Announcement

Collapse
No announcement yet.

Intro to Alternate Data Streams (virtually invisible files)

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Intro to Alternate Data Streams (virtually invisible files)

    NTFS Alternate Data Streams (ADS, first introduced in WinNT 3.1, and available on WinNT4 and Win2K) is a little known and mostly undocumented NTFS feature that provides a means of modifying file data without actually changing the original image of the file - that is, you can save multiple images of the one file, using just the one filename. In effect it is almost like hiding multiple files behind one parent file.

    The following demo creates three files, although only one is actually visible (even using command prompt "dir" listing). The first file created is the actual parent file, called "stream.txt" in this demo. This is the visible file. The two other files that get created with it are ADS files, and as such they are - for all intensive purposes - completely invisible, even though they hold unique data. Even anti-virus scanners don't (yet) scan in this area (although ones that scan files on disk-writes should detect them).

    How do you create an ADS stream file? Easy - just open it with ":StreamIdentifier" appended to the end of the parent filename (where "StreamIdentifier" can be any unique alphanumeric string). If you open an ADS file that doesn't have a parent, the parent will be created as a 0-byte file.

    Please don't abuse this. It is a fantastic feature to use for protecting your own programs and data files - for example, it makes it very hard for a trojan to corrupt your program files if the files are ADS files, as unless it knows the specific parent filename _AND_ StreamIdentifier the trojan won't be able to find your files. Also, it's kind of cute to look in your program directory and only see the exe and no other files! Another great use of ADS files is multiple backups! You could even write your own file-protection system such as the one used by Win2K - if a file is changed, you just go back to a previous ADS stream and restore that image. It's just too good to abuse! (but also too easy )

    Enjoy!


    Code:
    '[b]ADS_STREAMS.BAS[/b] - NTFS Alternate Data Streams demo, by Wayne Diamond
'Requires NT3.51, NT4, Win2K or higher.
 
#COMPILE EXE "streams.exe"
 
$STREAMDIR = "C:\Streams"
  
FUNCTION PBMAIN() AS LONG
ON ERROR RESUME NEXT
DIM TempStr AS STRING * 6
'// Create and change directory to $STREAMDIR
 MKDIR $STREAMDIR
 CHDRIVE LEFT$($STREAMDIR,1)
 CHDIR "\"
 CHDIR RIGHT$($STREAMDIR, LEN($STREAMDIR) - 2)
 
 '// Create the PARENT file
 TempStr = "Parent"
 OPEN $STREAMDIR & "\stream.txt" FOR BINARY ACCESS WRITE LOCK SHARED AS #1
  PUT #1, 1, TempStr
 CLOSE #1
 
 '// Create first STREAM file 'under' the parent file
 TempStr = "File 1"
 OPEN $STREAMDIR & "\stream.txt:s1" FOR BINARY ACCESS WRITE LOCK SHARED AS #1
  PUT #1, 1, TempStr
 CLOSE #1
 
 '// Create second stream file
 TempStr = "File 2"
 OPEN $STREAMDIR & "\stream.txt:s2" FOR BINARY ACCESS WRITE LOCK SHARED AS #1
  PUT #1, 1, TempStr
 CLOSE #1
 
 '// Now READ the data from our 3 files (note that only 1 of these files is visible in directory listings)
 OPEN $STREAMDIR & "\stream.txt" FOR BINARY ACCESS READ LOCK SHARED AS #1
  GET #1, 1, TempStr
 CLOSE #1
 IF TempStr <> "Parent" THEN
    STDOUT "This machine does not support NTFS Alternate Data Streams!"
    EXIT FUNCTION
 END IF
 STDOUT "Data in parent file: " & TempStr
 
 OPEN $STREAMDIR & "\stream.txt:s1" FOR BINARY ACCESS READ LOCK SHARED AS #1
  GET #1, 1, TempStr
 CLOSE #1
 STDOUT "Data in 1st stream file: " & TempStr
 
 OPEN $STREAMDIR & "\stream.txt:s2" FOR BINARY ACCESS READ LOCK SHARED AS #1
  GET #1, 1, TempStr
 CLOSE #1
 STDOUT "Data in 2nd stream file: " & TempStr
 
