
Alternate Data Streams: Undressing an NTFS Secret

Author:      kAzuNGu
Submitted:      28-Apr-2007 19:41:03
Imported From:      The CyberArmy University (original author: kazungu)


Have you ever right-clicked a Microsoft Word document, opened its "Properties" page and looked at the "Summary" tab and its "Advanced" view? Some fields, such as "Author" and "Title", can be edited by double-clicking them, while others, such as "Last Saved By", cannot. That "Last Saved By" field has been bugging me for a while: Word fills it in automatically with the currently logged-on Windows user name, domain account or local one, and offers no way to change it. So where exactly is that data stored? Chasing that question led me into the subject of this article, NTFS alternate data streams, although, as the end of the article explains, Word's own properties turn out to live somewhere else.

A file is more than the bytes you see in it. On NTFS a file is a collection of attributes: the unnamed $DATA attribute holds what you normally think of as the file's contents (the text of a Word document, the audio in an MP3); $SECURITY_DESCRIPTOR holds the Access Control List, the list of users who may access the file and with what permissions; $STANDARD_INFORMATION and $FILE_NAME hold the timestamps and names; and any number of additional, named $DATA attributes can hold whatever bytes someone chose to put there. Those named $DATA attributes are the Alternate Data Streams (ADS), and none of the normal views, not even the Advanced properties, show them. Each stream is a separate sequence of bytes with its own size, its own opportunistic locks and its own byte-range locks, but all streams of a file share one set of permissions. Alternate data streams are not unique to NTFS; other file systems have the same idea under the name "forks", for example Apple's HFS (resource forks) and Novell's NWFS and NSS. For brevity, this article sticks to NTFS.

The original purpose of streams was to carry metadata alongside a file's main data: thumbnails, titles, authors and, historically, the resource forks of Macintosh clients served by Windows NT. Nothing limits what you can put in a stream, though. You can hide a 500 MB video inside a 1 KB text file; not a Word document, a plain Notepad text file, and the Explorer size column will still say 1 KB. (The video still occupies 500 MB on the volume; only the directory listing, which reports the unnamed stream alone, hides it.) The one stream most people have already met without knowing it is Zone.Identifier, which Internet Explorer attaches to downloaded files and which is why Windows asks whether you really want to run them. Let your imagination run for a minute, then let's get down to business:

To stay organized, create a folder somewhere to do some testing; C:\ADS will do just fine. Create a new text file with Notepad containing something like "This is just some plain text" and save it as plain.txt in C:\ADS, or use the ECHO command. (The listings below show 28 bytes, which is that sentence with no trailing newline, as Notepad saves it. ECHO keeps the space before the > and appends CR LF, so you would see 31 instead; either is fine.)
C:\ADS>echo This is just some plain text > plain.txt
Open a command prompt, navigate to C:\ADS and follow my lead. First, make sure there is nothing in the file other than what you typed:
C:\ADS>type plain.txt

This is just some plain text
Let's check the file size so far:

C:\ADS>dir plain.txt
Volume in drive C is O/S
Volume Serial Number is 2C43-1A10

Directory of C:\ADS

11/02/2005 02:10 PM 28 plain.txt
1 File(s) 28 bytes
0 Dir(s) 7,338,393,600 bytes free

Note the file size is 28 bytes, which is what we expected. Time to create our first ADS:
C:\ADS>echo Hidden Text > plain.txt:hidden
Using the TYPE command, or Notepad if you're lazy, check whether you can see the words "Hidden Text" that we just piped into plain.txt. You won't. That was our first ADS, and its content is clearly hidden from the normal view. The name takes the form file.ext:streamname, and a stream name follows the same rules as any other Windows file name. The attribute type is implied: plain.txt:hidden is shorthand for plain.txt:hidden:$DATA, and the main content is the stream with the empty name, plain.txt::$DATA.
C:\ADS>type plain.txt

This is just some plain text
The words "Hidden Text" are nowhere to be seen. Let's see whether the file size changed:

C:\ADS>dir plain.txt
Volume in drive C is O/S
Volume Serial Number is 2C43-1A10

Directory of C:\ADS

11/02/2005 02:16 PM 28 plain.txt
1 File(s) 28 bytes
0 Dir(s) 7,338,254,336 bytes free

It did not change; the file size is still 28 bytes. (Compare the "bytes free" figures in the two listings, though: the stream does take up space on the volume, it just is not counted in the size column, which reports only the unnamed stream.) So where did the 14 bytes we piped into the file go (11 characters, the space before the >, and CR LF)?
C:\ADS>type plain.txt:hidden

The filename, directory name, or volume label syntax is incorrect.

C:\ADS>type plain.txt:hidden.  [note the extra period after hidden]

The filename, directory name, or volume label syntax is incorrect.
TYPE is simply the wrong tool. Because it accepts wildcards, TYPE looks its argument up with a directory search before opening it, and a directory search does not understand stream syntax, so it fails with that error whether or not you add the period; that is a limitation of the command, not evidence that the stream is missing. Input redirection opens the path directly, so more < plain.txt:hidden prints the stream just fine. Notepad also works, with one wrinkle:
C:\ADS>notepad plain.txt:hidden
WILL NOT WORK as expected: Notepad appends .txt to any name without an extension, looks for PLAIN.TXT:HIDDEN.TXT, reports that it cannot find it and offers to create a new file. Our stream is named plainly "hidden" (the streams listing near the end of the article confirms it); the period in the next command is there only to stop Notepad from appending .txt, and Win32 strips a trailing period from a name when the file is opened, so Notepad lands on the right stream. Try this now:
C:\ADS>notepad plain.txt:hidden.
You should see a Notepad window showing the words "Hidden Text", with the window title plain.txt:hidden. - Notepad. So the data does exist, but it did not affect the reported file size. Interesting. If we can pack an extra 14 bytes without the size changing, what stops us from packing 1 MB or 50 MB? Or even 1 Jiggawatts? Nothing but the free space on the volume.

It's up to you to give a stream an extension such as .txt or .exe. With TYPE and redirection you can copy the content of any file, executable or not, byte for byte into a stream of any other file. The exercise everyone tries first is packing calc.exe (Windows Calculator) inside a plain text file:

C:\ADS>type %systemroot%\system32\calc.exe > plain.txt:calcu.exe

C:\ADS>dir plain.txt
Volume in drive C is O/S
Volume Serial Number is 2C43-1A10

Directory of C:\ADS

11/02/2005 02:32 PM 28 plain.txt
1 File(s) 28 bytes
0 Dir(s) 7,338,135,552 bytes free

The file size is still 28 bytes, although the free space has dropped by about the size of calc.exe (114,688 bytes on this system, as the streams listing later confirms). How do you run the calcu.exe that is inside plain.txt?
C:\ADS>start plain.txt:calcu.exe

Access is denied.
(Depending on the version you may get "The parameter is incorrect" instead.) Give START an explicit path:
C:\ADS>start C:\ADS\plain.txt:calcu.exe
That works, and the relative form .\plain.txt:calcu.exe works too. This is Windows XP/2003 behaviour; from Windows Vista on, START and Explorer refuse to launch an executable that lives in a stream, and the widely documented workaround is to launch it through another process, wmic process call create "C:\ADS\plain.txt:calcu.exe" being the usual example. Non-executable data hides the same way:
C:\ADS>type pr0n.avi > myresume.doc:pr0n.avi
Opening a stream depends on the type of data in it. Executables can be launched with START as shown above. For anything else, you specify the application that handles the file type and hand it the stream path, for example:
mspaint.exe .\something.txt:image.bmp

wmplayer.exe .\readme.txt:song.mp3
Alternate data streams are not limited to files; directories can carry them too. With no file name in front of the colon the stream attaches to the current directory, here C:\ADS:
C:\ADS>echo Folder hidden stream > :fstream
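The same experiment, done from a script rather than by hand, as an added example that is not part of the original article: stream_path() builds the file:stream form the commands above use (and rejects names that Win32 would silently alter, such as a trailing period), write_stream()/read_stream() show that on NTFS a stream is just another path you can open(), and list_streams() enumerates every stream on a file or directory through the Win32 FindFirstStreamW/FindNextStreamW calls, which is what the Sysinternals streams tool relies on. The stream I/O only does something meaningful on Windows against an NTFS volume; the two name helpers are pure Python.

```python
"""Write, read and enumerate NTFS alternate data streams from Python.

Added example for this article, not the author's code. On an NTFS volume
under Windows, "file:stream" is an ordinary path to CreateFile, so plain
open() reads and writes streams; enumeration needs FindFirstStreamW and
FindNextStreamW. stream_path() and parse_stream_record() run anywhere.
"""
import ctypes
import os
import sys
import tempfile
from typing import List, Tuple

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
ERROR_HANDLE_EOF = 38
FIND_STREAM_INFO_STANDARD = 0


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    """Mirror of the Win32 structure filled in by FindFirstStreamW."""
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def stream_path(path: str, stream: str) -> str:
    """Build the file:stream form used by cmd, Notepad and CreateFile.
    An empty stream name addresses the unnamed (main) stream."""
    if not stream:
        return path
    # Win32 strips a trailing '.' or ' ' from the last path component, so
    # such a stream could never be addressed again; reject it up front.
    if stream[-1] in ". " or any(c in stream for c in '\\/:*?"<>|'):
        raise ValueError("invalid stream name: %r" % stream)
    return "%s:%s" % (path, stream)


def parse_stream_record(record: str) -> Tuple[str, str]:
    """Split ':name:$TYPE' (the form FindFirstStreamW and streams.exe
    report) into (name, type). '::$DATA' is the unnamed main stream."""
    if not record.startswith(":"):
        raise ValueError("not a stream record: %r" % record)
    name, sep, kind = record[1:].rpartition(":")
    if not sep or not kind.startswith("$"):
        raise ValueError("not a stream record: %r" % record)
    return name, kind


def write_stream(path: str, stream: str, data: bytes) -> None:
    """Create or overwrite a stream; the unnamed stream, and therefore the
    size a directory listing reports, is untouched."""
    with open(stream_path(path, stream), "wb") as fh:
        fh.write(data)


def read_stream(path: str, stream: str) -> bytes:
    with open(stream_path(path, stream), "rb") as fh:
        return fh.read()


def list_streams(path: str) -> List[Tuple[str, str, int]]:
    """Return (name, type, size) for every stream on a file or directory."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API on NTFS")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(os.path.abspath(path),
                                  FIND_STREAM_INFO_STANDARD,
                                  ctypes.byref(data), 0)
    if handle in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    found = []
    try:
        while True:
            name, kind = parse_stream_record(data.cStreamName)
            found.append((name, kind, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:   # no more streams
                    break
                raise ctypes.WinError(err)
    finally:
        k32.FindClose(handle)
    return found


if __name__ == "__main__":
    # Repeat the article's experiment in a scratch directory (Windows only).
    if sys.platform != "win32":
        sys.exit("run this on Windows against an NTFS volume")
    target = os.path.join(tempfile.mkdtemp(prefix="ads_"), "plain.txt")
    with open(target, "w") as fh:
        fh.write("This is just some plain text")
    before = os.path.getsize(target)
    write_stream(target, "hidden", b"Hidden Text\r\n")
    print("size before/after:", before, os.path.getsize(target))
    print("hidden stream:", read_stream(target, "hidden"))
    for name, kind, size in list_streams(target):
        print("  :%s:%s  %d bytes" % (name, kind, size))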
Web servers and other software that treat a path as an opaque string can also be tripped up by stream syntax in a request such as http://somesite.com/file.txt:m33p.html. The classic case is the IIS 3.0/4.0 bug (CVE-1999-0278) in which appending ::$DATA to an .asp URL returned the script's source instead of running it; how a current IIS version handles a colon in a URL is something to test on the server in front of you rather than assume.

Transporting files that contain alternate data streams is tricky. Streams exist only on NTFS, so they are lost whenever the file is copied to a FAT volume, a CD or any other non-NTFS medium, and e-mailing the file will not work either, because the attachment is built from the main stream only. Copying between NTFS volumes, including over an SMB share to another NTFS volume, does preserve streams. The most convenient tool I know of for a file that has to travel is NTBackup: back the file or directory up into a .bkf file, which keeps every stream, then e-mail or burn the .bkf. NTBackup ships with WinNT/2K/XP/2K3 and can pack multiple files and directories into one .bkf. To get at the hidden data again, restore the file to an NTFS volume and use one of the methods above to view it.

Useful NTFS ADS utilities:

streams.exe from Sysinternals (www.sysinternals.com, hosted by Microsoft since 2006) enumerates alternate data streams; -s recurses into subdirectories and -d deletes the streams it finds.

C:\ADS>streams -s *.*

Streams v1.53 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\ADS\.:
:fstream:$DATA 23
C:\ADS\plain.txt:
:calcu.exe:$DATA 114688
:hidden:$DATA 14
:image.bmp:$DATA 661554

Later Windows versions need no download for a quick look: dir /R (Windows Vista and later) lists streams next to their files, and PowerShell 3.0 and later can read and remove them with Get-Item -Stream *, Get-Content -Stream and Remove-Item -Stream.

StrmExt.dll from http://msdn.microsoft.com/library/en-us/dnfiles/html/ntfs5.asp adds a "Streams" tab to the "Properties" page of files in Windows Explorer, where you can view and edit streams. Download NTFSext.exe and unzip it, then unzip StrmExt.zip, copy StrmExt.dll from Strm\Ext\Release\Min\Dependency to %systemroot%\System32 and register it with regsvr32 StrmExt.dll; right-click a file and you'll see the new Streams tab.

To enable the Streams tab for folders, add this registry key:
HKEY_CLASSES_ROOT\Directory\shellex\PropertySheetHandlers\{C3ED1679-814B-4DA9-AB00-1CAC71F5E337}
To enable it for the root of a drive:
HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{C3ED1679-814B-4DA9-AB00-1CAC71F5E337}
Although alternate data streams have existed since the first release of NTFS, virus writers have only recently started using them. Anti-virus software that is not designed to search, read and scan every stream of a file, not just the main one, will be below adequate at detecting malicious code hidden in a stream. I know Kaspersky A/V to be one that does scan alternate data streams. The same reasoning applies to your own tooling: a file-integrity check or a malware hunt that reads only the unnamed stream never sees the payload.
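Since a scanner that never looks past the main stream is blind to all of this, here is a small triage script, added as an example and not part of the original article or of Sysinternals, that reads a streams -s report in the format shown above and ranks what it finds. The sample report is constructed from the listing in this article plus one Zone.Identifier entry; the rules (executable extensions, a 64 KB size cut-off, streams attached to directories, and an allow-list of stream names Windows itself creates) are this example's own assumptions and a starting point for a hunt, not a verdict.

```python
"""Triage a Sysinternals 'streams -s' report for streams worth a look.

Added example; neither the article's nor Sysinternals' code. The sample
report is constructed from the article's listing. The rules and the
allow-list are assumptions chosen for illustration.
"""
from typing import Dict, List, NamedTuple, Tuple

EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")
SIZE_LIMIT = 64 * 1024   # assumption: metadata is small, payloads are not
# Stream names Windows components create routinely; allowed by name only,
# so a payload deliberately named like one would still slip past this rule.
ALLOW = {"Zone.Identifier", "encryptable", "favicon"}

# Constructed sample in streams.exe's output format (tab before the size).
SAMPLE_REPORT = """\
Streams v1.53 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\\ADS\\.:
         :fstream:$DATA\t23
C:\\ADS\\plain.txt:
         :calcu.exe:$DATA\t114688
         :hidden:$DATA\t14
         :image.bmp:$DATA\t661554
C:\\ADS\\setup.exe:
         :Zone.Identifier:$DATA\t26
"""


class Finding(NamedTuple):
    path: str
    stream: str
    size: int
    severity: str            # "high" or "low"
    reasons: Tuple[str, ...]


def parse_streams_report(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each path in a streams.exe report to its [(stream name, size)].
    A path line ends with ':'; a stream line is ':name:$TYPE<ws>size'."""
    report: Dict[str, List[Tuple[str, int]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            if current is None:
                raise ValueError("stream line before any path: %r" % raw)
            record, size = line.rsplit(None, 1)
            name = record[1:].rpartition(":")[0]   # ':hidden:$DATA' -> 'hidden'
            report[current].append((name, int(size)))
        elif line.endswith(":") and "\\" in line:
            current = line[:-1]
            report.setdefault(current, [])
    return report


def triage(report: Dict[str, List[Tuple[str, int]]],
           size_limit: int = SIZE_LIMIT) -> List[Finding]:
    """Rank every non-allow-listed stream; executables and large streams
    are 'high', anything else merely unexpected is 'low'."""
    findings = []
    for path, streams in report.items():
        on_directory = path.endswith("\\.")   # streams.exe lists dirs as <dir>\.
        for name, size in streams:
            if not name or name in ALLOW:      # main stream or known-benign
                continue
            reasons = []
            if name.lower().endswith(EXEC_EXT):
                reasons.append("executable extension")
            if size >= size_limit:
                reasons.append("large stream (%d bytes)" % size)
            severity = "high" if reasons else "low"
            if on_directory:
                reasons.append("stream attached to a directory")
            if not reasons:
                reasons.append("unexpected named stream")
            findings.append(Finding(path, name, size, severity, tuple(reasons)))
    return sorted(findings, key=lambda f: (f.severity != "high", f.path, f.stream))


if __name__ == "__main__":
    for f in triage(parse_streams_report(SAMPLE_REPORT)):
        print("%-4s %s:%s (%d bytes): %s"
              % (f.severity, f.path, f.stream, f.size, "; ".join(f.reasons)))
```

Run it against a real report by piping streams -s output into a file and passing that text to parse_streams_report(); the allow-list is the first thing to tune, since a payload can be given any name, including Zone.Identifier.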

Finally, back to the question that started this: the "Last Saved By" field. It is not an NTFS stream at all. Word keeps its summary properties inside the .doc file itself, in the compound document's SummaryInformation property set, which is why a .doc carries them onto a FAT disk or through e-mail and why Explorer will not let you edit the fields Word owns. Streams are what Windows 2000/XP Explorer uses to offer the same "Summary" tab on files that have no container of their own, a .txt for instance: properties typed in there land in a stream named SummaryInformation (shown as ♣SummaryInformation, the leading character being 0x05), and streams.exe will list it. That "Last Saved By" field is still getting to me >:(

I hope you find this article useful.

-kAzuNGu

References:

http://support.microsoft.com/kb/105763
http://msdn.microsoft.com/library/en-us/dnfiles/html/ntfs5.asp
http://en.wikipedia.org/wiki/Alternate_data_stream
http://www.ntfs.com/ntfs-multiple.htm
http://www.infosecwriters.com/texts.php?op=display&id=53

This article was originally published by CyberArmy.net in the CyberArmy Library.
