- Open a Windows command prompt (cmd.exe) on an NTFS volume and create a text file:
C:> echo The quick brown fox > fox.txt
This command saves the echoed string to a text file called fox.txt. On NTFS the content lands in the file's default, unnamed data stream.
- View the contents of fox.txt:
C:> type fox.txt
The quick brown fox
- Write new content to a hidden stream of the same file:
C:> echo jumps over the lazy dog > fox.txt:this_is_hidden
It looks as though we have created a new file called fox.txt:this_is_hidden, but that is not the case: this_is_hidden
is an alternate data stream (ADS) attached to fox.txt, and no file named fox.txt:this_is_hidden exists in the directory.
C:> type fox.txt:this_is_hidden
The filename, directory name, or volume label syntax is incorrect.
type parses the path itself and rejects the colon, so it cannot open a stream directly. We can reveal the contents of the stream by letting cmd redirect it into a command that reads from standard input; the redirection opens the path through the Win32 CreateFile API, which understands the file:stream syntax:
C:> more < fox.txt:this_is_hidden
jumps over the lazy dog
The original data in the unnamed stream is untouched:
C:> type fox.txt
The quick brown fox
Yet a plain dir lists only one file, fox.txt, at its original size:
C:> dir
Note:
- The file's last-modified timestamp changes after adding an ADS. In a plain dir listing or in Explorer that is the only indication that anything happened. dir /R (available since Windows Vista) does list every stream of a file together with its size, as does the Sysinternals streams.exe tool.
- The file size shown remains unchanged when adding an ADS, because it reports only the unnamed stream. A file can therefore carry many streams, of any size, without the listing giving them away.
- Because of this subtlety, ADS are easy to overlook unless streams are enumerated explicitly.
- Streams are an NTFS feature. Copying the file to a FAT/exFAT volume or packing it into a zip archive silently drops them, so the hidden data does not travel with the file.
Example of abusing ADS in malware:
C:> type c:\windows\system32\rundll32.exe > fox.txt:rundll32.exe
Here we have copied the bytes of rundll32.exe into a new stream named rundll32.exe on fox.txt. dir still shows fox.txt at its original size, even though the stream now holds a complete executable.
To run this hidden copy of rundll32.exe directly from the ADS, we run:
C:> start c:\fox.txt:rundll32.exe
rundll32.exe stands in here for any malicious executable an attacker wants to stage on the host. Whether this direct launch succeeds depends on the Windows build, so verify it on the target rather than assume it.
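Because neither dir nor the reported file size gives an ADS away, the practical check is to enumerate streams explicitly. The following PowerShell script is an added example and not part of the original page: it reproduces the steps above (the text stream and the rundll32.exe copy) with PowerShell cmdlets instead of echo/type, then scans a directory tree for files carrying non-default streams and flags any stream that starts with the MZ header of a PE executable. The ads-demo folder under $env:TEMP, the function names and the output layout are my assumptions; the cmdlets and their -Stream parameters are standard PowerShell (3.0 and later).

```powershell
# Added example: stage an ADS as in the text, then hunt for hidden streams.
# Folder and function names are assumptions, not from the original page.
$ErrorActionPreference = 'Stop'
$dir    = Join-Path $env:TEMP 'ads-demo'
$null   = New-Item -ItemType Directory -Path $dir -Force
$target = Join-Path $dir 'fox.txt'

# --- 1. Reproduce the page's steps with cmdlets ---------------------------
Set-Content -Path $target -Value 'The quick brown fox'
# -Stream writes to the named alternate data stream; no file "fox.txt:this_is_hidden" appears.
Set-Content -Path $target -Stream 'this_is_hidden' -Value 'jumps over the lazy dog'

# Copy rundll32.exe into a stream byte-for-byte. Windows PowerShell 5.1 spells the
# raw-byte switch "-Encoding Byte"; PowerShell 6+ spells it "-AsByteStream".
$bytes = [System.IO.File]::ReadAllBytes((Join-Path $env:SystemRoot 'System32\rundll32.exe'))
if ($PSVersionTable.PSVersion.Major -ge 6) {
    Set-Content -Path $target -Stream 'rundll32.exe' -Value $bytes -AsByteStream
} else {
    Set-Content -Path $target -Stream 'rundll32.exe' -Value $bytes -Encoding Byte
}

# Reading a stream back is just as explicit (prints: jumps over the lazy dog).
Get-Content -Path $target -Stream 'this_is_hidden'

# --- 2. Detection: enumerate every stream, flag embedded executables ------
function Get-StreamHeader {
    # First two bytes of a named stream (PE images start with 'MZ' = 0x4D 0x5A).
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -Path $Path -Stream $Stream -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue
    } else {
        Get-Content -Path $Path -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    }
}

function Find-AlternateStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force | ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one record per stream, including the default ':$DATA'.
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $hdr = @(Get-StreamHeader -Path $file.FullName -Stream $_.Stream)
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    # 'Zone.Identifier' (mark-of-the-web) is common and benign; an MZ header is not.
                    IsPE   = ($hdr.Count -ge 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                }
            }
    }
}

# Expected: two rows for fox.txt, 'this_is_hidden' with IsPE False and 'rundll32.exe' with IsPE True.
Find-AlternateStreams -Root $dir | Format-Table -AutoSize

# --- 3. Remediation: delete individual streams without touching the file itself
Remove-Item -Path $target -Stream 'rundll32.exe'
Remove-Item -Path $target -Stream 'this_is_hidden'
```

The same enumeration is available from cmd as dir /R, and from Sysinternals streams.exe (streams -s <dir> recurses, streams -d deletes). In a hunt, run Find-AlternateStreams over user-writable locations and triage on IsPE and on unusual stream names rather than on size, since the size column of a plain listing never reflects the streams.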