File Stegano using ADS

Using Alternate Data Streams (ADS) on NTFS to hide an .exe or other data inside the ADS of another file

Alternate Data Streams are a largely unused feature of the Windows NTFS file system. They were initially implemented to support the Mac's HFS. The Macintosh Hierarchical File System gives each file both a data fork and a resource fork. The data fork is the part that stores the user's data, while the resource fork stores information about the file, such as which application was used to create it and should therefore be used to open it. Windows, on the other hand, only uses the file's extension to determine which application should open it.

NTFS provides this Mac support by storing the resource fork portion in a hidden stream: the Alternate Data Stream. I am not aware of any other program that uses ADS for any legitimate purpose; however, I may be wrong. As an FYI, *nix file systems do not support ADS.

Now that the boring stuff is over, let's get into its practical hacking application. ADS can be used to hide text, other data such as MP3s or videos, and even executables in the alternate stream of a normal file. It becomes a form of steganography. The cool thing is that the file size does not change: if you put two files side by side, one containing regular data and the other containing the same data plus data hidden in the ADS, the two file sizes will be identical. This is unlike image stegano, where a picture hidden inside another picture will change the file size.

Another great feature is that you can view the file using Notepad, Word, a hex editor, etc., and you would have no idea that there was information hidden inside the ADS.

From a forensic standpoint, the only way to identify files that have info in their ADS is to run EnCase, FTK, or a stand-alone ADS scanner like LADS against the files.

Let's try it out:

Create a text file that contains "Hello World":

C:\>echo "Hello World" > ADS.txt

C:\>more < ADS.txt
"Hello World"

Now create some hidden text in the ADS:

C:\>echo "This is an ADS example" > ADS.txt:ads

C:\>more < ADS.txt:ads
"This is an ADS example"

As you can see, opening the file in the normal way displays the normal text. However, if you open the file and add the name of the ADS you created after the file name, your ADS stream opens instead.

Now, let's hide an executable in a regular text file:

Create a text file with some text:

C:\>echo "ADS .exe test" > ADS2.txt

C:\>type ADS2.txt
"ADS .exe test"

Let's now hide the calculator executable inside our text file:

C:\>type c:\WINDOWS\system32\calc.exe > ADS2.txt:calc.exe

We can now start the calculator using the start command:

C:\>start .\ADS2.txt:calc.exe

Yahtzee!!! The calculator pops up! Think about the other types of files you can hide inside a benign text file. There are so many practical uses.
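For the defender's side of the same trick, here is an added example (not part of the original article) of the kind of stand-alone ADS scanner mentioned above, in Python. parse_dir_r reads the listing that `dir /r` prints and pulls out every named stream, and list_streams_win32 enumerates streams live through the Win32 FindFirstStreamW/FindNextStreamW API (Windows only). The SAMPLE_DIR_R listing and its sizes are constructed to match the two files created in this article.

```python
import ctypes, re, sys

# `dir /r` prints each named stream on its own line: "<size> <file>:<stream>:$DATA"
_STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+([^:]+):([^:]+):\$DATA\s*$")

def parse_dir_r(dir_output):
    """Map filename -> [(stream_name, size_bytes)] for every named ADS in a `dir /r` listing."""
    found = {}
    for line in dir_output.splitlines():
        m = _STREAM_LINE.match(line)
        if m:
            size, fname, stream = m.groups()
            found.setdefault(fname, []).append((stream, int(size.replace(",", ""))))
    return found

class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong), ("cStreamName", ctypes.c_wchar * 296)]  # MAX_PATH + 36

def list_streams_win32(path):
    """Live enumeration via FindFirstStreamW/FindNextStreamW (Windows only); the file body ::$DATA is omitted."""
    if sys.platform != "win32":
        raise OSError("named-stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        err = ctypes.get_last_error()
        if err == 38:  # ERROR_HANDLE_EOF: the object has no streams at all (e.g. a directory)
            return []
        raise ctypes.WinError(err)
    streams = []
    try:
        while True:
            name = data.cStreamName  # ":calc.exe:$DATA", or "::$DATA" for the ordinary file content
            if name != "::$DATA":
                streams.append((name.split(":")[1], data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams

# Constructed listing in the shape `dir /r` prints for the article's two files (sizes are made up).
SAMPLE_DIR_R = """\
07/08/2007  08:17 PM                15 ADS.txt
                                     26 ADS.txt:ads:$DATA
07/08/2007  08:20 PM                17 ADS2.txt
                                114,688 ADS2.txt:calc.exe:$DATA
               2 File(s)             32 bytes
"""
```

Run parse_dir_r over the saved output of `dir /r /s` to sweep a whole tree; a stream whose size is far larger than the file's own content, or whose name ends in .exe, is the thing to look at first.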

Enjoy the many practical ways you can use this technology on your system or someone else's ;)


mastergamer on July 08 2007 - 20:17:13
Doesn't work on vista
LanceUppercut on July 08 2007 - 20:59:55
hmmm...hiding text in a file works in Vista (I just tested it)...however, I can't seem to get the executable functionality to work. I'll have to look into this. Oh, I found out that if you do C:\>dir /r ADS2.txt in Vista, it will list the ADS's that exist in the file...pretty cool
mido on July 09 2007 - 11:35:27
nice article, ive rated it very good
LanceUppercut on July 09 2007 - 16:43:43
Thanks mido
lukem_95 on July 09 2007 - 19:03:57
I never even knew about this, nice article, could have been better explained though.
DigitalFire on July 10 2007 - 03:44:24
Very interesting LanceUppercut... And figured out ads is an example. You can hide shit in like file.txt:digitalfire huh what do you know.
DigitalFire on July 10 2007 - 03:45:12
*hide shit in like f i l e . t x t : d i g i t a l f i r e
Uber0n on July 30 2007 - 11:21:45
Hey, this really is an awesome trick, thanks Lance!
Shorty626FL on December 19 2007 - 01:15:33
Amazing
c4p_sl0ck on January 15 2009 - 11:28:45
Great trick! Too bad it does not work with exe's on Vista.