How To‎ > ‎

Hiding data in Windows NTFS using Alternative Data Streams

You have gained access to the target and uploaded some tools, but you want to hide them from the system Administrator. It's pretty simple actually, all you need to do is to hide it in a Alternative Data Stream (or ADS for short).

As an example I'll show you how to hide notepad.exe in the file hello.txt. First we create the file "hello.txt":

copy con hello.txt Hello World ^Z

then let's see what we got:

dir hello.txt 09/07/2005 01:53 PM 13 hello.txt 1 File 13 bytes 0 Dir(s) 1,642,000,384 bytes free

Ok, the file is 13 bytes in size. Let's hide notepad.exe inside it:

type \windows\system32\notepad.exe > hello.txt:notepad.exe

and see what changed:

dir hello.txt 09/07/2005 01:56 PM 13 hello.txt 1 File(s) 13 bytes 0 Dir(s) 1,641,926,656 bytes free

Notice that the file size has not been updated but the available space on the drive has. The last modification time has however been updated.

To run notepad.exe from inside hello.txt you execute:

start .\hello.txt:notepad.exe

The problem with ADS is that Windows can't detect it, so you would need 3rd party software to find files with ADS in it. There is also no standard Windows tool to remove ADS from a file, which means that you either need to copy it to a FAT partition and back again, overwriting the original copy, or delete and restore it from backup. Another interesting thing about ADS is that it also works on directories, and not only files. If you attach an ADS to the \WINDOWS (or \WINNT) directory the only easy way to get rid of it safely is to re-install the OS(!).

References:

Comments