Saturday, November 17, 2012

Hidden Alternative Data Streams

Bypassing Alternative Data Streams detection tools.

Before we can start playing around I should explain what an Alternative Data Stream (ADS) is and how to create one.

A real definition can be found on Wikipedia: wiki. I would describe it as a file which gets appended to an already existing file. One effect of ADS files is that they are not listed in Explorer.

Getting Started

Let's start by creating a simple ADS. The following cmd command appends an executable (write.exe in this example) to file.txt under the name hidden.exe. If file.txt doesn't exist it will be created:

C:\users\asdf\> type C:\windows\write.exe > file.txt:hidden.exe

  • C:\users\asdf\ is the current working directory
  • type outputs the content of a file
  • > redirects the output into a file
  • file.txt is the file to which the ADS gets appended
  • : marks the start of the ADS name
  • hidden.exe is the name of our ADS

To start hidden.exe we use a wmic call:

C:\users\asdf\>wmic process call create C:\users\asdf\file.txt:hidden.exe

With dir /r we can list the ADS:

C:\users\asdf\>dir /r
17.11.2012 16:55 0 file.txt
10.240 file.txt:hidden.exe:$DATA

Many tools exist to list ADS, such as streams from Sysinternals or dir /r (Windows 7).
But the only really good tool is tsk-xview.exe, made by Michael Hale Ligh, author of the Malware Analyst's Cookbook (it is XP only). A short introduction to the tool is here: link

Stealth ADS, or fooling the API

To bypass ADS detection tools which rely on the Windows API, you have to use obscure file names. There are some tricks to make Windows go crazy; I will show you two of them:

1. Using ... as a name

The first trick is to use ... as the name for the file which resides on the disk. The ADS appended to it won't be visible to dir /r or any other tool which uses the Windows API. Additionally, you won't be able to delete this file :)

C:\users\asdf\> type C:\windows\write.exe > ...:hidden.exe

Now let's do a dir /r:

C:\users\asdf\>dir /r
17.11.2012 17:24 <DIR> .
17.11.2012 17:24 <DIR> ..
17.11.2012 17:24 0 ...
17.11.2012 16:55 0 file.txt

No ADS is listed. To prove it's there, just start the ADS as usual:

C:\users\asdf\>wmic process call create C:\users\asdf\...:hidden.exe

Have fun trying to delete the file :P

2. Using a reserved name like COM1

To create files with reserved names like nul or COM1 we have to use a UNC path. Instead of C:\ you can write \\.\C:\. The modified command will look like this:

C:\users\asdf\> type C:\windows\write.exe > \\.\C:\users\asdf\COM1:hidden.exe

But all these tricks won't work against tsk-xview.exe (which only works on Windows XP...). It reads the file system at a low level, without using the Windows API, so strange file names are no obstacle.
So how do you bypass that, with only one command in cmd?

The forgotten location

I almost gave up on defeating this forensic tool, but then I remembered that there is a special location for ADS. ADS can not only be appended to files on the disk; it is also possible to append them to the drive itself. We just append an ADS directly to C:\ and the forensic tool won't find it. So here is the magic command:

C:\users\asdf\> type C:\windows\write.exe >C:\:hidden.exe

It is as simple as that.
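For the defender side of both points above (the tool listing earlier and the root-of-the-volume location just described), here is an added PowerShell inventory script. It is an example written for this page, not code from the original post or from any of the tools it mentions. It assumes Windows PowerShell 3.0 or later on an NTFS volume (the -Encoding Byte form of Get-Content is the Windows PowerShell 5.1 syntax); the function names Get-AdsInventory and Test-AdsLooksExecutable and the $Volume parameter are mine.

```powershell
# Added example, not from the original post. Enumerates NTFS alternate data
# streams with the FileSystem provider's -Stream parameter (Windows PowerShell
# 3.0+ on NTFS is assumed). It checks regular files AND the volume root
# directory itself, the "forgotten location" that per-file listings skip.
param(
    [string]$Volume = 'C:\'
)

function Get-AdsInventory {
    param([Parameter(Mandatory)][string]$Volume)

    $found = New-Object System.Collections.Generic.List[object]

    # 1. Streams attached to the root directory itself. A directory has no
    #    unnamed ':$DATA' stream, so every stream returned here is an ADS.
    $rootStreams = Get-Item -LiteralPath $Volume -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $rootStreams) {
        $found.Add([pscustomobject]@{
            Kind   = 'VolumeRoot'
            Path   = $Volume
            Stream = $s.Stream
            Length = $s.Length
        })
    }

    # 2. Streams on files below the root. Every file has ':$DATA' (its normal
    #    content); anything else is a named stream worth a closer look.
    $files = Get-ChildItem -LiteralPath $Volume -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $streams = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { continue }
            $found.Add([pscustomobject]@{
                Kind   = 'File'
                Path   = $f.FullName
                Stream = $s.Stream
                Length = $s.Length
            })
        }
    }
    return $found
}

# A stream that starts with the 'MZ' signature is a PE image, which is what
# the post's hidden.exe example would look like from the inventory's side.
function Test-AdsLooksExecutable {
    param([string]$Path, [string]$Stream)
    $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    return ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
}

$inventory = Get-AdsInventory -Volume $Volume
foreach ($entry in $inventory) {
    $looksExe = Test-AdsLooksExecutable -Path $entry.Path -Stream $entry.Stream
    $entry | Add-Member -NotePropertyName LooksExecutable -NotePropertyValue $looksExe
}
$inventory | Sort-Object Kind, Path | Format-Table Kind, Path, Stream, Length, LooksExecutable -AutoSize
```

Run it as an administrator so the recursion can read every directory (e.g. `.\Get-AdsInventory.ps1 -Volume 'D:\'`). The VolumeRoot rows are the ones a per-file tool never produces, so a stream like hidden.exe on C:\ shows up there. The script still goes through the Win32 API, so the reserved-name and trailing-dot tricks from the post apply to it just as they do to dir /r; a low-level NTFS parser is the only way around those. For catching the write at the moment it happens rather than on a later sweep, Sysmon's FileCreateStreamHash event (Event ID 15) records named stream creation independent of where the stream is attached.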

That was my short summary about stealth ads.