
Apr 08, 2018

Page 1:

Windows Alternate Data Streams

www.winitor.com – Marc Ochsenmeier

How code and data can be hidden within files and directories

March 2012

Overview

Introduction

Importance

Origin

NTFS Stream Basics

Usages

Demo

Issues

API

Tools

Page 2:

Introduction

A file is more than one file…

A file can act as a container for other files

One visible

None or several invisible ones

Any kind of content of any size

What is commonly called "the file" is basically the first (unnamed) stream of that file

Page 3:

Importance

ADS is part of the NTFS infrastructure

◦ It is a mechanism that cannot be disabled

ADS can contain data

◦ Content must be taken into account by backup…

ADS can contain code

◦ Existence must be taken into account by antivirus…

◦ Potential danger (WNT.Stream virus)

ADS are almost unknown

ADS are almost invisible

Page 4:

Origin

ADS have existed since the inception of Windows NT 3.1, enabling Windows and Macintosh clients to share files.

◦ Data (content) and resource (management) forks

Windows servers host resources through the FSFM service.

Page 5:

NTFS Basics - MFT

Information about files on an NTFS partition is located in a construct called the Master File Table (MFT)

◦ One record hosts a collection of attributes that document a file

Page 6:

NTFS Basics - Streams

A file is a collection of attributes

◦ All are stored as (logically) separated streams

◦ Some are mandatory (name, time stamps…)

◦ Some are optional (security descriptor)

◦ Some may appear more than once (LFN/8.3, data…)

[Diagram: an MFT record drawn as a row of attribute streams: Standard info | LFN | 8.3 | Security | Data …; the data streams in the picture are labelled Code, Code, Encryption]

Page 7:

NTFS Basics – File Content

The content of a file is one stream among others

Strictly speaking, NTFS doesn't manage files, it manages streams

$STANDARD_INFORMATION: General attributes (read-only, archive, time stamps: file creation, last modified).

$FILE_NAME: A file can have two filename attributes when a file with a long name has an automatically generated "8.3 name".

$SECURITY_DESCRIPTOR: Access Control List (DACL), Audit Control List and Integrity Level (SACL).

$DATA: Files have one default (unnamed/anonymous) data attribute (the content of the file) and can have several (named) data attributes. Directories have one default (unnamed/anonymous) data attribute (the content of the directory) and can have several (named) data attributes.

Page 8:

Properties

Streams share many properties

Page 9:

Windows usage

Windows Explorer Zone Model

◦ The trust level of some downloaded files is stored inside a text file saved as an ADS named "Zone.Identifier":

[ZoneTransfer]

ZoneId=3
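The following is an added example (Python, not code from the deck or from winitor) that parses the Zone.Identifier layout shown on the slide and, on Windows, reads the stream through the "file:stream" name that CreateFile accepts. The mapping from ZoneId to a zone name follows the Windows security zone model (0 local machine, 1 local intranet, 2 trusted sites, 3 Internet, 4 restricted sites); the ReferrerUrl and HostUrl keys in the constructed sample are keys later Windows versions write and are not shown on the slide.

```python
"""Parse the Zone.Identifier alternate data stream and, on Windows, read it.

Added example, not part of the original slide deck. The [ZoneTransfer]
section with a ZoneId= key is the layout shown on the slide; the zone
names are the Windows security zone model values (URLZONE 0..4).
"""
import sys
from typing import Dict, Optional

# Security zone numbers as written into Zone.Identifier.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [ZoneTransfer] section.

    The stream is a tiny INI file: keys outside [ZoneTransfer] are ignored,
    blank lines and ';' comments are skipped, values keep their case.
    """
    result: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result

def zone_of(text: str) -> Optional[int]:
    """Return the ZoneId as an int, or None if absent or not numeric."""
    value = parse_zone_identifier(text).get("ZoneId")
    if value is None or not value.isdigit():
        return None
    return int(value)

def describe(text: str) -> str:
    """Human-readable summary, e.g. 'ZoneId=3 (Internet)'."""
    zone = zone_of(text)
    if zone is None:
        return "no zone information"
    return "ZoneId=%d (%s)" % (zone, ZONE_NAMES.get(zone, "unknown zone"))

def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS of `path` (Windows/NTFS only).

    'path:Zone.Identifier' is the documented CreateFile syntax for a named
    stream; Python's open() passes it straight through. Returns None when
    the stream is missing or the platform has no alternate data streams.
    """
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

# Constructed sample of what a browser download carries (URLs are made up).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/tool.exe\r\n"
)

if __name__ == "__main__":
    print(describe(SAMPLE_STREAM))
    for target in sys.argv[1:]:
        content = read_zone_identifier(target)
        print(target, "->", describe(content) if content else "no Zone.Identifier stream")
```

Run it with one or more file paths on an NTFS volume to see which zone each downloaded file was marked with; without arguments it only parses the constructed sample.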

Page 10:

Windows usage

Icons for Favorites are saved in an ADS of the URL files

Page 11:

Windows usage

Changes of entries in the Journal File are stored in an ADS named $J

\$Extend\$UsnJrnl

$STANDARD_INFORMATION (resident)

$FILE_NAME (resident)

$DATA $J (nonresident)

logical sectors 23039352-23090447 (0x15f8d78-0x160550f)

logical sectors 26399296-26400295 (0x192d240-0x192d627)

logical sectors 60720016-60728719 (0x39e8390-0x39ea58f)

logical sectors 184110184-184110951 (0xaf94c68-0xaf94f67)

logical sectors 60967328-60968351 (0x3a249a0-0x3a24d9f)

logical sectors 58715456-58716479 (0x37fed40-0x37ff13f)

logical sectors 58572096-58580287 (0x37dbd40-0x37ddd3f)

$DATA $Max (resident)

Page 12:

Windows XP usage

XP generalizes the "Office Summary" to all files

◦ Office summaries are stored in OLE streams

◦ Summaries of other files are stored in ADS named:

"DocumentSummaryInformation"

"SebiesnrMkudrfcoIaamtykdDa"

"SummaryInformation"

Page 13:

Windows 2000 usage

Thumbnails Explorer View

◦ An "encryptable" ADS is added to the "Thumbs.db" files

Indexing Service

◦ A "♣Q30lsldxJoudresxAssqpcawXc" ADS is added to image files

Page 14:

Demo

Syntax

Create an ADS into a file

Create an ADS into a directory

Open a file located in an ADS

Run a program located in an ADS

Page 15:

API

Documented

◦ CreateFile, ReadFile and WriteFile

◦ BackupRead, BackupSeek and BackupWrite

◦ Starting with W2K3: FindFirstStream, FindNextStream

◦ IZoneIdentifier COM interface

Undocumented

◦ NtQueryInformationFile
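As an added example serving both the Demo slide (creating an ADS in a file or directory) and this API slide, the Python below (not the deck's or winitor's code) calls the documented FindFirstStreamW/FindNextStreamW exports (the FindFirstStream/FindNextStream pair listed above) through ctypes, creates a named stream with the "path:name" syntax that CreateFile/WriteFile accept, and classifies every stream it finds. Enumeration only works on Windows/NTFS; the name-splitting and triage helpers run anywhere. The allowlist of "known" stream names is an illustrative one built only from names this deck attributes to Windows, not an authoritative list of benign streams.

```python
"""Enumerate the data streams of a file or directory through the documented
FindFirstStreamW/FindNextStreamW API and classify each named stream.
Added example, not the deck's own code: the Win32 calls go through ctypes,
so enumeration only works on Windows/NTFS; the helpers run anywhere."""
import ctypes
import sys
from typing import List, Tuple

# Stream names the deck attributes to Windows itself; anything else gets "review".
# Illustrative allowlist built from the slides, not an authoritative benign list.
KNOWN_WINDOWS_STREAMS = {
    "Zone.Identifier",                    # Explorer zone model
    "encryptable",                        # Thumbs.db (Windows 2000)
    "SummaryInformation",                 # XP file summary
    "DocumentSummaryInformation",         # XP file summary
    "SebiesnrMkudrfcoIaamtykdDa",         # XP file summary
    "\u2663Q30lsldxJoudresxAssqpcawXc",   # Indexing Service on image files
}

def split_stream_name(raw: str) -> Tuple[str, str]:
    """Split the ':name:$TYPE' form FindFirstStreamW returns.
    '::$DATA' is the unnamed stream holding the visible content,
    ':secret:$DATA' is an alternate data stream named 'secret'."""
    if not raw.startswith(":"):
        raise ValueError("not a stream name: %r" % raw)
    name, _, stream_type = raw[1:].partition(":")
    return name, stream_type

def triage(raw: str) -> str:
    """'content' (unnamed $DATA), 'known' (on the allowlist), 'review' or 'other'."""
    name, stream_type = split_stream_name(raw)
    if stream_type != "$DATA":
        return "other"            # e.g. $INDEX_ALLOCATION on a directory
    if name == "":
        return "content"
    return "known" if name in KNOWN_WINDOWS_STREAMS else "review"

def write_stream(path: str, name: str, data: bytes) -> None:
    """Create/overwrite the ADS 'name' on a file or directory (Windows only).
    'path:name' is what CreateFile/WriteFile accept for a named stream."""
    with open("%s:%s" % (path, name), "wb") as fh:
        fh.write(data)

if sys.platform == "win32":
    MAX_PATH = 260
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    ERROR_HANDLE_EOF = 38
    FIND_STREAM_INFO_STANDARD = 0

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]

    _k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _k32.FindFirstStreamW.restype = ctypes.c_void_p
    _k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    _k32.FindNextStreamW.restype = ctypes.c_int
    _k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    _k32.FindClose.restype = ctypes.c_int
    _k32.FindClose.argtypes = [ctypes.c_void_p]

def list_streams(path: str) -> List[Tuple[str, int]]:
    """Return [(raw_stream_name, size_in_bytes), ...] for a file or directory."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API on NTFS")
    data = WIN32_FIND_STREAM_DATA()
    handle = _k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:
            return []             # a directory with no named streams
        raise ctypes.WinError(err)
    found = []
    try:
        while True:
            found.append((data.cStreamName, data.StreamSize))
            if not _k32.FindNextStreamW(handle, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:
                    break
                raise ctypes.WinError(err)
    finally:
        _k32.FindClose(handle)
    return found

def report(path: str) -> List[str]:
    """One line per stream: classification, size, raw name."""
    return ["%-8s %10d  %s" % (triage(n), s, n) for n, s in list_streams(path)]

if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target)
        for line in report(target):
            print("   ", line)
```

On an NTFS volume, `write_stream("notes.txt", "extra", b"hidden text")` followed by `report("notes.txt")` lists the unnamed stream as "content" and the new one as "review", which is the signal a backup, forensic or antivirus tool needs before deciding what to do with the stream. A directory enumerates only its named streams, which is why an empty result is returned rather than an error when FindFirstStreamW reports ERROR_HANDLE_EOF immediately.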

Page 16:

Management Tools

No real Windows built-in tool

Nfi – Windows Resource Kit

File Monitor - www.sysinternals.com

Streams – www.sysinternals.com

Sfind – www.foundstone.com

CmdStream/ShowStream

Page 17:

Evolution

Support for the enumeration of ADS (starting with Vista)

Page 18:

Issues

Backup & restore

Forensic

DoS (denial of service) attack

Code Execution

Detection and removal

Windows Resource Protection (WRP)

Misuse of valid ADS

Antivirus

Version control systems (e.g. SVN)

Windows Scripting Host

User Account Control (UAC)

Unsupported on other file systems

Page 19:

Summary

ADS exist

ADS cannot be disabled

ADS can be used

ADS can be misused