I'm going to try and go through some steps on using Alternate Data Streams (ADS) to hide information.
First, I will create a text file named "host.txt" with some information in it using the following command:
echo "Stuff" > host.txt

Now I will create another text file named "evil.txt" that contains the data that I want to hide:
echo "Evil Stuff" > evil.txt

Ok so now we have two files: one is just a normal file, and the other theoretically has some bad stuff in it.
Now if you execute "type host.txt" or "type evil.txt" you can see the text that was written into each file.
Let's hide evil.txt in a stream in host.txt now.
type evil.txt > host.txt:evil.txt
The command executes and it looks like nothing has changed, except for the date modified.

Now let's delete evil.txt just for good measure.
del evil.txt
Now let's see if we can view the evil.txt contents that are hidden in a stream in host.txt.
more < host.txt:evil.txt

There it is, nice and hidden.
Ok so that is hiding text data, what about executables? Can you put an executable in an alternate data stream and execute it from there? Let's try.
Let's compile a simple little C program named ads.exe to execute.
#include <stdio.h>
#include <stdlib.h>   /* system() is declared here */

int main(void)
{
    /* Just prove the program ran, then wait for a keypress so the window stays open. */
    printf("Bad stuff just happened\n");
    system("pause");
    return 0;
}
The simple output is:

Now let's hide that in the host.txt file
type ads.exe > host.txt:ads.exe
Once again, nothing looks like it has changed with the host.txt file.
Now delete ads.exe
del ads.exe
Let's try to execute the ads.exe stream.
start .\host.txt:ads.exe


I am unable to get this to execute on Windows 7 using the 'start' command. Let's try using the 'wmic' command to start a process.
wmic process call create d:\ads\host.txt:ads.exe
PERFECT!
Let's try on an XP box I have using the 'start' command.
BINGO!!

Now that we've seen how alternate data streams can be created, let's quickly look at a program that can be used to detect these streams.
There are quite a few out on the Internet, but the one we will look at is Streams from Microsoft. You can download it and unzip it into a directory.
Doing a quick:
Streams /?
Shows a pretty simple syntax. I'll run it on the host.txt file to see what it shows.
Streams host.txt

This has 3 streams attached to it: ads.exe, ads.ps1, and evil.txt. The ads.ps1 was just something I toyed around with in PowerShell; you can ignore it.
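As an added example (not code from the original post), here is a PowerShell function that does the same job as Streams by using the -Stream parameter built into Get-Item, Get-Content, Set-Content and Remove-Item (Windows PowerShell 3.0 and later, NTFS volumes only). The function name, the temp folder and the "MZ" heuristic are my own choices; it rebuilds the host.txt / evil.txt scenario from above and then scans for it.

```powershell
# Added example, not from the original post: list every named stream under a
# directory, the way "Streams" does, using PowerShell's built-in -Stream support.
# Assumes Windows PowerShell 3.0+ on an NTFS volume.

function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Peek at the first line of the stream: a PE image (like ads.exe) begins with "MZ".
                    $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
                    $note = if ($_.Stream -eq 'Zone.Identifier') { 'Mark-of-the-Web (normally benign)' }
                            elseif ("$head".StartsWith('MZ')) { 'starts with MZ: possible executable' }
                            else { '' }
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Note   = $note
                    }
                }
        }
}

# Rebuild the post's host.txt / evil.txt scenario in a temp folder (my own path choice) and scan it.
$dir      = Join-Path $env:TEMP 'ads-demo'
$hostFile = Join-Path $dir 'host.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath $hostFile -Value 'Stuff'                          # echo "Stuff" > host.txt
Set-Content -LiteralPath $hostFile -Stream 'evil.txt' -Value 'Evil Stuff'  # type evil.txt > host.txt:evil.txt

Find-AlternateDataStream -Path $dir -Recurse | Format-Table -AutoSize

# Cleanup that keeps host.txt itself but drops the hidden stream.
Remove-Item -LiteralPath $hostFile -Stream 'evil.txt'
```

Pointing the function at a user's profile or a download folder is the practical use: Zone.Identifier streams are expected there, anything else deserves a look.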
This is just a quick sampling of what Alternate Data Streams are, how to create them, and just one application out there that can be used to detect them. I have found these streams to be very interesting, and they are definitely something I will keep an eye on and do a little more research into.
Until next time... See Ya!