
ADS (Alternate Data Streams).

The NTFS file system used by Microsoft Windows has a feature that is poorly documented and unknown to many developers and administrators.

This feature is called Alternate Data Streams. It allows data such as text, graphics or executable code to be stored in hidden streams that are attached to a normal, visible file.

The original purpose of these streams was to support the Macintosh Hierarchical File System (HFS), so that a Windows NT system could act as a file server for Macintosh clients.

These ADS streams can hold any type of content: not just text, but also images and even executables. A stream is named by appending a colon and the stream name to the name of the file it is attached to. In the example below, when the file “autoruns.exe” is launched, it is the program “notepad.exe” that will be executed:

C:\Users\Coolman\Downloads\Autoruns\Autoruns.exe:notepad.exe

Alternate Data Streams present a security risk: because they are completely hidden, they can be hijacked by Trojan horses and by DDoS (denial of service) attack tools.

ZHPDiag searches for certain ADS (Alternate Data Streams). The search mainly covers files that are launched at startup, such as those reported by the following modules:

O4 – Applications started automatically by the registry,
O23 – Services started automatically,
O38 – Scheduled tasks started automatically,
O108 – Context menu shortcut keys.

The search for certain ADS streams also extends to certain user folders, such as the Downloads folder and the Windows Desktop.
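The following PowerShell script is an added example and is not ZHPDiag's own code. It illustrates both points above: the "file:stream" naming of an ADS, and a scan of the locations the text mentions (the user's Desktop and Downloads folders, plus the executables referenced by the HKCU and HKLM Run keys, which correspond to the "applications started automatically by the registry" case). The services, scheduled-task and context-menu locations are not covered here. The folder and registry paths are standard Windows locations; the function name and output columns are my own.

```powershell
# Added example (not ZHPDiag code): list alternate data streams on files in
# the user's Desktop and Downloads folders and on the targets of the Run keys.
# Every stream other than ':$DATA' (the file's normal content) is an ADS.

function Get-AdsReport {
    param(
        [string[]]$Paths = @(
            (Join-Path $env:USERPROFILE 'Desktop'),
            (Join-Path $env:USERPROFILE 'Downloads')
        )
    )

    # Autostart entries held in the registry (Run keys).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    $targets = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($name in $props.PSObject.Properties.Name) {
                if ($name -notin $providerProps) {
                    # Recover the executable path: quoted path, or first token.
                    $value = [string]$props.$name
                    if ($value -match '^"([^"]+)"') { $Matches[1] }
                    elseif ($value -match '^(\S+)') { $Matches[1] }
                }
            }
        }
    }

    $files = @()
    foreach ($p in $Paths) {
        if (Test-Path $p) {
            $files += Get-ChildItem -Path $p -File -Recurse -ErrorAction SilentlyContinue
        }
    }
    foreach ($t in $targets) {
        if (Test-Path -LiteralPath $t -PathType Leaf) { $files += Get-Item -LiteralPath $t }
    }

    foreach ($f in ($files | Sort-Object FullName -Unique)) {
        Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                # Read the first two bytes of the stream through its
                # "file:stream" name; an 'MZ' header means an executable
                # image is hidden in the stream.
                $looksPE = $false
                try {
                    $fs = [System.IO.File]::Open("$($f.FullName):$($_.Stream)", 'Open', 'Read', 'ReadWrite')
                    try {
                        $buf = New-Object byte[] 2
                        if ($fs.Read($buf, 0, 2) -eq 2) {
                            $looksPE = ($buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
                        }
                    } finally { $fs.Dispose() }
                } catch { }

                [pscustomobject]@{
                    File     = $f.FullName
                    Stream   = $_.Stream
                    Length   = $_.Length
                    # Zone.Identifier is the expected Mark-of-the-Web stream
                    # written by browsers; any other stream deserves a look.
                    Expected = ($_.Stream -eq 'Zone.Identifier')
                    LooksPE  = $looksPE
                }
            }
    }
}

Get-AdsReport | Format-Table -AutoSize
```

Run it from a normal user session; reading HKLM's Run key does not need elevation, but files under other users' profiles will be skipped. Streams named like "Zone.Identifier" but spelled differently (such as the ":Zone123.png" entry in the report preview below) show up with Expected = False, which is the kind of lookalike worth examining.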

Preview in the report

—\\ Additional Scan (3) – 1s
ADS Present [:Zone123.png] – C:\Users\Coolman\Desktop\SFT.exe:Zone123.png =>.SUP.FileADS
ADS present [:trash111.exe] – C:\Users\Coolman\Downloads\Autoruns\Autoruns.exe:trash111.exe =>.SUP.FileADS
ADS present [:1ut2ml3x14tuuug1Hyamue2s4c] – C:\Users\Coolman\Card One 12203.jpeg:1ut2ml3x14tuuug1Hyamue2s4c  =>.SUP.FileADS