 STDOUT "---"
 STDOUT "Press any key to delete all 3 files ... ";
 WAITKEY$
 KILL $STREAMDIR & "\stream.txt"
 'As this is just a demo and we don't want to leave behind any rubbish, we'll tidy up after ourselves..
 'As the ADS files are invisible they can't really be deleted any other way
 KILL $STREAMDIR & "\stream.txt:s1"
 KILL $STREAMDIR & "\stream.txt:s2"
END FUNCTION

    [This message has been edited by Wayne Diamond (edited April 16, 2001).]
    -
    Tags: None
  • #2
    Here is a simple demo that basically returns a yes or no as to whether or not NTFS Alternate Data Streaming is supported by your system

    Code:
    #COMPILE EXE "ads-test.exe"
 
$ADS_STREAM_FILE = "c:\autoexec.bat:ADSTest"   'uses c:\autoexec.bat, as that is likely to exist
 
FUNCTION PBMAIN() AS LONG
ON ERROR RESUME NEXT
DIM strTemp AS STRING
 OPEN $ADS_STREAM_FILE FOR OUTPUT AS #1
  PRINT #1, "ADS"
 CLOSE #1
 OPEN $ADS_STREAM_FILE FOR INPUT AS #1
  LINE INPUT #1, strTemp
 CLOSE #1
 KILL $ADS_STREAM_FILE
 IF LEFT$(strTemp,3) = "ADS" THEN
    STDOUT "YES! NTFS Alternate Data Streams is working"
 ELSE
    STDOUT "Nope - NTFS Alternate Data Streams is not supported by this machine"
 END IF
END FUNCTION

    ------------------
    -

    Comment

    • #3
      I get "Nope" on my NT4, 2000, and 98 test systems.

      [Added later]

      Oops never mind... all of those systems use FAT, not NTFS.

      -- Eric

      ------------------
      Perfect Sync Development Tools
      Perfect Sync Web Site
      Contact Us: mailto:[email protected][email protected]</A>

      [This message has been edited by Eric Pearson (edited April 16, 2001).]
      "Not my circus, not my monkeys."

      Comment

      • #4
        Kevin,
        Yep it's for NTFS only sorry It works on my NT4 workstation, NT4 server, NT4 SBS server, and Win2K workstation -- not the Win98 box though, so naturally if youre going to use ADS streams to hide your data, make sure you initiate a quick test to make sure you can read/write from a stream file first - if you cant, then proceed as you normally would, otherwise just point at the streamed images instead

        Cheers,
        Wayne


        [This message has been edited by Wayne Diamond (edited April 16, 2001).]
        -

        Comment

        • #5
          Last example - putting it to more practical use. Most programs have supporting datafiles - such as configuration files, database files etc, so although you have a standalone program, after running it you may have a config file or two so that your settings are remembered.

          This demo uses ADS streams to hide its config files -- and cheekily uses its own executable as the parent file, so no other files need to be created
          If it fails to open the ADS stream file, it will revert to using the normal filenames, so it is FAT and NTFS (and OS) friendly, even though it will only hide its config files on NTFS.

          The crux of it is this:
          Code:
           '---
   OPEN ExeName & ":" & $CONFIGFILE FOR OUTPUT AS #1   'Try to open ADS stream file
   IF ERR <> 0 THEN OPEN $CONFIGFILE FOR OUTPUT AS #1  'If it failed, simply use normal filename instead - too easy!
 '---
          Code:
          #COMPILE EXE "adsprog.exe"
#INCLUDE "win32api.inc"
 
FUNCTION ExeName() AS STRING
ON ERROR RESUME NEXT
  LOCAL hModule AS LONG
  LOCAL buffer  AS ASCIIZ * 256
  hModule = GetModuleHandle(BYVAL 0&)
  GetModuleFileName hModule, Buffer, 256
  FUNCTION = Buffer
END FUNCTION
  
$CONFIGFILE1 = "file1.cfg"
$CONFIGFILE2 = "file2.cfg"
   
