APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

The dark side of NTFS and Alternative Data Streams.

© March 2005 Drag Sidious

Author: Drag

I was reading the article Tony linked to about the dangers of Windows-based rootkits. In one paragraph they mention that an average programmer has the skills to develop a kernel-mode rootkit for Windows. It made me remember an article I read about alternative data streams and NTFS.

Alternative data streams were originally designed, I believe, to achieve a high degree of compatibility with Apple's HFS file systems. Apple's stuff has a fairly unique property: it stores a large amount of metadata with a file, along with the actual data the file contains (file location on the screen, last program used to open the file, icon information, etc.). On other file systems that don't support this (like Ext3), if you use them to serve files to Apple systems you end up with these ._filename files alongside the individual files to carry this metadata. (That can be a big pain in the rear; you have to clean these out often.)

So NTFS ADS was originally designed to provide compatibility and/or to allow for more advanced file system features and complex metadata.

However, it never really went anywhere. Most support for it was dropped and it just became one of those features that never got used. Well, at least as far as the Win32 API is concerned, which was bolted onto the NT stuff to make it a desktop OS: no support for ADS at all.

This has led to the perverse situation where you can actually store programs and files inside other files' ADSs and the end user has no way to know that they exist. You can even stick data into directories.. even C:\!

This is a simple example that I use to show off. You have to be running NTFS, and you use full paths.

cd C:\
copy C:\winnt\notepad.exe C:\notepad.exe
edit C:\randumb.txt
(type some gibberish and save it)
type notepad.exe > randumb.txt:nd.exe

Now you can still execute that notepad.exe program from within the text file:
start C:\randumb.txt:nd.exe

Or something like that. It usually takes a couple of tries to remember everything from scratch, but it's not difficult. Then I open up Explorer and show that there is no way to detect the nd.exe. Even checking file sizes and such will not show anything.

Ironically, you do use ADS now in Windows XP SP2, I believe, for part of their security model. It's used to store the metadata that Windows uses for zones of control and such.

It puts the 'zone' information in Zone.Marking, like so: filename:zone.marking
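Explorer won't show a named stream, but `dir /R` (a real switch, available since Windows Vista) lists every stream as an extra indented line ending in ":$DATA", so an admin can sweep a directory for them. The Python triage script below is an added example, not part of the original post: it parses a constructed `dir /R` listing, skips the stream Windows itself writes for zone information (which is actually named Zone.Identifier), and flags any other named stream, especially one whose name looks like an executable, as in the notepad trick above.

```python
import re
from collections import defaultdict

# Constructed sample of `dir /R` output (Windows Vista and later). The
# indented lines ending in ":$DATA" are the alternate data streams; the
# file names and sizes are made up to mirror the post's demo.
SAMPLE_DIR_R = """\
 Directory of C:\\

03/15/2005  10:02 AM                24 randumb.txt
                                69,120 randumb.txt:nd.exe:$DATA
03/15/2005  10:05 AM           102,400 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
03/15/2005  10:07 AM                 0 notes.txt
"""

# A stream line has no date/time column: just size, then <file>:<stream>:$DATA.
_STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams Windows writes on purpose. Zone.Identifier is the "mark of the web"
# zone tag (the [ZoneTransfer] / ZoneId=3 data that marks an Internet download).
KNOWN_BENIGN = {"Zone.Identifier"}
EXEC_SUFFIXES = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def parse_streams(dir_output):
    """Return {filename: [(stream_name, size_bytes), ...]} for every named stream."""
    found = defaultdict(list)
    for line in dir_output.splitlines():
        m = _STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found[m.group(2)].append((m.group(3), size))
    return dict(found)


def triage(dir_output):
    """Flag named streams worth a look: anything that is not a known Windows
    stream, with a stronger note when the stream name looks like a program."""
    findings = []
    for fname, streams in parse_streams(dir_output).items():
        for sname, size in streams:
            if sname in KNOWN_BENIGN:
                continue
            looks_exec = sname.lower().endswith(EXEC_SUFFIXES)
            findings.append({
                "file": fname, "stream": sname, "size": size,
                "reason": "executable-looking stream name" if looks_exec
                          else "unexpected named stream",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DIR_R):
        print(f"{f['file']}:{f['stream']}  {f['size']} bytes  -> {f['reason']}")
```

Feed it real output with `dir /R /S C:\ > streams.txt` and read that file instead of the sample; a hidden copy of notepad.exe shows up as a 69 KB stream that Explorer's file size never accounts for.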

I originally learned about the nastiness of hiding files in alternative data streams from an article written by H. Carvey called "The Dark Side of NTFS (Microsoft’s Scarlet Letter)", at the following URL: https://www.infosecwriters.com/texts.php?op=display&id=53

He has a better overview and more information. He also points to a useful program called lads.exe that will help show information about a file's alternative data streams.

This article mentions a bit about Zone.Marking: https://redmondmag.com/columns/article.asp?EditorialsID=716

This page is an NTFS FAQ from the writer of lads.exe, Frank Heyne: https://www.heysoft.de/en/software/lads.php?searchresult=1&sstring=ntfs#wb_21

I find this sort of thing very interesting. Reiserfs v4 is supposed to have a similar feature. It allows a file to be both a file AND a directory at the same time. So you could have a file randumb.txt, but then stick a text file containing metadata into randumb.txt/metadata.randumb.txt or something like that. It would allow similar functionality to HFS+ for any programs that might want to take advantage of it. I could see similar security issues with it, I suppose.

Do a search for 'Files That Are Also Directories' in this page: https://www.namesys.com/v4/v4.html (page gone, sorry)

I hope they were a bit smarter about the possible security issues than MS originally was with NTFS!
