Windows Alternate Data Streams
www.winitor.com – Marc Ochsenmeier
How code and data can be hidden within files and directories
March 2012
Overview
Introduction
Importance
Origin
NTFS Stream Basics
Usages
Demo
Issues
API
Tools
Introduction
A file is more than one file…
A file can act as a container for other files
◦ One visible
◦ None or several invisible ones
◦ Any kind of content, of any size
What we usually call "the file" is only the first (unnamed) data stream of that file
Importance
ADS are part of the NTFS infrastructure
◦ A mechanism that cannot be disabled
ADS can contain data
◦ Their content must be taken into account by backup tools…
ADS can contain code
◦ Their existence must be taken into account by antivirus tools…
◦ Potential danger (W2K.Stream virus, 2000, the first virus to hide its code in an ADS)
ADS are almost unknown
ADS are almost invisible
Origin
ADS exist since the inception of Windows NT 3.1, to let Windows and Macintosh clients share files
◦ Macintosh files have a data fork (content) and a resource fork (management data: icons, code resources…); NTFS needed a second stream per file to hold the resource fork
Windows servers expose these resources to Macintosh clients through the File Server for Macintosh (FSFM) service
NTFS Basics - MFT
Information about files on an NTFS partition is located in a construct called the Master File Table (MFT)
◦ One record hosts the collection of attributes that document a file
NTFS Basics - Streams
A file is a collection of attributes
◦ All are stored as (logically) separate streams
◦ Some are mandatory (name, time stamps…)
◦ Some are optional (security descriptor)
◦ Some may appear more than once (LFN/8.3 names, data…)
[Diagram: one file record drawn as a row of attribute boxes: Standard info, LFN, 8.3, Security, Data…; the data boxes are the ones that may carry code and may be encrypted]
NTFS Basics – File Content
The content of a file is one stream among others
Strictly speaking, NTFS doesn't manage files, it manages streams
$STANDARD_INFORMATION: general attributes (read-only, archive, hidden… flags) and the four time stamps (creation, last modification, last MFT change, last access).
$FILE_NAME: the name of the file; a file has two $FILE_NAME attributes when its long name gets an automatically generated "8.3 name".
$SECURITY_DESCRIPTOR: owner, discretionary access control list (DACL) and system access control list (SACL, which holds the audit entries and, since Vista, the integrity level).
$DATA: files have one default (unnamed/anonymous) data attribute, the content of the file, and can have several named data attributes, the alternate data streams.
Directories have no default data attribute (their content lives in the $INDEX_ROOT/$INDEX_ALLOCATION attributes) but can still carry several named data attributes.
Properties
Streams share many properties
Windows usage - Windows Explorer zone model
◦ The trust level (URL security zone) of a downloaded file is stored as a small INI text in an ADS named "Zone.Identifier"; ZoneId=3 is the Internet zone
[ZoneTransfer]
ZoneId=3
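To make the attribute layout and the stream naming concrete, here is an added example (written for this edit, not code from the deck or from winitor) in Python: it builds a small, constructed MFT FILE record holding the attributes named above, parses it back with the real NTFS attribute-header offsets, lists every $DATA stream and decodes the Zone.Identifier marker. The record builder is deliberately simplified: no update sequence array, and abbreviated $STANDARD_INFORMATION and $FILE_NAME bodies, since only the $DATA attributes are inspected.

```python
"""Build and parse a constructed NTFS MFT FILE record, listing its $DATA streams."""
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME",
              0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA"}
END_MARKER = 0xFFFFFFFF


def resident_attr(atype, content, name=""):
    """One resident attribute: 0x18-byte header, optional UTF-16LE name, then content."""
    wname = name.encode("utf-16-le")
    name_off = 0x18
    content_off = name_off + len(wname)
    length = (content_off + len(content) + 7) & ~7          # attributes are 8-byte aligned
    # type, length, non-resident flag, name length, name offset, flags, attribute id
    hdr = struct.pack("<IIBBHHH", atype, length, 0, len(name), name_off, 0, 0)
    # resident part: content length, content offset, indexed flag, padding
    hdr += struct.pack("<IHBB", len(content), content_off, 0, 0)
    return (hdr + wname + content).ljust(length, b"\0")


def build_record(attrs):
    """Minimal FILE record header (the update sequence array is omitted in this sample)."""
    first_attr = 0x38
    body = b"".join(attrs) + struct.pack("<I", END_MARKER)
    used = first_attr + len(body)
    # magic, USA offset, USA size, $LogFile LSN, sequence no, link count,
    # first attribute offset, flags (1 = in use), used size, allocated size
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 0x30, 0, 0, 1, 1, first_attr, 1, used, 1024)
    hdr += struct.pack("<QHHI", 0, len(attrs) + 1, 0, 42)  # base record, next attr id, pad, record no
    return (hdr.ljust(first_attr, b"\0") + body).ljust(1024, b"\0")


def parse_record(rec):
    """Yield (type name, stream name, resident?, size, content) for each attribute."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 4 <= len(rec):
        atype = struct.unpack_from("<I", rec, off)[0]
        if atype == END_MARKER:
            break
        length, nonres, name_len, name_off = struct.unpack_from("<IBBH", rec, off + 4)
        name = rec[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")
        if nonres:                                   # real size sits at +0x30, data runs elsewhere
            size, content = struct.unpack_from("<Q", rec, off + 0x30)[0], None
        else:
            size, content_off = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + content_off: off + content_off + size]
        yield ATTR_NAMES.get(atype, hex(atype)), name, not nonres, size, content
        off += length


def data_streams(rec):
    """{stream name: content} for every $DATA attribute; '' is the unnamed, visible stream."""
    return {name: content for t, name, _, _, content in parse_record(rec) if t == "$DATA"}


def zone_id(rec):
    """Decode Explorer's Zone.Identifier stream if present (3 = Internet zone)."""
    zi = data_streams(rec).get("Zone.Identifier")
    if zi is None:
        return None
    for line in zi.decode("ascii", "replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ZoneId":
            return int(value)
    return None


# Constructed sample: one file whose visible content hides two more streams.
SAMPLE = build_record([
    resident_attr(0x10, b"\0" * 48),                              # $STANDARD_INFORMATION (body not used here)
    resident_attr(0x30, "report.txt".encode("utf-16-le")),        # $FILE_NAME (name part only, simplified)
    resident_attr(0x80, b"Quarterly figures"),                    # unnamed $DATA: what Explorer calls the file
    resident_attr(0x80, b"[ZoneTransfer]\r\nZoneId=3\r\n", "Zone.Identifier"),
    resident_attr(0x80, b"MZ" + b"\x90" * 14, "hidden.exe"),     # named $DATA carrying a PE header
])

if __name__ == "__main__":
    for t, name, resident, size, _ in parse_record(SAMPLE):
        print(f"{(t + ' ' + name).strip():35} {'resident' if resident else 'nonresident':12} {size} bytes")
    print("streams:", sorted(data_streams(SAMPLE)))
    print("ZoneId:", zone_id(SAMPLE))
```

The same loop works on a record read straight from the raw volume (1024 bytes at the $MFT offset of the file), provided the update sequence array fixups are applied first; the stream names it returns are exactly what dir /R shows after the second colon.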
Windows usage
Icons of Favorites are saved in an ADS of the .url files
Windows usage
Records of the NTFS change journal (USN journal) are stored in an ADS named $J of the metafile \$Extend\$UsnJrnl
Attributes of \$Extend\$UsnJrnl as listed by nfi:
  $STANDARD_INFORMATION (resident)
  $FILE_NAME (resident)
  $DATA $J (nonresident)
    logical sectors 23039352-23090447 (0x15f8d78-0x160550f)
    logical sectors 26399296-26400295 (0x192d240-0x192d627)
    logical sectors 60720016-60728719 (0x39e8390-0x39ea58f)
    logical sectors 184110184-184110951 (0xaf94c68-0xaf94f67)
    logical sectors 60967328-60968351 (0x3a249a0-0x3a24d9f)
    logical sectors 58715456-58716479 (0x37fed40-0x37ff13f)
    logical sectors 58572096-58580287 (0x37dbd40-0x37ddd3f)
  $DATA $Max (resident)
Windows XP usage
XP generalizes the Office "Summary" properties tab to all files
◦ For Office documents the summary is stored in OLE streams inside the document
◦ For other files it is stored in ADS named
"DocumentSummaryInformation"
"SebiesnrMkudrfcoIaamtykdDa"
"SummaryInformation"
Windows 2000 usage
Thumbnails view in Explorer
◦ An ADS named "encryptable" is added to the "Thumbs.db" files
Indexing Service
◦ An ADS named "♣Q30lsldxJoudresxAssqpcawXc" is added to image files
Demo
Syntax (a stream is addressed as file:stream, optionally followed by :$DATA)
Create an ADS in a file
Create an ADS in a directory
Open a file located in an ADS
Run a program located in an ADS
API
Documented
◦ CreateFile, ReadFile and WriteFile (a stream is opened through its file:stream path like any other file)
◦ BackupRead, BackupSeek and BackupWrite (walk through every stream of a file, as backup software must)
◦ Starting with Windows Server 2003 (Vista on the client side):
FindFirstStreamW
FindNextStreamW
◦ IZoneIdentifier COM interface (reads and writes the Zone.Identifier stream)
Undocumented
◦ NtQueryInformationFile with the FileStreamInformation class (the only way to enumerate streams before FindFirstStreamW existed)
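Putting the demo steps and the documented API together, here is an added example (written for this edit, not code from the deck or from winitor) in Python for Windows: it creates a stream in a file and in a directory through the file:stream path syntax that CreateFile accepts, reads one back, and enumerates the streams of both objects with FindFirstStreamW/FindNextStreamW through ctypes. The file and directory names under the current directory and the stream name notes.txt are arbitrary choices of this example; treating ERROR_HANDLE_EOF as "no named stream" for a directory reflects the behaviour seen with these calls and is an assumption of the example, not something the deck states.

```python
"""Create, read and enumerate NTFS alternate data streams from Python (Windows only at run time)."""
import ctypes
import os
import sys

INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
ERROR_HANDLE_EOF = 38            # FindFirstStreamW on a directory with no named stream
FIND_STREAM_INFO_STANDARD = 0


def parse_stream_name(raw):
    """Win32 reports streams as ':name:$TYPE'; split into (name, type), name '' for the default stream."""
    if not raw.startswith(":"):
        raise ValueError(f"unexpected stream name {raw!r}")
    _, name, stype = raw.split(":", 2)
    return name, stype


def stream_path(base, name):
    """Path syntax CreateFile understands: <file or directory>:<stream name>."""
    return f"{base}:{name}"


class _Win32FindStreamData(ctypes.Structure):
    # WIN32_FIND_STREAM_DATA: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]


def list_streams(path):
    """Return [(name, type, size)] for every stream of a file or directory."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = _Win32FindStreamData()
    h = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if h == INVALID_HANDLE_VALUE:
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:
            return []                                    # directory without any named stream
        raise ctypes.WinError(err)
    found = []
    try:
        while True:
            name, stype = parse_stream_name(data.cStreamName)
            found.append((name, stype, data.StreamSize))
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break                                    # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(h)
    return found


def demo(base_dir):
    """The deck's steps: create an ADS in a file, in a directory, open one, then enumerate."""
    file_path = os.path.join(base_dir, "report.txt")     # names chosen for this example
    dir_path = os.path.join(base_dir, "reports")
    os.makedirs(dir_path, exist_ok=True)
    with open(file_path, "w") as f:
        f.write("Quarterly figures\n")                   # the visible, unnamed stream
    with open(stream_path(file_path, "notes.txt"), "w") as f:
        f.write("hidden in an ADS of the file\n")
    with open(stream_path(dir_path, "notes.txt"), "w") as f:
        f.write("hidden in an ADS of the directory\n")
    with open(stream_path(file_path, "notes.txt")) as f:
        print("read back:", f.read().strip())
    print("visible size:", os.path.getsize(file_path), "bytes (unnamed stream only)")
    for target in (file_path, dir_path):
        for name, stype, size in list_streams(target):
            print(f"{target}:{name or '<unnamed>'}:{stype}  {size} bytes")


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("needs Python on Windows and an NTFS volume")
    demo(os.getcwd())
```

os.path.getsize, Explorer and a plain dir all report the unnamed stream only; dir /R, Sysinternals streams or the enumerator above are needed to see the rest. The deck's fourth step, running a program from a stream, is deliberately left out of this example.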
Management Tools
No real Windows built-in tool
Nfi – Windows Resource Kit
File Monitor – www.sysinternals.com
Streams – www.sysinternals.com
Sfind – www.foundstone.com
CmdStream/ShowStream
…
Evolution
Windows supports the enumeration of ADS starting with Vista: dir /R lists every stream of a file with its size
Issues
Backup & restore (tools that copy only the default stream silently drop the others)
Forensics (data and tools hidden in streams)
DoS attack (a stream can fill the disk while the visible file size stays small)
Code execution (executables stored in, and launched from, a stream)
Detection and removal
Windows Resource Protection (WRP)
Misuse of valid ADS (a payload stored under a legitimate stream name such as Zone.Identifier)
Antivirus (must scan every stream, not only the default one)
Version control systems (e.g. SVN)
Windows Scripting Host (scripts can be run straight from a stream)
User Account Control (UAC)
Not supported on other file systems (streams are lost when a file is copied to FAT or another non-NTFS volume)
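As an added example of the detection and removal problem listed above (not part of the deck), here is a Python triage routine over stream records of the kind any enumerator produces, whether FindFirstStreamW, dir /R or Sysinternals streams: path, stream name, size and the first bytes of the stream. It flags streams that carry executable or archive headers, a Zone.Identifier that is not Explorer's small INI marker, names that Windows itself does not write, and streams large enough to matter for backup and disk exhaustion. The sample records, the thresholds and the set of "known" names (taken from the usage slides of this deck) are constructed for illustration.

```python
"""Triage alternate data streams collected from a volume: what hides code, what misuses a valid name, what eats disk."""
from collections import namedtuple

# One record per stream; head holds the first bytes read from the stream.
Stream = namedtuple("Stream", "path name size head")

# Stream names that Windows itself writes, as listed in the usage slides (constructed allow-list).
KNOWN_NAMES = {
    "Zone.Identifier", "SummaryInformation", "DocumentSummaryInformation",
    "SebiesnrMkudrfcoIaamtykdDa", "encryptable",
}
EXEC_MAGIC = {b"MZ": "PE executable", b"PK": "ZIP/OOXML archive"}
LARGE = 1 << 20                  # 1 MiB: threshold chosen for this example


def triage(stream, large=LARGE):
    """Findings for one stream; an empty list means nothing looked wrong."""
    findings = []
    if stream.name == "":
        return findings                                  # the visible file itself: out of scope here
    for magic, kind in EXEC_MAGIC.items():
        if stream.head.startswith(magic):
            findings.append(f"{kind} stored in stream")
    if stream.name == "Zone.Identifier":
        # Explorer writes a few dozen bytes of INI text; anything else is a valid name being misused.
        if not stream.head.startswith(b"[ZoneTransfer]") or stream.size > 4096:
            findings.append("Zone.Identifier stream does not look like Explorer's zone marker")
    elif stream.name not in KNOWN_NAMES:
        findings.append("stream name not written by Windows itself")
    if stream.size >= large:
        findings.append(f"large hidden stream ({stream.size} bytes not shown in the file size)")
    return findings


def hidden_bytes(streams):
    """Bytes no visible file size accounts for: the sum of every named stream."""
    return sum(s.size for s in streams if s.name)


def report(streams):
    """Map 'path:stream' to findings, keeping only streams that raised at least one."""
    out = {}
    for s in streams:
        findings = triage(s)
        if findings:
            out[f"{s.path}:{s.name}"] = findings
    return out


# Constructed sample as an enumerator would return it (paths, sizes and headers are made up).
SAMPLE = [
    Stream(r"C:\Users\a\Downloads\setup.exe", "", 1_200_000, b"MZ\x90\x00"),
    Stream(r"C:\Users\a\Downloads\setup.exe", "Zone.Identifier", 26, b"[ZoneTransfer]\r\nZoneId=3"),
    Stream(r"C:\Users\a\Documents\notes.txt", "Zone.Identifier", 73_802, b"MZ\x90\x00\x03"),  # payload behind a valid name
    Stream(r"C:\Windows\Temp\log.txt", "backup", 3 << 30, b"\x00\x00\x00\x00"),                # 3 GiB the file size hides
    Stream(r"C:\inetpub\wwwroot\index.html", "cfg", 2048, b"PK\x03\x04"),
]

if __name__ == "__main__":
    for key, findings in report(SAMPLE).items():
        print(key)
        for f in findings:
            print("   -", f)
    print("bytes hidden in named streams:", hidden_bytes(SAMPLE))
```

Removal follows from the same records: a named stream is deleted by opening file:stream for delete (on the command line, streams -d from Sysinternals, or copying the file to a FAT volume and back, which strips every named stream), so the triage output doubles as a work list.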
Summary
ADS exist
ADS cannot be disabled
ADS can be used
ADS can be misused