FUNCTION PBMAIN() AS LONG
  ON ERROR RESUME NEXT
  '// Dummy Config file #1
  OPEN ExeName & ":" & $CONFIGFILE1 FOR OUTPUT AS #1    'Try ADS stream file
  IF ERR <> 0 THEN
     STDOUT "Wrote to normal file " & $CONFIGFILE1
     OPEN $CONFIGFILE1 FOR OUTPUT AS #1   'If failed, use normal file
  ELSE
     STDOUT "Wrote to ADS stream " & ExeName & ":" & $CONFIGFILE1
  END IF
  CLOSE #1
    
  '// Dummy Config file #2
  OPEN ExeName & ":" & $CONFIGFILE2 FOR OUTPUT AS #1
  IF ERR <> 0 THEN
     STDOUT "Wrote to normal file " & $CONFIGFILE2
     OPEN $CONFIGFILE2 FOR OUTPUT AS #1   'If failed, use normal file
  ELSE
     STDOUT "Wrote to ADS stream " & ExeName & ":" & $CONFIGFILE2
  END IF
  CLOSE #1
END FUNCTION

          [This message has been edited by Wayne Diamond (edited April 16, 2001).]
          -

          Comment

          • #6
            Wow! very nifty posibilities. I just made an ADS file and copied it to another drive and it even worked there. Where can I read up more on this little gem?

            ------------------
            Cheers!

            Comment

            • #7
              One thing I just found is that kill on an ADS file files with error 75. So how do you delete an ADS file from a normal parent file then. Also, how would you get a directory listing of ADS files attached to a parent file?

              ------------------
              Cheers!

              Comment

              • #8
                Mark,

                Use www.google.com, and just do such searches as "NTFS streams" (with speechmarks).

                Thanks for your sharp observation on the err75 when killing stream files.
                There are some special attributes to be aware of with streams:
                - You CANT use DIR$() to detect a stream file
                - You CANT use KILL() to kill a stream file, you must kill it's parent.
                - You CAN use FILECOPY() to copy a stream file to either a normal file, or another stream
                - Killing a parent automatically kills all stream files under that parent.
                - Renaming a parent automatically 'renames' all child stream files under that.
                - The only known way to enumerate streams under a file is by using BackupRead() with SeBackupPrivilege enabled (needless to say, you must be logged in as Admin)

                Here's another demo which demonstrates copying and deleting streams.
                1. It creates a parent file "stream1.txt", with a stream under it - "stream1.txt:Stream".
                2. It then does a simply, standard call to FILECOPY "stream1.txt", "stream2.txt" -- doing this automatically copies the streams of stream1.txt over to stream2.txt, so after this call we have four files:
                stream1.txt, stream1.txt:Stream, stream2.txt, stream2.txt:Stream
                3. It then calls KILL "stream1.txt", which automatically kills stream1.txt and all of it's child streams (which is just "stream1.txt:Stream" in this case)
                4. It then reads from "stream2.txt:Stream" and displays that data

                Code:
                #COMPILE EXE
#INCLUDE "win32api.inc"
 
$PARENTFILE = "stream1.txt"
 
FUNCTION PBMAIN() AS LONG
  ON ERROR RESUME NEXT
  DIM TempStr AS STRING
  'Create a parent, and a stream under it
  OPEN $PARENTFILE  FOR OUTPUT AS #1
   PRINT #1, "PARENT - Im the parent - kill me and you'll take my children with me!"
  CLOSE #1
  OPEN $PARENTFILE & ":Stream" FOR OUTPUT AS #1
   PRINT #1, "CHILD - Im the stream - you cant kill me, youll have to kill my parent!"
  CLOSE #1
   
  'Now copy the parent file - stream1.txt, to stream2.txt.  Note how its stream(s) are copied across with it, so "stream1.txt:Stream" is copied automatically as "stream2.txt:Stream"
  FILECOPY $PARENTFILE, "stream2.txt"
  
  'Now kill the original. By doing this, we're also killing "stream1.txt:Stream"
  KILL $PARENTFILE

