
Software using alternate NTFS streams. Alternate data streams in NTFS, or how to hide Notepad

The purpose of this article is to explain what alternate data streams (ADS) are in Windows operating systems, to demonstrate how to create them and use them to compromise a machine, and to show how to find hidden files with publicly available utilities. First we need to understand what ADS are and the threat they pose, then we will see how they are used in an attack, and finally we will look at tools for detecting this activity and for stopping further abuse of them.

Why do they exist?

Alternate data streams appeared in Windows together with NTFS. As far as I understand, they were not created for any purpose of their own: they were added for compatibility with HFS, the old Macintosh Hierarchical File System, whose files Windows NT Server had to store for Macintosh clients. HFS keeps the content of a file in two parts, a data fork and a resource fork. The data fork holds the document's content, while the resource fork holds data that identifies the file: its type and other metadata. Today few ordinary users know that additional streams exist. In the computer security world, however, they have found some use. Attackers use ADS to store files on compromised computers, and viruses and other malware sometimes use them too. The point is that these streams are not shown by the usual tools, whether Explorer or the command line. Why is that interesting? Because incident investigators do not always pay attention to them, and not all antivirus products scan streams for malware by default.

To the point

To understand the real danger of ADS, it is best to demonstrate how to work with them. In the example we use the Metasploit Framework to penetrate the machine through the MS04-011 (LSASS) vulnerability. Then we upload files over TFTP and place them in alternate data streams. Once that is done, we launch from the command line on the remote machine a scanner that scans the network for other machines. Note that the authors of the Metasploit Framework marked their creation with the METASPLOIT signature so that security products can identify packets coming from it. Look at the packet coming from the attacker.

Here 192.168.1.102 is the attacker's computer, which runs the Metasploit Framework, and 192.168.1.101 is the vulnerable computer with Windows 2000 Professional. In this case the OS is installed without patches or service packs, purely for demonstration purposes :). Note that ADS by themselves are not very useful; they only delight an attacker who already has access to the machine, that is, when there is a vulnerability in the operating system. On a real network you are unlikely to find an unpatched Windows 2000, so you would have to look for other ways in.

Below we see that the attack succeeded: a reverse shell handed over by the victim is open on the attacking machine. By default this Metasploit exploit uses port 4321, but it can be changed.

Having penetrated the machine, we need to transfer files to it. For this we use TFTP; in this case we fetch ipeye.exe.

In the same way, download psexec.exe, pslist.exe and klogger.exe. Let's list the directory C:\Compaq\, where everything was uploaded.

Now let's put ipeye.exe into a stream attached to the existing file test_file.

Then the same can be done with the other files we need. Note that an alternate stream can be attached not only to a file but also to a directory, for example to C:\. Let's run the scanner we mentioned at the beginning, ipeye.exe, on the infected computer:

c:\Compaq\test_file:ipeye.exe

(To be continued)

The NTFS file system has many interesting features, one of which is alternate data streams (ADS). The idea is that every file in NTFS is a set of streams in which data is stored. By default all data lives in the main stream, but additional, alternate data streams can be added to the file when needed.

Note. Alternate data streams in NTFS appeared a long time ago, back in Windows NT. They were created for compatibility with the HFS file system used on the Macintosh at the time: HFS keeps a file's resources and type information in a dedicated resource fork alongside the data fork.

Files in NTFS are made up of attributes, one of which is $DATA, the data attribute. Streams are instances of the $DATA attribute. By default there is one, the main stream $DATA:"". As you can see it has no name, so it is called the unnamed stream. You can also create additional named streams, for example $DATA:"Stream1". Each file in NTFS can have several data streams containing different, unrelated data.

All data written to the file goes to the main data stream by default. When we open the file we see exactly the main stream, while the alternate streams are hidden from the user and are not displayed by conventional means. They cannot be seen with the standard tools, although some programs can read the data hidden in them. You can also work with streams from the command line.

For example, let's open a console and use the echo command to create a text file streams.txt and write some text into it:

echo This is main stream > streams.txt

And with the following command, write text to the alternate stream stream1:

echo This is alternate stream > streams.txt:stream1

If you now open streams.txt in any text editor, you will see only the first entry; the text "This is alternate stream" remains hidden. You can read the information hidden in stream1 with the command:

more < streams.txt:stream1

Alternate streams can be added not only to individual files but also to directories. For example, let's add an alternate stream stream2 containing the text "Hide stream in Streams" to the current directory Streams:

echo Hide stream in Streams > :stream2

And display stream2 with the following command:

more < :stream2

The content of alternate streams can be opened not only from the console. Notepad, for example, can also access data hidden in a stream if you give the stream name after the file name, separated by a colon. Let's repeat the previous example, changing the stream name slightly to stream1.txt:

echo This is alternate stream > streams.txt:stream1.txt

And open the alternate stream in Notepad with the command:

notepad streams.txt:stream1.txt

Note. Standard Notepad requires the txt extension in the stream name, otherwise it will not be able to open it. More advanced editors, for example the same Notepad ++, can show the content of the alternate stream regardless of its name.

The presence of alternate streams on a file is not shown in any way in Explorer or other file managers. The easiest way to find them is the command dir /R (available since Windows Vista), which lists all data streams, including alternate ones.

You might think that alternate streams are limited to text data. Not at all: absolutely any data can be stored in an alternate stream. For example, let's create a file picture.txt and add a stream pic1.jpg to it, into which we put the image of the same name:

echo Picture > picture.txt
type pic1.jpg > picture.txt:pic1.jpg

Outwardly we have an ordinary text file, and to open the image from the alternate stream in the Paint graphics editor we use the command:

mspaint picture.txt:pic1.jpg

Similarly, you can add any data to any type of file: images to text files, text to media files, and so on. Interestingly, alternate content does not increase the visible file size: add a 30 GB HD video to a 1 KB text file and Explorer will still show the file size as 1 KB. The space is still consumed on the volume, of course; only the size column ignores it, because it counts the unnamed stream alone.

You can also hide executable files in alternate streams. For example, let's take the file test.txt and add the Notepad application (notepad.exe) to it as the alternate stream note.exe:

type notepad.exe > test.txt:note.exe

And to launch the hidden Notepad, use the command:

start .\test.txt:note.exe

By the way, this opportunity is used by some malicious programs, adding executable code to alternative NTFS streams.

Streams utility

There are several third-party utilities for working with alternate streams, for example the Streams console utility from Sysinternals. It can detect the presence of alternate streams and delete them. The utility needs no installation; just unpack it and run it. For example, let's check for streams in the folder Streams and its subdirectories (-s recurses) with the command:

streams.exe -s C:\Streams

And remove the alternate streams from the file streams.txt:

streams.exe -d C:\Streams\streams.txt

PowerShell

PowerShell can also work with alternate streams: create them, detect them, display their content and even delete them. For example, let's create a text file:

New-Item -ItemType File -Path C:\Streams\stream.txt

Write an entry to the main stream:

Set-Content -Path C:\Streams\stream.txt -Value "Main stream"

And to an alternate stream named Second:

Set-Content -Path C:\Streams\stream.txt -Value "Second stream" -Stream Second

Then display the contents of the main stream

Get-Content -Path C:\Streams\stream.txt

and of the alternate stream:

Get-Content -Path C:\Streams\stream.txt -Stream Second

To detect the presence of alternate streams, use the command:

Get-Item -Path C:\Streams\stream.txt -Stream *

And unneeded streams can be removed with the command (name a single stream, e.g. -Stream Second, to delete just that one):

Remove-Item -Path C:\Streams\stream.txt -Stream *
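To tie the detection side together, here is an added example (mine, not code from the windowsnotes.ru article or from Sysinternals) of a PowerShell hunting function that walks a directory tree, lists every alternate stream with Get-Item -Stream * and flags the ones worth a closer look: streams whose first two bytes are the MZ signature of a PE image, and streams whose name is not one Windows itself writes. It assumes Windows PowerShell 5.1 on an NTFS volume (PowerShell 7 replaced -Encoding Byte with -AsByteStream), and the files it creates under %TEMP%, including a copy of notepad.exe tucked into notes.txt:note.exe, are constructed for the demonstration. The allowlist of benign stream names is my assumption; extend it for your environment.

```powershell
# Added example, not code from the original article or from Sysinternals:
# walk a directory tree, list every alternate data stream and flag the ones
# worth a closer look. Assumes Windows PowerShell 5.1 on NTFS (PowerShell 7
# replaced -Encoding Byte with -AsByteStream). Demo files are constructed below.

# Stream names Windows itself writes (downloads, Services for Macintosh). Assumed
# benign here; extend the list for your environment.
$KnownBenign = @('Zone.Identifier', 'SmartScreen', 'Afp_AfpInfo', 'Afp_Resource')

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns every $DATA stream; ':$DATA' is the file's ordinary content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            # Peek at the first two bytes: 'MZ' (0x4D 0x5A) means a PE image is hidden here.
            $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
            $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                File       = $file.FullName
                Stream     = $_.Stream
                Length     = $_.Length
                IsPE       = $isPe
                Suspicious = ($isPe -or ($KnownBenign -notcontains $_.Stream))
            }
        }
    }
}

# --- constructed demo data -----------------------------------------------
$demo = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null

# 1. A download marked by the browser: expected, not flagged.
Set-Content -LiteralPath "$demo\report.pdf" -Value 'pdf body'
Set-Content -LiteralPath "$demo\report.pdf" -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# 2. A text file carrying a copy of notepad.exe in a stream, as in the article.
Set-Content -LiteralPath "$demo\notes.txt" -Value 'just notes'
Set-Content -LiteralPath "$demo\notes.txt" -Stream note.exe -Encoding Byte -Value ([IO.File]::ReadAllBytes("$env:SystemRoot\System32\notepad.exe"))

# 3. A config file with an unexpected text stream (a keylogger's log, say).
Set-Content -LiteralPath "$demo\config.ini" -Value '[app]'
Set-Content -LiteralPath "$demo\config.ini" -Stream log -Value 'captured keystrokes'

Get-AdsReport -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Run it against a user profile or a file share. Anything with IsPE set, or a stream name you do not recognise, is worth pulling out with Get-Content -Stream for analysis before you remove it with Remove-Item -Stream or Sysinternals streams -d. The function looks at files only; as the article notes, streams can also hang off directories and the drive root, which dir /R will show.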

Usage

Alternate streams are used both by Windows itself and by some programs. For example, Internet Explorer divides the network into security zones and, when downloading a file, marks it with the zone it came from.

The mark is stored in an alternate stream and is a number from 0 to 4:

Local computer (0)
Local intranet (1)
Trusted sites (2)
Internet (3)
Restricted sites (4)

To check this, go to the Downloads folder, take a file downloaded from the Internet and check it for alternate streams. It contains a stream named Zone.Identifier whose content is a small INI-style text: a [ZoneTransfer] section with the line ZoneId=3.

This means the file belongs to the untrusted Internet zone, and you should be careful when opening it. Some programs, such as Word, read this data when opening the file and show a warning; this is the "mark of the web" that Protected View relies on.
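As an added example (not from the original article), the PowerShell function below reads the Zone.Identifier stream of a file and turns it into something an incident responder can act on: the numeric zone mapped to its name, and the ReferrerUrl/HostUrl fields that newer browsers add, which record where a download actually came from. It assumes Windows PowerShell 3.0 or later on NTFS; the sample file under %TEMP% and its URLs are constructed for the demonstration.

```powershell
# Added example (not from the original article): read and interpret the
# Zone.Identifier mark-of-the-web stream that browsers write on downloads.
# Assumes Windows PowerShell 3.0+ on NTFS; the sample file below is constructed.

$ZoneNames = @{ 0 = 'Local computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';       4 = 'Restricted sites' }

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Content -Stream reads the ADS; a file without one is simply unmarked.
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }

    # The stream is INI-style: a [ZoneTransfer] header followed by key=value lines.
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $zoneId = if ($fields['ZoneId'] -match '^\d+$') { [int]$fields['ZoneId'] } else { $null }
    $zoneName = if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'unknown' }

    [pscustomobject]@{
        File        = $Path
        ZoneId      = $zoneId
        Zone        = $zoneName
        # Newer browsers also record the origin; invaluable when tracing a download.
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
        Untrusted   = ($zoneId -ge 3)
    }
}

# --- constructed sample: a "download" marked as coming from the Internet ---
$sample = Join-Path $env:TEMP 'motw-demo.docx'
Set-Content -LiteralPath $sample -Value 'not really a document'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3',
    'ReferrerUrl=https://example.invalid/downloads/',
    'HostUrl=https://cdn.example.invalid/motw-demo.docx')

Get-MarkOfTheWeb -Path $sample | Format-List

# Removing the stream is exactly what Unblock-File does; do it only once you
# have decided the file is trustworthy, because Office and SmartScreen key off it.
Unblock-File -LiteralPath $sample
Get-MarkOfTheWeb -Path $sample   # no stream any more, so nothing is returned
Remove-Item -LiteralPath $sample
```

Keep the HostUrl value when you triage a suspicious download: it survives renames and copies between NTFS volumes, and it is often the only record of the actual origin once browser history is gone.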

The File Classification Infrastructure (FCI) is also built on alternate streams. Among third-party programs, some antivirus products use alternate streams; in particular, Kaspersky Anti-Virus stores in them the checksum obtained from a scan.

The use of alternate streams is not limited to this, however; you can come up with your own uses. For example, you can use them to hide personal information from prying eyes. Files containing alternate streams can be freely copied or moved between NTFS disks, and all streams travel with the file.

Still, when using alternate streams remember that they are tied to the NTFS file system. The files must be on NTFS volumes, so you can work with them only from Windows (or with tools that understand NTFS). Move the file to any other file system and all streams except the main one are lost. Alternate streams are also stripped when a file is transferred over FTP or sent as an e-mail attachment, and most archivers drop them unless told to keep them.
Taken from http://windowsnotes.ru/other/alternativnye-potoki-dannyx-v-ntfs/

More:
ADS is a built-in feature of the NTFS file system and cannot be turned off.

ADS lets you attach any file to other files and even to directories (!). The OS itself uses this from time to time, adding the Zone.Identifier stream to files downloaded from the Internet.

Zone.Identifier, by the way, can be edited or deleted to get rid of the "this file was downloaded from the Internet" security warning.

You can add a stream to any file like this:
type file1 > file2:file3

try to find it:
dir /r

run an exe like this:
start file2:file3

if that didn't work, then like this:
mklink file4 file2:file3
start file4

This, for example, lets you attach the calculator to the root of drive C (!) and launch it through the link.

The article was written for the magazine "Hacker" (Хакер) in 2004 and came out in issue 09/04 (69) under the title "Destructive Streams".

Having captured another NT system and installed your own homemade spyware on it, you need to solve the problem of storing the collected information on the victim's computer. Usually the log is written to an ordinary file in a directory with a large number of files, for example system32.

NTFS features

It is a common but far from the best way to hide information on the local computer. There is a chance the user will notice an extra, constantly updated file that suddenly appeared in his system directory. Append the log to an existing file? First you have to find a file whose contents will not be spoiled by appending data to it. What about saving the information somewhere that is invisible from Explorer, the command line, or any file manager? The NTFS file system gives us that possibility. It is rarely seen on ordinary home PCs, since most users still prefer FAT32, even under XP. But on the local network of any company running Win2k/XP, NTFS is almost certainly in use, because this file system provides features such as per-user access rights, file encryption and compression. Besides, NTFS is much more reliable than FAT32. So the data hiding method I am about to describe is ideal for industrial espionage. With the arrival of Longhorn, NTFS has a chance to settle on home hard drives as well, since the upcoming NTFS-based WinFS file system promises additional features for organizing and searching information that should attract ordinary users.

Attach any data to the file

The method is to save data not to a file, as usual, but to an NTFS file stream. A stream can be attached to another file (its size does not change and its data remains intact, so utilities that check file checksums will not notice anything), to a directory, or to a disk. Alternate file streams are one of the features NTFS has had since the earliest versions of Windows NT. The idea is that one file can have several streams containing data, while only the main stream, which holds the file's contents, is visible to the user. There is something similar in the HFS file system on the Macintosh, where streams are called forks. Until recently they were used as a store for file resources or held information about the file type. With the arrival of Mac OS X, Apple recommended putting resources in separate files, and file types are determined by extensions, but fork support remains. On Windows, streams are usually used to store some additional information about a file. For example, a stream may contain a document summary. If the system is on an NTFS disk, the file explorer.exe probably has a summary. Depending on the content of the summary, streams named SummaryInformation, DocumentSummaryInformation and some others may be attached to the file. On my computer I found a stream named $MountMgrRemoteDatabase attached to drive C.

The user can learn about streams attached to a file only in certain cases, for example when copying a file with an attached stream to a FAT/FAT32 disk. These file systems do not support streams, so the system asks you to confirm the loss of the stream data and names the streams. Of course, this never happens if the stream is attached to a disk or to a system folder. Streams do not have to be used for spying. If you write shareware, you can use streams to store registration information, the number of days until the trial expires, in short everything that should be hidden from the user of your program.

Working with streams

Working with files and working with streams have both similarities and differences, and the similarities are few. Files and their streams are created and deleted by the same Win32 API functions, CreateFile and DeleteFile, and reading and writing are done with ReadFile and WriteFile respectively. That is where the similarities end; now the differences. Stream names can contain special characters that cannot be part of a normal file name: "*", "?", "<", ">", "|" and the quote character. Any stream name is stored in Unicode. Characters from the range 0x01-0x20 can also be used. There is no standard function for copying or moving a stream: MoveFile and CopyFile do not work with streams, but nothing stops you from writing your own. Streams have no attributes, creation or access dates of their own; they inherit them from the file they are attached to. If the file itself contains data, that data is also represented as a stream. Stream names have the form "filename:stream_name:attribute". The standard attribute of a stream that contains data is called $DATA; there are many other attributes whose names also begin with "$". The contents of the file are in the unnamed stream (filename::$DATA). This way of presenting a file's contents as a stream was behind a bug in Microsoft IIS: an attacker who wanted to read the text of a script on a vulnerable server simply appended "::$DATA" to its name, and the server, instead of executing the script, returned its source code. Working with streams is similar to working with files. Take a look at Listing 1, a simple program that creates a stream on a file and writes to it. After the program runs, an empty file "testfile" appears in its directory. You can see the contents of the attached stream by typing "more < testfile:stream" on the command line.
As you can see, the stream name is given after the file name, separated from it by a colon. The hardest thing about working with streams is getting the list of streams for a given file. There was no standard function for this at the time of writing (Windows Vista later added FindFirstStreamW/FindNextStreamW), so you have to write it yourself. Let's write a small console program that returns the list of streams for a file name. The guys from Sysinternals have such a program, with open source, and it works, but I didn't like their approach: they use Native API calls, so their code is long and hard to follow. We will write our own command-line program with a simpler algorithm and standard API functions.

Get the list of streams

The algorithm is based on the BackupRead function, which is designed for backing up files. When you back up a file it is important to save as much data as possible, including the file's streams. The information comes in a WIN32_STREAM_ID structure, from which you get the stream's name, type and size. We only need streams of type BACKUP_ALTERNATE_DATA. All the functions and structures are declared in the Windows SDK headers pulled in by windows.h. First the file is opened for reading with CreateFile; the dwFlagsAndAttributes parameter must include FILE_FLAG_BACKUP_SEMANTICS, which allows directories to be opened as well as files. Then a while loop reads each stream header into the sid structure, from which we get the information about that stream. Before the next pass of the loop we clear the structure and move the file pointer to the next stream with BackupSeek. Once all the streams have been found, we release lpContext, which holds BackupRead's internal state, and close the file. The source code is shown in Listing 2; the compiled program is on our disk. You don't need to write special programs to work with streams, though: some things can be done straight from the command line. See the sidebar for a few examples.

Detection

Once you have attached a stream to something, it is hard to get at its contents without knowing its name. If a stream is attached to a logical volume, Windows has no standard tools to find it. Since a stream name may contain characters that are not allowed in ordinary file names, this makes it harder to view the stream's contents from the command line. The document summary is usually kept in a stream whose name contains the character with code 0x05. That character can be typed in the console (Ctrl+E), but if it were character 10 or 13 (line feed and carriage return) it could not be typed at all. In theory you can stumble on attached streams by accident using software that is likely to be on your computer. WinRAR has an option for saving streams, and if it is enabled you may notice that the size of a small file placed in an archive not only does not shrink but even grows, because the data in the streams goes into the archive too. That may raise suspicion. The file system monitoring program Filemon, from the same Sysinternals, does not distinguish between access to files and access to streams, so a careful look at the disk access log of a suspicious program (your keylogger) will reveal both the name of the stream the log is written to and the name of the file it is attached to.

Viruses

In September 2000 the first virus appeared that used alternate file streams to spread. W2K.Stream was the first of a new kind of virus, the stream companion. It searches its directory for .exe files and, when it finds one, starts the infection: an additional stream is attached to the file, the contents of the original file are moved into that stream, and the virus body is then copied into the file's main stream. When an infected file is launched, the virus again tries to infect the files in its directory and then launches the original program from the additional stream. Indeed, CreateProcess can start a process from a stream. Moreover, the file with the stream can then be deleted and the process will keep running. A fairy tale for Trojans! Although almost four years have passed since W2K.Stream appeared, not all antivirus products can detect malicious code in file streams, so new worms and viruses that use them could pose a serious threat.

Other viruses using streams

Besides W2K.Stream, streams have found use in other viruses and worms. The first worm to use file streams was I-Worm.Potok. This creature attaches several streams to the odbc.ini file in the Windows directory and stores there the scripts it uses to mail itself out. Another virus is W2K.Team. Descriptions of these and similar viruses can be found at http://www.viruslist.com/

Working with streams from the console

Creating a file with a stream:
type nul > somefile.txt:Stream

Writing to a stream:
echo "Something" >> somefile.txt:Stream

Reading from a stream:
more < somefile.txt:Stream

Copying the contents of an existing file into a stream:
type file1.txt >> somefile.txt:Stream

Copying stream contents to a file:
more < somefile.txt:Stream >> file2.txt

Removing streams

There is an opinion that a stream can be deleted only together with the file to which it is attached. This is wrong. If you know the name of the stream, then you can always delete it using the standard DeleteFile function.

Listing 1. An example of creating a stream.

#include <windows.h>

int main(void)
{
    DWORD dwRet;
    const char msg[] = "This is a stream";

    /* Open (or create) the stream "stream" attached to the file "testfile".
       The file itself is created empty if it does not exist yet. */
    HANDLE hStream = CreateFile("testfile:stream", GENERIC_WRITE, FILE_SHARE_WRITE,
                                NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hStream == INVALID_HANDLE_VALUE)
        return 1;

    /* Write the text into the stream (without the terminating NUL) */
    WriteFile(hStream, msg, (DWORD)(sizeof(msg) - 1), &dwRet, NULL);
    CloseHandle(hStream);
    return 0;
}

Listing 2. X-Stream: A program showing a list of streams

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>

int _tmain(int argc, _TCHAR *argv[])
{
    WIN32_STREAM_ID sid;
    DWORD dw1, dw2, dwRead;
    INT numofstreams = 0;
    LPVOID lpContext = NULL;          /* BackupRead keeps its state here between calls */
    WCHAR wszStreamName[MAX_PATH];    /* buffer for the stream name in Unicode */

    if (argc < 2) {
        _tprintf(_T("Usage: %s <file|directory|drive>\n"), argv[0]);
        return 1;
    }

    /*
     * Open for reading with FILE_FLAG_BACKUP_SEMANTICS, which lets us open
     * not only files but also directories and disks.
     */
    HANDLE hFile = CreateFile(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        _tprintf(_T("\nError: Couldn't open file, directory or disk %s\n"), argv[1]);
        return 1;
    }

    /* Size of the fixed part of WIN32_STREAM_ID, i.e. everything before cStreamName */
    DWORD dwStreamHeaderSize = (DWORD)((LPBYTE)&sid.cStreamName - (LPBYTE)&sid);

    _tprintf(_T("\nStreams information for %s:\n"), argv[1]);
    ZeroMemory(&sid, sizeof(sid));
    while (BackupRead(hFile, (LPBYTE)&sid, dwStreamHeaderSize, &dwRead, FALSE, TRUE, &lpContext)) {
        /* End of data, or a header we do not understand: stop */
        if (dwRead == 0 || sid.dwStreamId == BACKUP_INVALID)
            break;

        /* The name (dwStreamNameSize bytes of UTF-16) follows the header */
        ZeroMemory(wszStreamName, sizeof(wszStreamName));
        if (sid.dwStreamNameSize > 0) {
            if (sid.dwStreamNameSize >= sizeof(wszStreamName))
                break;
            if (!BackupRead(hFile, (LPBYTE)wszStreamName, sid.dwStreamNameSize, &dwRead, FALSE, TRUE, &lpContext))
                break;
        }

        if (sid.dwStreamId == BACKUP_DATA || sid.dwStreamId == BACKUP_ALTERNATE_DATA) {
            numofstreams++;
            printf("\n\nStream\t\t#%u", numofstreams);
            switch (sid.dwStreamId) {
            case BACKUP_DATA:           printf("\nName:\t\t::$DATA"); break;
            case BACKUP_ALTERNATE_DATA: printf("\nName:\t\t%S", wszStreamName); break;
            }
            printf("\nSize:\t\t%I64u\n", sid.Size.QuadPart);
        }

        /* Skip the stream's data and move to the next stream header */
        BackupSeek(hFile, sid.Size.LowPart, sid.Size.HighPart, &dw1, &dw2, &lpContext);
        /* Clear the structure before the next pass of the loop */
        ZeroMemory(&sid, sizeof(sid));
    }

    /* Release the context BackupRead allocated for us (bAbort = TRUE) */
    BackupRead(hFile, NULL, 0, &dwRead, TRUE, FALSE, &lpContext);
    CloseHandle(hFile);
    return 0;
}

On the topic of file streams, there is also the following:

  • NTFS Stream Explorer 2.00 A program for working with NTFS streams and

Alternative data streams in NTFS

The NTFS file system has many interesting features, one of which is the availability of alternate data streams (ADS). Their essence is that each file in NTFS is a set of streams in which data is stored. By default, all data is in the main stream, but additional, alternative data streams can be added to the file if necessary.

Note. Alternate data streams in NTFS appeared a long time ago, back in Windows NT. They were created for compatibility with the HFS file system, which was then used on MacOS. HFS kept file data on a dedicated resource stream.

Files in NTFS are divided into attributes, one of which is $ DATA, or data attribute. Streams are additional properties of the $ DATA attribute. By default, there is one, the main thread $ DATA: ″ ″... As you can see, it has no name, therefore it is called unnamed... Also, if you wish, you can create additional, named streams, for example. $ DATA: ″ Stream1 ″... Each file in NTFS can have several data streams containing different, unrelated data.

All data written to the file goes to the main data stream by default. When we open the file, we see exactly the main stream, while the alternative streams are hidden from the user and are not displayed using conventional means. They cannot be seen in standard ways, although some programs can read the data hidden in them. You can also use the command line to work with streams.

For example, let's open the console and use the echo command to create a text file streams.txt and write the text into it:

echo This is main stream> streams.txt

And with the following command, write the text to the alternate stream stream1:

echo This is alternate stream> streams.txt: stream1

If we now open the streams.txt file in any text editor, we will see only the first record, the text "This is alternate stream" will remain hidden. You can read the information hidden in stream1 with the command:

more

Alternative streams can be added not only to individual files, but also to directories. For example, let's add an alternative stream stream2 containing the text "Hide stream in Streams" to the current Streams directory:

echo Hide stream in Streams>: stream2

And we will display the stream stream2 with the following command:

more<:stream2

The content of alternate streams can be opened in more than just the console. For example, Notepad can also access data hidden in streams if you specify the name of an alternate stream in the file name separated by a colon. Let's repeat the previous example, slightly changing the name of the stream to stream1.txt:

echo This is alternate stream> streams.txt: stream1.txt

And open an alternate stream in notepad with the command:

notepad streams.txt: stream1.txt

Note. Standard Notepad requires the txt extension in the stream name, otherwise it will not be able to open it. More advanced editors, for example the same Notepad ++, can show the content of the alternate stream regardless of its name.

The presence of alternative streams for a file is not displayed in any way in Explorer and other file managers. To find them, the easiest way is to use the command dir / R(starting with Windows Vista), which shows all data streams, including alternative ones.

You might think that the use of alternate streams is limited to textual data. This is not at all the case, and absolutely any information can be stored in alternative streams. For example, let's create a file picture.txt and add the pic1.jpg stream to it, into which we place the image of the same name:

echo Picture> picture.txt
type pic1.jpg> picture.jpg: pic1.jpg

Thus, outwardly, we have a regular text file, and to open an image from an alternate stream in the Paint graphics editor, we will use the command:

mspaint picture.txt: pic1.jpg

Similarly, you can add any data to any file type - add images to text files, add text information to media files, etc. Interestingly, alternative content does not increase the visible file size, for example, adding 30GB HD video to a 1kB text file , the explorer will still show the file size 1kB.

You can also hide executable files in alternative streams. For example, let's take the test.txt file and add the Notepad application (notepad.exe) to the alternate note.exe stream:

type notepad.exe> ​​test.txt: note.exe

And to launch a hidden notepad, use the command:

start. \ test.txt: note.exe

By the way, some malicious programs use this opportunity by adding executable code to NTFS alternate streams.

Streams utility

There are several third-party utilities for working with alternate streams, for example the Streams console utility from Sysinternals. It can detect the presence of alternate streams and delete them. The utility does not require installation, it is enough to unpack it and run it. For example, let's check the presence of streams in the Streams folder with the command:

Streams.exe -s C: \ Streams

And remove the alternate streams from the streams.txt file:

Streams.exe -d C: \ Streams \ streams.txt

PowerShell

PowerShell also knows how to work with alternate streams - create, discover, display their content, and even delete. For example, let's create a text file:

New-Item -Type file -Path C:\Streams\stream.txt

Let's add an entry to the main stream:

Set-Content -Path C:\Streams\stream.txt -Value "Main stream"

And to an alternate stream named Second:

Set-Content -Path C:\Streams\stream.txt -Value "Second stream" -Stream Second

Then we display the contents of the main stream:

Get-Content -Path C:\Streams\stream.txt

and of the alternate stream:

Get-Content -Path C:\Streams\stream.txt -Stream Second

To detect the presence of alternate streams, you can use the command:

Get-Item -Path C:\Streams\stream.txt -Stream *

And you can remove unnecessary streams with the command:

Remove-Item -Path C:\Streams\stream.txt -Stream *

Usage

Alternate streams are used both by Windows itself and by some programs. For example, Internet Explorer divides the network into 4 security zones and, when downloading files, adds tags to them containing information about the zone from which they were downloaded.

These labels are stored in an alternate stream and represent a number from 0 to 4:

Local computer (0)
Local network (1)
Trusted sites (2)
Internet (3)
Dangerous sites (4)

To verify this, let's go to the Downloads folder, take a file downloaded from the Internet and check it for alternate streams. As you can see, it contains a stream named Zone.Identifier, which contains the line ZoneId=3.

This means that the file belongs to the untrusted Internet zone, and you need to be careful when opening it. Some programs, such as Word, read this data when you open the file and issue a warning.

The File Classification Infrastructure (FCI) is also based on alternate streams. Among third-party programs, alternate streams are used by some anti-virus products; in particular, Kaspersky Anti-Virus stores in them the checksum obtained as a result of a scan.

However, the use of alternate streams is not limited to this; you can come up with any use for them yourself. For example, with their help you can hide personal information from prying eyes. Files containing alternate streams can be freely copied or moved from disk to disk, and all streams are copied along with the file.

Still, when using alternate streams, remember that they are tied to the NTFS file system. To use them, the files must reside on NTFS volumes, and accordingly you can work with them only from Windows. If you move a file to any other file system, all streams except the main one are lost. Alternate streams are also stripped when files are transferred via FTP or sent as an e-mail attachment.

Most users of modern Windows operating systems have come across a situation when a help file in the CHM (Compiled Help Module) format opens only partially: you can view the table of contents, but not the contents of its items:

In addition, when you try to open a CHM file located in a shared network folder using a UNC (Universal Naming Convention) path, for example \\server\h\help.chm, its sections are not displayed. In other words, you can view .chm files normally only if they were not received over the network.

A similar picture is observed when you try to open an executable file that was downloaded from the network. You will see a security warning:

Moreover, the same file, extracted from an archive that was itself downloaded from the Internet, opens on the same computer without any problem. The only difference is that the opened file was created locally, during unpacking, rather than downloaded over the network. In other words, Windows is able to determine the network origin of a file and respond to it according to certain security settings.

A mechanism for determining the network origin of files.

In the NTFS file system, each file (or directory) is represented as a set of individual elements called attributes. Elements such as the file name, security settings, and even the data itself are all attributes of the file. Each attribute is identified by an attribute type code and, optionally, an attribute name. So, for example, the file name is contained in the $FILE_NAME attribute, the content in the $DATA attribute, information about the owner and access rights in the $SECURITY_DESCRIPTOR attribute, etc. The content of each file (the $DATA attribute) is a set of streams in which the data is stored. For each file or directory in NTFS there is at least one main stream, in which the data is actually stored. However, in addition to the main stream, a file or directory can have alternate streams (Alternate Data Stream, ADS) associated with it, which may contain data that has nothing to do with the data of the main stream. The main stream of a file has no name and is denoted as $DATA:"". Alternate streams must have a name; for example, $DATA:"StreamData" is an alternate stream named StreamData.

When data is written to a file, it is placed in the main data stream. When we open a text file with Notepad, for example, we get access to the data of the main stream. The data of alternate streams is not displayed with standard access, and there are not even any signs of their presence. However, the alternate stream data associated with a specific file or directory can be accessed with special programs or by using a special syntax on the Windows command line.

For example, writing text to the file test.txt with the echo command:

echo Main stream Data> test.txt - writes the text "Main stream Data" to the file test.txt, which means writing to the main, unnamed stream.

But you can change the command:

echo Alternate stream Data> test.txt:stream1 - writes the text "Alternate stream Data" to an alternate stream named stream1 of the file test.txt.

Now you can open each of the streams, for example with Notepad:

notepad test.txt - opens the content of the main stream with the text "Main stream Data".

notepad test.txt:stream1 - opens the content of the alternate stream with the text "Alternate stream Data".

Alternate streams, while invisible to the standard tools for working with file system objects, are nevertheless very often used to store additional information about files and other service data. For example, when downloading files from the Internet, browsers add to them an alternate stream named Zone.Identifier, which can be opened with Notepad, as in the example above:

notepad %USERPROFILE%\Downloads\ChromeSetup.exe:Zone.Identifier - opens in Notepad the alternate stream named Zone.Identifier of the file ChromeSetup.exe. The path to the file can be omitted by first changing to the downloads directory of the current user (assuming the standard layout of the user's service folders):

cd %USERPROFILE%\Downloads - go to the downloads directory.

notepad ChromeSetup.exe:Zone.Identifier - open the alternate stream named Zone.Identifier of the Google Chrome installer ChromeSetup.exe in the current directory.

As you can see, the content of the alternate stream contains the lines:

[ZoneTransfer] - header of the section describing the zone the data was transferred from.
ZoneId=3 - zone identifier.

This information makes it possible to determine the origin of the file by the ZoneId number:

0 - local computer (Local)
1 - local network (Intranet)
2 - trusted sites (Trusted Sites)
3 - Internet (Internet)
4 - dangerous sites (Restricted Sites)

This zone definition, for example, matches the security settings of Internet Explorer:

In this case, you can determine that the file ChromeSetup.exe was obtained from the Internet (ZoneId = 3). When you run such a file, you receive a security warning about an untrusted source. The security features of Microsoft Office work the same way when warning about the dangers of opening files downloaded from the Internet. For the same reason, the content of CHM help files does not open: the content of the alternate stream allows them to be classified as dangerous, regardless of whether a real danger exists.

Try changing the ZoneId value to 0 with the same Notepad; that corresponds to a local origin of the file, and the security warning disappears, as do the problems opening office documents or help topics in .chm files.

The security mechanisms behave the same way if you delete the content of the alternate stream (make it empty) or delete the alternate stream itself.

Starting with Windows 7, you can use the DIR command with the /R parameter to get a list of a file's alternate streams:

dir /r %USERPROFILE%\Downloads - display a list of files and alternate streams in the Downloads directory of the current user.

To work with alternate streams in any version of Windows, you can use the streams.exe utility from the Microsoft Sysinternals Suite package. The package contains many small programs for diagnostics, optimization and administration, including a utility that makes up for the shortcomings of the standard tools in working with alternate streams.

Command line format:

streams.exe [-s] [-d] <file or directory>

Command line parameters:

-s - process subdirectories.
-d - delete alternate streams.
-nobanner - do not display the start banner and copyright information.

Examples of use:

streams.exe /? - display help on using the program.

streams myfile.txt - display information about the streams of the file myfile.txt.

streams -d myfile.txt - remove the alternate streams of the file myfile.txt.

streams -d -s D:\Downloads\*.* - remove the alternate streams of all files and subdirectories in the directory D:\Downloads\.

In Windows 8 and later, PowerShell also allows working with alternate streams:

Get-Item -Path C:\FirefoxSetup.exe -Stream * - display information about the streams of the file C:\FirefoxSetup.exe.

Get-Content -Path C:\FirefoxSetup.exe -Stream Zone.Identifier - display the content of the alternate stream Zone.Identifier of the file C:\FirefoxSetup.exe.

Remove-Item -Path C:\FirefoxSetup.exe -Stream * - remove all alternate streams associated with the file C:\FirefoxSetup.exe.

Remove-Item -Path C:\FirefoxSetup.exe -Stream Zone.Identifier - remove the alternate stream Zone.Identifier associated with the file C:\FirefoxSetup.exe.
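As an added example (not code from the original article) that combines the PowerShell stream commands of this section and of the earlier PowerShell section: a function that walks a directory tree, lists every named stream, decodes the ZoneId from each Zone.Identifier stream, and flags other streams that begin with the 'MZ' header of a PE executable. It assumes Windows PowerShell 5.1 on an NTFS volume (PowerShell 7 replaces -Encoding Byte with -AsByteStream), and the $Root path is a placeholder.

```powershell
# Added example, not from the original article: audit a directory tree for
# alternate data streams and summarise what each one holds.
# Assumes Windows PowerShell 5.1 (for -Encoding Byte) on an NTFS volume;
# $Root is a placeholder path, change it to the folder you want to inspect.
$Root = "$env:USERPROFILE\Downloads"

# ZoneId values as listed in the article.
$zoneNames = @{ 0 = 'Local'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-AdsReport {
    param([string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # -Stream * lists every $DATA stream; the unnamed main stream appears as ':$DATA'.
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $stream = $_
                $note = 'non-standard stream'
                if ($stream.Stream -eq 'Zone.Identifier') {
                    # Mark-of-the-Web: read the ZoneId=N line from the [ZoneTransfer] section.
                    $line = Get-Content -Path $file.FullName -Stream Zone.Identifier |
                        Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
                    if ($line -match '^ZoneId=(\d)$') {
                        $id = [int]$Matches[1]
                        $note = "ZoneId=$id ($($zoneNames[$id]))"
                    }
                }
                else {
                    # Flag streams that begin with the 'MZ' signature of a PE executable,
                    # i.e. a program hidden in the stream like the notepad.exe example above.
                    $head = Get-Content -Path $file.FullName -Stream $stream.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                    if (@($head).Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
                        $note = 'PE header (MZ) in stream'
                    }
                }
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $stream.Stream
                    Bytes  = $stream.Length
                    Note   = $note
                }
            }
    }
}

Get-AdsReport -Path $Root | Format-Table -AutoSize
```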

Security zone information is widely used in group policies, in particular by the Windows Attachment Manager, which protects against malware that may be contained in mail attachments or in files downloaded from the Internet. Microsoft has a detailed article on how to configure and troubleshoot Attachment Manager:
Describes how the Attachment Manager, which is included with Microsoft Windows, works.

In conclusion, I will add that alternate streams are a property of the NTFS file system, and, for example, are not supported in FAT32. Accordingly, when copying files from NTFS to any other file system, the alternate streams are discarded.