Scratchbook

Life is always different from reality.

Alternative Data Streams

Dave, 18 August 2006, 20:01


You may be interested to know about another "SECRET" that the boys in Redmond try not to advertise. It is called Alternative Data Streams, and it basically allows you to "hide" files within other files.

M$ provides no tools (other than low-level SDK functions) to even know that these Alternative Data Streams exist. Neither "Explorer", nor "dir", nor "attrib", nor any other resource kit app will help you discover these streams. In fact, to the best of my knowledge, most virus detection programs only scan the primary stream, and not any of the associated alternative streams. In addition, once an ADS has been associated with a file, it copies right along with the file when going from NTFS to NTFS.

To see a non-destructive example, drop down to the CMD line and try the following. (Win NT/2k/XP w/ NTFS … no FAT)

First create a basic host file … let's say a text file in the root dir on the C drive

C:\>echo Hello World > MyTest.txt

Then attach your favorite exe (or whatever you want) as an ADS (Solitaire?)

C:\>type c:\WINNT\system32\sol.exe > MyTest.txt:MyProg.Exe

Inspect your file all you want. Even delete the original program if you really want to (sol.exe).

Now run your hidden version of Solitaire anytime you'd like.

C:\>start c:\MyTest.txt:MyProg.exe

(Look at Task Manager and check out Solitaire's new process name)

Scary … isn’t it? Do you know what’s on your hard drive?

found at: [Link]

rakudave

Too bad I have FAT… ^^

MrWatch

I'm glad I have xfs.

Longneck

oh shit….. :-O

and no virus scanner detects it? hmm… *fires up AutoIt*

*ponders*
*plans*

rakudave

*uh-oh* 🙂