  'But because we copied the parent across first, we can still access our newly-copied stream!
  OPEN "stream2.txt:Stream" FOR INPUT AS #1
   LINE INPUT #1, TempStr
   STDOUT "TempStr=" & TempStr
  CLOSE #1
   
  STDOUT "Press any key to clean up..."
  WAITKEY$
  'Wait for user to press a key (allows them to inspect the directory for changes etc).
  'Then the two parent files (which automatically kills their child streams)
  KILL $PARENTFILE
  KILL "stream2.txt"
END FUNCTION

                ------------------
                -

                Comment

                • #9
                  This is possibly the only C++ source of enumerating child streams out of a file.
                  It seems fairly simple, and every declaration required is already in win32api.inc, but its too C++ish for me to port -- if anyone is able to port this to PB, I would be forever grateful!

                  Code:
                  #include <windows.h>
#include <stdio.h>
#pragma hdrstop
#define err doerr( __FILE__, __LINE__ )
 
void doerr( const char *file, int line )
{
	DWORD e;
	e = GetLastError();
	if ( e == 0 )
		return;
	printf( "%s(%d): gle = %lu\n", file, line, e );
	exit( 2 );
}
 
void enableprivs()
{
	HANDLE hToken;
	byte buf[sizeof TOKEN_PRIVILEGES * 2];
	TOKEN_PRIVILEGES & tkp = *( (TOKEN_PRIVILEGES *) buf );

	if ( ! OpenProcessToken( GetCurrentProcess(),
		TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
		err;

	// enable SeBackupPrivilege, SeRestorePrivilege

	if ( !LookupPrivilegeValue( NULL, SE_BACKUP_NAME, &tkp.Privileges[0].Luid ) )
		err;
	if ( !LookupPrivilegeValue( NULL, SE_RESTORE_NAME, &tkp.Privileges[1].Luid ) )
		err;
	tkp.PrivilegeCount = 2;
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	tkp.Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
	AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp,
		NULL, NULL );
}
 
void dumphdr( WIN32_STREAM_ID & wsi )
{
	const char *p;
	printf( "\nstream [%lu] \"%S\":\n", wsi.dwStreamNameSize,
		wsi.dwStreamNameSize? wsi.cStreamName: L"" );
	switch ( wsi.dwStreamId )
	{
	case BACKUP_DATA:
		p = "data";
		break;
	case BACKUP_EA_DATA:
		p = "extended attributes";
		break;
	case BACKUP_SECURITY_DATA:
		p = "security";
		break;
	case BACKUP_ALTERNATE_DATA:
		p = "other streams";
		break;
	case BACKUP_LINK:
		p = "link";
		break;
	default:
		p = "unknown";
		break;
	}
	printf( "  type: %s\n", p );
	printf( "  size: %I64d\n", wsi.Size.QuadPart );
}
 
int main( int argc, char *argv[] )
{
	HANDLE fh;
	if ( argc != 2 )
	{
		printf( "usage: dump_ntfs_streams {file}\n" );
		return 1;
	}
	// SeBackupPrivilege is not necessary to enumerate streams --
	// but it helps if you are an admin/backup-operator and need
	// to scan files to which you have no permissions
	enableprivs();
	fh = CreateFile( argv[1], GENERIC_READ, 0, NULL, OPEN_EXISTING,
		FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_POSIX_SEMANTICS, NULL );
	if ( fh == INVALID_HANDLE_VALUE &#0124; &#0124; fh == NULL )
		err;
	byte buf[4096];
	DWORD numread, numtoskip;
	void *ctx = NULL;
	WIN32_STREAM_ID & wsi = *( (WIN32_STREAM_ID *) buf );
	numtoskip = 0;
	while ( 1 )
	{
		// we are at the start of a stream header. read it.
		if ( ! BackupRead( fh, buf, 20, &numread, FALSE, TRUE, &ctx ) )
			err;
		if ( numread == 0 )
			break;
		if ( wsi.dwStreamNameSize > 0 )
		{
			if ( ! BackupRead( fh, buf + 20, wsi.dwStreamNameSize, &numread, FALSE, TRUE, &ctx ) )
				err;
			if ( numread != wsi.dwStreamNameSize )
				break;
		}
		dumphdr( wsi );
		// skip stream data
		if ( wsi.Size.QuadPart > 0 )
		{
			DWORD lo, hi;
			BackupSeek( fh, 0xffffffffL, 0x7fffffffL, &lo, &hi, &ctx );
		}
	}
	// make NT release the context
	BackupRead( fh, buf, 0, &numread, TRUE, FALSE, &ctx );
	CloseHandle( fh );
	return 0;
}

