Stealth Alternative Data Stream

Tutorial Key Facts
Supported Operating System: Windows XP, Vista, Win 7 (all versions), 8
File System Type: NTFS
NTFS Version: Not Applicable
Last Update: 2014/07/07
Author: Nihad Hassan

The Ultimate guide to Data Hiding using STEALTH alternative data stream

Microsoft reserves a set of names for its connected hardware devices and their output operations (for example a printer on LPT) and for communication between software components (COM). These names are CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8 and LPT9[1]. By naming our ADS host file with one of these reserved names we can make stealthier ADS files that are not detected by tools such as lns.exe (http://ntsecurity.nu/toolbox/lns), Streams.exe (www.sysinternals.com/utilities/streams.html), ADS Spy (http://www.bleepingcomputer.com/download/ads-spy/), sFind (http://www.mcafee.com/us/downloads/free-tools/forensic-toolkit.aspx) or the regular DOS commands (DIR and DIR /r). After testing all known ADS detection tools, only Lads.exe was able to detect these stealth stream files.

Figure 1: Error messages after attempting to name file or folder with reserved Windows names

As Figure 1 shows, attempting to create a file or directory with any of the reserved names listed above generates an error.

Before saving any file or directory to the file system, Windows checks the validity of the name against the NT-style name rules: these check the name itself, the path length (255 characters maximum) and the presence of periods inside the path name. To get around this naming limitation we use the \\?\ prefix. For file I/O, putting the \\?\ prefix in front of a path string tells the Windows APIs to disable all string parsing and to send the string that follows it straight to the file system[1].

Figure 2: Creating a file with reserved Windows name

We create a file with the reserved Windows name CON.txt, but when we try to open it we get the message "Cannot access the file"; to read this file we need to use the \\?\ prefix again.

Figure 3: Reading a file with reserved Windows name

Now we combine both methods: we create a file with a reserved Windows device name and append an ADS to it. The result is what is called a "Stealth Alternative Data Stream". This approach lets users create completely hidden ADS files that are not easily detected: most ADS detection tools and the DOS commands (DIR and DIR /r) cannot uncover the hidden streams within these files, and some anti-virus software does not scan stealth ADS at all. We can also hide malicious software or malware inside the hidden file, as we did in the previous section, and use the same techniques described previously to launch an executable hidden inside an ADS. Here is a quick example of hiding the Windows calculator inside a stealth ADS and launching it later using the WMIC command.

Figure 4: Hiding executable file inside a stealth ADS file

Figure 5: Running executable file inside Stealth ADS file using WMIC command
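As an added example that is not part of this tutorial, the following Python script applies the same name rules and \\?\ prefix from the defender's side: it walks a directory through the extended-length prefix so device-named entries can be opened, lists each entry's NTFS streams with FindFirstStreamW, and reports every entry that carries a reserved device name or a stream other than the default ::$DATA stream. Stream enumeration needs Windows Vista or later; the name and path helpers run anywhere, and the paths and stream names in the comments are constructed samples.

```python
import ctypes, ntpath, os, sys
# Names Win32 reserves for devices (MSDN "Naming Files, Paths, and Namespaces").
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{d}{i}" for d in ("COM", "LPT") for i in range(1, 10)}

def is_reserved_device_name(name):
    # Win32 rule: the text before the first '.', case-insensitive, with trailing spaces/dots
    # ignored, must not be a device name (so CON.txt and "LPT9 " are reserved as well).
    base = name.rstrip(" .").split(".", 1)[0].rstrip(" ").upper()
    return base in RESERVED

def extended_path(path):
    # Prefix \\?\ (\\?\UNC\ for shares) so Win32 skips name parsing and hands the string
    # to NTFS unchanged; this is the only way a device-named file can be opened or listed.
    if path.startswith("\\\\?\\"):
        return path
    p = ntpath.abspath(path)                  # e.g. C:\evidence\CON.txt (constructed sample)
    return "\\\\?\\UNC\\" + p[2:] if p.startswith("\\\\") else "\\\\?\\" + p

def ads_names(streams):
    # Every stream except the unnamed ::$DATA stream is an alternate data stream.
    return [name for name, _size in streams if name != "::$DATA"]

def list_streams(path):
    # Enumerate (name, size) of all NTFS streams via FindFirstStreamW (Windows Vista or later).
    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong), ("cStreamName", ctypes.c_wchar * 296)]
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype, k32.FindFirstStreamW.argtypes = ctypes.c_void_p, [
        ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.argtypes, k32.FindClose.argtypes = [ctypes.c_void_p] * 2, [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(extended_path(path), 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if h in (None, ctypes.c_void_p(-1).value):                               # INVALID_HANDLE_VALUE
        return []
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))               # e.g. (":calc.exe:$DATA", n)
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(h)
    return streams

def scan(root):
    # Walk root via \\?\ and report device-named entries and anything carrying an ADS.
    findings = []
    for dirpath, dirnames, filenames in os.walk(extended_path(root)):
        for name in dirnames + filenames:
            full = ntpath.join(dirpath, name)
            ads = ads_names(list_streams(full)) if sys.platform == "win32" else []
            if is_reserved_device_name(name) or ads:
                findings.append((full, is_reserved_device_name(name), ads))
    return findings
```

Run scan(r"C:\evidence") in an elevated prompt on the volume under review; each finding is (path, is_reserved_name, [ADS names]), so a reserved-name entry with a named stream is exactly the stealth ADS described above.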


On the Web:

[1] MSDN website [online]. Naming Files, Paths, and Namespaces. Available at: http://msdn.microsoft.com/en-us/library/aa365247%28VS.85%29.aspx [Accessed 2014/03/25].


Permanent link to this article: http://www.darknessgate.com/security-tutorials/date-hiding/stealth-alternative-data-stream/