Uncover the mysteries of 'stream', a truly hidden file under NTFS

Uncover the mysteries of 'stream', a truly hidden file under NTFS

[Author: Lu Lin: 14:21:15]

Author: Lu Lin
Source: http://lu0.126.com

NTFS supports a special concept, that is, stream. How is a stream method? Let's first look at the definition of the stream:
Stream
A sequence of bits, bytes, or other small structurally uniform units.
BIT sequence, or small unified structural units. Of course, a small unified structural unit does not necessarily mean a uniform size and format.
A stream is attached to a file. You can store binary data, text, or other things in the stream. just like a file. what files are stored, and what streams can be stored. each file can contain multiple streams. however, the stream is somewhat different from the file. each stream needs a separate CreatFile (...) the stream is not opened when the file is opened.
The stream name and file name are separated by:. Example: ABC:.
ABC is the file name, and the stream name is A. When we operate the stream, we can use the following simple method:
ECHO STREAM1> ABC: STREAM1
ECHO STREAM2> ABC: STREAM2
Now ABC has two streams: STREAM1 and STREAM2.
The read stream can be used:
MORE <ABC: STREAM1
MORE <ABC: STREAM2
In this way, the content is read. CreateFile ("ABC: STREAM1 ",...);
If you use a programming method, the operation will be the same as the file operation.
So why stream? The advantage of a stream is concealment. WINNT does not have any tool to discover the existence of a stream.
C:> ECHO "Hi Reader"> XX. TXT: MyStream
C:> dir xx. TXT
Volume in drive C is Wizard
Volume Serial Number is 40E5-92D4
 
Directory of C:
03/18/98 08: 36a 0 XX. TXT
1 File (s) 0 bytes
0 Dir (s) 3,399,192,576 bytes free
This is the benefit. Therefore, an article in the green Corps specifically introduces the stream, which is a format for hiding deep file access.
Indeed, NT does not provide tools. however, we still detect the existence of the stream. that is, the Stream provided by Inside Programming for everyone. exe. this tool can see the files containing the stream and the names of all the streams.
Of course, NT provides an API, BackupRead (...) used to read the stream name. since it is Inside Programming, introducing this API obviously cannot provide more help. Next we will introduce a native api: NtQueryInformationFile (...)
The following section describes the stream-related parts of the API:
/* ++
Streaminfo. h
Author: lulin
Date: 2000.8.25
Abstract:
Interface to NtQueryInformationFile
Stream portion.
 
---*/
# Ifndef _ STREAMINFO_H __
# Define _ STREAMINFO_H __
# Include <windef. h>
Extern "C "{
Typedef long ntstatus;

Typedef struct {
Union {
NTSTATUS Status;
PVOID Pointer;
};

ULONG * Information;
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;

Typedef struct {// infoclass 22
ULONG NextEntryOffset;
ULONG StreamNameLength;
LARGE_INTEGER EndOfStream;
LARGE_INTEGER AlloCationSize;
WCHAR StreamName [1];
} FILE_STREAM_INFORMATION, * PFILE_STREAM_INFORMATION;

_ Declspec (dllimport) NTSTATUS _ stdcall NtQueryInformationFile (
HANDLE handle,
PIO_STATUS_BLOCK io_status_block,
PVOID FileInFormation,
ULONG FileInformationLength,
Int FileInfomationClass
);
}

# Endif/_ STREAMINFO_H __
When NTFS stores a stream name, $ DATA is added to the name. For example, when ABC: STREAM1 is stored, the stream name is saved as: STREAM1: $ DATA, therefore, you need to remove: $ DATA. here, I will not discuss STREAM in detail. how to operate EXE requires that the source program can also be purchased by friends. $20/copy. the information on the payment information UTILITY page.