                  ------------------
                  -

                  Comment

                  • #10
                    [UPDATED 05-Jul-2001 - Added CloseHandle on the handle return from OpenProcessToken]
                    [UPDATED 20-Apr-2001 - For stream directories]
                    Here's the PB translation (made it close to the original C program)

                    Code:
                    #INCLUDE "win32api.inc"
 
TYPE T_TOKEN_PRIVILEGES
  PrivilegeCount AS DWORD
  Privileges AS BYTE PTR ' array size may vary
END TYPE
 
#IF NOT %DEF(%TOKEN_ADJUST_PRIVILEGES)
%TOKEN_ADJUST_PRIVILEGES = &H0020
#ENDIF
 
#IF NOT %DEF(%TOKEN_QUERY)
%TOKEN_QUERY = &H0008
#ENDIF
 
FUNCTION strFromUnicode( BYVAL dwConvert AS DWORD ) AS STRING
  LOCAL lLength AS LONG
  LOCAL sBuffer AS STRING
 
  lLength = lstrlenW( BYVAL dwConvert )
  sBuffer = SPACE$( lLength )
 
  CALL WideCharToMultiByte ( 0, _
                      %NULL, _
                      BYVAL dwConvert, _
                      lLength, _
                      BYVAL STRPTR(sBuffer), _
                      LEN(sBuffer), _
                      BYVAL %NULL, _
                      BYVAL %NULL )
 
  FUNCTION = sBuffer
 
END FUNCTION
 
FUNCTION enableprivs() AS LONG
    LOCAL hToken AS LONG
    LOCAL tToken AS T_TOKEN_PRIVILEGES
 
    tToken.Privileges = HeapAlloc( GetProcessHeap(), %HEAP_ZERO_MEMORY, LEN(LUID_AND_ATTRIBUTES) * 2)
    IF tToken.Privileges = %NULL THEN
        FUNCTION = %NULL
        EXIT FUNCTION
    END IF
 
    DIM tLuid(0:1) AS LUID_AND_ATTRIBUTES AT tToken.Privileges
 
    IF ISFALSE( OpenProcessToken( GetCurrentProcess(), _
                                    %TOKEN_ADJUST_PRIVILEGES OR %TOKEN_QUERY, _
                                    hToken ) )  THEN
        FUNCTION = %FALSE
        GOTO Clean_Up
    END IF
 
    ' enable SeBackupPrivilege, SeRestorePrivilege
    IF ISFALSE( LookUpPrivilegeValue( BYVAL %NULL, $SE_BACKUP_NAME, BYVAL VARPTR(tLuid(0)) ) ) THEN
        FUNCTION = %FALSE
        GOTO Clean_Up
    END IF
 
    IF ISFALSE( LookUpPrivilegeValue( BYVAL %NULL, $SE_RESTORE_NAME, BYVAL VARPTR(tLuid(1)) ) ) THEN
        FUNCTION = %FALSE
        GOTO Clean_Up
    END IF
 
    tToken.PrivilegeCount = 2
    tLuid(0).Attributes = %SE_PRIVILEGE_ENABLED
    tLuid(1).Attributes = %SE_PRIVILEGE_ENABLED
 
    FUNCTION = AdjustTokenPrivileges( hToken, %FALSE, BYVAL VARPTR(tToken), 4 + (LEN(LUID_AND_ATTRIBUTES) * 2), _
                                        BYVAL %NULL, BYVAL %NULL )
Clean_Up:
    CALL HeapFree( GetProcessHeap(), 0, BYVAL tToken.Privileges )
    IF hToken THEN
        CALL CloseHandle( hToken )
    END IF   
 
