User Tools

Site Tools


windows:hiding_data_in_windows_ntfs_using_alternative_data_streams

Windows - Hiding data in Windows NTFS using Alternative Data Streams

Create the file “hello.txt”:

copy con hello.txt Hello World ^Z

Let's see what we got:

dir hello.txt

09/07/2005 01:53 PM 13 hello.txt 1 File 13 bytes 0 Dir(s) 1,642,000,384 bytes free

Ok, the file is 13 bytes in size. Let's hide notepad.exe inside it:

type \windows\system32\notepad.exe > hello.txt:notepad.exe

and see what changed:

dir hello.txt

09/07/2005 01:56 PM 13 hello.txt 1 File(s) 13 bytes 0 Dir(s) 1,641,926,656 bytes free

Notice that the file size has not been updated but the available space on the drive has. The last modification time has however been updated.

To run notepad.exe from inside hello.txt you execute:

start .\hello.txt:notepad.exe

WARNING: The problem with ADS is that Windows can't detect it, so you would need 3rd party software to find files with ADS in it.

There is also no standard Windows tool to remove ADS from a file, which means that you either need to copy it to a FAT partition and back again, overwriting the original copy, or delete and restore it from backup.

Another interesting thing about ADS is that it also works on directories, and not only files.

If you attach an ADS to the \WINDOWS (or \WINNT) directory the only easy way to get rid of it safely is to re-install the OS!


References

windows/hiding_data_in_windows_ntfs_using_alternative_data_streams.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki