ADS (Alternate Data Streams).

The NTFS file system, used by Microsoft, has a feature that is undocumented and unknown to many developers and administrators.

This feature is called Alternate Data Streams and allows data such as text, graphics or executable code to be stored in hidden files. These hidden files are attached to a normal, visible file.

The main use of these streams was to support the Macintosh Hierarchical File System (HFS) and so allow a Windows NT system to act as a file server for Macintosh clients.

These streams can be of any type: not just text, but also images and even executables. A stream is written by concatenating the file name and the stream name, separated by a colon. In the example below, when the file "Autoruns.exe" is launched, it is the program "Notepad.exe" that is executed:


Alternate Data Streams present a security risk: because they are completely hidden, they offer a means of abuse for Trojans and for denial-of-service (DDoS) attacks.

ZHPDiag searches for some Alternate Data Streams. The search focuses mainly on files that are launched at startup, for example those from the following modules:

O4- Applications started automatically by the registry,
O23- Services that are started automatically,
O38- Scheduled tasks started automatically,
O108- Context menu shortcut keys.

The search for ADS also extends to certain user folders, for example the Downloads folder and the Windows desktop.

Preview in the report:

—\\ Additional scan (3) – 1s
ADS now [:Zone123.PNG] – C:\Users\Coolman\Desktop\SFT.exe:Zone123.PNG =>.SUP. FileADS
ADS Now [:trash111.exe] – C:\Users\Coolman\Downloads\Autoruns\Autoruns.exe:trash111.exe =>.SUP. FileADS
ADS Now [:1ut2ml3x14tuuug1Hyamue2s4c] – C:\Users\Coolman\Card One 12203.jpeg:1ut2ml3x14tuuug1Hyamue2s4c =>.SUP. FileADS
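
The file:stream notation described above, as an added example (not part of the original page and not ZHPDiag code): a small Python parser that splits such a reference into file path, stream name and stream type, then sorts the stream name into coarse triage buckets. The sample references are constructed from the report preview with path separators restored; the extension list, the bucket names and the function names are assumptions.

```python
import ntpath

# Assumed triage lists for this example; extend them for your environment.
SUSPECT_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
KNOWN_STREAMS = {"zone.identifier"}  # written by Windows on downloaded files


def split_ads(ref):
    """Split 'path:stream[:$TYPE]' into (path, stream, stream_type).

    stream is None when the reference names only the default (unnamed) stream.
    """
    # ntpath.split keeps the drive-letter colon ("C:") in the head, so only
    # colons in the last path component can be stream separators.
    leaf = ntpath.split(ref)[1]
    parts = leaf.split(":")
    if len(parts) > 3:
        raise ValueError(f"not a valid stream reference: {ref!r}")
    path = ref[: len(ref) - len(leaf)] + parts[0]
    stream = parts[1] if len(parts) > 1 and parts[1] else None
    stream_type = parts[2] if len(parts) == 3 else "$DATA"
    return path, stream, stream_type


def triage(ref):
    """Return a coarse bucket for the stream named in ref."""
    _, stream, _ = split_ads(ref)
    if stream is None:
        return "no-ads"
    if stream.lower() in KNOWN_STREAMS:
        return "known"
    if ntpath.splitext(stream)[1].lower() in SUSPECT_EXT:
        return "executable-name"
    return "unknown"


# Constructed sample references (not real scan output).
SAMPLES = [
    r"C:\Users\Coolman\Desktop\SFT.exe:Zone123.PNG",
    r"C:\Users\Coolman\Downloads\Autoruns\Autoruns.exe:trash111.exe",
    r"C:\Users\Coolman\Downloads\setup.exe:Zone.Identifier:$DATA",
    r"C:\Users\Coolman\Desktop\notes.txt",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        path, stream, _ = split_ads(ref)
        print(f"{triage(ref):16} {path} -> {stream}")
```

A stream name that looks like an executable is only a reason to inspect the stream's content; the name alone proves nothing about what it holds.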