Enigma Group's Articles
Alternate Data Stream - Submitted By: p2501 2009-02-27 07:19:06
First of all, I have not "discovered" this feature. I read about it on some Czech server and the author was a guy called .cCuMiNn.. There was also a citation from Hakin9 by RubberDuck, so pass your gratitude there and not to me, I just share the knowledge :-) Nevertheless I found it very interesting and I did not find it here, so... and it's useful for "us", heh. So let's begin! (This is a shortened version with basic info, you can google for more if you wish.)

-= Alternate Data Stream =-

1) What is it?
It's a "feature" of the NTFS file system. It allows a user to "hide" files behind other files.

2) Hide?
Yes. If you look at the file you'll see it has the same size as before, but there is something else attached to it. Windows itself has no tools to detect these files. No one can see the hidden file except with some third-party software.

3) So what can I do with this hidden file?
It can be any file, such as an EXE, VBS, ... You can RUN IT. And the process that shows up will look like anything but the EXE file you ran.

4) Sounds interesting, how do I use it?
It's very simple:
a) open your command line
b) copy some exe file to C:\ (for example notepad.exe)
c) create a new text file (behind which you will hide the exe file) by typing:
ECHO "This is a test" > testfile.txt
d) HIDING OF THE EXE FILE: type into the command line:
TYPE C:\notepad.exe > testfile.txt:notepad.exe
e) now when you look at the file listing, you will see that testfile.txt has not changed at all! But now, RUN YOUR HIDDEN FILE:
START C:\testfile.txt:notepad.exe
and a new notepad process should appear.
With this "feature" you can hide anything and run it directly (EXE) or with the proper program.

5) Nice, does it have any "disadvantages"?
Yes. This "feature" is on NTFS only. So when you copy the file from NTFS to FAT32 and back, the alternate stream is not copied. Also unhiding is a little bit tricky. You have to use third-party software such as lads.exe (www.heysoft.de).

But still you can hide your porn behind the recipe for apple pie. I hope you liked it!
p2501

Internet sources:
http://www.windowsecurity.com/pages/article_p.asp?id=1314
http://www.infosecwriters.com/texts.php?op=display&id=53
http://www.addict3d.org/index.php?page=viewarticle&type=security&ID=243
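The article leaves "unhiding" to third-party tools, but on Vista and later Windows has built-in ways to list streams: `dir /R` in cmd.exe, and the `-Stream` parameter of the PowerShell item cmdlets. The script below is an added defender-side example, not code from the original article or from its sources; it walks a directory tree, reports every alternate data stream that is not the file's own data stream or the browser mark-of-the-web stream, peeks at the stream's first two bytes to flag stored PE executables, and can strip the streams it found. It assumes Windows PowerShell 3.0 to 5.1 (where `Get-Content -Encoding Byte` is valid); the default `$Root`, the list of stream names treated as benign and the list of "suspicious" extensions are assumptions you should adjust for your environment.

```powershell
# Added example: audit a directory tree for NTFS alternate data streams (ADS).
# Assumes Windows PowerShell 3.0-5.1 (-Stream on the item cmdlets, -Encoding Byte on Get-Content).
param(
    [string]$Root = 'C:\Users',   # assumed starting point
    [switch]$Remove               # pass -Remove to delete every non-benign stream that is found
)

# ':$DATA' is the file's own main stream; 'Zone.Identifier' is the mark-of-the-web stream that
# browsers and mail clients attach to downloads. Both are treated as expected here (assumption).
$benign = @(':$DATA', 'Zone.Identifier')

function Find-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $benign -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        # a stream named like an executable deserves a closer look (assumed list)
                        Suspicious = ($_.Stream -match '\.(exe|dll|bat|cmd|vbs|js|ps1|scr)$')
                    }
                }
        }
}

$found = @(Find-AlternateStreams -Path $Root)
$found | Sort-Object Suspicious -Descending | Format-Table -AutoSize

foreach ($hit in $found) {
    # Inspect the content, not just the name: 'MZ' (0x4D 0x5A) opens every PE executable.
    $head = Get-Content -LiteralPath $hit.File -Stream $hit.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    if ($head -and $head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
        Write-Warning "PE image stored in $($hit.File):$($hit.Stream)"
    }
    if ($Remove) {
        # Removes only the named stream; the host file and its main data stream stay intact.
        Remove-Item -LiteralPath $hit.File -Stream $hit.Stream -ErrorAction Continue
    }
}
```

Save it as a .ps1 and run it as, for example, `.\Find-Ads.ps1 -Root C:\` to report, adding `-Remove` once you have reviewed the list. Run against the article's own test (testfile.txt with the notepad.exe stream) it reports one suspicious stream and warns about the PE header. Keep in mind that some software stores legitimate metadata in streams, so review hits before deleting, and that copying a file to a FAT32 volume, as the article notes, silently drops every alternate stream.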
Comment By: niteshade 2011-08-07 21:24:14
Can this be done in a program using file operations without changing or needing a library? Like (in python):
hidden = open('C:\windows\explorer.exe:virusfile.bat', 'r+')
Would that work?