Alternate Data Stream

A relatively unknown compatibility feature of NTFS, Alternate Data Streams (ADS) provides a method of hiding data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.

ADS usage is pretty easy, for instance: the command
“type myrootkit.exe > c:\windows\system32\notepad.exe:myrootkit.exe”
will fork the common windows Notepad program with an ADS “myrootkit.exe.”

Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl, for example:
"start c:\windows\system32\notepad.exe:myrootkit.exe” will launch myrootkit.exe but the process shown on taskmanager is notepad.exe

But how can I detect ADS ? The following tools are able to find them..
CrucialADS :
Streams.exe :
Sfind.exe :
Lads.exe :

More details about ADS are available on: MS Site and also here.
Share on Google Plus

About Vittorio Pavesi

    Blogger Comment
    Facebook Comment

1 commenti:

Anonymous said...

Excellent Article.