Udostępnij za pośrednictwem


Alternate Data Streams

I want to recap a topic that has been around for a while:  Alternate Data Streams.  This topic has resurfaced again in an interesting way.  I'm going to tell you about it in later post.  However, I thought I'd explain Alternate Data Streams again, just in case some of you don't know what they are.  The later post will then make more sense.

So, what are Alternate Data Streams?  Well, it happens that NTFS files can have more than one set of data stored inside them.  (You cross-platform guys might know about "resource forks."  This is a similar concept.)  Everyone knows about the primary stream.  This is the data that we normally associate with files.  It is the data that we see when we open the file, and it accounts for the file size numbers that we see in file listings.  However, we can "hide" other sets of data in a file too.  Let's look at a simple example. (It is very important that you use the same commands that I do.  Not all console commands are aware of alternate data streams.)

Open a command window and try the following:

Create a file called "names.txt" that contains my name:
echo Jerry > names.txt

Prove that the file contains my name:
more < names.txt

Get the size of the file:
dir names.txt

You should see that the file contains 8 bytes.  That's 5 bytes for my name, 2 bytes for the CRLF, and 1 byte for the space.  (Look closely at the command.  There's a space between my name and the ">" character.)  This is all very normal.  Now let's mess with some alternate streams.

Add my wife's name to the file, in an alternate data stream:
echo Tammy > names.txt:wife

Prove that the file contains both names:
more < names.txt
more < names.txt:wife

Get the size of the file:
dir names.txt

There are now two separate sets of data in this one file.  One, the default, contains my name.  The alternate stream contains my wife's name.  However, the directory listing shows 8 bytes, not the 16 that are actually there.  The dir command is not aware of alternate data streams, so it doesn't account for them in its listing.  Some of the file's data is now hidden.

Let go one step further.  Add my son's name:
echo > Evan names.txt:son

Check out the results as we did before.  You now have 23 bytes of data contained in three steams, but the directory listing still shows 8.

Neat, huh?

I'll leave the rest to you.  Remember that we are talking data streams here, not text.  There is a demo on the web that shows how to hide calc.exe inside sol.exe.  You can execute either program, too.  The possibilities run deep.

Now, why did I bring this up?  I'll tell you more in another post.  However, for right now, you should know that many programs take advantage of these streams.  For example, some virus scanners hide tracking data in the files that they scan.  Some viruses hide themselves in there too.  Stay turned for more.

Comments

  • Anonymous
    September 20, 2007
    PingBack from http://msdnrss.thecoderblogs.com/2007/09/20/alternate-data-streams/

  • Anonymous
    September 20, 2007
    If we delete a file, does it delete all the data streams associated with that file? Also, is there a way to see all data streams associated with a file?

  • Anonymous
    September 20, 2007
    Hi fkautz, Yes, deleting a file deletes all of the streams associated with it.  (Thank goodness!)  Otherwise, we'd be in a world of hurt.  Alternate Data Streams are used a lot more often that you might think.   To view all of the streams in a file, you need to access the file using low-level APIs.  Fortunately for those of us that don't want to write stuff like this, there are numerous programs on the web that do it for us.  The one that I've heard the most about is called LADS (List Alternate Data Streams), and can be downloaded from http://www.heysoft.de/Frames/f_sw_la_en.htm.  Give it a try.  You might be surprised at the number of alternate streams in use on your system.

  • Anonymous
    September 20, 2007
    The website you linked from heysoft.de mentions we can use "dir /r" in Windows Vista. I tried it out and it does show alternate streams.

  • Anonymous
    September 28, 2007
    The comment has been removed

  • Anonymous
    October 15, 2007
    is there a way to separate the ADS from the file it is stored on and save the ADS as a file on your computer, eg; say i want to store an exe file as an ADS on a program or file then i want to retrieve that ADS and save it onto my computer with a different name

  • Anonymous
    October 15, 2007
    is it possible to take an ADS off a file (say an image or an executable file) and save it somewhere as a new file?

  • Anonymous
    October 16, 2007
    Hi Dennijr, Yes, you can do what you ask.  However, the only way that I know to do it would be to write a program using the low-level file APIs.  You can learn more here: http://msdn.microsoft.com/msdnmag/issues/06/01/NETMatters/.  There is also an interesting FAQ here: http://www.heysoft.de/Frames/f_faq_ads_en.htm.