Bypassing Alternative Data Streams detection tools.
A real definition can be found on wikipedia: wiki. I would describe it as a file which gets appended to a already existing file. One effect of ADS files is, that there are not listed in explorer.
Getting Started
Lets start creating a simple ADS. The following cmd command appends calc.exe to file.txt with the name hidden.exe. If file.txt doesn't exist it will be created:
C:\users\asdf\> type C:\windows\write.exe > file.txt:hidden.exe
- C:\users\asdf\
is the current working directory
- type
outputs the content of a file
- >
pipes the output into a file
- file.txt
is the file where the ads gets appended
- :
defines the starting of the ads
- hidden.exe
is the name of our ads
To start the hidden.exe we use the wmic call
C:\users\asdf\>wmic process call create C:\users\asdf\file.txt:hidden.exe
With dir /r we can list ads
C:\users\asdf\>dir /r
17.11.2012 16:55 0 file.txt
10.240 file.txt:hidden.exe:$DATA
To list ADS a lot of tools exist, like streams from Sysinternals or dir /r (Windows 7).
But the only good tool is tsk-xview.exe made by Michael Hale Ligh Autor of the Malware Analyst Cookbook (its XP only). Here is a short introduction of the tool link
Stealth ADS or fooling the api
To bypass ADS detection tools which rely on the windows api, you have to use obscure file names. There a some tricks to make windows go crazy, I will show you two tricks:
The first trick is to use … as the name for the file which resides on the disk. The ads appened to it, won't be visible by dir /r or any other tool, which uses the windows api. Additionally you won't be able to delete this file :)
C:\users\asdf\> type C:\windows\write.exe > ...:hidden.exe
Now lets do a dir /r
C:\users\asdf\>dir /r
17.11.2012 17:24 <DIR> .
17.11.2012 17:24 <DIR> ..
17.11.2012 17:24 0 ...
17.11.2012 16:55 0 file.txt
No ADS listed. To proof its there, just start the ads as usual:
C:\users\asdf\>wmic process call create C:\users\asdf\...:hidden.exe
Have fun trying to delete the file :P
2. Using a reserved name like COM1
To create files with reserved names like nul or COM1 we have to use UNC path. Instead of C:\ you can write \\.\C:\. The modified command will look like this
C:\users\asdf\> type C:\windows\write.exe > \\.\C:\users\asdf\COM1:hidden.exe
But all this tricks won't work against the tsk-xview.exe (which only works on Windows XP... ). It reads the file system on low-level, without using the windows api so strange file names are no obstacle.
So how to bypass that, with only one command in cmd?
The forgotten location
I almost gave up defeating this forensic tool, but then I rememberd that there is a special location for ADS. ADS can not only be appended to files on the disk, it is also possible to append them to the drive itself. We just append an ads directly to C:\ and the forensic tool won't find it. So here is the magic command
C:\users\asdf\> type C:\windows\write.exe >C:\:hidden.exe
It is simple like that.
That was my short summary about stealth ads.
