First of all I have not "discovered" this feature. I read about it on some Czech server and author was a guy called .cCuMiNn.. There was also citation from Hakin9 by RubberDuck, so past your gratitude there and not to me, I just share the knowledge :-) Nevertheless I found it very interesting and I did not found it here, so... and it's useful for "us", heh
So let's begin! (This is shortened version with basic info, you can google for more if you wish)
-= Alternate Data Stream =-
1) What it is ?
It's a "feature" of NTFS file system. It allows user to "hide" his files behind others.
2) Hide ?
Yes. If you look at the file you'll see it has the same size as before, but there is something else also. Windows itself has no tools to detect these files. No one can see this file except some third party softwares.
3) So what can I do with this hidden file ?
It can by any file. Such as EXE, VBS,... You can RUN IT. And proccess that will shows will look like anything but not the EXE file you ran.
4) Sounds interesting, how to use it ?
It's very simple:
a) open your command line
b) copy some exe file to C: (for example notepad.exe
c) create new text file (behind which you will hide the exe file) by typing:
ECHO "This is a test" > testfile.txt
d) HIDING OF EXE FILE: Type to command line:
TYPE C:notepad.exe > testfile.txt:notepad.exe
e) now when you look at the listing of files, you will see that the testfile.txt has not changed at all! But now, RUN YOUR HIDDEN FILE:
START C:testfile.txt:notepad.exe
now the new notepad proces should appear.
With this "feature" you can hide anything and run it directly (EXE) or with proper program.
5) Nice, Does it have any "disadvanteges" ?
Yes. This "feature" is on NTFS only. So when you copy the file from NTFS to FAT32 and back the alternate file is not copyied. Also unhiding is little bit tricky. You have to use third party software such as lads.exe (
www.heysoft.de). But still you can hide your porn behind the recipe for apple pie
I hope you liked it!
p2501
Internet sources:
http://www.windowsecurity.com/pages/article_p.asp?id=1314http://www.infosecwriters.com/texts.php?op=display&id=53http://www.addict3d.org/index.php?page=viewarticle&type=security&ID=243
