Monday, November 26, 2007

Covert Channels: NTFS Alternate Data Streams

Alternate Data Streams (ADS) are an NTFS feature introduced with the Windows NT operating system to provide compatibility with the Macintosh Hierarchical File System (HFS), which uses both data forks and resource forks to store content. The data fork holds the document content, while the resource fork identifies the file type and stores application metadata (icons, fonts, etc.), hard links and encryption information.

Alternate Data Streams provide additional descriptions for files or folders, such as author, thumbnail preview and keywords, and can be used to attach independent named data streams to a file or folder stored on an NTFS filesystem.

ADS are very poorly documented, and Windows ships with no default tool to spot such streams (before Vista/2008 added "dir /r"), hence their popularity as a covert channel.

Creating and reading an NTFS Alternate Data Stream using redirection and "more":

c:\streams>copy con foo.txt
This is the data stream.
1 file(s) copied.

c:\streams>type foo.txt
This is the data stream.

c:\streams>echo "This is the Alternate Data Stream" > foo.txt:bar.txt

c:\streams>type foo.txt
This is the data stream.

Only a handful of applications are ADS aware. "TYPE" is not, as we can see:

c:\streams>type foo.txt:bar.txt
The filename, directory name, or volume label syntax is incorrect.

But more is ADS aware:

c:\streams>more < foo.txt:bar.txt
"This is the Alternate Data Stream"

Now the covert channel. The file baz.txt is empty (0 bytes), as dir shows:

11/26/2007 10:36 AM 0 baz.txt
11/26/2007 10:21 AM 26 foo.txt

c:\streams>type c:\Windows\winhelp.exe > baz.txt:winhelp.exe

11/26/2007 10:48 AM 0 baz.txt
11/26/2007 10:21 AM 26 foo.txt
2 File(s) 26 bytes
2 Dir(s) 5,525,233,664 bytes free

So, how do we spot such covert channels? We can use the Sysinternals "streams" command. With the -s flag it recurses through subdirectories and identifies Alternate Data Streams (the -d flag deletes them). Since Windows doesn't come with any tool to identify ADS by default, and this NTFS feature is very poorly documented, they are hard to spot without already knowing they're there.

c:\streams>streams -s c:\streams

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals -

:winhelp.exe:$DATA 256192
:bar.txt:$DATA 38

In some versions of Windows we can also execute an executable stored in an alternate data stream using the "start" command, and it shows up in tasklist / Task Manager under the name of the host file (the regular stream). That way malware can hide inside regular Windows programs such as notepad.exe.

In Windows Vista Microsoft added the "/r" flag to "dir", so we can easily spot ADS:

c:\streams>dir /r
11/26/2007 10:48 AM 0 baz.txt
256,192 baz.txt:winhelp.exe:$DATA
11/26/2007 10:21 AM 26 foo.txt
38 foo.txt:bar.txt:$DATA

We can also create and use ADS from our own applications, with code like this (opens, or creates, the stream named "alternatestream" attached to "datafile"):

HANDLE hStream = CreateFile("datafile:alternatestream", GENERIC_WRITE, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, 0, NULL);

Here's something fun: using an alternate data stream on a folder (say the C:\Windows directory) to write our "memories":

Note: Other filesystems such as Apple HFS, Solaris UFS (extended attributes), Solaris ZFS, Veritas VxFS and Novell NWFS also support filesystem forks, and these pose a risk to the system: tools may not be aware of forks, backup applications can ignore them so data loss may occur, and, of course, they can be used as covert channels.

Note: MOW (ThePowerShellGuy) has a great article on accessing Alternate Data Streams from PowerShell:

PowerShell : Accessing alternative data-streams of files on an NTFS volume
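A PowerShell sweep along the lines of "streams -s" and "dir /r", as an added example (not from this post or MOW's article), assuming Windows PowerShell 3.0 or later and a starting directory of C:\streams:

```powershell
# Added example, not from the original post: enumerate alternate data streams under a
# directory with Windows PowerShell 3.0+ (-Stream parameter), the way "streams -s" and
# "dir /r" do, and flag streams that carry a PE ("MZ") header like baz.txt:winhelp.exe.
# C:\streams is an assumed starting directory; point it at the tree you want to inspect.
function Find-AlternateDataStream {
    param([string]$Path = 'C:\streams')

    # -Force includes hidden/system entries. Directories are passed through too, since a
    # folder can carry streams (older PowerShell versions may skip streams on folders).
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        # Get-Item -Stream * lists every stream; ':$DATA' (single-quoted, so no variable
        # expansion) is the regular unnamed stream every file has, so skip it.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_
            $note = ''
            if ($stream.Stream -eq 'Zone.Identifier') {
                # Mark-of-the-web stream written by browsers: common and benign.
                $note = 'mark-of-the-web'
            }
            elseif ($stream.Length -ge 2) {
                # Read the first two bytes of the stream; 0x4D 0x5A ("MZ") means an
                # executable image is stored in it. -Encoding Byte is Windows PowerShell
                # syntax (PowerShell 7 uses -AsByteStream instead).
                $head = Get-Content -LiteralPath $item.FullName -Stream $stream.Stream `
                                    -Encoding Byte -TotalCount 2
                if ($head[0] -eq 0x4D -and $head[1] -eq 0x5A) { $note = 'PE executable' }
            }
            [pscustomobject]@{
                File   = $item.FullName
                Stream = $stream.Stream
                Bytes  = $stream.Length
                Note   = $note
            }
        }
    }
}

# Usage: list every named stream under C:\streams, largest first.
Find-AlternateDataStream -Path 'C:\streams' | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

On the directory from this post the output would list baz.txt:winhelp.exe (256192 bytes, flagged as a PE executable) and foo.txt:bar.txt (38 bytes).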


Anonymous said...

Used them for a long time, not for hiding anything (they are plainly visible with the right tools, as you already said) but for putting application resources in them.