Alternate Data Streams on NTFS
by Lake2

Contents
1. Preface
2. Concept
3. Properties and applications
   3.1 Creation
   3.2 Deletion
   3.3 Detection and extraction
   3.4 Saving and transfer
   3.5 Information hiding
   3.6 Running
   3.7 IIS
4. Closing remarks
5. References
1. Preface
Alternate Data Streams (ADS for short below) are nothing new, but most users and administrators know very little about them. This article discusses ADS, drawing on the earlier articles listed in the references. If I have got anything wrong, I hope the experts will correct me.
2. Concept
First, Microsoft's own explanation of multi-stream files:
Under the NTFS file system, each file can have multiple data streams. Note that streams are not a new feature of the NTFS in Windows 2000; they have existed since Windows NT 3.1. On a non-NTFS volume (for example a disk partition on a Windows 98 computer) you can reach only one data stream when you read a file's content, so you take it to be the real and "only" content. That main stream has no name, and it is the only stream a non-NTFS file system can handle. When you create a file on an NTFS volume, however, things can be different. See Figure 1 for this important concept.
[Figure 1]
ADS are a property specific to the NTFS file system: they are the streams of a multi-stream file other than the main, unnamed one. Although the Win32 API can open a stream by name, the everyday Win32 tools do not show streams at all. For example, we can attach one file to another as a stream, yet to Windows Explorer the carrier file looks unchanged (its size, modification time and so on are untouched). That leads to a series of problems.
Let's look at some properties and applications of ADS.
3. Properties and applications
3.1 Creation
Creating an ADS is very simple; the syntax is carrier_file:stream_name. Look at the example below:
    echo this is lake2's stream> a.txt:stream.txt
That one command creates an ADS, and it is invisible under Windows: check with Explorer or the dir command and you will see that a.txt has a size of 0. Open a.txt and there is no content either. Of course not: the content is in a.txt:stream.txt, not in a.txt itself. Note that the type command cannot display a stream, but Notepad can: run notepad a.txt:stream.txt and there is "this is lake2's stream". Now edit a.txt in Notepad; that does not affect the content of the stream, and likewise editing a.txt:stream.txt does not affect the carrier a.txt.
(Later Windows versions are less blind than the Windows 2000/XP this article was written for: dir /r, available since Vista, lists the streams of each file, PowerShell's Get-Item -Stream * does the same, and more < a.txt:stream.txt prints a stream from cmd.)
3.2 Deletion
Deleting an ADS along with its carrier is the easiest case: just delete the carrier file. If you want to delete only the ADS and keep the carrier, the simplest way is to move the carrier file to a non-NTFS partition and back: ADS are an NTFS "patent", and a file leaving NTFS loses its streams (Explorer on XP warns that the file has extra data that will be lost). If you want to delete an ADS while staying on the NTFS partition, you can use this batch:
    type a.txt > a.txt.bak
    rem type reads only the main stream, so this backs up the carrier without its streams
    del a.txt
    rem delete the carrier together with all its ADS
    ren a.txt.bak a.txt
    rem restore the carrier file
The rebuilt a.txt is a new file: it gets fresh timestamps and whatever permissions the directory hands out, so this is not a clean operation where the file's metadata matters. On newer systems a single stream can be removed in place with Sysinternals Streams (later versions have a -d switch) or with PowerShell's Remove-Item a.txt -Stream stream.txt.
3.3 Detection and extraction
Detecting ADS involves API programming, which I am still working on; for now I will just quote Microsoft: "The Win32 backup API functions (BackupRead, BackupWrite and so on) can be used to enumerate a file's streams."
Among existing software, the following tools already detect ADS:
    LADS (List Alternate Data Streams) - http://www.heysoft.de/nt/ntfs-ads.htm
    Streams v1.1 (Sysinternals) - http://www.sysinternals.com/ntw2k/source/misc.shtml
    NT Objectives Forensic Toolkit (sfind.exe) - http://www.ntobjectives.com/
Extracting an ADS needs a third-party tool. cp from the ntrootkit toolkit can do it (cp can also create a stream), but I could not find the NTRootkit toolkit; every Google search turned up only the ntrootkit backdoor, so I wrote one in C. That does not require a programming expert: the file functions of the C library fully support creating, deleting and extracting ADS; just treat the stream path (a.txt:stream.txt) as an ordinary file name.
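Detection from disk, as an added example that is not part of the original article and is not the code of LADS, Streams or sfind: the following Python script enumerates the $DATA attributes of a single NTFS MFT FILE record, which is how a forensic tool finds ADS in a disk image without the backup API, and pulls the content of a resident stream straight out of the record. Everything it parses is constructed in the script itself: an empty a.txt carrying the resident stream stream.txt and a non-resident stream nc.exe, mirroring this article's examples; the attribute sizes, the data run and the $STANDARD_INFORMATION stub are placeholders rather than values taken from a real volume, and files whose attributes overflow into an $ATTRIBUTE_LIST are not handled.

```python
# Added example, not code from the original article or from the tools it lists:
# enumerate the $DATA streams of one NTFS MFT FILE record offline, the way a
# forensic tool finds ADS in a disk image. The record parsed below is constructed.
import struct

ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF
SECTOR, RECORD_SIZE = 512, 1024

def apply_fixups(rec):
    """Undo update-sequence fixups: on disk the last two bytes of every 512-byte sector
    hold the USN and the real bytes sit in the update sequence array; mismatch = torn record."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR
        if out[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def _attributes(fixed):
    """Yield (type, offset, non_resident, name) for each attribute header."""
    off = struct.unpack_from("<H", fixed, 0x14)[0]   # offset of first attribute
    used = struct.unpack_from("<I", fixed, 0x18)[0]  # bytes of the record in use
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", fixed, off)
        if atype == ATTR_END or alen < 16 or off + alen > used:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", fixed, off + 8)
        name = fixed[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        yield atype, off, nonres, name
        off += alen

def data_streams(rec):
    """[(name, size, resident)] per $DATA attribute: '' is the ordinary file content,
    every named entry is an ADS. $ATTRIBUTE_LIST spill-over is not followed."""
    fixed, out = apply_fixups(rec), []
    for atype, off, nonres, name in _attributes(fixed):
        if atype == ATTR_DATA:
            size = (struct.unpack_from("<Q", fixed, off + 0x30)[0] if nonres   # real size
                    else struct.unpack_from("<I", fixed, off + 0x10)[0])       # value length
            out.append((name, size, not nonres))
    return out

def resident_stream_content(rec, name):
    """Bytes of a resident stream straight from the record; None if absent or non-resident
    (then the data lives in the clusters named by the attribute's run list)."""
    fixed = apply_fixups(rec)
    for atype, off, nonres, sname in _attributes(fixed):
        if atype == ATTR_DATA and sname == name and not nonres:
            vlen, voff = struct.unpack_from("<IH", fixed, off + 0x10)
            return fixed[off + voff:off + voff + vlen]
    return None

# --- constructed sample record, laid out the way the NTFS driver writes one ---
def _resident_attr(atype, name, value):
    name_b = name.encode("utf-16-le")
    value_off = (0x18 + len(name_b) + 7) & ~7
    buf = bytearray((value_off + len(value) + 7) & ~7)
    struct.pack_into("<IIBBHHH", buf, 0, atype, len(buf), 0, len(name), 0x18, 0, 0)
    struct.pack_into("<IHBB", buf, 0x10, len(value), value_off, 0, 0)
    buf[0x18:0x18 + len(name_b)] = name_b
    buf[value_off:value_off + len(value)] = value
    return bytes(buf)

def _nonresident_attr(atype, name, real_size):
    name_b = name.encode("utf-16-le")
    runs_off = (0x40 + len(name_b) + 7) & ~7
    buf = bytearray(runs_off + 8)
    struct.pack_into("<IIBBHHH", buf, 0, atype, len(buf), 1, len(name), 0x40, 0, 0)
    struct.pack_into("<QQHHIQQQ", buf, 0x10, 0, 14, runs_off, 0, 0, 61440, real_size, real_size)
    buf[0x40:0x40 + len(name_b)] = name_b
    buf[runs_off:runs_off + 4] = b"\x11\x0f\x20\x00"  # placeholder run: 15 clusters at LCN 0x20
    return bytes(buf)

def build_sample_record():
    """Empty a.txt with a resident ADS 'stream.txt' and a non-resident ADS 'nc.exe'; placeholder sizes."""
    rec = bytearray(RECORD_SIZE)
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    body = b"".join((
        _resident_attr(0x10, "", bytes(48)),                   # $STANDARD_INFORMATION stub
        _resident_attr(ATTR_DATA, "", b""),                    # unnamed main stream, 0 bytes
        _resident_attr(ATTR_DATA, "stream.txt", b"this is lake2's stream"),
        _nonresident_attr(ATTR_DATA, "nc.exe", 59392),
    )) + struct.pack("<II", ATTR_END, 0)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, usa_off, usa_count)
    struct.pack_into("<HHII", rec, 0x14, first_attr, 1, first_attr + len(body), RECORD_SIZE)
    rec[first_attr:first_attr + len(body)] = body
    rec[usa_off:usa_off + 2] = b"\x01\x00"                       # USN
    for i in range(1, usa_count):                                 # stamp each sector tail
        end = i * SECTOR
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)

if __name__ == "__main__":
    print(data_streams(build_sample_record()))
```

To run it against a real record, read 1024 bytes at the record's offset in the $MFT (from an image, or from \\.\C: with administrator rights) and pass them to data_streams(); the fixup check raises ValueError on a torn or corrupt record instead of returning garbage, and a non-resident stream's bytes must then be read from the clusters in its run list, which the script does not do.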
3.4 Saving and transfer
As mentioned earlier, ADS are lost on non-NTFS partitions, so is there no way to keep an ADS on a non-NTFS partition? Not directly, but we can keep it indirectly, with a tool you most likely already have: WinRAR. When compressing a file that contains ADS, open the advanced options and tick "Save file streams" (Figure 2); the ADS then goes into the RAR archive along with the file. That RAR file can be stored on a non-NTFS partition. Note the distinction: it can be stored there, but extracting it on a non-NTFS partition cannot recreate the stream.
[Figure 2]
If you want to transfer an ADS, the best way is to open the other party's share and copy and paste with Explorer, which carries the streams across to the NTFS volume on the other side. If you have to transfer it some other way, all you can do is transfer a RAR file that contains the ADS.
3.5 Information hiding
The traditional way to protect confidential information is encryption. Encrypted content can no longer be read directly, but it also announces to everyone that there is a secret here, which is itself not safe. If instead I hide the information so that you cannot find it at all, the secret is never noticed; techniques for this are called "information hiding" (steganography).
Costume dramas often feature a trick of this kind: what looks like an ordinary sheet of white paper reveals writing when it is treated in a particular way. That is the best analogy. Information hiding is a hot field of current information-security research with many implementations; the most popular is probably to use a BMP image file as the carrier and alter the low-order bit of each byte of image data.
There is also a simpler information-hiding technique right in front of us: yes, ADS. Since Windows does not show ADS, we can store the documents to be kept confidential in an ADS. A reminder, though: the security of hiding information with ADS is not very high, but it is not very low either; I doubt anyone has so much time on their hands that they would run lads.exe over a machine just for fun. In addition, most antivirus software does not scan ADS, so we can use streams to slip past it. Example:
    type nc.exe> a.txt:nc.exe
The original nc.exe is detected by Kingsoft Antivirus; after this treatment, although a.txt:nc.exe is byte for byte identical to nc.exe, Kingsoft no longer finds it. (This was true of the antivirus products of the time; current antivirus and endpoint products do inspect streams, so do not count on it today.)
3.6 Running
As mentioned earlier, ADS can be used to dodge antivirus software, but if the hidden program could not be run it would be useless. So how do you run it?
Running a.txt:nc.exe directly from the command line does not work; it has to be launched with the start command (run help start for its full usage).
When running an executable ADS, start needs either an absolute path or the current directory written as ./ followed by the file name. Look:
    start ./a.txt:nc.exe
or
    start c:\a.txt:nc.exe
On Windows 2000 the process list shows only the carrier file, whereas on XP the whole ADS path is visible. Figure 3 is a screenshot of tlist on XP.
[Figure 3]
3.7 IIS
Accessing ADS through IIS leads to some interesting behaviour; for that, see my other post, "Alternate Data Streams (ADS) and IIS, Past and Present" (http://blog.9cbs.net/lake2/archive/2005/01/26/269659.aspx).
4. Closing remarks
Thank you for reading my article :)
5. References
Bigworm (trans.), "The Dark Side of NTFS" (http://www.xfocus.net/Articles/200212/466.html)
Xundi, "The Data Stream Problem in the NTFS File System" (http://www.xfocus.net/Articles/200103/81.html)
H. Carvey, "The Dark Side of NTFS" (http://patriot.net/~carvdawg/docs/dark_side.html)
Damon Martin, "Windows, NTFS and Alternate Data Streams" (http://www.giac.org/practical/gsec/damon_martin_gsec.pdf)
"NTFS Streams - Everything You Need to Know" (http://www.diamondcs.com.au/index.php?page=archive&id=NTFS-streams)