END FUNCTION
 
SUB dumphdr( BYREF wsi AS WIN32_STREAM_ID )
    LOCAL p AS STRING
    LOCAL quadpart AS QUAD PTR
 
    STDOUT $CRLF + "stream " + FORMAT$(wsi.dwStreamNameSize) + ": ";
    IF wsi.dwStreamNameSize THEN
        STDOUT "'" + strFromUnicode( VARPTR(wsi.cStreamName) ) + "'"
    ELSE
        STDOUT "''"
    END IF
 
    SELECT CASE wsi.dwStreamId
        CASE %BACKUP_DATA
            p = "data"
        CASE %BACKUP_EA_DATA
            p = "extended attributes"
        CASE %BACKUP_SECURITY_DATA
            p = "security"
        CASE %BACKUP_ALTERNATE_DATA
            p = "other streams"
        CASE %BACKUP_LINK
            p = "link"
        CASE ELSE
            p = "unknown"
    END SELECT
 
    STDOUT "   type: " + p
    quadpart = VARPTR(wsi.qSize)
    STDOUT "   size: " + FORMAT$(@quadpart)
 
END SUB
  
FUNCTION GetCommandPath( szCmdPath AS ASCIIZ, szFileName AS ASCIIZ ) AS LONG
    'returns Directory in szCmdPath and strips Filename to szFileName
    LOCAL lPosDir AS LONG
 
    lPosDir = INSTR(-1, szCmdPath, "\")
    IF lPosDir = 0 THEN FUNCTION = %FALSE: szFileName = szCmdPath: EXIT FUNCTION
 
    szFileName = MID$( szCmdPath, lPosDir+1 )
    szCmdPath = MID$( szCmdPath, 1, lPosDir )
    IF LEN(szFileName) = 0 THEN
        szFileName = szCmdPath
    END IF
 
    FUNCTION = %TRUE
END FUNCTION
   
FUNCTION PBMAIN() AS LONG
    LOCAL fh AS LONG
    LOCAL szCurdir AS ASCIIZ * %MAX_PATH
    LOCAL szCmdDir AS ASCIIZ * %MAX_PATH
    LOCAL szCmd AS ASCIIZ * %MAX_PATH
    LOCAL szFileName AS ASCIIZ * %MAX_PATH
 
    szCmd = COMMAND$
    szCurDir = CURDIR$
 
    IF LEN(szCmd) = 0 THEN
        STDOUT "usage: enum_streams <filename>"
        EXIT FUNCTION
    END IF
 
    IF GetCommandPath( szCmd, szFileName ) THEN
        CHDIR szCmd
    END IF
    ' SeBackupPrivilege is not necessary to enumerate streams --
    ' but it helps if you are an admin/backup-operator AND need
    ' to scan files to which you have no permissions
    IF enableprivs() THEN
        LOCAL llast AS LONG
         
        'dont see any need for %FILE_FLAG_POSIX_SEMANTICS
        fh = CreateFile( szFileName, %GENERIC_READ, 0, BYVAL %NULL, %OPEN_EXISTING, _
                            %FILE_FLAG_BACKUP_SEMANTICS, %NULL )
        IF fh = %INVALID_HANDLE_VALUE THEN
            STDOUT "Could not open file: " + szFileName
            EXIT FUNCTION
        END IF
 
        DIM buf(4096) AS BYTE
        LOCAL numread AS LONG, numtoskip AS LONG
        LOCAL wsi AS WIN32_STREAM_ID PTR
 
        wsi = VARPTR(buf(0))
        LOCAL ctx AS LONG
 
        DO
            'we are at the start of a stream header - read it
            IF ISFALSE( BackUpRead( fh, BYVAL VARPTR(buf(0)), 20, numread, %FALSE, %TRUE, ctx ) ) THEN
                STDOUT "Error reading file!"
                CALL CloseHandle( fh )
                GOTO Clean_Up
            END IF
 
