Alternate NTFS file streams. Alternate data streams in NTFS

The NTFS file system has many capabilities, and one of them is support for alternate data streams (ADS). The idea is that every file in NTFS is a set of streams in which data is stored. By default the data lives in the main (unnamed) stream, and when needed additional, alternate data streams can be attached to the file.

Note. Alternate data streams have been in NTFS for a long time, since Windows NT. They were added for compatibility with the HFS file system used on Macintosh: HFS stored metadata about a file in a separate resource fork.

An NTFS file consists of attributes, one of which is $DATA, the data attribute. Streams are additional instances of the $DATA attribute. By default there is one main stream, $DATA:"". As you can see, it has no name, which is why it is called unnamed. It is also possible to create additional named streams, for example $DATA:"Stream1". Each file in NTFS can have several data streams, and the data in them need not be related to one another.

By default, everything written to a file goes into the main data stream. When we open a file, it is the main stream we see; alternate streams are attached to the file and are not shown by ordinary means. You cannot create them with standard tools either, although some programs are able to read the data hidden in them. The command line is the simplest way to work with streams.

For example, open a console and use the echo command to create the text file streams.txt and write some text into it:

echo This is main stream>streams.txt

And with the next command, write text into the alternate stream stream1:

echo This is alternate stream>streams.txt:stream1

If you now open streams.txt in any text editor, you will see only the first line; the text "This is alternate stream" stays hidden. The contents of stream1 can be read like this:

more < streams.txt:stream1

Alternate streams can be attached not only to files but also to directories. For example, let's add to the directory Streams an alternate stream stream2 containing the text "Hide stream in Streams" (the command is run from inside that directory):

echo Hide stream in Streams>:stream2

And view stream2 with the following command:

more < :stream2

The contents of alternate streams can be opened not only from the console. For example, Notepad can also work with data hidden in streams if you specify the stream name after a colon in the file name. Let's repeat the previous example, changing the stream name to stream1.txt:

echo This is alternate stream>streams.txt:stream1.txt

And open the alternate stream in Notepad with the command:

notepad streams.txt:stream1.txt

Note. The standard Notepad requires the stream name to end in .txt; otherwise it cannot open it. Other editors, for example Notepad++, can show the contents of an alternate stream regardless of its name.

The presence of alternate streams on a file is not shown in Windows Explorer or other file managers. The easiest way to find them is the command dir /R (available since Windows Vista), which lists all data streams of a file, including the alternate ones.

You might think that alternate streams are limited to text data. That is not so: any information can be stored in them. For example, let's create the file picture.txt and attach to it the file pic1.jpg, which contains an image:

echo Picture>picture.txt
type pic1.jpg>picture.txt:pic1.jpg

The result looks like an ordinary text file; to display the image from the alternate stream in the Paint graphics editor, run:

mspaint picture.txt:pic1.jpg

In the same way you can attach data of any type to a file of any type: images to text files, text to media files, and so on. Whatever you attach, Explorer will still show the file size as 1 KB.

Alternate streams can even hold executable files. For example, take the file test.txt and attach Notepad (notepad.exe) to it as the alternate stream note.exe:

type notepad.exe>test.txt:note.exe

And launch the hidden Notepad with the command:

start .\test.txt:note.exe

This possibility has been used by some malware, which hides its code in alternate NTFS streams.

Streams utility

There are third-party utilities for working with alternate streams, for example the console utility Streams from Sysinternals. It can detect the presence of alternate streams and delete them. The utility needs no installation: just unpack and run it. For example, to check for streams in the Streams folder and its subfolders, run:

Streams.exe -s C:\Streams

And to delete the alternate streams of streams.txt:

Streams.exe -d C:\Streams\streams.txt

PowerShell

PowerShell can also work with alternate streams: create them, display them and their contents, and delete them. For example, let's create a text file:

New-Item -Type file -Path C:\Streams\stream.txt

Add a line to the main stream:

Set-Content -Path C:\Streams\stream.txt -Value "Main stream"

And to an alternate stream named Second:

Set-Content -Path C:\Streams\stream.txt -Value "Second stream" -Stream Second

Then display the contents of the main stream:

Get-Content -Path C:\Streams\stream.txt

and of the alternate stream:

Get-Content -Path C:\Streams\stream.txt -Stream Second

To reveal the presence of alternate streams on a file, use:

Get-Item -Path C:\Streams\stream.txt -Stream *

And you can delete all alternate streams of the file with:

Remove-Item -Path C:\Streams\stream.txt -Stream *
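The cmd and PowerShell commands above handle one stream at a time and only tell you that a stream exists. The script below is an added example, not code from the original article: it builds a small lab directory under the user's temp folder (the directory name, file names and contents are constructed for the demonstration), attaches a text stream, a fake PE image and a Zone.Identifier mark, and then scans the tree the way a responder would, listing every alternate stream on files and directories, summing the bytes that Explorer and dir do not report, and flagging streams that begin with the MZ signature of an executable. It needs an NTFS volume and runs in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example: enumerate alternate data streams under a directory tree and
# report the ones Explorer hides. Requires NTFS; works in PS 5.1 and PS 7.

function Read-StreamBytes {
    # Read the first $Count bytes of a named stream; the byte switch differs by version.
    param([string]$LiteralPath, [string]$Stream, [int]$Count)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $LiteralPath -Stream $Stream -AsByteStream -TotalCount $Count
    } else {
        Get-Content -LiteralPath $LiteralPath -Stream $Stream -Encoding Byte -TotalCount $Count
    }
}

function Write-StreamBytes {
    # Write raw bytes into a named stream (creates the stream if missing).
    param([string]$LiteralPath, [string]$Stream, [byte[]]$Bytes)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Set-Content -LiteralPath $LiteralPath -Stream $Stream -Value $Bytes -AsByteStream
    } else {
        Set-Content -LiteralPath $LiteralPath -Stream $Stream -Value $Bytes -Encoding Byte
    }
}

function Find-AlternateStream {
    # Walk $Path (files and directories, hidden ones included) and emit one
    # object per alternate stream: location, size, whether it looks like a PE
    # image, and whether it is merely the browser's Zone.Identifier mark.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $magic = @()
            if ($s.Length -ge 2) {
                $magic = @(Read-StreamBytes -LiteralPath $item.FullName -Stream $s.Stream -Count 2)
            }
            [pscustomobject]@{
                Path   = $item.FullName
                Stream = $s.Stream
                Length = $s.Length
                IsPE   = ($magic.Count -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
                IsMotW = ($s.Stream -eq 'Zone.Identifier')
            }
        }
    }
}

# --- constructed lab data (not from the article) -----------------------------
$lab = Join-Path ([IO.Path]::GetTempPath()) 'ads-lab'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
$notes  = Join-Path $lab 'notes.txt'
$report = Join-Path $lab 'report.txt'
Set-Content -LiteralPath $notes -Value 'visible text'
Set-Content -LiteralPath $notes -Stream secret -Value 'hidden text'
# A fake PE: the MZ signature followed by zero filler, enough to trip the check.
[byte[]]$fakePe = @(0x4D, 0x5A) + (@(0) * 64)
Set-Content -LiteralPath $report -Value 'quarterly report'
Write-StreamBytes -LiteralPath $report -Stream 'tool.exe' -Bytes $fakePe
Set-Content -LiteralPath $report -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'

$found = Find-AlternateStream -Path $lab
$found | Format-Table Path, Stream, Length, IsPE, IsMotW -AutoSize
$hidden = ($found | Where-Object { -not $_.IsMotW } | Measure-Object Length -Sum).Sum
"Bytes hidden in alternate streams (excluding Zone.Identifier): $hidden"
"Bytes Explorer reports for report.txt: $((Get-Item -LiteralPath $report).Length)"
```

Run it against a real share root or a user profile by calling Find-AlternateStream with that path; on a live system Zone.Identifier marks dominate the output, which is why the IsMotW column exists so they can be filtered out before you look at what is left. A stream flagged IsPE on a data file is exactly the "start file.txt:note.exe" case from the text and deserves a hash and a look at process creation history.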

Usage

Alternate streams are used both by Windows itself and by other programs. For example, Internet Explorer divides the network into security zones and, when files are downloaded, marks them with a label that records the zone they came from.

This label is stored in an alternate stream and is a number from 0 to 4:

Local computer (0)
Local intranet (1)
Trusted sites (2)
Internet (3)
Restricted sites (4)

To see this, go to the Downloads folder, take any file downloaded from the Internet and check it for alternate streams. As you can see, it has a stream named Zone.Identifier containing the line ZoneId=3.

This means the file belongs to the untrusted Internet zone and is potentially dangerous. Some programs, for example Word, read this data when opening the file and show a warning.
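The Zone.Identifier stream is small enough to parse by hand, and doing so turns the zone table above into something you can audit with. The functions below are an added example and not part of the original article: Get-MarkOfTheWeb reads the [ZoneTransfer] section and maps ZoneId to the zone names listed above, Set-MarkOfTheWeb writes a mark so that a file is treated as downloaded, and Unblock-File (the built-in cmdlet) removes it. The ReferrerUrl and HostUrl fields are ones current browsers add beside ZoneId; they may be absent. The demo file name and URL are constructed.

```powershell
# Added example: read, interpret, set and strip the Zone.Identifier stream.
# Zone numbers follow the security-zone table given in the article.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-MarkOfTheWeb {
    # Parse the [ZoneTransfer] section of a file's Zone.Identifier stream.
    # Returns $null when the file carries no mark (local origin, FAT copy, unblocked).
    param([Parameter(Mandatory)][string]$LiteralPath)
    $lines = Get-Content -LiteralPath $LiteralPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $fields = @{}
    $section = $null
    foreach ($raw in $lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'ZoneTransfer' -and $line -match '^([^=]+)=(.*)$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $id = $null
    if ($fields.ContainsKey('ZoneId')) { $id = [int]$fields['ZoneId'] }
    $zoneName = 'Unknown'
    if ($null -ne $id -and $ZoneNames.ContainsKey($id)) { $zoneName = $ZoneNames[$id] }
    [pscustomobject]@{
        Path        = $LiteralPath
        ZoneId      = $id
        ZoneName    = $zoneName
        ReferrerUrl = $fields['ReferrerUrl']   # optional, written by current browsers
        HostUrl     = $fields['HostUrl']       # optional, written by current browsers
    }
}

function Set-MarkOfTheWeb {
    # Attach (or overwrite) a mark so that Office, SmartScreen and Explorer treat
    # the file as downloaded. ZoneId 3 = Internet, the zone that triggers warnings.
    param([Parameter(Mandatory)][string]$LiteralPath, [int]$ZoneId = 3, [string]$HostUrl)
    $content = @('[ZoneTransfer]', "ZoneId=$ZoneId")
    if ($HostUrl) { $content += "HostUrl=$HostUrl" }
    Set-Content -LiteralPath $LiteralPath -Stream Zone.Identifier -Value $content
}

# --- constructed demonstration (file name and URL are made up) ---------------
$file = Join-Path ([IO.Path]::GetTempPath()) 'motw-demo.docm'
Set-Content -LiteralPath $file -Value 'not a real document'

"No mark before: " + ($null -eq (Get-MarkOfTheWeb -LiteralPath $file))    # True
Set-MarkOfTheWeb -LiteralPath $file -HostUrl 'https://example.invalid/payload.docm'
Get-MarkOfTheWeb -LiteralPath $file | Format-List                          # ZoneId 3, Internet
Unblock-File -LiteralPath $file                                            # built-in way to drop the mark
"No mark after Unblock-File: " + ($null -eq (Get-MarkOfTheWeb -LiteralPath $file))  # True

# Audit the Downloads folder: files that arrived from the Internet but carry
# no mark, or a mark with an unexpected zone, are worth a second look.
$downloads = Join-Path ([Environment]::GetFolderPath('UserProfile')) 'Downloads'
Get-ChildItem -LiteralPath $downloads -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MarkOfTheWeb -LiteralPath $_.FullName } |
    Where-Object { $_ } |
    Format-Table Path, ZoneId, ZoneName, HostUrl -AutoSize
```

Two practical consequences follow from the parser: a ZoneId of 3 or 4 on an executable in a share is the signal Word and SmartScreen react to, and its absence on a file that a user says they downloaded means the mark was stripped, either by Unblock-File, by a copy through a non-NTFS path, or by an archiver that does not propagate it.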

File Classification Infrastructure (FCI) is also built on alternate streams. Among other programs, alternate streams are used by antivirus products, in particular Kaspersky Anti-Virus, which stores in them a checksum obtained as a result of the scan.

That said, the uses of alternate streams are not limited to these; you can come up with your own. For example, they can be used to hide private information from prying eyes. Files with alternate streams can be copied or moved from one disk to another, and all streams are copied together with the file.

Also, when using alternate streams, remember that they are tied rigidly to the NTFS file system. To preserve them, files must be kept on NTFS disks and handled only under Windows. If you move a file to any other file system, all streams except the main one are lost. Alternate streams are also lost when a file is transferred over FTP or sent as a mail attachment.
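Whether streams survived a copy is easy to test rather than assume. The following added example (not from the original article) wraps Copy-Item with a before/after comparison of named streams, so a backup or migration script can warn when a destination silently dropped them; the file names are constructed, and on two NTFS paths the Lost list is empty.

```powershell
# Added example: verify that alternate streams survived a copy.
function Get-AlternateStreamName {
    # Names of all streams on $LiteralPath other than the unnamed main stream.
    param([Parameter(Mandatory)][string]$LiteralPath)
    @(Get-Item -LiteralPath $LiteralPath -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      Select-Object -ExpandProperty Stream)
}

function Copy-ItemWithStreamCheck {
    # Copy a file and report which named streams the destination lost.
    # Lost is empty for NTFS-to-NTFS; on FAT/exFAT, a share without stream
    # support, or inside a zip archive every named stream disappears.
    param([Parameter(Mandatory)][string]$Source,
          [Parameter(Mandatory)][string]$Destination)
    $before = Get-AlternateStreamName -LiteralPath $Source
    Copy-Item -LiteralPath $Source -Destination $Destination -Force
    $target = $Destination
    if (Test-Path -LiteralPath $Destination -PathType Container) {
        $target = Join-Path $Destination (Split-Path -Leaf $Source)
    }
    $after = Get-AlternateStreamName -LiteralPath $target
    [pscustomobject]@{
        Source        = $Source
        Destination   = $target
        StreamsBefore = $before.Count
        StreamsAfter  = $after.Count
        Lost          = @($before | Where-Object { $_ -notin $after })
    }
}

# --- constructed demonstration --------------------------------------------
$tmp = [IO.Path]::GetTempPath()
$src = Join-Path $tmp 'keep-streams.txt'
Set-Content -LiteralPath $src -Value 'main stream'
Set-Content -LiteralPath $src -Stream secret -Value 'alternate stream'
Set-Content -LiteralPath $src -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'

$result = Copy-ItemWithStreamCheck -Source $src -Destination (Join-Path $tmp 'keep-streams-copy.txt')
$result | Format-List
if ($result.Lost.Count -gt 0) {
    Write-Warning "Streams lost in copy: $($result.Lost -join ', ')"
}
# To see the loss, point -Destination at a FAT32 volume such as a USB stick.
```

The same comparison is useful in the other direction: a file whose streams went missing between two NTFS locations did not travel by a plain copy, which is a hint about the path it really took.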
Taken from http://windowsnotes.ru/other/alternativnye-potoki-dannyx-v-ntfs/

More:
ADS is a built-in feature of the NTFS file system; it cannot be disabled.

ADS lets you attach arbitrary files to other files and even to directories (!). The OS itself uses it all the time, adding a "Zone.Identifier" stream to files downloaded from the Internet.

Zone.Identifier can, by the way, be edited, for instance to change how a file downloaded from the Internet is treated. Open it in protected mode?

You can attach a stream to a file like this:
type file1 > file2:file3

try to detect it:
dir /r

run an exe like this:
start file2:file3

if that does not work, then like this:
mklink file4 file2:file3
start file4

For example, attach the calculator to the root of the disk (!) and run it through the link.

The purpose of this article is to explain what data streams (alternate data streams) are in Windows operating systems, to demonstrate how they are created and how a machine can be compromised with their help, and to show how hidden files can be found with the help of utilities. First you need to understand what ADS are and what threat they carry, then look at how they are used for malicious purposes, and finally we will look at tools for detecting such activity and for stopping illegitimate work with streams.

Something new?

Alternate data streams appeared in Windows together with NTFS. To be honest, in my understanding there was no special need for them: they were made for compatibility with HFS, the old Macintosh Hierarchical File System. That file system uses both a data fork and a resource fork to store content. The data fork is responsible for the contents of the document, and the resource fork for identifying the file: its type and other data. Even now few ordinary users know that alternate streams exist. In the computer security world, however, they have gained a certain popularity. For example, attackers use ADS to store files on compromised computers, as well as to infect them with viruses and other malware. The point is that these streams are not visible by the most obvious means, such as Explorer or the command line. What makes them interesting? That unless someone deliberately starts investigating, the attacker does not attract attention to them; besides, not all antivirus products scan streams by default.

The demonstration

To understand the real danger of ADS, it is best to demonstrate working with them. In the example, the Metasploit Framework is used to penetrate a machine, exploiting the MS04-011 (LSASS) vulnerability. Then, using TFTP, we upload files and place them into alternate data streams. Finally, on the remote machine, we launch from the command line a scanner that scans the network for other hosts. Note that the authors of the Metasploit Framework gave their creation a METASPLOIT signature, so the author of a protective program could identify a packet coming from MF. Pay attention to the packet sent by the attacker (shown in the original article's screenshot):

Here 192.168.1.102 is the attacker's computer running the Metasploit Framework, and 192.168.1.101 is the vulnerable computer with Win2K Professional. In this case it is installed without patches and service packs, purely for demonstration purposes :). Note that ADS by themselves are not very useful; naturally, they help the attacker only when access to the machine is already available, for example through a vulnerability in the operating system. In practice you are unlikely to find an unpatched W2K, so other ways in have to be sought.

Below we see that the attack succeeded and a reverse shell handed over by the victim is open on the attacking machine. By default Metasploit uses port 4321 for this, but it can be changed:

Having penetrated the machine, you need to transfer files to it. TFTP can be used for this; in this case ipeye.exe is transferred.

We also download psexec.exe, pslist.exe and klogger.exe. The listing of the directory C:\Compaq, where everything was put:

Now hide ipeye.exe in a stream attached to the reference file test_file.

In the same way, other files needed for the job can be hidden quickly and simply. Note that an alternate stream can be created not only for files but also for a directory, for example for C:\ itself. Let's launch the scanner mentioned at the beginning, ipeye.exe, on the compromised computer:

c:\Compaq\test_file:ipeye.exe

(To be continued)

Windows operating systems come with two little-known data hiding features: NTFS data streams (also known as alternate data streams) and Access-based Enumeration (ABE), which filters resource listings according to permissions. Alternate data streams allow additional information to be attached to a file, such as data about the file. Most likely you will not use data streams yourself, but attackers can turn the technology against you, so it is worth knowing about it and about what can be done to counter it.

As for ABE, it can extend your arsenal. This method makes the folders and files on a shared resource invisible to users who have no permission to access them.

Here is what you need to know about these tools.

Streams that fill the sea of data

Alternate data streams are a function of the NTFS file system. They were added to Windows NT 3.1 to allow NT and Macintosh users to exchange files.

An NTFS file is made up of data streams. There is the standard $DATA stream and possibly one or more alternate data streams. Any user who has the necessary permissions to work with a file can access the unnamed $DATA stream, write to it, and also read and write data in the alternate streams.

An alternate data stream is additional information, or a file, that a user or a program can attach to an NTFS file. Only the one who created the alternate stream knows about its existence. Ordinary users do not know that an alternate data stream is attached to a file, because neither its contents nor its name are visible. Moreover, it does not change the displayed size of the file.

There are many ways to use alternate data streams. On Windows systems, streams are used to store metadata about documents created by programs that are not part of the Microsoft Office suite, such as plain text files (.txt). Metadata items, for example title, subject and author, can be entered on the Summary tab of the file's Properties dialog. This data is stored in the alternate data stream SummaryInformation.

Windows components such as the Encrypting File System (EFS) and Windows Explorer use alternate data streams to attach additional data to files stored on NTFS-formatted volumes. According to the original article, EFS uses alternate data streams to attach to encrypted files the information needed for encryption and decryption, which makes decentralized encryption and decryption by the system's own tools possible.

Starting with Windows XP Service Pack 2 (SP2), Microsoft Internet Explorer (IE) uses the Zone.Identifier alternate data stream (called Security.Zone in the original text) to record the security zone classification of files saved on NTFS volumes. As a result, IE can block privilege escalation attacks that become possible when malicious code downloaded from the Internet zone is saved to the hard disk: IE would otherwise place locally saved content in the Local Machine security zone, which grants more rights than the Internet zone. XP SP2 always checks the Zone.Identifier stream before allowing downloaded code to run on the local system.

A channel for delivering code

What makes alternate data streams worthy of attention and dangerous is that their names and contents are not displayed in Windows Explorer. That is why the organizers of various attacks consider such streams a convenient place to hide data or malicious code that they have smuggled onto the system. An example of the use of these streams is the [email protected] worm. Its authors used an alternate data stream attached to the ODBC .ini file to hide Visual Basic (VB) scripts.

When activated, the worm creates an account with administrative privileges and mails itself to the addresses found in the Microsoft Outlook address book.

Another concern is that the disk space occupied by alternate data streams is not included in the size information for files and folders or in the used-space figures reported by Windows Explorer. An attacker can use alternate data streams to fill up a file server's disk, and the administrator will be left scratching his head trying to find the cause. It should be added that the Dir command-line utility also ignores alternate data streams when computing the size of files and folders. Today there is only one Microsoft tool that accounts for alternate data streams when reporting disk usage: the Chkdsk utility.

Adding a new stream

Anyone who has write access to an NTFS file can use ordinary operating system commands to attach an alternate data stream to the file. For example, the following command creates the alternate data stream mystream, attaches mystream to the file named file.txt, and writes the phrase "top secret" into the mystream stream.

echo top secret > file.txt:mystream

You can look inside the mystream stream with the command

more < file.txt:mystream

As mentioned above, executable files can also be attached to alternate data streams. For example, you can attach a copy of Windows Calculator (calc.exe) to file.txt. To do this, simply enter the command

type calc.exe > file.txt:calc.exe

To run the attached calculator, enter the command

start .\file.txt:calc.exe

Note that alternate data streams and their sizes are not shown by Microsoft's tools. Open Windows Explorer and look at the properties of file.txt. In reality the file takes 112 KB (the space occupied by calc.exe), but the program shows a size of 0 KB: the $DATA stream contains no data, and Windows Explorer cannot read information from the alternate data stream.

It is clear that alternate data streams pose a threat, especially in networks where NTFS access control is not applied and strict control of access to Windows servers is not enforced. There is a simple mechanism that can block the way for attackers trying to use alternate data streams: the NTFS access control system. If attackers cannot write data to a file, they cannot create alternate data streams and attach them to that file.

Detecting changes

If you suspect that attackers have managed to get around the barrier of the configured permissions, use one of the available tools for detecting the contents of alternate data streams. System integrity checking programs such as Tripwire Enterprise and Tripwire for Servers can report all changes in the NTFS file system, including the addition or modification of a data stream.

The Streams program offered by Sysinternals is a free command-line utility that reports the names and sizes of the alternate data streams attached to files. Screen 1 shows how the Streams utility is used to reveal the name of the calc.exe data stream that was earlier attached to file.txt. The utility can be downloaded from http://www.sysinternals.com/utilities/streams.html.

Another simple way to reveal an alternate data stream is to use Windows Explorer to copy the suspicious file to a storage device with a file system other than NTFS (say, a FAT drive). Other file systems have no means of handling alternate data streams, so when you try to copy an NTFS file with attached alternate data streams to a different file system, NTFS issues a warning like the one shown on screen 2. But be careful: if you copy the file from the command line with the Copy command, Windows copies it to the non-NTFS file system and drops the streams without any warning.

Hiding shared resources with ABE

ABE is an extension of the file sharing feature that Microsoft first delivered with Windows Server 2003 SP1. It can be applied to any shared Windows folder regardless of the file system on which the shared data is stored. ABE lets administrators hide the folders and files on a shared resource from users who do not have permission to access them at the NTFS level. In other words, it provides security at the folder level.

When ABE is not used, users connecting to a shared directory see all the files and folders on the shared resource, including those they are not allowed to read and which are therefore blocked for them. If a user tries to open a file or folder to which access is denied, the system shows an error message explaining that access is forbidden. Such error messages confuse users, so enabling ABE reduces the number of support calls.

However, using ABE has its drawbacks. Before returning to a client connected to the shared resource the list of objects stored in a folder, the server must check the access control lists of all these objects. As a result there can be a slight drop in system performance, especially when accessing shared resources that contain many objects.

ABE is useful, for example, for organizing shared access to users' home directories. Instead of creating a separate hidden shared resource for each user's home directory, you can create a single shared resource containing the home directories of all users under one root home directory. Users connect to the root directory, and with ABE together with NTFS permissions you control the visibility of the home directories inside that root.

Enabling ABE

This feature is controlled by a new shared resource flag, SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS; at the time of writing it is implemented only in Windows Server 2003 SP1 and Release 2 (R2). The flag enables ABE for a particular shared folder.

To set the flag you can use the extended folder properties in Windows Explorer or the command-line tool abecmd.exe. Microsoft ships the ABE Explorer extension and abecmd.exe in the ABE installation package, an add-on for the Windows Server 2003 SP1 platform. The package can be downloaded from the Microsoft site at http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084. Since ABE is a server-side extension, it works regardless of which version of Windows is installed on the client.

After installing ABE on the server, you can set the flag for a particular folder. Right-click the folder, select Properties, go to the Access-based Enumeration tab and set the Enable access-based enumeration on this shared folder flag, as shown on screen 3. To enable ABE on all shared resources on the system, set the flag Apply this folder's setting to all existing shared folders on this computer.

Another way is to use the command-line tool abecmd.exe. To enable ABE on the shareddocs resource, which is accessible to everyone, enter the command:

abecmd /enable shareddocs

To enable ABE on all shared resources, use the /all parameter; to disable ABE, the /disable parameter.
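abecmd.exe belongs to the Windows Server 2003 SP1 add-on described above. On Windows Server 2012 and later the same share flag is exposed by the SmbShare module as FolderEnumerationMode, and the home-directory layout from the text can be built and audited with it. The script below is an added example and not part of the article: the share name Home, the path D:\Home and the user alice are assumptions for the demonstration, and it must run elevated on a server with the SmbShare module.

```powershell
# Added example: audit and enforce access-based enumeration with the SmbShare
# module (Windows Server 2012 / Windows 8 and later). Run elevated.

function Get-ShareWithoutAbe {
    # Every non-administrative share whose listing is not filtered by ACLs.
    Get-SmbShare | Where-Object { -not $_.Special -and $_.FolderEnumerationMode -ne 'AccessBased' }
}

function Enable-Abe {
    # Switch the given shares to AccessBased; -WhatIf previews the change.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name)
    process {
        if ($PSCmdlet.ShouldProcess($Name, 'Set FolderEnumerationMode = AccessBased')) {
            Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force
        }
    }
}

# Home-directory layout from the article: one share over the root, ABE hides
# the sibling folders. Share name and path are assumptions for this example.
$root = 'D:\Home'
if (-not (Get-SmbShare -Name Home -ErrorAction SilentlyContinue)) {
    New-Item -ItemType Directory -Path $root -Force | Out-Null
    New-SmbShare -Name Home -Path $root -FolderEnumerationMode AccessBased `
                 -ChangeAccess 'Authenticated Users' | Out-Null
}

# Per-user folder: cut inheritance and grant only the owner plus administrators,
# so that ABE has an ACL difference to filter on. 'alice' is a placeholder account.
$userDir = Join-Path $root 'alice'
New-Item -ItemType Directory -Path $userDir -Force | Out-Null
icacls $userDir /inheritance:r /grant:r 'alice:(OI)(CI)M' 'Administrators:(OI)(CI)F' | Out-Null

Get-ShareWithoutAbe | Format-Table Name, Path, FolderEnumerationMode -AutoSize
Get-ShareWithoutAbe | Enable-Abe -WhatIf          # drop -WhatIf to apply to every share
Get-SmbShare -Name Home | Select-Object Name, FolderEnumerationMode
```

ABE only hides names from the listing; the NTFS ACL on each folder is what actually denies access, so the icacls step is the security control and ABE is the usability layer on top of it. Leave the -WhatIf on the bulk call until the listing of shares without ABE has been reviewed, because ABE on a large share adds the per-object ACL check the text warns about.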

Access control

ABE is a simple tool that lets users see only the files they are permitted to access and need for their work. Users can easily find the files they need, since they do not have to wade through folders they cannot open, and they do not bombard the support service with questions about why they can see files but cannot work with them.

To protect against attackers who use alternate data streams, administrators must tighten access to shared resources and use one of the utilities described above to detect alternate data streams as well as changes in the NTFS file system.

Jean De Clercq ([email protected]) is a member of the Security Office at Hewlett-Packard. He works on identity and security of Microsoft products. Author of the book Windows Server 2003 Security Infrastructures (Digital Press).

Alternate Data Stream (AltDS) support was added to NTFS for compatibility with the Macintosh HFS file system, which uses a resource fork to store icons and other information about a file. The use of AltDS is hidden from the user and not accessible by standard means. Explorer and other applications work with the standard stream and cannot read data from the alternate ones. With AltDS you can easily hide data that cannot be found by standard system checks. This article gives basic information about how AltDS work and how to detect them.

Creating AltDS

Creating an AltDS is easy. We will use the command line. First, create the base file to which our streams will be attached.
C:\>echo Just a plain text file>sample.txt

C:\>type sample.txt
Just a plain text file


Now use the colon operator to indicate that an AltDS is being used:
C:\>echo You can't see me>sample.txt:secret.txt

To view it, you can use the following commands:
C:\>more < sample.txt:secret.txt

or
C:\>notepad sample.txt:secret.txt

If everything went well, you will see the text: You can't see me, whereas when the file is opened from Explorer this text is not visible. An AltDS can be attached not only to a file but also to a folder. For example:
C:\>md stuff
C:\>cd stuff
C:\stuff>echo Hide stuff in stuff>:hide.txt
C:\stuff>dir
 Volume in drive C has no label.
 Volume Serial Number is 40CC-B506

 Directory of C:\stuff

09/28/2004  10:19 AM    <DIR>          .
09/28/2004  10:19 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  12,253,208,576 bytes free
C:\stuff>notepad :hide.txt

Now you know how to view and edit AltDS attachments in Notepad, and how to attach them to files and folders.

Attaching and launching programs

Hiding a program in an AltDS is as easy as hiding a test file. First, create the base file again:
C:\WINDOWS>echo test>test.txt

Now hide the program; as an example I will use notepad.exe:
C:\WINDOWS>type notepad.exe>test.txt:note.exe

Now let's check that our file still contains the same text:
C:\WINDOWS>type test.txt
test

And now the most interesting part: launch our hidden application:
C:\WINDOWS>start .\test.txt:note.exe
C:\WINDOWS>

Since this article is not a complete translation of the original, it is meant only as a brief introduction to the topic. Additional techniques can be found in the original sources.

UPD:

Utilities for working with AltDS (list collected from comments to three articles and other sources):

LADS - List Alternate Data Streams by Frank Heyne
www.heysoft.de/Frames/f_sw_la_en.htm

Streams.exe from SysInternals.

Have you heard of NTFS streams? It is a file system feature that is rarely encountered in practice. Today we will talk about what can be done with it.

A little theory to begin with.
Support for alternate data streams was added to NTFS for compatibility with the Macintosh HFS file system, which uses a resource fork to store icons and other information about a file. They have been present in NTFS since the earliest versions of Windows NT. The essence of the technology is that a file on NTFS can have several streams holding data. Explorer and most popular file managers see only the main stream (which has no name), the one that contains the actual content of the file. Streams can be used to store file metadata; that is how they were used in Windows 2000, as far as I know.

In Windows 7, alternate NTFS streams are not shown by the standard tools. And not without consequences: clever viruses, for example, can write themselves into a stream of an entirely innocent file. Having deleted a file with streams that was hoarding data, you may discover that the space freed was noticeably larger than what the file occupied according to Explorer.
To view the existing streams we will use the console utility written by Mark Russinovich.

How to create an alternate NTFS stream

Some console commands allow creating and writing to NTFS streams; for example, the echo command can create an alternate stream on a text file. To make it clear how this works, look at an example. Type at the command line:
echo Hello Happy Bulldozer > hello.txt
echo Hello World > hello.txt:test

Now open hello.txt in Notepad:

The text Hello World has gone "behind the scenes" into the stream test. How do you tell Notepad's Open dialog which stream to show? You cannot: the colon is an invalid character in a file name. However, you can use the command line, which is more lenient and lets you run:
more < hello.txt:test

Viewing NTFS streams, as I wrote above, can be done with the streams.exe utility:
streams.exe hello.txt


I hope everything is clear here.

Alternate NTFS streams and Notepad

Some programs open streams without any special effort, and Notepad is one of them:

The standard Notepad requires the .txt extension on the stream name. To use it, name the stream like this:
echo Hello World > hello.txt:test.txt
Then the command run from cmd.exe gives a positive result:
notepad hello.txt:test.txt

Alternate NTFS streams and different file types

You might think that the use of NTFS alternate streams does not extend beyond text files. That is not so. In the following example I attached to hello.txt a stream containing the data of a 7z archive:

Let me note that streams can be created not only for files but also for folders, and even for hard disk partitions.

Everything is limited only by your imagination and needs. Using the techniques described, you can easily hide personal information from an unprepared user, for example. As "protection from a fool" it works as well as you like; against anyone who knows to look, it is no protection at all.