The Dark Side of NTFS

Source: Internet
Author: User

Translation and editing: Bigworm (please correct any mistakes)
This article is based on The Dark Side of NTFS (Microsoft's Scarlet Letter) by H. Carvey.

This translation may be reproduced freely, provided the translator credit, the source, and the article itself are kept intact.

Introduction: Microsoft's platforms keep gaining ground. The servers and desktops used by companies generally run Windows NT and Windows 2000, while home users and students generally run Windows XP. These platforms are very popular and widely deployed, yet the users and administrators of these systems know little about one feature of the NTFS file system: alternate data streams (ADSs).

NTFS is the better file system because of its stability and security. NTFS alternate data streams (ADSs) were designed for compatibility with the Macintosh HFS file system, which uses resource forks to keep file-related information such as icons. Microsoft provides a way to create special ADSs through Windows Explorer, yet tools and functions for working with ADSs are quite lacking. Strangely, the system has always provided the functions and tools that let a user create an ADS and execute code hidden in such a stream. Microsoft Knowledge Base article Q101353 acknowledges that the Win32 API does not support ADSs well.

The purpose of this article is to explain in detail how ADSs are created and used, and how code hidden in an ADS is executed. The handling of ADSs also differs noticeably between NT, 2000 and XP.

Creating ADSs

The syntax for creating an ADS is simple and direct. For example, to create an ADS attached to myfile.txt, you only need to separate the file name from the stream name with a colon:

D:\ads> echo This is an ADS > myfile.txt:hidden

An ADS can also be created from the content of another file:

D:\ads> echo This is a test file > test.txt

D:\ads> type test.txt > myfile.txt:hidden

You can then inspect it with Notepad:

D:\ads> notepad myfile.txt:hidden

However, the dir command shows no change, and Windows Explorer has no option or setting that reveals the existence of the new ADS.

An ADS can also be attached to a directory listing rather than to a file. The importance of this will become clear later in the article; for now it is enough to show how such an ADS is created:

D:\ads> echo This ADS is tied to the directory listing > :hidden

This type of ADS can also be created with the type and notepad commands.

The content of an ADS is not limited to text. Any stream of binary data can make up a file, and an ADS is just such a stream, so executables can be hidden in an ADS just as easily. See the following example:

D:\ads> type c:\winnt\notepad.exe > myfile.txt:np.exe

D:\ads> type c:\winnt\system32\sol.exe > myfile.txt:sol2.exe

Similarly, image files, sound files, or any other data can be hidden in an ADS.

Finally, Windows Explorer itself provides a way to create special ADSs (RUSS00).

Look at Figure 1: a great deal can be entered in the Value column.

Http://www.3389.net/bbs/uploadImages/20021221731511210.gif
Figure 1
A user who does not have write permission on a file cannot add an ADS to it.

In addition, Windows File Protection can prevent the replacement of system files, but it cannot prevent a user with sufficient permissions from adding an ADS to those system files. The System File Checker tool (sfc.exe) can check whether a protected system file has been overwritten, but it cannot detect ADSs.

Detecting, viewing, and using ADSs

As mentioned above, Microsoft provides no tool for detecting ADSs. The best tool for detecting them at present is lads.exe, written by Frank Heyne. The current version of this command-line tool is 3.10.

See Figure 2:
Http://www.3389.net/bbs/uploadImages/2002122174413189.jpg
Figure 2
Three of the four streams attached to poker start with an ASCII character that resembles the spade in a deck of cards. The fourth is the one whose name is a long string of numbers and letters in curly braces. All four were created by the method shown in Figure 1.

Now that we have found these streams, how do we view their content? Notepad is actually a good tool for this, but there is a trap.

For example, the following command does not give the result we want:

D:\ads> notepad myfile.txt:hidden

When this command runs, Notepad asks whether you want to create a new file, which is strange, since we already created myfile.txt:hidden. To get the expected result, enter the following commands instead:

D:\ads> echo This is another ADS > myfile.txt:hidden.txt

D:\ads> notepad myfile.txt:hidden.txt

Now the expected content is displayed. Adding an extension to the stream name lets Notepad open the ADS. The same method works for other ADSs, for example:

D:\ads> notepad myfile.txt:np.exe

ADSs are a feature of the NTFS file system. If a file carrying an ADS is moved to another file system such as FAT, FAT32, or ext2, the ADS is lost, because those file systems do not support it; moved between NTFS partitions, the ADS is retained.

Deleting ADSs is relatively simple. Use the following commands:

D:\ads> type myfile.txt > myfile.bat

D:\ads> del myfile.txt

D:\ads> ren myfile.bat myfile.txt

Now check again with lads.exe: all the ADSs are gone.

Running ADSs

In the previous examples we hid executable code in an ADS, which seems useless unless that code can actually be executed. In fact, the start command can execute it. First, create an ADS:

D:\ads> type d:\winnt\notepad.exe > myfile.txt:np.exe

However, on Windows 2000 an error occurs when it is executed, because the path information we supplied is insufficient.

Therefore the path must be given, either absolute or relative. Either of the following commands works:

D:\ads> start d:\ads\myfile.txt:np.exe

D:\ads> start .\myfile.txt:np.exe

Does a Notepad window appear?

When the command runs, the process list shows something more interesting. For example, this is what you see when you run pslist.exe:
Http://www.3389.net/bbs/uploadImages/200212217153098127.jpg
Figure 3
The process name is shown as myfile.txt:

Check the same thing in Task Manager:
Http://www.3389.net/bbs/uploadImages/20021221774639617.jpg
Figure 4

Let's take a look:
Http://www.3389.net/bbs/uploadImages/20021221785933109.jpg
Figure 5


Now look at the process in the XP Task Manager:

Http://www.3389.net/bbs/uploadImages/20021221710248550.jpg
Figure 6

There is another way to run a hidden stream. Create a shortcut on the desktop and enter d:\ads\myfile.txt as the item location. Use the stream you created as sol2.exe (that is, with the command type d:\winnt\system32\sol.exe > myfile.txt:sol2.exe). Now open the shortcut's properties and point the shortcut at d:\ads\myfile.txt:sol2.exe. Notice whether the shortcut icon has changed.

Now double-click the icon to execute the file. See the result:
Http://www.3389.net/bbs/uploadImages/200212217105442063.jpg

Figure 7

Another simple method is to add the full path of the stream directly as a value under the Run key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. The hidden file will then run automatically the next time the system starts.

An ADS can also be launched from the Run dialog, for example file://d:/ads/myfile.txt:sol2.exe.

Administrators who use Perl can execute an ADS with the following code:

my $file = 'd:\ads\myfile.txt:sol2.exe';   # path to the stream, with the colon separator

`$file`;   # backticks hand the path to the shell, which runs the stream

Save the file as ads.pl and run it:

D:\perl> ads.pl

Windows Script Host (WSH) can also execute an ADS:

D:\ads> echo MsgBox "VBS file to test ADSs" > ads.vbs

D:\ads> wscript ads.vbs

D:\ads> type ads.vbs > myfile.txt:ads.vbs

D:\ads> wscript myfile.txt:ads.vbs

Or:

D:\ads> start .\myfile.txt:ads.vbs
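As a defender's counterpart to the detection section above (lads.exe) and to the Run key persistence just described, here is an added example that is not part of the original article and not lads.exe's own code: a small Python script that enumerates the alternate data streams of a file or directory through the Win32 FindFirstStreamW/FindNextStreamW API and flags Run key values that reference a stream. The function names are my own; the Win32 calls exist as used, but the enumeration itself only works on Windows against an NTFS volume (the stream-name and path helpers run anywhere).

```python
import ctypes
import sys


def parse_stream_name(raw):
    """Split a FindFirstStreamW name like ':hidden:$DATA' into (name, type); the unnamed stream is '::$DATA'."""
    body = raw[1:] if raw.startswith(":") else raw
    name, _, stream_type = body.partition(":")
    return name, stream_type or "$DATA"


def is_alternate_stream(raw):
    """True for every $DATA stream except the file's unnamed default stream."""
    name, stream_type = parse_stream_name(raw)
    return stream_type == "$DATA" and name != ""


def looks_like_ads_path(path):
    """Flag a Win32 path such as d:\\ads\\myfile.txt:sol2.exe (e.g. a Run key value):
    a colon that is not the drive separator and is followed by a stream name."""
    tail = path[2:] if len(path) > 1 and path[1] == ":" else path
    idx = tail.find(":")
    return idx > 0 and idx + 1 < len(tail) and tail[idx + 1] not in "\\/"


if sys.platform == "win32":  # the enumeration below needs kernel32 and an NTFS volume
    class _StreamData(ctypes.Structure):  # WIN32_FIND_STREAM_DATA
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36

    _k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _k32.FindFirstStreamW.restype = ctypes.c_void_p
    _k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    _k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    _k32.FindClose.argtypes = [ctypes.c_void_p]
    _INVALID_HANDLE = ctypes.c_void_p(-1).value

    def list_alternate_streams(path):
        """Return [(name, size)] for the ADSs of a file or directory (pass '.' for the directory listing)."""
        data, found = _StreamData(), []
        handle = _k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
        if handle in (None, _INVALID_HANDLE):
            return found  # not NTFS, access denied, or nothing to enumerate
        try:
            while True:
                if is_alternate_stream(data.cStreamName):
                    found.append((parse_stream_name(data.cStreamName)[0], data.StreamSize))
                if not _k32.FindNextStreamW(handle, ctypes.byref(data)):
                    break  # FindNextStreamW returns FALSE with ERROR_HANDLE_EOF when done
        finally:
            _k32.FindClose(handle)
        return found
```

On Windows, list_alternate_streams(r"d:\ads\myfile.txt") reports the np.exe and sol2.exe streams created above with their sizes, and looks_like_ads_path() can be run over each value read from the Run key to spot the persistence described in the text.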


Summary:

ADSs are a feature of NTFS designed for compatibility with HFS. Because they are hard to detect, they are a dangerous matter for administrators. Benny and Ratter of 29A have already published a technique, the W2K.Stream virus, that makes use of ADSs.

Giving up NTFS is not the solution, because NTFS plays a major role in security and reliability. Instead, administrators should set the DACLs (discretionary access control lists) on files and directories correctly, and scan their own systems regularly with tools such as lads.exe.

Some parts of the article were rearranged by me, and some irrelevant content was removed.

The original article can be found at http://patriot.net/~carvdawg/docs/dark_side.html.
