you find suspicious data streams and want to remove them from the system, first perform a backup, making sure the backup program supports streams. If the backup program does not, you can map a drive to a remote NTFS partition and copy the files to the remote system. Then, to clean the stream, simply copy the file to a non-NTFS partition, such as a FAT system, Windows 98 or Linux, and then copy it back to the local system: when a file is moved or copied to such a system, the data streams attached to it are not preserved.

Note that the moves above will change the permissions of some important files, so to preserve the attributes of your files it is best to use filestat or a similar tool to move them. This tool can also be found at ntobjectives.

Of course, the best solution is for the scanner vendors to support streams.
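Step 3 above round-trips the file through a FAT volume, which is why the permissions are lost. On PowerShell 3.0 and later, Remove-Item -Stream deletes a single named stream in place and leaves the host file untouched, so the permission problem does not arise. The following is an added example, not code from the article or from ntobjectives, that keeps a copy of the stream for analysis (the backup the article asks for), removes the stream, and then proves the host file's ACL is unchanged. The function name, parameters and the paths in the usage comment are this example's own, constructed values.

```powershell
# Added example (not from the article): remove one suspicious named stream
# in place, keeping a copy for analysis and verifying the host's ACL afterwards.
# Requires PowerShell 3.0+ and write access to the host file.

function Remove-SuspiciousStream {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,      # host file or directory
        [Parameter(Mandatory)] [string] $Stream,    # stream name, e.g. 'stream2.txt'
        [Parameter(Mandatory)] [string] $BackupDir  # where the stream copy is kept
    )

    # 1. Back up the raw stream bytes first (article step 3: back up before cleaning).
    #    Windows PowerShell uses -Encoding Byte; PowerShell 6+ uses -AsByteStream.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $safeName = ($Path -replace '[:\\/]', '_') + '__' + $Stream + '.bin'
    $backup   = Join-Path -Path $BackupDir -ChildPath $safeName
    $byteOpt  = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                else                                       { @{ Encoding = 'Byte' } }
    $bytes = Get-Content -LiteralPath $Path -Stream $Stream -ReadCount 0 @byteOpt
    [System.IO.File]::WriteAllBytes($backup, [byte[]]$bytes)

    # 2. Record the host's security descriptor before touching it.
    $aclBefore = (Get-Acl -LiteralPath $Path).Sddl

    # 3. Delete only the named stream; the unnamed stream (the real file) stays.
    if ($PSCmdlet.ShouldProcess("$Path`:$Stream", 'Remove named stream')) {
        Remove-Item -LiteralPath $Path -Stream $Stream
    }

    # 4. Report what is left and whether the ACL survived unchanged.
    $aclAfter  = (Get-Acl -LiteralPath $Path).Sddl
    $remaining = @(Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue).Stream
    [pscustomobject]@{
        Path         = $Path
        Stream       = $Stream
        Backup       = $backup
        AclUnchanged = ($aclBefore -eq $aclAfter)
        Remaining    = ($remaining -join ', ')
    }
}

# Usage (placeholder names; -WhatIf shows the action without performing it):
#   Remove-SuspiciousStream -Path 'C:\example\file1.txt' -Stream 'stream2.txt' `
#       -BackupDir 'C:\quarantine' -WhatIf
```

Because the host file is never copied or moved, its ACL, owner and attributes are left exactly as they were, which is the problem the filestat workaround in the article is meant to address.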
Personally, I think the most interesting thing about all of the above is that we can create a hidden file. Adam can also be asked about this situation. Haha.....

Thank you for your patience in reading this article.