What is an Alternate Data Stream (ADS)?

In the Windows NTFS file system a file actually consists of several data streams. One stream holds the security information (access permissions, etc.), and a second, unnamed stream holds the data you know as your file. If the file is actually a link, there may be a stream holding link information instead of the real data. And there may be alternate data streams, which hold data exactly the way the standard data stream does but are invisible to Explorer and to a plain dir command. There is nothing wrong with alternate data streams as such (they work as expected and as documented), but any user who can write to a file (even the guest account) can hide a large amount of data in one or more alternate data streams and nobody will notice. You can create a text file with 20 bytes of data in the official main data stream and 300MB in one or more alternate data streams, and both Explorer and the dir command will report the file's size as 20 bytes! (On Windows Vista and later, dir /r lists the streams of each file, as does the Sysinternals streams.exe tool; a file's ADS are also lost whenever it is copied to a non-NTFS volume or sent by e-mail.)

How do you create an Alternate Data Stream?

At a command prompt, type:

    notepad visible.txt:hidden.txt

Notepad asks whether to create the file; answer Yes, type something and save. This creates the file visible.txt and a hidden data stream named hidden.txt inside visible.txt.

How do you copy text data into an Alternate Data Stream?

    type File2Copy.txt > visible.txt:HideMe2.txt

This creates another hidden data stream, named HideMe2.txt, in the file visible.txt. Keep in mind that if the target stream (HideMe2.txt in this case) already exists, its data will be overwritten, not appended (use >> instead of > to append).

How do you copy text data from an Alternate Data Stream into a visible file?

    more < visible.txt:HideMe2.txt > SeeMe.txt

This creates a visible file named SeeMe.txt from the hidden data stream HideMe2.txt in the file visible.txt. Keep in mind that if the target file (SeeMe.txt in this case) already exists, its data will be overwritten, not appended.

How do you copy binary data into an Alternate Data Stream?

    type HideMe.exe > visible.txt:hidden.exe

This creates another hidden data stream, named hidden.exe, in the file visible.txt. Keep in mind that if the target stream (hidden.exe in this case) already exists, its data will be overwritten, not appended.

How do you copy binary data from an Alternate Data Stream into a visible file?

    cat visible.txt:hidden.exe > SeeMe.exe

This creates a visible file named SeeMe.exe from the hidden data stream hidden.exe in the file visible.txt. Note that cat is not a native Windows command; this assumes a Unix-tools port such as Cygwin or UnxUtils is installed. Keep in mind that if the target file (SeeMe.exe in this case) already exists, its data will be overwritten, not appended.
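The create, hide, list and extract steps above, as an added PowerShell example that is not part of the original page. It uses the built-in -Stream parameter of the file cmdlets (Windows PowerShell 5.1 or later on an NTFS volume); the directory under $env:TEMP, the file and stream names, and the byte payload standing in for HideMe.exe are all constructed for this example.

```powershell
# Added example (not from the original page): create, list, read and extract
# NTFS alternate data streams with built-in PowerShell cmdlets.
# Assumes Windows PowerShell 5.1+ (or PowerShell 7 on Windows) and an NTFS
# volume; -Stream is not honoured on FAT/exFAT. Names below are assumptions.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'ads_demo'          # scratch directory (assumption)
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# Main (unnamed) stream: exactly 20 bytes of visible text.
Set-Content -Path .\visible.txt -Value 'twenty bytes of text' -NoNewline

# Text into a named stream. Like "type file > visible.txt:HideMe2.txt",
# Set-Content overwrites an existing stream; Add-Content would append.
Set-Content -Path .\visible.txt -Stream 'HideMe2.txt' -Value 'hidden text payload'

# Binary into a named stream. Constructed bytes stand in for HideMe.exe
# (an "MZ" header prefix only, not a runnable program).
$payload = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00)
$core = $PSVersionTable.PSVersion.Major -ge 6    # byte switch differs by version
if ($core) { Set-Content -Path .\visible.txt -Stream 'hidden.exe' -Value $payload -AsByteStream }
else       { Set-Content -Path .\visible.txt -Stream 'hidden.exe' -Value $payload -Encoding Byte }

# What Explorer and a plain "dir" report: only the main stream's length (20).
"reported size: $((Get-Item .\visible.txt).Length) bytes"

# What a defender should check: every stream on the file, with its size.
# ":$DATA" is the main stream; HideMe2.txt and hidden.exe are the ADS.
Get-Item -Path .\visible.txt -Stream * | Select-Object Stream, Length

# Extract the text stream to a visible file
# (equivalent of "more < visible.txt:HideMe2.txt > SeeMe.txt").
Get-Content -Path .\visible.txt -Stream 'HideMe2.txt' | Set-Content -Path .\SeeMe.txt

# Extract the binary stream byte-for-byte (equivalent of the cat example).
if ($core) {
    $bytes = Get-Content -Path .\visible.txt -Stream 'hidden.exe' -AsByteStream -Raw
    Set-Content -Path .\SeeMe.exe -Value $bytes -AsByteStream
} else {
    $bytes = Get-Content -Path .\visible.txt -Stream 'hidden.exe' -Encoding Byte -Raw
    Set-Content -Path .\SeeMe.exe -Value $bytes -Encoding Byte
}

# Verify the round trip: the extracted file hashes the same as the stream.
$fileHash   = (Get-FileHash -Algorithm SHA256 -Path .\SeeMe.exe).Hash
$streamHash = (Get-FileHash -Algorithm SHA256 -InputStream ([IO.MemoryStream]::new([byte[]]$bytes))).Hash
"round-trip intact: $($fileHash -eq $streamHash)"
```

The Get-Item -Stream * call is the detection step the cmd-only examples lack: it is what you run over a suspicious file, or over a whole tree, to see the streams that dir and Explorer hide.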
How do you execute a binary (.exe file) hidden in an Alternate Data Stream?

Using the file from the example above, and assuming the file is in the C:\ADS_Test\ directory, on an NT4 machine you can use:

However, this command will generate an error on a Windows 2000/XP machine that implies the file location information was insufficient. To avoid this error (and execute the file), use either an absolute or a relative path in the command string:
How do you delete an Alternate Data Stream?

Let us assume there is a file named KeepMe.exe with an Alternate Data Stream named EvilToy.exe. The KeepMe.exe file is very important and the Alternate Data Stream EvilToy.exe is very dangerous. We need to keep the main (KeepMe.exe) stream and delete the EvilToy.exe Alternate Data Stream. Let's also assume there is no FAT partition available on the network in question; otherwise we could just move the file to the FAT partition, which would remove (destroy) the ADS because FAT has no concept of streams, and then move it back again. So... at our trusty Command Prompt we type:
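The deletion scenario above (keep the main KeepMe.exe stream, remove only the EvilToy.exe stream) as an added PowerShell example that is not part of the original page. Remove-Item -Stream deletes one named stream in place, so no FAT volume is needed. The scratch directory under $env:TEMP and the contents of both streams are constructed stand-ins, not a real program or payload; it also goes beyond the page by sweeping a directory tree for named streams first.

```powershell
# Added example (not from the original page): remove a single alternate data
# stream while leaving the main stream untouched. Assumes Windows PowerShell
# 5.1+ on an NTFS volume. KeepMe.exe / EvilToy.exe follow the page's scenario;
# their contents here are constructed text, not a real executable or payload.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'ads_delete_demo'   # scratch directory (assumption)
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# Build the scenario: an important main stream plus a dangerous ADS.
Set-Content -Path .\KeepMe.exe -Value 'important program (constructed)' -NoNewline
Set-Content -Path .\KeepMe.exe -Stream 'EvilToy.exe' -Value 'dangerous payload (constructed)'

# Get-FileHash opens the path without a stream name, so it hashes the main
# stream only; record it to prove later that the main stream is untouched.
$before = (Get-FileHash -Algorithm SHA256 -Path .\KeepMe.exe).Hash

# Sweep the tree for named streams. ":$DATA" is every file's main stream and
# Zone.Identifier is the common benign ADS (mark-of-the-web on downloads),
# so both are filtered out before anything is treated as suspicious.
$suspect = Get-ChildItem -Path $work -File -Recurse |
    ForEach-Object { Get-Item -Path $_.FullName -Stream * } |
    Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
$suspect | Select-Object FileName, Stream, Length

# Delete only the unwanted stream; the main stream is never opened.
Remove-Item -Path .\KeepMe.exe -Stream 'EvilToy.exe'

# Verify: no named streams remain and the main stream is byte-identical.
$remaining = @(Get-Item -Path .\KeepMe.exe -Stream * | Where-Object Stream -ne ':$DATA')
$after = (Get-FileHash -Algorithm SHA256 -Path .\KeepMe.exe).Hash
"ADS remaining: $($remaining.Count); main stream intact: $($before -eq $after)"
```

If a stream should be preserved as evidence rather than destroyed, extract it with Get-Content -Stream (as in the earlier example) and hash it before calling Remove-Item; deleting the stream leaves no copy behind.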