Alternate NTFS data streams. Features of the NTFS file system

Eventually, cheaper hardware (in dollar terms) brought computers with resources entirely sufficient to run Microsoft Windows NT (a Pentium 200 MMX with 32-64 MB of RAM) within reach of more people. The unreliability and poor protection of Windows 95/98, as well as their inability to manage the resources of current computers properly, lead many of them to the idea of switching to NT.

Having switched, many of them find nothing radically new for themselves. After installing Internet Explorer 4, and as long as the established security policy does not make NT's numerous protection features felt, in most cases all you will notice compared to Windows 98 is the presence of two "Startup" folders in the Start menu (one for the current user and one for all users) and the absence of the Add New Hardware applet in the Control Panel. And if you do not format the disk with the NTFS file system, you may never know the difference.

The advantages of NTFS over FAT, VFAT, FAT16 and FAT32 are widely covered in the literature and documentation for Windows NT. The main ones are: creation and modification timestamps, a transaction journal, maximum volume and file sizes of up to 16 exabytes (1 exabyte is roughly 10^9 GB), the ability to compress individual files and folders, and the ability to set permissions and auditing. However, NTFS also has little-known and rarely used features: hard links and multiple data streams, or forks. Let me tell you about them.

Multiple data streams. This term is familiar to Macintosh users. On that system a file can have two streams (forks): a data fork and a resource fork. The data fork holds the file's data, and it is this fork that is copied as a single file when the file is transferred from a Macintosh to a PC. The other fork of the file is the resource fork, which contains data used by the operating system: menus, icons, fonts, and in general everything that is usually called resources. If Windows NT Server serves Macintosh clients and provides disk space for storing their files, the server's file system must support the client's file format. This is one of the reasons multiple data streams appeared in NTFS.

How was this implemented? From the NTFS point of view, any information about a file, starting with its name and permissions and ending with the data stored in the file, is an attribute, and each attribute is stored in a stream. The NTFS developers judged that there was no need to limit a file to a single, unnamed data stream, and added the ability to create several named streams in addition to the main one. Multiple streams can be created with the Win32 API, or in a simpler way.

Since the days of Kernighan and Ritchie, the creators of the C language and the UNIX operating system, serious operating systems have had a formalized notion of input and output. From this point of view, any I/O operation can be viewed as input from a stream or output to a stream, regardless of where the data comes from (console, keyboard, file or port) or where it goes (again a file, or the monitor screen or a printer). So the output of a program can be redirected from the screen to a printer, and commands can be taken not from the keyboard but from a file. In our time of widespread graphical interfaces, this ability is rarely used, as the following example shows.

In Microsoft operating systems the echo command is used to display text on the screen in text mode:

C:\>echo Hello, World!

As its output device, the echo command uses the monitor screen. This output can be redirected from the console to a file (the ">" symbol is used for this):

C:\>echo Hello, World! > file

As you can see, the echo command now displays nothing on the screen. Instead, the line "Hello, World!" can be found in the file. Similarly, the output of the echo command can be redirected to the printer:

C:\>echo Hello, World! > lpt1

Again, nothing appears on the screen, but the same line "Hello, World!" appears on the sheet of paper in the printer connected to the lpt1 port. In this way the output of any text-mode program can be redirected to any device that supports stream input, or to a file, except for programs that bypass standard output and write directly to video memory or use other means that are non-standard from the classic C point of view.

Input can be redirected in the same way. The more command of Microsoft operating systems is used to page output that does not fit on the screen. It can also be used to illustrate input redirection:

C:\>more < file

The line "Hello, World!" held in the file is displayed on the screen.

So, with the help of input and output redirection, you can create and read multiple data streams:

C:\>echo string1 > file:fork1

The notation file:fork1 refers to the stream named fork1 in the file file (if the file does not exist yet, a new one is created with that name), and the output of the echo command is redirected into it. The size of the file shown in its Properties does not change, and the name of the stream cannot be discovered with the standard Windows NT tools. If you know its name, you can display its contents with the more command:

C:\>more < file:fork1

In this way you can create and read the contents of the data streams of a file. The number of streams that can be created in one file is limited only by the available disk space. Streams can be created in directories in the same way, but to view the contents of such a stream you have to use another way of sending it to the screen, because the more command only reports an error for it.

If nothing suitable is at hand, you can write the following program with any C++ compiler:

#include <iostream>
int main() { char ch; while (std::cin.get(ch)) std::cout.put(ch); return 0; }

Compile this program as a Win32 console application and use it, with input redirection, as a tool for viewing directory streams.

Windows NT has no standard tools for obtaining information about multiple data streams. What if such information is needed after all? This gap is filled by the streams program by Mark Russinovich, whose source code can be obtained from www.sysinternals.com. To extract information about multiple data streams the program uses undocumented Windows NT functions. Here is the information the streams program prints about the file file:

NTFS Streams Enumerator v1.0
Systems Internals - http://www.sysinternals.com

Here you can see the name of the data stream and its size in bytes (the length of string1 plus three characters: the space before the ">" symbol, and the carriage return and line feed added by the echo command). Unfortunately, streams cannot list the data streams of directories.

Is there any use for multiple data streams? Apart from the use Apple found for them, one can think of using them to store service information, for example the installation date of shareware programs. At the dawn of OLE technology Microsoft used data streams to store information about embedded objects; perhaps storing that data on FAT, with neither long file names nor streams, turned out to be simpler, and the idea was abandoned. A "resource file" for a script, holding all the messages the script prints in different languages, could also make use of streams. Beyond that, there is apparently no need to use multiple data streams, unless one simply wants to play with them.

Hard links. Anyone who works with UNIX clones knows them well. Whereas it is accepted on FAT file systems that a file can have only one name, UNIX has no such restriction: a file can have several names, and its data is not deleted until the number of names (the link count) drops to 0. There are also symbolic links, an analogue of Windows shortcuts, except that they are followed transparently by every program that refers to them.

Windows NT was designed to comply with the POSIX standard (Portable Operating System Interface for Computing Environments). One of its requirements is support for hard links, while support for symbolic links is not required. Evidently it was believed that shortcuts are a good enough analogue of symbolic links.

In NTFS, hard links are organized similarly to multiple data streams: if a file can contain several data streams, why can't it contain several name attributes? The several names of a file can be located in different directories, but only within one volume.

To create a hard link you need the ln program from the POSIX tools of Windows NT. The program and its source code are included on the Windows NT Resource Kit CD. By analogy with UNIX, the program is called ln. The syntax of the command is:

C:\>ln file hardlink1

This command creates another name, hardlink1, for the file file. If you change the contents of file, the contents of hardlink1 change too, or rather, there is one file with two names. The same applies to the other attributes of the file. The names of a file are not distinguished in any way, but when the file is copied under one of its names the link is not preserved and a separate file is created. A link can also be created in another directory:

C:\>ln file ../temp/hardlink2

Note that here the directory must be given as a relative, not an absolute, path.

Uses for hard links can be found no less easily than for multiple data streams. For example, you can create a hard link to a DLL so that your program finds the library under the file name it expects. Other possible uses of hard links are better looked up in UNIX literature. And, of course, hard links can be combined with the multiple data streams described above.
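The hard-link semantics described above (several names for one file, data kept until the last name is removed, a link in another directory but on the same volume, a copy breaking the link) can be exercised from Python, whose os.link creates a hard link (link() on POSIX systems, CreateHardLink on Windows NTFS). This is an added example, not code from the article; it works in a scratch directory of its own, and the names file, hardlink1 and temp/hardlink2 follow the article's ln commands.

```python
import os
import shutil
import tempfile


def hard_link_demo():
    """Reproduce the article's ln examples with os.link and report what was observed."""
    root = tempfile.mkdtemp(prefix="hardlink-demo-")
    try:
        os.mkdir(os.path.join(root, "temp"))
        original = os.path.join(root, "file")
        with open(original, "w") as f:
            f.write("original\n")

        # ln file hardlink1          -> a second name in the same directory
        link1 = os.path.join(root, "hardlink1")
        os.link(original, link1)
        # ln file ../temp/hardlink2  -> a third name in another directory, same volume
        link2 = os.path.join(root, "temp", "hardlink2")
        os.link(original, link2)

        st = os.stat(original)
        result = {
            # link count is now 3: "file", "hardlink1" and "temp/hardlink2"
            "link_count": st.st_nlink,
            # all three names resolve to the same file (same inode / file id)
            "same_file": os.stat(link1).st_ino == st.st_ino == os.stat(link2).st_ino,
        }

        # writing through one name changes the data seen through the others
        with open(link1, "a") as f:
            f.write("written through hardlink1\n")
        with open(link2) as f:
            result["seen_through_hardlink2"] = f.read()

        # copying one of the names does NOT preserve the link: the copy is a new file
        copy = os.path.join(root, "copy")
        shutil.copyfile(original, copy)
        result["copy_is_same_file"] = os.stat(copy).st_ino == st.st_ino
        result["copy_link_count"] = os.stat(copy).st_nlink

        # removing the original name only drops the count; the data lives on
        # under the remaining names
        os.remove(original)
        with open(link2) as f:
            result["data_after_removing_original"] = f.read()
        result["link_count_after_remove"] = os.stat(link1).st_nlink
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in hard_link_demo().items():
        print("%-30s %r" % (key, value))
```

The "only within one volume" rule is enforced by the call itself: os.link between two volumes raises OSError (EXDEV), which is why the example keeps everything under one scratch directory.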

The purpose of this article is to explain what alternate data streams (ADS) in Windows operating systems are, to demonstrate how they can be used to compromise a machine, and to show how hidden files can be found using freely available utilities. First we explain what ADS are and what threat they carry, then look at how an attacker uses them, and then find the tools with which such activity can be detected and stopped.

What are they?

Alternate data streams appeared in Windows together with NTFS. As far as I know, there was no special purpose for them of their own: they were needed for compatibility with HFS, the old Macintosh file system (Hierarchical File System). The point is that this file system uses both a data fork and a resource fork to store a file's contents. The data fork, naturally, holds the contents of the document, while the resource fork holds information identifying the file, its type and other attributes. Even now few ordinary users know about the existence of additional streams. In the computer security world, however, they have gained a certain popularity. For example, attackers use ADS to store files on compromised computers, and they are also used by viruses and other malware. The point is that these streams are not shown by the usual methods, such as a directory listing from the command line. What else is peculiar about streams? The fact that those investigating a break-in rarely pay attention to them, and not all antivirus programs look into streams when searching for malware.

Demonstration

To understand the real danger of ADS, it is best to demonstrate working with them. In this example the Metasploit Framework is used to penetrate the machine. The exploit used is MS04-011 (LSASS). Then, with the help of TFTP, files are transferred to the victim and hidden in alternate data streams. What will this lead to? From the compromised machine, a command-line scanner is launched that scans the network for other machines. Note that the authors of the Metasploit Framework signed their exploits with a METASPLOIT signature so that malware authors could not simply steal the packets the Framework produces. Pay attention to the packet, as seen from the attacker's side:

Here 192.168.1.102 is the attacker's computer running the Metasploit Framework, and 192.168.1.101 is the victim, a computer with Windows 2000 Professional, deliberately left without patches or service packs for demonstration purposes :). Note that ADS by themselves are not necessarily harmful; they are useful to the attacker only after the attack, once he has access to the machine, usually with system privileges. On your network you are unlikely to find an unpatched Windows 2000, so an attacker will have to look for other ways in.

We assume the attack succeeded and the attacker has an open reverse shell handed over by the victim. By default Metasploit uses port 4321 for this, although this can be changed:

Once inside the machine, files have to be transferred to it. TFTP is used for this; here ipeye.exe is transferred, and it can be fetched at any time.

This is how psexec.exe, pslist.exe and klogger.exe are downloaded. Here is the directory listing of C:\Compaq, where everything went:

Now we hide ipeye.exe from view by attaching it to an existing file, test_file.

Then the same can be quickly done with the other transferred files. Note that an alternate stream can be attached not only to a file but also to a directory, C:\ for example. Let's start the scanner we talked about at the beginning, ipeye.exe, on the compromised computer:

c:\Compaq\test_file:ipeye.exe

(To be continued)

The article was written for the magazine "Hacker" in 2004. It was published in issue 09/04 (69) under the title "Destructive Streams".

Having broken into an NT system and installed your own spyware on it, you have to solve the problem of storing the information collected on the victim's computer. Usually the log is written to an ordinary file in a directory with a large number of files, for example system32.

NTFS capabilities

This is a widespread, but far from the best, method of storing information on the local computer. There is a chance that the user will notice a new, constantly growing file that has suddenly appeared in the system directory. Append the log to an existing file? To begin with, you would have to find a file to which appending arbitrary data does no harm. What about storing the information in such a way that it is visible neither from Explorer, nor from the command line, nor from any file manager? The NTFS file system provides such a capability. On home machines this is rarely of use, since most of them still run FAT32, even under XP. But on the local network of any company running Win2k/XP, NTFS is very likely in use, since it provides capabilities such as assigning access rights to users and encrypting and compressing files. In addition, NTFS is much more reliable than FAT32. So the method of storing data I am about to describe is ideally suited to industrial espionage. With the arrival of Longhorn, NTFS may have a chance of landing on the drives of home computers too, since the new WinFS file system, based on NTFS, offers additional possibilities for organizing and searching information that may attract home users.

Attaching arbitrary data to a file

The method is to store the data not in a file, as before, but in an NTFS file stream. The stream can be attached to another file (whose size does not change and whose contents are not altered, so utilities that verify file checksums will not notice the change), to a directory, or to a disk. Alternate NTFS file streams are one of the capabilities NTFS has had since the earliest versions of Windows NT. The point is that one file can contain several streams for storing data, and only the main one, in which the file's contents are stored, is normally accessible. It is similar to the HFS file system on Macintoshes, where the streams are called forks. Until recently they were used to store a file's resources or information about the file type. With the arrival of Mac OS X, Apple recommended placing resources inside files and assigning file types by extension. However, support for forks remains. On Windows, streams are used to store any additional information about a file. For example, when a user creates a document on an NTFS disk, explorer.exe attaches streams named SummaryInformation, DocumentSummaryInformation and others to the file. On my computer I found a stream named $MountMgrRemoteDatabase attached to drive C.

You can learn about streams attached to a file in certain cases, for example when you copy a file with an attached stream to a FAT/FAT32 disk. These file systems do not support streams, so the system asks you to confirm the loss of the information in the streams, naming them. Obviously, this situation never arises for a stream attached to a disk or a system folder. It is not necessary to use streams for spying purposes. If you develop shareware, you may well use streams to store registration information, the number of days left in the trial period, in a word everything that could be tampered with to crack your program.

Working with streams

Working with files and working with streams have both similarities and differences. There are many similarities. Both files and their streams are created and deleted with the same WinAPI functions, CreateFile and DeleteFile. Reading and writing are done, naturally, by ReadFile and WriteFile. Here the similarities end and the differences begin. Stream names may contain special characters that cannot be part of an ordinary file name, such as "*", "?", "<", ">", "|" and the quotation mark. Whatever the stream is called, the name is stored in Unicode. Control characters in the range 0x01 - 0x20 can also be used. There is no standard function for copying or moving a stream: MoveFile and CopyFile do not work with stream names. Nobody stops you from writing such functions yourself. Streams have no attributes, creation or access dates of their own; they take those of the file they are attached to. Just as a file, a stream can hold any kind of data. The full name of a stream has the form "file_name:stream_name:attribute". The standard attribute of a stream holding data is called $DATA. There are many other attributes, whose names also begin with the "$" sign. The contents of the file itself live in the unnamed stream (file_name::$DATA). This property of the file system led to a bug in older versions of Microsoft IIS: a hacker who wanted to see the text of a script on a remote server could simply append "::$DATA" to its name, and the server, instead of executing the script, returned its source code. Working with streams is similar to working with files. Take a look at Listing 1. It is a simple example of a program that creates a file with a stream and writes data into it. After the program is run, an empty file testfile appears in its directory. You can view the contents of the attached stream by typing "more < testfile:stream" at the command line. As you can see, the stream name is given after the file name, separated from it by a colon. The hardest part of working with streams is getting the list of streams of a particular file. There is no standard function for this, so you have to write it yourself. Let's write a small console program that returns the list of streams for a given file name. The guys at Sysinternals have such a program, with open source, and it works, but I did not like their approach: they use Native API calls, and so their code is large and hard to understand. We will write our own program that works from the command line, with a simpler algorithm and standard API functions.

Getting the list of streams

The algorithm is based on the BackupRead function. It is intended for backing up files. When making a backup copy of a file, it is important to save as much data as possible, including the file's streams. The information is returned in the WIN32_STREAM_ID structure, from which you can learn the name of the stream, its type and its size. We need the streams of type BACKUP_ALTERNATE_DATA. All the functions and structures are declared in the header winnt.h. First the file must be opened for reading with CreateFile. The dwFlagsAndAttributes parameter must include the FILE_FLAG_BACKUP_SEMANTICS flag, which allows opening not only files but also directories. Then a while loop reads the sid structure describing each stream of the file in turn. Before the next pass through the loop the structure is cleared, and the file position is moved to the next stream with BackupSeek. Once all streams have been enumerated, we release lpContext, which holds the function's internal state, and close the file. The source code of the program is shown in Listing 2. The compiled program can be taken from our disk. You do not have to write programs in a language to work with streams. You can do it directly from the command line; examples are given in the sidebar.
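The part of Listing 2 that is easy to get wrong is the bookkeeping over the buffer BackupRead returns: a 20-byte fixed header, then dwStreamNameSize bytes of UTF-16 name, then Size bytes of stream data that must be skipped (the job BackupSeek does) before the next header. The following Python example, added here and not part of the article, reproduces that walk over a byte buffer laid out the way BackupRead produces it, so the logic can be checked on any platform without a Windows file handle. The buffer contents are constructed sample data, and only the $DATA streams are reported, as Listing 2 does.

```python
import struct

# Stream type ids from winnt.h (the dwStreamId field of WIN32_STREAM_ID)
BACKUP_INVALID = 0
BACKUP_DATA = 1            # the unnamed stream, reported as ::$DATA
BACKUP_EA_DATA = 2
BACKUP_SECURITY_DATA = 3
BACKUP_ALTERNATE_DATA = 4  # a named stream; the name arrives as ":name:$DATA"
BACKUP_LINK = 5

# Fixed part of WIN32_STREAM_ID, little-endian and unpadded:
#   DWORD dwStreamId; DWORD dwStreamAttributes; LARGE_INTEGER Size; DWORD dwStreamNameSize;
# cStreamName follows immediately, so this is the value Listing 2 computes as
# (LPBYTE)&sid.cStreamName - (LPBYTE)&sid.
_HEADER = struct.Struct("<IIqI")
HEADER_SIZE = _HEADER.size  # 20


def build_stream(stream_id, name, data, attributes=0):
    """Serialise one stream the way BackupRead hands it out (used to build the sample)."""
    name_bytes = name.encode("utf-16-le")
    return _HEADER.pack(stream_id, attributes, len(data), len(name_bytes)) + name_bytes + data


def parse_backup_streams(buf):
    """Walk a BackupRead-style buffer and return (stream_id, name, size) for every stream."""
    streams = []
    pos = 0
    while pos + HEADER_SIZE <= len(buf):
        stream_id, _attrs, size, name_size = _HEADER.unpack_from(buf, pos)
        if stream_id == BACKUP_INVALID:   # Listing 2 stops here too
            break
        pos += HEADER_SIZE
        if pos + name_size > len(buf):
            raise ValueError("truncated stream name at offset %d" % pos)
        name = buf[pos:pos + name_size].decode("utf-16-le")
        pos += name_size
        if size < 0 or pos + size > len(buf):
            raise ValueError("truncated stream data for %r" % name)
        streams.append((stream_id, name, size))
        pos += size                        # the BackupSeek step: skip the stream's data
    return streams


def data_streams(buf):
    """Only the $DATA streams, as Listing 2 prints them: name and size in bytes."""
    out = []
    for stream_id, name, size in parse_backup_streams(buf):
        if stream_id == BACKUP_DATA:
            out.append(("::$DATA", size))
        elif stream_id == BACKUP_ALTERNATE_DATA:
            out.append((name, size))
    return out


# Constructed sample: what BackupRead would return for a file whose main stream holds
# "Test\r\n", which carries a security descriptor (dummy bytes, ignored as in Listing 2)
# and two alternate streams, one of them hiding an executable as in the article.
SAMPLE_BUFFER = (
    build_stream(BACKUP_DATA, "", b"Test\r\n")
    + build_stream(BACKUP_SECURITY_DATA, "", b"\x01\x00\x04\x80" + b"\x00" * 40)
    + build_stream(BACKUP_ALTERNATE_DATA, ":secret.txt:$DATA", b"You can't see me\r\n")
    + build_stream(BACKUP_ALTERNATE_DATA, ":note.exe:$DATA", b"MZ" + b"\x00" * 62)
)

if __name__ == "__main__":
    for name, size in data_streams(SAMPLE_BUFFER):
        print("%-20s %6d bytes" % (name, size))
```

The two length checks are the caveat Listing 2 lacks: a header that announces more name or data bytes than remain in the buffer is rejected instead of being read past the end, which matters when the same walk is applied to a backup image of unknown origin.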

Detection

Once a stream with information has been attached, it is hard to reach without knowing its name. If a stream is attached to a logical drive, Windows has no standard means of showing it at all. (Windows Vista and later can list the streams of files with the /R switch of dir, but the systems discussed here cannot.) Also, a stream name may contain characters that are not allowed in ordinary file names, which creates additional difficulties when trying to read such a stream from the command line. For example, the stream in which a document's summary is saved has a name that begins with the character with code 0x05. This character can be typed in the console (Ctrl+E), but if a name contained the characters 10 or 13 (line feed and carriage return), typing it would be impossible. In principle, you can learn about attached streams indirectly, using other software installed on the computer. WinRAR has an option which, when enabled, lets you notice that the size of a small file placed in an archive not only does not shrink but actually grows (because the data in its streams goes into the archive too). This may arouse suspicion. A program for monitoring access to the file system, File Monitor from the same Sysinternals, makes no distinction between accesses to files and to streams, so it is enough to catch the moment the suspect program (your keylogger) flushes its log to disk, and you will see the name of the file being written together with the name of the stream attached to it.
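Two practical pieces from the "Working with streams" section and from this one, as an added example that is not part of the article: the parsing rules for the file_name:stream_name:attribute form (the drive-letter colon has to be kept apart from the stream colon, the attribute type defaults to $DATA, and the object may be a file, a directory or a volume root), the check a web server needed against the old IIS trick of appending ::$DATA to a script name, and a scan of File Monitor-style output for writes that went into a named stream. The log lines are constructed; their tab-separated layout (sequence number, time, process:pid, request, path, result, details) is an assumption modelled on a Filemon export, not a guaranteed format, and the process and stream names in them are invented.

```python
import re
from urllib.parse import unquote

# Characters NTFS forbids in an ordinary file name. The article notes that several
# of them (* ? < > | and the quote) are nevertheless legal inside a stream name,
# as are control characters, which is why such streams are awkward to type at a prompt.
FILENAME_FORBIDDEN = set('<>:"/\\|?*') | {chr(c) for c in range(0x20)}

_DRIVE = re.compile(r"^[A-Za-z]:(?=[\\/]|$)")


def parse_stream_path(path):
    """Split an NTFS path into (object, stream_name, attribute_type).

    "file::$DATA" and "file" both mean the unnamed stream; the type defaults to $DATA.
    The object may be a file ("C:\\x\\a.txt:s"), a directory ("C:\\stuff:hide.txt")
    or a volume root ("C:\\:hide.txt").
    """
    drive = ""
    if _DRIVE.match(path):            # keep the drive colon out of the stream split
        drive, path = path[:2], path[2:]
    cut = max(path.rfind("\\"), path.rfind("/")) + 1
    parent, last = path[:cut], path[cut:]
    fields = last.split(":")
    if len(fields) > 3:
        raise ValueError("malformed stream specifier: %r" % last)
    name = fields[0]
    stream = fields[1] if len(fields) > 1 else ""
    attr = fields[2].upper() if len(fields) > 2 else "$DATA"
    if not attr.startswith("$"):
        raise ValueError("attribute type must start with '$': %r" % attr)
    return drive + parent + name, stream, attr


def untypeable_stream_chars(stream):
    """Characters of a stream name that an ordinary file name could not contain."""
    return sorted(c for c in stream if c in FILENAME_FORBIDDEN)


def request_names_stream(url_path):
    """True for requests such as /default.asp::$DATA, the old IIS source-disclosure trick.

    Percent-escapes are decoded first: the server saw the decoded name, so
    /default.asp%3A%3A%24DATA is the same request in disguise.
    """
    last = unquote(url_path).rsplit("/", 1)[-1]
    return ":" in last


WRITE_REQUESTS = {"IRP_MJ_WRITE", "FASTIO_WRITE", "WRITE"}


def find_stream_writes(log_lines):
    """Return (process, object, stream) for each write that went into a named stream."""
    hits = []
    for line in log_lines:
        cols = line.rstrip("\n").split("\t")
        if len(cols) < 6:
            continue
        process, request, path = cols[2], cols[3], cols[4]
        if request.upper() not in WRITE_REQUESTS:
            continue
        try:
            obj, stream, _attr = parse_stream_path(path)
        except ValueError:
            continue
        if stream:                    # the unnamed stream is just the file itself
            hits.append((process.split(":")[0], obj, stream))
    return hits


# Constructed sample log in the assumed Filemon-export layout.
SAMPLE_LOG = [
    "1\t10:19:01 AM\tklogger.exe:1204\tIRP_MJ_CREATE\tC:\\WINNT\\system32\\odbc.ini:log\tSUCCESS\tOptions: Open",
    "2\t10:19:01 AM\tklogger.exe:1204\tIRP_MJ_WRITE\tC:\\WINNT\\system32\\odbc.ini:log\tSUCCESS\tOffset: 4096 Length: 512",
    "3\t10:19:02 AM\texplorer.exe:816\tIRP_MJ_WRITE\tC:\\Documents\\report.doc\tSUCCESS\tOffset: 0 Length: 8192",
    "4\t10:19:02 AM\texplorer.exe:816\tIRP_MJ_WRITE\tC:\\Documents\\report.doc:\x05SummaryInformation\tSUCCESS\tOffset: 0 Length: 256",
    "5\t10:19:03 AM\tcmd.exe:1388\tIRP_MJ_WRITE\tC:\\stuff:hide.txt\tSUCCESS\tOffset: 0 Length: 22",
    "6\t10:19:04 AM\tsvchost.exe:640\tIRP_MJ_READ\tC:\\:$MountMgrRemoteDatabase\tSUCCESS\tOffset: 0 Length: 4096",
]

if __name__ == "__main__":
    for process, obj, stream in find_stream_writes(SAMPLE_LOG):
        print("%-14s wrote %s  stream %r  (untypeable: %r)"
              % (process, obj, stream, untypeable_stream_chars(stream)))
```

Run on the sample, the scan reports the keylogger's write into odbc.ini:log, Explorer's write into the 0x05SummaryInformation stream of a document (the legitimate case the article mentions, which a reviewer must learn to recognise), and the write into the stream of the directory C:\stuff; the read of the volume's $MountMgrRemoteDatabase stream is ignored because it is not a write.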

Viruses

In 2000 the first virus appeared that used alternate file streams to spread. W2K.Stream was the first representative of a new type of virus, the stream companion. It looks for .exe files in its directory and begins infecting them: an additional stream is attached to the file, the original program is moved into it, and then the body of the virus is copied into the main stream of the file. When an infected file is launched, the virus tries to infect the files in its directory and then launches the original program from the additional stream. Indeed, with the CreateProcess function you can launch a process from a stream. Moreover, according to the description, the file with the stream can then be deleted while the process keeps running (test this claim before relying on it: the system normally refuses to delete an image that is still mapped). Simply a fairy tale for Trojan writers! Despite the fact that many years have passed since W2K.Stream appeared, not all antivirus programs detect malicious code in file streams even now. Therefore the appearance of new malware that uses streams can become a serious problem.

Other viruses that use streams

Besides W2K.Stream, streams have been used by other viruses and worms. The first worm to use file streams was I-Worm.Potok. It attaches a bunch of streams to the odbc.ini file in the Windows directory and stores there the scripts it uses for mailing itself. Another virus is W2K.Team. Descriptions of these and other similar viruses can be found at http://www.viruslist.com/

Working with streams from the console

Create a file with a stream:
type nul > somefile.txt:Stream

Write to the stream:
echo "Something" >> somefile.txt:Stream

Read the stream:
more < somefile.txt:Stream

Copy the contents of an ordinary file into a stream:
type file1.txt >> somefile.txt:Stream

Copy the contents of a stream into a file:
more < somefile.txt:Stream >> file2.txt

Deleting streams

It is widely believed that a stream can only be deleted together with the file it is attached to. This is not so. If you know the name of the stream, you can delete it with the standard DeleteFile function.

Listing 1. Example of creating a stream.

#include <windows.h>

int main()
{
    DWORD dwWritten;
    // Opening "testfile:stream" creates both the file and its named stream
    HANDLE hStream = CreateFile("testfile:stream", GENERIC_WRITE, FILE_SHARE_WRITE,
                                NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hStream == INVALID_HANDLE_VALUE) return 1;
    const char msg[] = "This is a stream";
    WriteFile(hStream, msg, sizeof(msg) - 1, &dwWritten, NULL);
    CloseHandle(hStream);
    return 0;
}

Listing 2. X-Stream: a program that displays the list of streams

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>

int _tmain(int argc, _TCHAR *argv[])
{
    WIN32_STREAM_ID sid;
    ZeroMemory(&sid, sizeof(WIN32_STREAM_ID));
    DWORD dw1, dw2, dwRead;
    LPVOID lpContext = NULL;
    WCHAR wszStreamName[MAX_PATH];
    unsigned numofstreams = 0;

    if (argc < 2) {
        _tprintf(_T("Usage: xstream <file | directory | drive>\n"));
        return 1;
    }

    /* Open the object for reading with FILE_FLAG_BACKUP_SEMANTICS, which allows
       opening not only files but also directories and disks. */
    HANDLE hFile = CreateFile(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        _tprintf(_T("\nError: Couldn't open file, directory or disk %s\n"), argv[1]);
        exit(0);
    }

    /* Size of the stream header without the variable-length name */
    DWORD dwStreamHeaderSize = (DWORD)((LPBYTE)&sid.cStreamName - (LPBYTE)&sid);
    _tprintf(_T("\nStreams information for %s:\n"), argv[1]);

    /* Read the header of each stream in turn; at the end BackupRead succeeds with 0 bytes */
    while (BackupRead(hFile, (LPBYTE)&sid, dwStreamHeaderSize, &dwRead, FALSE, TRUE, &lpContext)
           && dwRead == dwStreamHeaderSize) {
        // If the stream type is invalid, the loop is interrupted
        if (sid.dwStreamId == BACKUP_INVALID) break;
        ZeroMemory(wszStreamName, sizeof(wszStreamName));
        // Read the stream name (only named streams have one)
        if (sid.dwStreamNameSize > 0) {
            if (sid.dwStreamNameSize > sizeof(wszStreamName)) break;
            if (!BackupRead(hFile, (LPBYTE)wszStreamName, sid.dwStreamNameSize, &dwRead,
                            FALSE, TRUE, &lpContext)) break;
        }
        if (sid.dwStreamId == BACKUP_DATA || sid.dwStreamId == BACKUP_ALTERNATE_DATA) {
            numofstreams++;
            printf("\n\nStream\t\t#%u", numofstreams);
            switch (sid.dwStreamId) {
            case BACKUP_DATA:           printf("\nName:\t\t::$DATA"); break;
            case BACKUP_ALTERNATE_DATA: printf("\nName:\t\t%S", wszStreamName); break;
            }
            printf("\nSize:\t\t%I64d\n", sid.Size.QuadPart);
        }
        // Skip the stream's data to reach the next stream header
        BackupSeek(hFile, sid.Size.LowPart, sid.Size.HighPart, &dw1, &dw2, &lpContext);
        // Clear the structure before the next iteration
        ZeroMemory(&sid, sizeof(sid));
    }
    // Release the context in which BackupRead keeps its internal state
    BackupRead(hFile, NULL, 0, &dwRead, TRUE, FALSE, &lpContext);
    // Close the file
    CloseHandle(hFile);
    return 0;
}

Also on the topic of file streams:

  • NTFS Stream Explorer 2.00, a program for working with NTFS streams

Alternate Data Stream (AltDS) support was added to NTFS for compatibility with the Macintosh HFS file system, which uses a resource fork to store icons and other file information. AltDS use is hidden from the user and is not accessible by ordinary means. Explorer and other programs work with the standard stream and cannot read data from alternate ones. With AltDS you can easily hide data that cannot be found by standard system checks. This article gives basic information about how AltDS work and what they are for.

Creating an AltDS

Creating an AltDS is really easy. The command line is used for this. First let's create a base file to which we will attach our streams:
C:\>echo Just a plain text file>sample.txt

C:\>type sample.txt
Just a plain text file


Next, we use the colon as the operator that tells the system we want to use an AltDS:
C:\>echo You can't see me>sample.txt:secret.txt

To see it, you can use either of the following commands:
C:\>more < sample.txt:secret.txt

or
C:\>notepad sample.txt:secret.txt

If everything works, you will see the text "You can't see me", but when you open sample.txt from Explorer this text will not be visible. An AltDS can also be attached not only to a file but also to a folder. For example:
C:\>md stuff
C:\>cd stuff
C:\stuff>echo Hide stuff in stuff>:hide.txt
C:\stuff>dir
 Volume in drive C has no label.
 Volume Serial Number is 40CC-B506

 Directory of C:\stuff

09/28/2004  10:19 AM    <DIR>          .
09/28/2004  10:19 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  12,253,208,576 bytes free
C:\stuff>notepad :hide.txt

Now you know how to view and edit an attached AltDS with Notepad, and how to attach one to files and folders.

Hiding and launching a program

It is just as easy to hide programs and tools in an AltDS as text files. First I create a base file:

Next, let's put our program into a stream; as an example I will use notepad.exe:
C:\WINDOWS>type notepad.exe>test.txt:note.exe

Now let's look at the text in our file:
C:\WINDOWS>type test.txt
Test

And now let's launch our hidden program:
C:\WINDOWS>start .\test.txt:note.exe
C:\WINDOWS>

Since this article is not a complete translation of the source article, it is intended as a simple introduction to the topic. Additional methods can be found in the sources referenced.

UPD:

Utilities for working with AltDS (the list was taken from the articles referenced):

LADS - List Alternate Data Streams by Frank Heyne
www.heysoft.de/Frames/f_sw_la_en.htm

Streams.exe from Sysinternals.