            IF numread = 0 THEN EXIT DO
 
            IF @wsi.dwStreamNameSize > 0 THEN
                IF ISFALSE( BackUpRead( fh, BYVAL VARPTR(buf(0)) + 20, @wsi.dwStreamNameSize, numread, %FALSE, %TRUE, ctx ) ) THEN
                    CALL CloseHandle( fh )
                    STDOUT "Error reading file!"
                    GOTO Clean_Up
                END IF
                IF numread <> @wsi.dwStreamNameSize THEN EXIT DO
            END IF
 
            CALL dumphdr( @wsi )
            'skip stream data
            LOCAL quadpart AS QUAD PTR
            quadpart = VARPTR(@wsi.qSize)
            IF @quadpart > 0 THEN
                LOCAL lo AS LONG, hi AS LONG
                CALL BackUpSeek( fh, &Hffffffff&, &H7fffffff&, lo, hi, ctx )
            END IF
        LOOP
 
        'make NT release the context
        CALL BackUpRead( fh, BYVAL VARPTR(buf(0)), 0, numread, %TRUE, %FALSE, ctx)
 
        CALL CloseHandle( fh )
         
    ELSE
        STDOUT "Could not enable SE_BACKUP_NAME and SE_RESTORE_NAME privileges"
    END IF
 
Clean_Up:
    'restore Current dir
    CHDIR szCurDir
END FUNCTION


                    [This message has been edited by Florent Heyworth (edited July 05, 2001).]

                    Comment

                    • #11
                      !!!!!!!!!!!!!!!!!!!!!!!! FLORENT!!! You are the man! -- I am forever in your debt (although I think I was before anyway )
                      Im absolutely lost for words -- I'll come back here and edit this post in a few hours after a few drinks. Ive been wanting to do this in PB for sooo long but even simple C++ is beyond me - your superb PB port compiled perfectly and ran beauuuutifully, identifying the streams I had set <im so stoked>
                      Happy Easter again!!


                      ------------------
                      -

                      Comment

                      • #12
                        Florent, I've been playing around with your ported source for the last couple of days now and I must say it truly is a beautiful thing! I have one last question... here's another kinky side of ADS - not only can you link NTFS ADS streams to files, but you can also actually link them to Directories. The interesting thing with this is that because you can't delete a stream without deleting the parent that it's linked to, if you link your stream to C:\ it is virtually impossible to 'delete' your stream without taking out all of C:\ ! (in theory anyway). Imagine if a trojan/virus started filling up an ADS stream that was linked to C:\ ? Im not sure what would happen, but because Explorer etc don't reflect disk availability size change from streams, I think it could be quite nasty... :-/

                        Example: from Windows, go Start | Run: notepad C:\:mystream
                        Because Notepad is ADS-friendly you can do that, and you can read/write from that ADS stream with ease. A good place to store passwords perhaps

                        My question - your source works amazingly well for ADS streams linked to FILES, but not for directories... any idea why? I'm thinking it may be something to do with the CreateFile call?
                        Anyway Florent I hope you find some time off to enjoy the weekend!

                        Best regards,
                        Wayne



                        ------------------
                        -

                        Comment

                        • #13
                          Hi Wayne

                          the reason is that the GetCommandPath function assumed it'd work
                          with files and not directories. I've made a small change to
                          the GetCommandPath function in the code - you'll need to copy
                          it again.

                          The code should handle directories as well. Simply call the
                          program with a string argument for a directory omitting the
                          last slash as in enum.exe c:\streams NOT enum.exe c:\streams\

                          Yes the GetCommandPath is simplistic - feel free to substitute
                          a more clever one .

                          Cheers

                          Florent

                          ------------------

                          Comment

                          Previous template Next
                          Working...
                          X

                          We process personal data about users of our site, through the use of cookies and other technologies, to deliver our services, and to analyze site activity. For additional details, refer to our Privacy Policy.

                          By clicking "I AGREE" below, you agree to our Privacy Policy and our personal data processing and cookie practices as described therein. You also acknowledge that this forum may be hosted outside your country and you consent to the collection, storage, and processing of your data in the country where this forum is hosted.

                          I Agree