Moving a file with an alternative stream. Alternative NTFS streams, or the creation of secret files whose existence is not obvious at first glance

In this topic, I will look at four types of metadata that can be attached to a file or directory using the NTFS file system. I will describe what each type of metadata can be used for and give an example of its use in some Microsoft technology or third-party software.

We will talk about reparse points, object ids and other types of data that a file may contain in addition to its main content.

An object ID is 64 bytes that can be attached to a file or directory. The first 16 bytes uniquely identify a file within the volume and allow it to be opened not by name but by identifier. The remaining 48 bytes can contain arbitrary data.

Object IDs have existed in NTFS since Windows 2000. In the system itself, they are used to track the location of the file that a shortcut (.lnk) refers to. Let's say the file referenced by the shortcut has been moved within the volume. When you launch the shortcut, it will still open. A special Windows service, if the file is not found, will attempt to open the file not by its name, but by a previously created and saved identifier. If the file was not deleted and did not leave the volume, it will open, and the shortcut will again point to the file.

Object identifiers were used in the iSwift technology of Kaspersky Anti-Virus version 7. This is how the technology is described: it was developed for the NTFS file system, in which each object is assigned an NTFS identifier. This identifier is compared with the values in a special iSwift database. If the database values do not match the NTFS identifier, the object is scanned, or rescanned if it has been modified.

However, the overabundance of created identifiers caused problems when checking the disk with the standard chkdsk utility: it took too long. In subsequent versions of Kaspersky Anti-Virus, the use of NTFS object ids was abandoned.

Reparse Point

In the NTFS file system, a file or directory may contain a reparse point (literally, a "reprocessing point"). Special data is added to the file or directory, the file ceases to be a regular file, and it can only be processed by a special file system filter driver.

Windows contains reparse point types that the system itself can process. For example, reparse points implement symbolic links (symlinks) and junction points in Windows, as well as volume mount points in a directory.
The reparse buffer attached to a file has a maximum size of 16 kilobytes. It carries a tag that tells the system what type the reparse point belongs to. When using a reparse buffer of your own type, you must also set a GUID in a dedicated field; Microsoft's own reparse buffers may omit it.

What types of reparse points are there? I will list the technologies that use them: Single Instance Storage (SIS) and Cluster Shared Volumes in Windows Storage Server 2008 R2, Hierarchical Storage Management, Distributed File System (DFS), and Windows Home Server Drive Extender. These are Microsoft technologies. Third-party technologies that use reparse points are not mentioned here, although they exist as well.

Extended Attributes

Extended file attributes were discussed earlier. It is only worth mentioning here that this technology is practically unused under Windows. Of the software I know of, only Cygwin uses extended attributes, to store POSIX permissions. A single file on NTFS can have either extended attributes or a reparse point buffer; setting both at the same time is impossible. The maximum total size of all extended attributes on one file is 64 KB.

Alternate Data Streams

Additional file streams. Probably everyone already knows about them. I will list the main features of this type of metadata: naming (a file can have several streams, each with its own name), direct access from the file system (they can be opened using the format "file name, colon, stream name"), unlimited size, and the ability to launch a process directly from a stream (and to build functionality on top of that).

Streams were used in the iStream technology of Kaspersky Anti-Virus. They are also used in Windows itself: for example, when a file is downloaded from the Internet, a Zone.Identifier stream is attached to it, containing information about where the file came from. When the executable is run, the user may see the message "Unable to verify publisher. Do you really want to run this program?".

This gives the user additional protection against the thoughtless launch of programs obtained from the Internet. This is just one use of streams, and they can store a wide variety of data. The mentioned Kaspersky Anti-Virus stored checksums of each file there, but later this technology was also abandoned for some reason.

Anything else?

There is also the security descriptor, plus the standard file attributes, which are not directly accessible even though they too are implemented as file streams. They, extended attributes, reparse points and object ids are all file streams from the system's point of view. There is no point in changing the security descriptor directly (shown in the following picture as ::$SECURITY_DESCRIPTOR); let the system handle changing it. The system does not provide direct access to the other stream types. That's it.

Viewing the contents of object ids and reparse points, as well as working with extended attributes and alternate file streams, is possible using the program

Visibly-invisibly

Blog reader Victor was unable to run a PowerShell script he had downloaded from the Internet. Reading my instructions carefully would have avoided the problem, but its root cause was not PowerShell's strict security policies.

Victor downloaded from the TechNet gallery an archive, PSWindowsUpdate.zip, containing the Windows Update management script I have talked about. However, the unpacked script refused to work. When I pointed out to the reader that the first step of my instructions covers the need to unblock the archive, everything went like clockwork.

Victor asked to explain why the system blocked the script, and how it knew that the archive was downloaded from another computer.

To be honest, today's topic is not new, but I decided to cover it on my blog for several reasons:

  • Many articles were written back in the days of Windows XP or Windows 7 and do not take into account the built-in capabilities of newer Microsoft operating systems.
  • One of the articles planned for the near future touches on this topic, and it is easier for me to refer to material for the relevance and correctness of which I myself am responsible.
  • The blog has a large audience, and for many readers this topic will still be new :)

Today on the program

NTFS data streams

Windows gets information about the file's origin from an alternate data stream (ADS) of the NTFS file system. In the file properties it modestly says that the file came from another computer, but in reality it knows a little more, as you will see later.

From an NTFS point of view, a file is a collection of attributes. The contents of the file is a data attribute named $DATA. For example, a text file with the line "Hello, World!" has the data attribute "Hello, World!".

In NTFS, the $DATA attribute is a data stream and is called the primary or unnamed stream because it has no name. Formally, it looks like this:

$DATA:""

  • $DATA - attribute name
  • : - delimiter
  • "" - stream name (in this case there is no name: there is nothing between the quotes)

Interesting Features of Alternative Data Streams

In the context of the examples above, I want to make a few interesting points.

Invisible changes

Having created a text file with the first command, you can open it in a text editor and make sure that all further manipulations do not affect the contents of the file in any way.

It gets interesting when the file is opened, say, in Notepad++. This editor can warn you about file changes, and it will do so when you write an alternate stream to the file, even though the content remains the same!

Record and view ADS from CMD

ADS can be created and displayed from the command line. The following commands write hidden text to a second ADS named MyStream2 and then display it.

echo Hidden Text > C:\temp\test.txt:MyStream2
more < C:\temp\test.txt:MyStream2

Viewing ADS in text editors

The same Notepad++ will show you the contents of ADS if you specify the name of the stream on the command line

"C:\Program Files (x86)\Notepad++\notepad++.exe" C:\temp\test.txt:MyStream1


With Notepad, this trick only works if the stream name ends in .txt. The commands below add a third ADS and open it in Notepad.

echo Hidden Text > C:\temp\test.txt:MyStream3.txt
notepad C:\temp\test.txt:MyStream3.txt


Blocking downloaded files

Let's get back to the reader's question. Whether a file gets blocked depends primarily on the program it was downloaded with, and secondarily on the OS settings. All modern browsers support blocking, and it is enabled in Windows.

Remember that when an archive is blocked, all files unpacked from it inherit the block. Also remember that ADS is an NTFS feature, so no blocking occurs when an archive is saved or unpacked on FAT32.

View information about the source of a blocked file

In PowerShell, go to the folder with the downloaded file and look at the information about all of its streams.

Get-Item .\PSWindowsUpdate.zip -Stream *

   FileName: C:\Users\Vadim\Downloads\PSWindowsUpdate.zip

Stream                   Length
------                   ------
:$DATA                    45730
Zone.Identifier              26

As you already know, :$DATA is the contents of the file, but the list also shows an ADS named Zone.Identifier. This is a clear hint that the file was received from some zone.

To find out the zone, you need to read the contents of the ADS.

Get-Content .\PSWindowsUpdate.zip -Stream Zone.Identifier

ZoneId=3

The Unblock-File cmdlet is obviously aimed at batch unblocking (for example, when the archive has already been unpacked). The command below unblocks every file in the Downloads folder whose name contains PS:

Dir C:\Downloads\*PS* | Unblock-File

Of course, there are all sorts of utilities with a graphical interface, even ones that integrate into the context menu. But in my opinion PowerShell, or failing that the streams utility, is quite enough.

How to prevent files from being blocked

The blocking is controlled by the group policy Do not store information about the zone of origin of attached files. As the name suggests, blocking is standard Windows behavior, and the policy allows you to change it.

However, it is not obvious from the name that the policy applies not only to email attachments, but also to files downloaded from the Internet. Read more about the attachment manager in KB883260.

Home editions have no group policy editor, but the registry is still available: SaveZoneInformation.zip.

Other examples of practical application of ADS

The scope of ADS is not limited to adding a downloaded file zone, nor is it necessary to store only text in ADS. Any program can use this NTFS feature to store any kind of data, so I'll just give a couple of examples from different areas.

File Classification Infrastructure


Interesting material, thank you. I learned something new about PowerShell, which is still a little familiar to me :)

I often use WhatsApp to communicate with my family - so far there have been the fewest problems with this service, even my parents have gotten used to it. Kontaktik is also mainly for family, although the exchange of messages there is mainly around published albums with photos and videos. Some relatives remain faithful to Viber - it didn’t work out for me, I just keep it for them, without giving up trying to drag them to WhatsApp.

For work, mainly Slack, when something is urgent - WhatsApp, very urgent - SMS. VKontakte for communication about working with the outside world.

I use Skype only for video calls, mainly with my family. I would gladly replace it with WhatsApp if there were video calls.

urix

Viber now has video calls, and even video calls for the desktop version. So maybe Viber will be the next Skype... in a good way

Andrey Kuznetsov

Interesting material, thank you. I knew about the existence of streams, but I didn't know that it was so easy to work with them through PowerShell.
As for IM: The only complaints I have about Skype are the startup time on Windows Phone. There is no such problem on iPad and Windows. I use it for voice communication when for some reason it is inconvenient to use GSM.
And correspondence via Whatsapp. Having it only on your phone is more of a plus from a privacy standpoint.

  • Andrey Kuznetsov: And correspondence via Whatsapp. Having it only on your phone is more of a plus from a privacy standpoint.

    Andrey, explain what is the plus here?

Pavlovsky Roman

1. I use most often: Skype and Hangouts - for work on a PC, for other correspondence on VKontakte from any device, since work clients usually use Skype, and friends and acquaintances on Social Networks.

2. I would ideally like to use: Jabber - for correspondence and calls from any device. As for me, the client can be installed on any device and correspond with each other wherever the user is, even on a weak Internet connection + in addition, you can deploy your own jabber server and store all correspondence on the server, so that later you can quickly find the necessary correspondence, if the client does not know how to store history, and plugins for calls via Jabber can be found (for example, through the same SIP Asterisk 1.8+)

Andrey Bayatakov

Most often I use WhatsApp (mainly for work), for calls (audio/video/international calls) Skype. Although desktop Skype is terribly infuriating (I have a transformer and at home I use it mainly as a tablet)… Viber has not caught on. To make calls via WhatsApp you just need to have nerves of steel. You say something to your interlocutor and wait a minute or two for him to hear you (50Mbit connection)…
If there was an opportunity, I would completely switch to Skype. On Windows 10 Mobile, after a recent update, messages from Skype come directly to the built-in Messages application (like SMS), which is very convenient.

Maxim

1. Reluctantly, I use ICQ (for retrograde customers) and Slack (for more modern ones).
2. I would like to use Jabber - for the same reasons as Roman Pavlovsky above.

Vladimir Kiryushin

Hello Vadim!
Before this article, I read your article about how to read the report of scanning the entire system disk using the chkdsk command. Great article! Thanks to her, today after checking the system disk with the chkdsk command, I received a text file of the report. And this article also clarifies a lot of things about the PowerShell program. Some things are incomprehensible to me as a pensioner, but I try not to panic and read diligently to the end. Thank you for the study you are doing with us! All the best to you!

Lecron

What browsers and downloaders create this stream?

What other options are there for the user to use streams? And in particular, for a script-writing user? Because, although I have known about them for a long time, I have never used them. When actually working with a computer, you simply don't remember about them, and because of this you may end up using crutches instead of a convenient tool, and without such practice, from memory, you can't come up with anything.
I only thought of one option. A comment to the file, if there is no possibility or desire to write long text in the file name. But this requires support from the file manager, who previously, and even now, writes them to descript.ion or files.bbs.

Speed Guru

Another garbage technology like the USN journal. How much use will you get from ZoneIdentifier, or from a virus attached to a file or folder? None, of course. Moreover, this clutters the system with unnecessary "sub-files" that a normal user does not need in any way. Every extra read of the MFT directory and the other operations associated with maintaining alternate streams means extra wasted processor cycles, RAM, and most importantly extra load on the hard drive.
You can tell me that this technology is very necessary for the system. But this is nonsense: the system would work perfectly without streams. But no one asks the user; they sold it (like the USN journal) and gave no way to completely disable the maintenance of these streams. But as a user, I don't need them at all, and I think you feel the same…
All we can do is "streams -s -d %systemdrive%". But even this does not make it possible to delete streams on the system partition.

Alexiz Kadev

Named streams are a great thing, and they existed, as far as I remember, from the first release of NTFS. It’s quite convenient to store, for example, document versions in named streams, which, if I’m not mistaken, a number of applications have done. But there remains an ambush with copying to another file system - named streams are simply cut off.

It’s a pity that it was impossible to select several messengers in the poll: I use several, since some of my contacts prefer certain ones. So, I use WhatsUp, ICQ (though, of course, not a native client), Skype, SkypeforBusiness (quiet horror, not a client, however, when it was called Lync it was even worse) and Viber (here there is more spam than in others at least once at 5).
And ideally, use just one, like Miranda with plugins, since finding, if necessary, who said/wrote something when in this whole bunch is simply unrealistic. But alas, a number of manufacturers close their protocols and protect them like Kashchei protects his needle.

  • VSh

    Vadim Sterkin: Roman, I did not include Jabber in the survey. I decided that few people use it and there are no prospects.

    In vain
    For example, I use OpenFire (freeware xmpp) as an office communicator on several domains.

    Therefore, my main one is XMPP (Pidgin.exe, Spark.exe), but 99.8% of these messages are intradomain.
    Skype - for external IM
    WhatsApp and Viber are for “random connections”, the last n months have been nothing but SPAM, I’m thinking – should I delete it?

  • Artem

    For some reason everything is on Viber. And the quality of communication is quite satisfactory. Otherwise there would be a telegram. It's empty there.

    hazet

    1. Skype (on PC) and Viber (on Mobile). The reasons are basically the same as for most - the number of available contacts and, naturally, the reluctance of these same contacts to switch to another messenger.
    2.uTox. Miniature, nothing superfluous, client for Win, Linux, Mac and Android. Positioned as protected.
    P.S. I'll start dragging my contacts onto it more tightly :-)

    Evgeniy Karelov

    Thank you for your work!

    Regarding the survey, I use QIP 2012 on my PC for correspondence, to which ICQ, VKontakte and other contacts are connected. Personally, it’s convenient for me to use one program to communicate over several protocols. And the ability to view social media feeds from one place is very pleasing. Ideally, the only thing missing is support for Skype, which I use for voice communication, but it obviously won't appear.
    Although this program looks “abandoned”, because there have been no updates for a long time, it performs its assigned functions perfectly.

    strafer

    An interesting mixture of the topic of the post about data flows and the IM survey.

    According to the survey: Jabber/Jabber, which you shouldn’t have included in the list, although there is WhatsApp based on XMPP, and even Asechka, which is heading towards success.

    Jabber, in general, solves all these problems due to the openness of the protocol, the availability of clients for many platforms, and the availability of servers that can be set up independently. But chewing cacti is more traditional, yes.

    • The list includes clients, not protocols.
      ICQ... well, I didn’t put emoticons there, because it should be clear.
      Jabber definitely doesn't solve one problem - no one is there.

      • strafer

        Vadim Sterkin: Clients are listed, not protocols.

        Due to the fact that the protocol and source codes of the official client are closed, a natural identity is established between the only client and the protocol.

        Vadim Sterkin: ICQ... well, I didn’t put emoticons there, because it should be clear.

        It is not enough for the rotten mail girl that the asechka dies a natural death - they also make additional efforts to make it die faster.

        Vadim Sterkin: Jabber definitely doesn't solve one problem - there's no one there.

        Nevertheless, you yourself wrote for Telegram

        looks great, but it's empty (which can be fixed)

        Jabber had every chance of becoming what the e-mail ecosystem is today (complete openness of the protocol, the ability to set up your servers for anyone and ensure interaction between servers, etc.), but corporations do not need this, which is clearly seen in the example of the departure from him Google or proprietary WhatsApp.

        • For Telegram - fixable, for Jabber - very unlikely. Therefore, the first one is on the list, but the second one is not.

          • strafer

            Of course, Telegram is stylish, fashionable, youthful, but Jabber is not used by anyone cool like Pasha Durov. What are the prospects here?

            Hm... come out of your tank of “the whole world is against free software” conspiracy theories. All much easier

            If it’s not clear, this is what a person’s first experience of interacting with the officially recommended Jabber client on the most common mobile platform looks like.

            strafer

          • I didn’t understand a little where in my comment about the conspiracy.

            Yes, everywhere :) You are trying to attribute the failures of jabber to unfashionability and lack of youth, while its clients from the first screen are not adapted to modern reality.

            What should I see in the screenshot?

            Prompt to enter a phone number

          • strafer

            strafer: You are trying to attribute the failures of jabber to being unfashionable and not youthful

            Well, if that's the case.

            strafer: while its clients from the first screen are not adapted to modern reality.

            I.e. to the current fashion, such as disclosing your phone number to everyone. Because I don't understand why it should be entered if it is not needed for the operation of the system; as for me, it is absolutely wonderful that it is not asked for here.

            Actually, I abandoned the account, despite the few remaining contacts there, precisely for this reason - Meirushechka, in an ultimatum form, demanded to link the phone number to the account, as a result of which she was sent to known coordinates.

            Yes, you don’t understand, even after explanations with pictures... This is not fashion, this is the only way to simplify registration from mobile devices, which form the basis of the audience of modern messengers and the only source for its growth.

            strafer

            The screenshot shows a request for a name, password and optional nickname. Where should we simplify more? Or, apart from the students of special schools, there are no more reserves left for audience growth, and there needs to be one button “do it for the sake of it”?
            Why is there a phone number at all and what should the messenger do with the phone number?

  • The article was written for Hacker magazine in 2004. It was published in issue 09/04 (69) under the title “Destructive Currents”.

    When you take over another NT system and install your own homemade spyware into it, you need to solve the problem of storing the collected information on the victim’s computer. Usually the log is written to a simple file in a directory with a large number of files, for example, in system32.

    NTFS Features

    This is a common, but far from the best way to hide information on your local computer. There is a chance that the user will notice an extra, constantly updated file that suddenly appeared in his system directory. Append a log to an already existing file? First you need to find a file to which adding information will not spoil its contents. What about saving information in a place that will not be visible either from Explorer, or from the command line, or from any file manager? The NTFS file system provides us with this opportunity. You rarely see it on a regular home PC, since most users still prefer FAT32, even those running XP. But on the local network of a company running Win2k/XP, NTFS is almost certainly used, because this file system provides such capabilities as assigning access rights to users, encryption and file compression. Additionally, NTFS is much more secure than FAT32. So the data hiding method that I will describe is ideal for industrial espionage. With the advent of Longhorn, NTFS has a chance to find a home on home computer drives, as the upcoming WinFS file system, based on NTFS, promises additional information organization and search capabilities that should attract ordinary users.

    Attach any data to the file

    The method is to save data not to a file, as usual, but to an NTFS file stream. The stream can be attached to another file (in this case, its size does not change, and the data remains untouched, which means that utilities that check file checksums will not notice the changes), to a directory, or to a disk. NTFS Alternate File Streams is one of the features of NTFS that has been present in it since the earliest versions of Windows NT. It lies in the fact that one file can have several threads containing data, and only the main thread in which the contents of the file is stored is available to the user. There is something similar in the HFS file system on Macintoshes. There, streams are called forks. Until recently, they were used as file resource storage or contained information about the file type. With the advent of MacOS X, Apple recommended placing resources in separate files and identifying file types by extensions. But branching support still remains. On Windows, streams are typically used to store some additional information about a file. For example, a stream might contain a summary of a document. If the system is on an NTFS disk, then the explorer.exe file probably contains a summary. Depending on the summary content, streams named SummaryInformation, DocumentSummaryInformation, and several others may be attached to the file. On my computer I found a thread named $MountMgrRemoteDatabase attached to the C drive.

    The user can find out about streams attached to a file only in some cases, for example, when copying a file with an attached stream to a disk with FAT/FAT32. These file systems do not support them, so the system will prompt you to confirm the loss of information in the streams, indicating their names. Of course, this situation will never arise if the stream is attached to a disk or to a system folder. It is not necessary to use threads for spying purposes. If you are a developer of shareware programs, then you can easily use streams to store information about registration, the number of days until the expiration date, in a word, everything that should be hidden from the user of your program.

    Working with Threads

    There are both similarities and differences in working with files and streams, and the similarities are few. Both files and their streams are created and deleted by the same WinAPI functions, CreateFile and DeleteFile. Reading and writing are implemented, respectively, by the ReadFile and WriteFile functions. This is where the similarities end; only differences follow.

    Stream names may contain special characters that cannot be part of a normal file name, such as "*", "?", "<", ">", "|" and the quote character. In general, any stream name is stored in Unicode. Control characters from the range 0x01 – 0x20 can also be used. There is no standard function for copying or moving a stream: MoveFile and CopyFile do not work with streams. But nothing stops you from writing your own functions. Streams do not have their own attributes or creation and access dates; they are inherited from the file they are attached to.

    If the file itself contains any data, then it too can be represented as a stream. Stream names are displayed as "filename:streamname:attribute". The standard attribute of the stream in which the data resides is called $DATA. There are many other attributes whose names also begin with the "$" sign. The contents of the file are in an unnamed stream (filename::$DATA). This property of the file system, representing the contents of a file as a stream, was associated with a bug in older versions of Microsoft IIS: someone who wanted to read the text of a script on a vulnerable server simply appended "::$DATA" to its name, and the server, instead of executing the script, returned its source code.

    Working with streams is similar to working with files. Take a look at Listing 1. This is a simple example of a program that creates a file with a stream and writes information to it. After running the program, an empty "testfile" file will appear in its directory. You can see the contents of the attached stream by typing "more < testfile:stream" on the command line.
    As you can see, the stream name is given after the file name, separated from it by a colon. The hardest part of working with streams is getting the list of them for a particular file. There is no standard function, so you will have to write it yourself. Let's write a small console program that returns the list of streams for a given file name. The guys at Sysinternals have such a program, with open source code, and it works, but I did not like their approach. They use Native API calls, so their code is large and hard to understand. We will write our own program that works from the command line, with a simpler algorithm and standard API functions.

    Getting a list of threads

    The algorithm is based on the BackupRead function, which is designed for backing up files. When you back up a file, it is important to save as much data as possible, including file streams. The information is taken from the WIN32_STREAM_ID structure, from which you can get the stream name, its type and size. We only need streams of type BACKUP_ALTERNATE_DATA. All the functions and structures are described in the winnt.h header file. First you need to open the file for reading using CreateFile. In the dwFlagsAndAttributes parameter, you must specify the FILE_FLAG_BACKUP_SEMANTICS flag, which allows you to open not only files but also directories. Then we run a while loop that reads information about the file into the sid structure, from which we get the information about each stream. Before the next pass of the loop, we clear the structure and move the file pointer to the next stream using the BackupSeek function. After all the streams are found, we free the lpContext containing service information and close the file. The source code of the program is shown in Listing 2. You can take the already compiled program from our disk. To work with streams, it is not necessary to write special programs; some things can be done directly from the command line. Some examples are shown in the box.

    Detection

    Once a stream of information is attached to something, its contents are difficult to access without knowing its name. If a stream is attached to a logical volume, Windows has no standard tools at all to detect it. Because a stream name may contain characters that are not allowed in regular file names, this creates additional difficulties when trying to read the contents of the stream from the command line. The document summary content is typically stored in a stream whose name contains the character code 0x05. This character can be typed in the console (Ctrl+E), but if it were the character 0x10 or 0x13 (carriage return and line feed), it would be impossible to type them. Theoretically, you can find out about attached streams by chance, using some software that is likely to be on your computer. WinRAR has an option which, if enabled, may make you notice that the size of a small file placed in an archive not only does not decrease but even increases (because the data in the streams is also placed in the archive). This may raise suspicions. A program for monitoring access to the file system, FileMonitor from the same Sysinternals, does not distinguish between access to files and access to streams. Accordingly, a careful study of the disk access log of a suspicious program (your keylogger) will reveal both the name of the stream where the log is written and the name of the file to which it is attached.

    Viruses

    In September 2000 the first virus appeared that used alternate file streams to spread. W2k.Stream was the first representative of a new type of virus, the stream companion. It looks for .exe files in its directory and, if it finds one, begins the infection process. An additional stream is attached to the file, the virus moves the contents of the original file into it, and then the body of the virus is copied into the main stream of the file. When the infected file is run, the virus again tries to infect files in its directory and then launches the program from the additional stream. Indeed, with the CreateProcess function you can start a process from a stream. Moreover, the file with the stream can then be safely deleted, but the process will remain. Just a fairy tale for the Trojans! Despite the fact that almost four years have passed since W2K.Stream appeared, not all antiviruses are yet able to detect malicious code in file streams. Therefore the emergence of new worms and viruses that use them can pose a serious danger.

    Other viruses that use streams

    In addition to W2K.Stream, streams have found application in other viruses and worms. The first worm to use file streams was I-Worm.Potok. This little beast attaches several streams to the odbc.ini file in the Windows directory and stores there the scripts for sending itself by mail. Another virus is W2k.Team. Descriptions of these and other similar viruses can be found on the website http://www.viruslist.com/

    Working with streams from the console

    Creating a file with a stream:
    type nul > somefile.txt:Stream

    Write to stream:
    echo "Something" >> somefile.txt:Stream

    Reading from a stream:
    more< somefile.txt:Stream

    Copying the contents of an existing file to a stream:
    type file1.txt >> somefile.txt:Stream

    Copying the contents of a stream to a file:
    more< somefile.txt:Stream >> file2.txt

    Removing streams

    There is an opinion that a stream can only be deleted together with the file to which it is attached. This is wrong. If you know the name of the stream, then you can always delete it with the standard DeleteFile function.

    Listing 1. Example of creating a stream.

    #include <windows.h>

    int main()
    {
        DWORD dwRet;
        // Opening "testfile:stream" creates the file if needed and the named stream inside it
        HANDLE hStream = CreateFile("testfile:stream", GENERIC_WRITE, FILE_SHARE_WRITE,
                                    NULL, OPEN_ALWAYS, 0, NULL);
        if (hStream == INVALID_HANDLE_VALUE) return 1;
        // 17 bytes: the 16 characters of the text plus the terminating NUL
        WriteFile(hStream, "This is a stream", 17, &dwRet, NULL);
        CloseHandle(hStream);
        return 0;
    }

    Listing 2. X-Stream: Program showing a list of streams

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <stddef.h>

    int main(int argc, char *argv[])
    {
        WIN32_STREAM_ID sid;
        DWORD dw1, dw2, dwRead;
        INT numofstreams = 0;
        // Buffer for the stream name in Unicode format (BackupRead does not NUL-terminate it)
        WCHAR wszStreamName[MAX_PATH + 1];
        LPVOID lpContext = NULL;

        if (argc < 2) {
            printf("Usage: %s <file, directory or disk>\n", argv[0]);
            return 1;
        }
        ZeroMemory(&sid, sizeof(WIN32_STREAM_ID));

        /*
         * Open the file for reading with the FILE_FLAG_BACKUP_SEMANTICS flag,
         * which allows us to open not only files but also directories and disks.
         */
        HANDLE hFile = CreateFileA(argv[1], GENERIC_READ, FILE_SHARE_READ,
                                   NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
        if (hFile == INVALID_HANDLE_VALUE) {
            printf("\nError: Couldn't open file, directory or disk %s\n", argv[1]);
            exit(0);
        }
        // Size of the fixed header: everything before the variable-length cStreamName
        DWORD dwStreamHeaderSize = offsetof(WIN32_STREAM_ID, cStreamName);
        printf("\nStreams information for %s:\n", argv[1]);

        while (BackupRead(hFile, (LPBYTE)&sid, dwStreamHeaderSize, &dwRead, FALSE, TRUE, &lpContext)) {
            // If nothing was read or the stream type is invalid, we stop the loop
            if (dwRead == 0 || sid.dwStreamId == BACKUP_INVALID) break;
            ZeroMemory(wszStreamName, sizeof(wszStreamName));
            // Get the stream name; it has to fit in our buffer
            if (sid.dwStreamNameSize > sizeof(wszStreamName) - sizeof(WCHAR)) break;
            if (sid.dwStreamNameSize > 0 &&
                !BackupRead(hFile, (LPBYTE)wszStreamName, sid.dwStreamNameSize, &dwRead, FALSE, TRUE, &lpContext))
                break;
            if (sid.dwStreamId == BACKUP_DATA || sid.dwStreamId == BACKUP_ALTERNATE_DATA) {
                numofstreams++;
                printf("\n\nStream\t\t#%u", numofstreams);
                switch (sid.dwStreamId) {
                case BACKUP_DATA:
                    printf("\nName:\t\t::$DATA");
                    break;
                case BACKUP_ALTERNATE_DATA:
                    printf("\nName:\t\t%ls", wszStreamName);
                    break;
                }
                printf("\nSize:\t\t%llu\n", (unsigned long long)sid.Size.QuadPart);
            }
            // Move to the next stream (skip this stream's data without reading it)
            BackupSeek(hFile, sid.Size.LowPart, sid.Size.HighPart, &dw1, &dw2, &lpContext);
            ZeroMemory(&sid, sizeof(WIN32_STREAM_ID));
        }
        // Release the context holding BackupRead's service information, then close the file
        BackupRead(hFile, NULL, 0, &dwRead, TRUE, FALSE, &lpContext);
        CloseHandle(hFile);
        return 0;
    }
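Listing 2 and the description of its algorithm depend on the record layout BackupRead hands back: a 20-byte WIN32_STREAM_ID header (dwStreamId, dwStreamAttributes, Size, dwStreamNameSize), then the stream name as UTF-16LE without a terminator, then Size bytes of stream data. The Python parser below is an added example, not part of the magazine article or its X-Stream program: it walks a constructed byte sequence in that layout, lists the $DATA streams the way Listing 2 prints them, and escapes non-printable characters in names, such as the 0x05 in the summary-information stream mentioned under Detection. The sample records are constructed; the stream ids (BACKUP_DATA = 1, BACKUP_SECURITY_DATA = 3, BACKUP_ALTERNATE_DATA = 4) are the Win32 constants.

```python
import struct
from dataclasses import dataclass

# Stream type ids from the WIN32_STREAM_ID.dwStreamId field (Win32 constants)
BACKUP_INVALID = 0
BACKUP_DATA = 1            # the unnamed ::$DATA stream
BACKUP_SECURITY_DATA = 3   # security descriptor, not a data stream
BACKUP_ALTERNATE_DATA = 4  # a named alternate data stream

# Fixed part of WIN32_STREAM_ID: dwStreamId, dwStreamAttributes,
# Size (LARGE_INTEGER), dwStreamNameSize; cStreamName follows at offset 20.
HEADER_FMT = "<IIqI"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 20


@dataclass
class StreamRecord:
    stream_id: int
    name: str      # raw name as BackupRead reports it, e.g. ":stream1:$DATA"
    size: int
    data: bytes


def parse_backup_stream(buf: bytes) -> list[StreamRecord]:
    """Walk a BackupRead byte sequence: header, UTF-16LE name, then Size bytes of data."""
    records = []
    pos = 0
    while pos + HEADER_SIZE <= len(buf):
        stream_id, _attrs, size, name_size = struct.unpack_from(HEADER_FMT, buf, pos)
        if stream_id == BACKUP_INVALID:  # same stop condition as Listing 2
            break
        pos += HEADER_SIZE
        if size < 0 or pos + name_size + size > len(buf):
            raise ValueError(f"truncated stream record at offset {pos - HEADER_SIZE}")
        name = buf[pos:pos + name_size].decode("utf-16-le")
        pos += name_size
        data = buf[pos:pos + size]
        pos += size
        records.append(StreamRecord(stream_id, name, size, data))
    return records


def printable_name(name: str) -> str:
    """Escape control characters (e.g. the 0x05 in the summary-information stream name)."""
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in name)


def list_data_streams(buf: bytes) -> list[tuple[str, int]]:
    """Report the $DATA streams the way Listing 2 prints them: (name, size)."""
    out = []
    for r in parse_backup_stream(buf):
        if r.stream_id == BACKUP_DATA:
            out.append(("::$DATA", r.size))
        elif r.stream_id == BACKUP_ALTERNATE_DATA:
            out.append((printable_name(r.name), r.size))
    return out


def encode_record(stream_id: int, name: str, data: bytes) -> bytes:
    """Build one record in BackupRead's layout (used only to construct the sample input)."""
    name_bytes = name.encode("utf-16-le")
    return struct.pack(HEADER_FMT, stream_id, 0, len(data), len(name_bytes)) + name_bytes + data


# Constructed sample: what BackupRead would hand back for a file with a main stream,
# a security descriptor, two named streams and a summary-information stream.
SAMPLE = (
    encode_record(BACKUP_DATA, "", b"This is main stream\r\n")
    + encode_record(BACKUP_SECURITY_DATA, "", b"\x01\x00\x04\x80" + b"\x00" * 16)
    + encode_record(BACKUP_ALTERNATE_DATA, ":stream1:$DATA", b"This is alternate stream\r\n")
    + encode_record(BACKUP_ALTERNATE_DATA, ":Zone.Identifier:$DATA", b"[ZoneTransfer]\r\nZoneId=3\r\n")
    + encode_record(BACKUP_ALTERNATE_DATA, ":\x05SummaryInformation:$DATA", b"\xfe\xff\x00\x00")
)

if __name__ == "__main__":
    for number, (name, size) in enumerate(list_data_streams(SAMPLE), 1):
        print(f"Stream #{number}\tName: {name}\tSize: {size}")
```

The parser stops on BACKUP_INVALID exactly as the C loop does and refuses a record whose name or data runs past the end of the buffer, which is the case Listing 2 has to handle when the name buffer is too small.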
    Alternate Data Stream (AltDS) support was added to NTFS for compatibility with the Macintosh file system HFS, which used a resource stream to store icons and other file information. The use of AltDS is hidden from the user and is not accessible through normal means. Explorer and other applications work with the standard stream and cannot read data from the alternative stream. With AltDS you can easily hide data that cannot be detected by standard system checks. This article gives basic information about how AltDS work and how to detect them.

    Creation of AltDS

    Creating an AltDS is very easy. To do this, we will use the command line. First, let's create a base file to which we will attach our streams.
    C:\>echo Just a plan text file>sample.txt

    C:\>type sample.txt
    Just a plan text file


    Next, we'll use a colon as an operator to indicate that we'll be using AltDS:
    C:\>echo You can't see me>sample.txt:secret.txt

    You can use the following commands to view the content:
    C:\>more< sample.txt:secret.txt

    or
    C:\>notepad sample.txt:secret.txt

    If everything works well, you will see the text "You can't see me", but when the file is opened from Explorer this text will not be visible. You can attach an AltDS not only to a file but also to a folder. To do this, create a folder and attach some text to it:
    C:\>md stuff
    C:\>cd stuff
    C:\stuff>echo Hide stuff in stuff>:hide.txt
    C:\stuff>dir
     Volume in drive C has no label.
     Volume Serial Number is 40CC-B506

     Directory of C:\stuff

    09/28/2004  10:19 AM    <DIR>          .
    09/28/2004  10:19 AM    <DIR>          ..
                   0 File(s)              0 bytes
                   2 Dir(s)  12,253,208,576 bytes free
    C:\stuff>notepad :hide.txt

    Now you know how to view and edit an attached AltDS using Notepad, as well as how to attach it to files and folders.

    Hiding and launching applications

    Hiding applications using AltDS is as easy as hiding text files. First, let's create the base file again:
    C:\WINDOWS>echo Test>test.txt
    Next, let's place our application in a stream, for example I used notepad.exe:
    C:\WINDOWS>type notepad.exe>test.txt:note.exe

    Now let’s make sure that our file contains the same text:
    C:\WINDOWS>type test.txt
    Test

    And now the fun part, let’s launch our hidden application:
    C:\WINDOWS>start .\test.txt:note.exe
    C:\WINDOWS>

    Since this article is not a complete translation of the article taken, it is formatted as a simple topic. Additional techniques can be found at the link provided.

    UPD:

    Utilities for working with AltDS (list taken from the article linked above):

    LADS - List Alternate Data Streams by Frank Heyne
    www.heysoft.de/Frames/f_sw_la_en.htm

    Streams.exe from SysInternals.

    The NTFS file system has many interesting features, one of which is the presence of alternative data streams (Alternate Data Stream, ADS). Their essence is that each file in NTFS is a set of streams in which data is stored. By default, all data is in the main stream, but if necessary, additional, alternative data streams can be added to the file.

    Note. Alternative data streams in NTFS appeared a long time ago, back in Windows NT. They were created for compatibility with the HFS file system, then used on MacOS. HFS stored file data in a special resource stream.

    Files in NTFS are divided into attributes, one of which is $DATA, the data attribute. Streams are additional properties of the $DATA attribute. By default there is one main stream, $DATA:"". As you can see, it has no name, so it is called unnamed. If you wish, you can also create additional named streams, for example $DATA:"Stream1". Each file in NTFS can have several data streams containing different, unrelated data.

    All data written to a file ends up in the main data stream by default. When we open a file we see exactly the main stream, while alternative streams are hidden from the user and are not displayed by normal means, although some programs can read the data hidden in them. You can also work with streams from the command line.

    For example, let's open the console and use the echo command to create a text file streams.txt and write the text into it:

    echo This is main stream>streams.txt

    And with the following command we will write the text to the alternative stream stream1:

    echo This is alternate stream>streams.txt:stream1

    If we now open the streams.txt file in any text editor, we will see only the first entry; the text “This is alternate stream” will remain hidden. You can read the information hidden in stream1 with the command:

    more<streams.txt:stream1

    Alternative streams can be added not only to individual files, but also to directories. For example, let's add an alternative stream stream2 containing the text “Hide stream in Streams” to the current Streams directory:

    echo Hide stream in Streams>:stream2

    And output stream2 with the following command:

    more<:stream2

    Alternate stream content can be opened in more than just the console. For example, Notepad can also access data hidden in streams if you specify the name of an alternative stream in the file name, separated by a colon. Let's repeat the previous example, slightly changing the stream name to stream1.txt:

    echo This is alternate stream>streams.txt:stream1.txt

    And open an alternative stream in notepad with the command:

    notepad streams.txt:stream1.txt

    Note. Standard Notepad requires a txt extension in the stream name, otherwise it will not be able to open it. More advanced editors, such as Notepad++, can show the contents of an alternative stream, regardless of its name.

    The presence of alternative streams on a file is not shown in any way by Explorer or other file managers. The easiest way to find them is the command dir /R (available starting with Windows Vista), which lists all data streams, including alternative ones.
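A defender who has collected dir /R output from a machine still has to pick the alternate streams out of the listing and decide which ones deserve a look. The following Python is an added example and not part of the original article: it parses dir /R output (in that format a stream line carries only a size and the name file:stream:$DATA, with no date or time) into a map of file to streams and then flags streams by simple heuristics. The listing is constructed to match the files built up in this article; the file sizes, the 1 KB size threshold and the list of executable-looking extensions are assumptions, and Zone.Identifier is skipped because the Usage section below explains that Windows itself writes it.

```python
import re

# Constructed dir /R listing of the Streams directory from the article; the sizes are invented.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 40CC-B506

 Directory of C:\\Streams

09/28/2004  10:19 AM    <DIR>          .
09/28/2004  10:19 AM    <DIR>          ..
                                    24 .:stream2:$DATA
09/28/2004  10:20 AM                21 streams.txt
                                    26 streams.txt:stream1:$DATA
09/28/2004  10:22 AM                 9 picture.txt
                                45,112 picture.txt:pic1.jpg:$DATA
09/28/2004  10:25 AM                 6 test.txt
                                69,120 test.txt:note.exe:$DATA
09/28/2004  10:30 AM             1,024 setup.zip
                                    26 setup.zip:Zone.Identifier:$DATA
               4 File(s)          1,060 bytes
               2 Dir(s)  12,253,208,576 bytes free
"""

# A normal entry: date, time, <DIR> or size, name
ENTRY_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?:<DIR>|[\d,]+)\s+(.+?)\s*$")
# An alternate stream entry: leading blanks, size, then owner:stream:$DATA
ADS_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")


def parse_dir_r(output: str) -> dict[str, list[tuple[str, int]]]:
    """Map every file or directory in a dir /R listing to its alternate streams as (name, size)."""
    streams: dict[str, list[tuple[str, int]]] = {}
    for line in output.splitlines():
        m = ADS_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.setdefault(m.group(2), []).append((m.group(3), size))
            continue
        m = ENTRY_RE.match(line)
        if m:
            streams.setdefault(m.group(1), [])  # entry without streams so far
    return streams


EXPECTED_STREAMS = {"Zone.Identifier"}  # written by Windows for downloaded files
EXECUTABLE_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")
LARGE_PAYLOAD = 1024  # bytes; arbitrary triage threshold (assumption)


def suspicious_streams(streams: dict[str, list[tuple[str, int]]]) -> list[tuple[str, str, int, str]]:
    """Return (owner, stream, size, reason) for streams a responder would want to examine."""
    findings = []
    for owner, entries in streams.items():
        for name, size in entries:
            if name in EXPECTED_STREAMS:
                continue
            if name.lower().endswith(EXECUTABLE_EXT):
                reason = "executable-looking stream name"
            elif size > LARGE_PAYLOAD:
                reason = "large hidden payload"
            else:
                reason = "unexpected alternate stream"
            findings.append((owner, name, size, reason))
    return findings


if __name__ == "__main__":
    for owner, name, size, reason in suspicious_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(f"{owner}:{name}\t{size} bytes\t{reason}")
```

Streams attached to a directory show up under the "." entry, which is why the parser keeps directory entries as well as files.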

    You might think that alternative streams are limited to text data. This is not true at all, and absolutely any information can be stored in alternative streams. For example, let's create a picture.txt file and add the pic1.jpg stream to it, into which we will place the image of the same name:

    echo Picture>picture.txt
    type pic1.jpg>picture.txt:pic1.jpg

    Thus, outwardly we have a regular text file, and to open an image from an alternative stream in the Paint graphic editor, we use the command:

    mspaint picture.txt:pic1.jpg

    In a similar way you can add any data to any type of file: images to text files, text to media files, and so on. Interestingly, alternative content does not increase the apparent file size: for example, if you add a 30GB HD video to a 1kB text file, Explorer will still show the file size as 1kB.

    You can also hide executable files in alternative streams. For example, take the test.txt file and add the Notepad application (notepad.exe) to the alternative note.exe stream:

    type notepad.exe>test.txt:note.exe

    And to launch a hidden notepad we will use the command:

    start .\test.txt:note.exe

    By the way, some malicious programs take advantage of this opportunity by adding executable code to alternative NTFS streams.

    Streams utility

    There are several third-party utilities for working with alternative streams, such as the Streams console utility from Sysinternals. It can detect the presence of alternative streams and remove them. The utility does not require installation; just unpack it and run it. For example, let's check for streams in the Streams folder with the command:

    Streams.exe -s C:\Streams

    And remove alternative streams from the streams.txt file:

    Streams.exe -d C:\Streams\streams.txt

    PowerShell

    PowerShell can also work with alternative streams - create, detect, display their contents, and even delete them. For example, let's create a text file:

    New-Item -Type file -Path C:\Streams\stream.txt

    Let's add text to the main stream:

    Set-Content -Path C:\Streams\stream.txt -Value "Main stream"

    And to an alternative stream named Second:

    Set-Content -Path C:\Streams\stream.txt -Value "Second stream" -Stream Second

    Then we will output the contents of the main

    Get-Content -Path C:\Streams\stream.txt

    and alternative streams:

    Get-Content -Path C:\Streams\stream.txt -Stream Second

    In order to detect the presence of alternative streams, you can use the command:

    Get-Item -Path C:\Streams\stream.txt -Stream *

    And you can remove unnecessary streams with the command:

    Remove-Item -Path C:\Streams\stream.txt -Stream *

    Usage

    Alternative streams are used both by Windows itself and by some programs. For example, Internet Explorer divides the network into 4 security zones and when downloading files, it adds tags to them that contain information about the zone from which they were downloaded.

    These tags are stored in an alternative stream and represent a number from 0 to 4:

    Internet (3)
    Local network (1)
    Trusted sites (2)
    Dangerous sites (4)
    Local computer (0)

    To see this for yourself, go to the downloads folder, take a file downloaded from the Internet and check it for alternative streams. It contains a stream named Zone.Identifier, which holds the string ZoneID=3.

    This means that the file belongs to an untrusted Internet zone, and you need to be careful when opening it. Some programs, such as Word, read this data when you open the file and issue a warning accordingly.
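Programs like Word act on the marker by reading the Zone.Identifier stream, which is a small INI fragment with a [ZoneTransfer] section. The parser below is an added example, not part of the original article: it turns that text into the zone number and the zone name from the list above, returns any other keys in the section verbatim, and rejects text that is not a usable marker (no section, no ZoneId, or a non-numeric value). Key lookup is case-insensitive, so both the article's spelling ZoneID and the form ZoneId are accepted; the sample stream contents, including the HostUrl key, are constructed.

```python
import configparser

# Zone numbers as the article lists them (Internet Explorer security zones)
ZONE_NAMES = {
    0: "Local computer",
    1: "Local network",
    2: "Trusted sites",
    3: "Internet",
    4: "Dangerous sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse the text of a Zone.Identifier stream: an INI fragment with a [ZoneTransfer] section.

    Returns the numeric zone, its name and any other keys of the section (lower-cased, as
    configparser stores them). Raises ValueError for anything that is not a usable marker.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text.replace("\r\n", "\n"))  # the stream is written with CRLF line ends
    except configparser.Error as exc:
        raise ValueError(f"malformed Zone.Identifier stream: {exc}") from None
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")
    section = cp["ZoneTransfer"]
    raw = section.get("ZoneId")  # lookup is case-insensitive (ZoneID / ZoneId)
    if raw is None:
        raise ValueError("ZoneId key missing")
    try:
        zone_id = int(raw)
    except ValueError:
        raise ValueError(f"ZoneId is not an integer: {raw!r}") from None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown zone"),
        "extra": {k: v for k, v in section.items() if k != "zoneid"},
    }


def is_untrusted(text: str) -> bool:
    """True when the marker says the file came from the Internet (3) or a dangerous site (4)."""
    return parse_zone_identifier(text)["zone_id"] >= 3


if __name__ == "__main__":
    # Constructed sample of what the stream on a downloaded file contains
    sample = "[ZoneTransfer]\r\nZoneId=3\r\n"
    print(parse_zone_identifier(sample), is_untrusted(sample))
```

Feeding the parser the bytes read from the stream (for example the data field of the Zone.Identifier record produced by a BackupRead walk) is enough to decide whether a file needs the "downloaded from the Internet" treatment.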

    Also, the File Classification Infrastructure (FCI) is based on the use of alternative streams. Among third-party programs, some anti-virus programs use alternative streams; in particular, Kaspersky Anti-Virus stores in them the checksum obtained as a result of the scan.

    However, the use of alternative streams is not limited to this; you yourself can come up with any use for them. For example, with their help you can hide personal information from prying eyes. Files containing alternative streams can be freely copied or transferred from disk to disk, all streams will be copied along with the file.

    And yet, when using alternative streams, you must remember that they are strictly tied to the NTFS file system. In order to use them, the files must be located on NTFS disks, so you can only work with them from Windows. If you move the file to any other file system, then all streams except the main one will be lost. Also, alternative streams are cut off when transferring files via FTP or when sending them as an email attachment.
    Taken from http://windowsnotes.ru/other/alternativnye-potoki-dannyx-v-ntfs/

    More:
    ADS is a built-in feature of the NTFS file system that cannot be turned off.

    ADS allows you to add any files to other files and even directories (!). The OS itself periodically takes advantage of this, adding the “Zone.Identifier” stream to files downloaded from the Internet.

    Zone.Identifier, by the way, can be edited in order to get rid of the warnings “This file was downloaded from the Internet. Open in safe mode?”

    You can add a stream to any file like this:
    type file1 > file2:file3

    To discover it:
    dir/r

    run the exe like this:
    start file2:file3

    If it doesn't work, then do this:
    mklink file4 file2:file3
    start file4

    This, for example, will bind the calculator to the root drive C (!) and launch it through the link