Alternate Data Streams on NTFS


Lake2 <lake2@mail.csdn.net> http://mrhupo.126.com

---- Contents --------
1. Preface
2. Concepts
3. Properties and Applications
-3.1 Creation
-3.2 Deletion
-3.3 Detection and Extraction
-3.4 Storage and Transfer
-3.5 Information Hiding
-3.6 Execution
-3.7 IIS-related
4. Postscript
5. References
----------------


1. Preface


Alternate Data Streams (ADS) are nothing new, but most users and administrators know little about them. This article discusses ADS with the help of earlier documents. If you find any errors, please let me know.


2. Concepts


Let's first look at Microsoft's explanation of multiple file streams:

In the NTFS file system, each file can have multiple data streams. Streams are not a feature new to the NTFS of Windows 2000; they have existed since Windows NT 3.1. When reading a file on a non-NTFS volume (for example a partition on a Windows 98 machine), you can only access one data stream, so you take it to be the real and "only" content of the file. That default stream has no name, and it is the only stream a non-NTFS file system can handle. When a file is created on an NTFS volume, however, things can be different. See Figure 1 to understand this important concept.

[Figure 1]

ADS is an NTFS-specific feature: a file consists of the multiple data streams described above, the unnamed default stream plus any number of named alternate streams. Win32 programs, however, mostly ignore the alternate streams. For example, we can append a file to another file (the carrier) as a stream, yet to Windows Explorer the carrier looks unchanged (its reported size does not include the stream). This leads to a whole series of problems.

Next, let's look at some properties and applications of ADS.


3. Properties and Applications


3.1 Creation

The syntax for naming an ADS is <carrier file name>:<stream name>.

Consider the following example, typed at the command prompt:

echo This is lake2's stream> a.txt:stream.txt

The carrier file a.txt is created with a size of 0; open it and it is empty. Of course it is: the ADS is a.txt:stream.txt, and that is where the content went. The type command cannot display a.txt:stream.txt, but Notepad can: enter notepad a.txt:stream.txt at the command line. (Feeding the stream to a reader through redirection, more < a.txt:stream.txt, also works, because cmd itself opens the path.) The carrier and the stream are edited independently: writing to a.txt does not affect a.txt:stream.txt, and modifying a.txt:stream.txt does not affect a.txt.

3.2 Deletion

The easiest way to delete an ADS is to delete the carrier file. If you want to remove the ADS but keep the carrier, the simplest way is to move the carrier to a non-NTFS partition: ADS is an NTFS "patent", so the streams disappear as soon as the file leaves NTFS.

To delete only the ADS while staying on an NTFS partition, use the following batch:

type a.txt > a.txt.bak
rem type only copies the default stream, so the copy is a clean backup of the carrier
del a.txt
rem deletes the carrier together with all of its streams
ren a.txt.bak a.txt
rem restores the carrier file

Note that the restored file is a new file: its timestamps are those of the copy, not of the original.

3.3 Detection and Extraction

Detecting ADS involves API programming, which I am still studying, so I will quote Microsoft here: "The Win32 backup API functions (BackupRead, BackupWrite, etc.) can be used to enumerate the streams in a file." (Newer Windows versions additionally provide the FindFirstStreamW/FindNextStreamW API for exactly this purpose, the dir /R switch lists streams from the command prompt, and PowerShell's Get-Item -Stream * does the same.)

Fortunately, software that detects ADS already exists, for example:

LADS (List Alternate Data Streams) - http://www.heysoft.de/nt/ntfs-ads.htm
Streams v1.1 (Sysinternals) - http://www.sysinternals.com/ntw2k/source/misc.shtml
NT Objectives Forensic Toolkit (sfind.exe) - http://www.ntobjectives.com/

To extract an ADS, a third-party tool is required. The cp tool in NTRootKit can do it (cp can also create a stream). I never managed to find NTRootKit itself; Google only turned up the NTRootKit backdoor, so I had to write a tool in C. This does not require you to be a programming expert: the file functions of the C library support creating, deleting and extracting an ADS, because you simply treat the ADS as a file and open it by its <carrier>:<stream> name.

3.4 Storage and Transfer

As mentioned above, an ADS is lost on non-NTFS partitions. Does that mean an ADS cannot be stored on a non-NTFS partition at all? Not directly, but it can be stored indirectly. You need one piece of software you probably already have: WinRAR. When compressing a file that carries an ADS, look under the advanced options for "save file stream data" and tick it (Figure 2); the ADS is then stored inside the RAR archive, which can be kept on a non-NTFS partition. Note that this only preserves the stream: it is restored only when the archive is extracted onto an NTFS volume.

[Figure 2]

To transfer an ADS, the best way is to open the other party's share in Windows Explorer and copy-and-paste the file; copying between NTFS volumes keeps the streams. For any other transfer method you can only send the RAR archive containing the ADS.

3.5 Information Hiding

The traditional way to keep information confidential is encryption. Encryption turns the information into ciphertext that cannot be read directly, but it also announces to everyone that there is a secret. If instead I hide the information so that you cannot even find it, the problem is solved just as well; hence the technique called "information hiding".

Period dramas often feature invisible ink: a sheet of paper looks blank, but under special conditions the pre-written characters appear. That is the most fitting picture of information hiding. Information hiding is currently a hot area of information security research with many implementations; the best known is probably using BMP image files as the carrier and replacing the least significant bit of each byte.

But there is a simple information hiding technique right in front of us: ADS! Since Windows barely perceives ADS, we can store the files to be kept confidential as an ADS. Try it out.

In addition, most anti-virus software (at the time of writing) does not scan ADS, so we can use a stream to slip a backdoor past the scanner. For example:

type nc.exe > a.txt:nc.exe

The original nc.exe is detected by Kingsoft AntiVirus. After this treatment, the content of a.txt:nc.exe is exactly the same as nc.exe, but Kingsoft no longer finds it.
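The extraction approach from section 3.3 (open the stream as a file by its carrier:stream name) and the hidden-executable case from the type nc.exe > a.txt:nc.exe example above, as an added example that is not part of the original article. The script writes and reads streams with plain file I/O, enumerates a carrier's streams through the Win32 FindFirstStreamW/FindNextStreamW API (Windows Vista and later; the BackupRead approach the article quotes is not used here), and flags any stream that starts with a PE header, which is what a scanner must do to catch the hidden nc.exe. The carrier name a.txt, the stream names and the fake MZ/PE bytes are constructed for the demo; on a non-NTFS volume or a non-Windows OS the colon-named paths are created as ordinary files, so the demo still runs there but hides nothing.

```python
"""Alternate Data Stream (ADS) helpers: write, read, enumerate, and flag
executable payloads hidden in streams.  Added example, not code from the
original article.  On NTFS "carrier:stream" addresses a named stream; on a
non-NTFS volume, or on Linux/macOS, the same path is just a file whose name
contains a colon.  Enumeration needs kernel32 and is Windows only.
"""
import ctypes
import os
import tempfile
from typing import List, Optional, Tuple

ERROR_HANDLE_EOF = 38          # FindNextStreamW: no more streams
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


def stream_path(carrier: str, stream: str) -> str:
    """The <carrier>:<stream> syntax from section 3.1."""
    return f"{carrier}:{stream}"


def write_stream(carrier: str, stream: str, data: bytes) -> int:
    """Create/overwrite a named stream on carrier; returns bytes written."""
    with open(stream_path(carrier, stream), "wb") as fh:
        return fh.write(data)


def read_stream(carrier: str, stream: str) -> bytes:
    """Extract a named stream (section 3.3: treat the stream as a file)."""
    with open(stream_path(carrier, stream), "rb") as fh:
        return fh.read()


def parse_stream_name(raw: str) -> Optional[str]:
    """Map a name as FindFirstStreamW reports it (':name:$DATA') to 'name'.
    Returns None for the unnamed default stream ('::$DATA') and for anything
    that is not a $DATA attribute."""
    if not raw.startswith(":"):
        return None
    name, sep, attr = raw[1:].rpartition(":")
    if not sep or attr != "$DATA" or not name:
        return None
    return name


class _FindStreamData(ctypes.Structure):
    # WIN32_FIND_STREAM_DATA: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]


def list_streams(carrier: str) -> List[Tuple[str, int]]:
    """Return [(stream_name, size)] for every named $DATA stream. Windows only."""
    if os.name != "nt":
        raise OSError("ADS enumeration needs kernel32 FindFirstStreamW (Windows only)")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint,
                                     ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = _FindStreamData()
    handle = k32.FindFirstStreamW(carrier, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    found = []
    try:
        while True:
            name = parse_stream_name(data.cStreamName)
            if name is not None:
                found.append((name, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                if ctypes.get_last_error() != ERROR_HANDLE_EOF:
                    raise ctypes.WinError(ctypes.get_last_error())
                break
    finally:
        k32.FindClose(handle)
    return found


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0',
    i.e. a Windows executable parked in a stream (the a.txt:nc.exe case)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def roundtrip_demo() -> dict:
    """Write a text stream and a fake PE stream on a carrier in a temp dir,
    read them back, and report what a scanner would conclude."""
    fake_pe = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        carrier = os.path.join(tmp, "a.txt")
        with open(carrier, "wb") as fh:
            fh.write(b"visible content\n")
        write_stream(carrier, "stream.txt", b"This is lake2's stream\n")
        write_stream(carrier, "nc.exe", fake_pe)
        with open(carrier, "rb") as fh:
            carrier_bytes = fh.read()
        result = {
            "carrier_size": os.path.getsize(carrier),   # the streams add nothing here
            "text": read_stream(carrier, "stream.txt"),
            "hidden_pe": looks_like_pe(read_stream(carrier, "nc.exe")),
            "carrier_pe": looks_like_pe(carrier_bytes),
        }
        if os.name == "nt":
            result["streams"] = sorted(n for n, _ in list_streams(carrier))
        return result


if __name__ == "__main__":
    print(roundtrip_demo())
```

Run it directly to see the round trip: on NTFS, dir a.txt still reports the 16-byte carrier while list_streams returns both nc.exe and stream.txt, and only the nc.exe stream is flagged by looks_like_pe. A scanner that reads just the default stream, as the article's Kingsoft example did, never sees the MZ header.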

3.6 Execution

As mentioned above, ADS can be used to slip a backdoor past anti-virus software, but that is of little use if the backdoor cannot be run. How is this solved?

You cannot run a.txt:nc.exe directly at the command line; use the start command instead (run help start for its usage).

start needs an absolute path or a .\ prefix in front of the file name to run an executable ADS, for example:

start .\a.txt:nc.exe
start c:\a.txt:nc.exe

This works on Windows 2000 and XP; later Windows versions refuse to launch an executable stored in a stream this way.

On Windows 2000 the process list shows only the carrier file name, while on XP the full ADS name is visible. Figure 3 shows tlist on XP.

[Figure 3]

3.7 IIS-related

Accessing an ADS through IIS has some interesting aspects. For details, see my other blog post, "Alternate Data Streams (ADS) and IIS, Past and Present" (http://blog.csdn.net/lake2/archive/2005/01/26/269659.aspx).


4. Postscript


Thank you for reading my article :)


5. References


The Unfavorable Side of NTFS, http://www.xfocus.net/articles/200212/466.html
Xundi, About Data Streams in the NTFS File System, http://www.xfocus.net/articles/200103/81.html
H. Carvey, The Dark Side of NTFS, http://patriot.net/~carvdawg/docs/dark_side.html
Damon Martin, Windows, NTFS and Alternate Data Streams, http://www.giac.org/practical/gsec/Damon_Martin_GSEC.pdf
NTFS Streams - Everything You Need to Know (DiamondCS), http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
