Wang Products

FAQ Article: Hiding files with ADS (Alternate Data Streams)

A relatively unknown compatibility feature of NTFS, Alternate Data Streams (ADS) provides hackers with a method of hiding rootkits, files, or hacker tools on a breached system and allows them to be executed without being detected by the system administrator.

ADS were introduced into the Windows NTFS file system starting in Windows NT 3.1 (if you use NT, XP, 2000, 2003 etc. with an NTFS-formatted hard drive, you will have ADS supported). Many applications use ADS to store file attributes and properties. For example, if you make a text document, right click it and go into its properties, you will see a summary page. This summary information is attached to the file via ADS.

Whilst ADS is useful for storing additional properties along with files - it can be used for so much more than that :) ADS is very appealing to anyone who would like to be able to "hide" files/data in Windows.

Think of ADS as hidden files that are attached to the visible ones. For example - say I create two files called "text1.txt" and "text2.txt". Using ADS I could hide text2.txt inside text1.txt without affecting the functionality of text1.txt or modifying the size of the file :) How awesome is that? :)

Hiding files using ADS is very easy to do and there is no need for extra programs/tools - all you need are common DOS commands like “type”. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another. For example:


type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe


If you do this from DOS or start menu "Run..." - the command above will "hide" a program called anyfile.exe inside the windows calculator program!

How do you extract the hidden ADS to run it? Again - this is very easy to do...you can even access the hidden ADS file without needing to "extract" it or do anything like that.

Using our example above, to run the hidden "anyfile.exe" all you would need to do (from DOS or start menu "Run...") is:


start c:\winnt\system32\calc.exe:anyfile.exe


Here is another example of how to hide a file called c:\hidden.txt inside a file called c:\normal.txt. Type this from DOS (or start menu "Run..."):


type c:\hidden.txt > c:\normal.txt:hidden.txt


When you want to view the hidden.txt file - all you need to do is:


notepad c:\normal.txt:hidden.txt


You can even edit the text and save it as normal - the ADS will be updated with the extra "hidden" text and the normal.txt file will remain unchanged!

ADS are not limited to files either! There are ways to add ADS to directories :) For example (from DOS):


cd c:\test
echo "this is some hidden data" > :hidden.txt


This command has now attached an ADS to the c:\test\ directory itself :)

So - how easy is it to detect when a file has been hidden inside another using ADS? Amazingly enough...ADS are almost impossible to detect using native file browsing techniques like command line or windows explorer! In the example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which is rarely noticed.

However, ADS is not undetectable - you just need the right tools to search your hard drive and find which files have ADS. Here are some tools you can use to detect ADS:



Try creating a file with an ADS, and then use the programs above to detect it - this is the best way to learn how they work.
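
A way to run the check described above with PowerShell's built-in Get-Item -Stream instead of a separate tool (an added example, not part of the original article; the function name Find-AlternateStream, the Zone.Identifier ignore list and the C:\test path are assumptions made for illustration):

```powershell
# Added example: report every named (alternate) data stream under a directory tree.
# Needs Windows, an NTFS volume, and PowerShell 3.0+ (Get-Item -Stream).
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Assumption: Zone.Identifier (the download marker Windows adds itself)
        # is treated as expected noise unless -IncludeIgnored is given.
        [string[]] $Ignore = @('Zone.Identifier'),
        [switch] $IncludeIgnored
    )

    # Streams attached to a directory (the "> :hidden.txt" case) can be read
    # with -Stream only from PowerShell 7.2 on; older versions scan files only.
    $v = $PSVersionTable.PSVersion
    $scanDirs = ($v.Major -gt 7) -or ($v.Major -eq 7 -and $v.Minor -ge 2)

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        if ($item.PSIsContainer -and -not $scanDirs) { continue }

        # ':$DATA' is the unnamed stream, i.e. the normal file content; skip it.
        Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Where-Object { $IncludeIgnored -or ($Ignore -notcontains $_.Stream) } |
            ForEach-Object {
                [pscustomobject]@{
                    HostPath     = $item.FullName
                    Stream       = $_.Stream
                    StreamBytes  = $_.Length
                    # What dir and Explorer show as "size": the unnamed stream only.
                    VisibleBytes = if ($item.PSIsContainer) { 0 } else { $item.Length }
                    LastWrite    = $item.LastWriteTime
                }
            }
    }
}

# Constructed usage: scan the directory used in the article's directory example.
Find-AlternateStream -Root 'C:\test' |
    Sort-Object StreamBytes -Descending |
    Format-Table -AutoSize
```

Each row names a host file or directory, the attached stream and its size; VisibleBytes stays at the size a normal listing reports, which is why the stream goes unnoticed there. On Windows Vista and later, `dir /r` at the command prompt also lists stream names for a single directory.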

As you can see, Alternate Data Streams are very cool and have a lot of potential - especially since the average PC user will have no clue how to detect them or access them.

Have fun...and behave!

Comments
Comment by krv - 17-05-2005

can u hide a .exe to a .jpg?



Comment by Wang - 17-05-2005

You should experiment and find the answer yourself! But yes, that should work just fine.



Comment by Dima - 18-05-2005

When you hide a file in another file, where does the disk space go?
I mean if I hide a 100KB file inside, let's say calc, where do these 100KB of data end up? Does the total harddrive space decrease by 100KB, or is there some file somewhere that grows by 100KB?




Comment by Wang - 18-05-2005

A very good question Dima - I actually do not know the answer to this. Does anyone else know?



Comment by David - 04-06-2005

The size doesn't change but the size on disk does. Check the properties of the file after you merge the two. The size on disk will increase proportionally to the size of the second file you merge.



Comment by Newime - 24-07-2005

I did, I hid a .exe file inside a .jpg file, but when the jpg file runs, the executable file doesn't. How can I make the .exe file run as the .jpg file does?
Thanks
Newime



Comment by Wang - 26-07-2005

Hi, you would do something similar to the example in the article:

start c:\mypicture.jpg:anyfile.exe

Along those lines.




Comment by Awais - 28-07-2005

this trick is not working on my pc, what am i missing? i converted fat32 to ntfs and did something similar to the example in the article:





Comment by Newime - 05-08-2005

Okay I can run that in DOS it will run the hide file normally =)
But isn't there a way to run the exe automatically (when running the .jpg), without typing that command? Like some sort of configuration or something.
I'm really looking forward to your answer Wang
Thank you very much,
Newime



Comment by Wang - 06-08-2005

Hi, unfortunately I do not believe it is possible to do what you want to do (i.e. make it execute the hidden exe when you double click on the jpg file). This technique is really more for hiding data, than it is for fooling people into running a .exe when they think they are opening a jpg :)




Comment by Shiv - 27-08-2005

hi there im experimenting with hiding my file called lame2.bmp into my normal.txt file and according to CrucialADS i was successful. but now...how do i open it? / view my lame2.bmp?



Comment by Wang - 27-08-2005

Hi Shiv - you could try going into your image viewer application, then go to the open dialog and go to the directory where normal.txt is and tell it to open normal.txt:lame2.bmp - that should work, as far as I recall.



Comment by shiv - 27-08-2005

i tried using windows paint program to open the normal.txt but was unsuccessful. invalid file type. :( Q2: do i always have to use cmod to open the (hidden) files?



Comment by shiv - 30-08-2005

just to clarify. Do i have to use the same prog with which i hid something to open it? ie. a) hide something in notepad text, id have to open it with notepad... b) hide something in paint, id have to open it with paint, c) hide a jpeg open it with a jpeg? hopefully what im saying is making sense. do those 3 examples work like that?



Comment by Shiv - 01-09-2005

help with the 2 posts above :P thx



Comment by Wang - 01-09-2005

You should be able to hide any type of file within any other type of file. For example, it is perfectly acceptable to hide a jpg image within a text file.

Once you have the jpg hidden in the ADS of the text file you can then view the jpg image by going to a dos prompt and typing:

start c:\file.txt:hidden.jpg

(please note you MUST provide the full path to the text file, and you should replace the hidden.jpg text above with the name of the ADS you created).



Comment by Shiv - 03-09-2005

i just typed in start N:normal.txt:lame2.bmp and nothing loads. it just goes to a new line with N:

thx



Comment by Wang - 04-09-2005

Make sure you have the backslash after N: (these comments remove the slashes, so just making sure you do have one). Also try something other than bmp to make sure it's not some oddity with file associations. I tried jpeg via this method and it opened up in photoshop fine.



Comment by Chris - 17-09-2005

Great tutorial. Really useful information that I have never heard of before!



Comment by shiv - 07-10-2005

can whole folders be hidden? or does ADS only work for individual files?



Comment by shiv - 12-10-2005

whats the purpose of the echo command? and if its a useful purpose how do i utilize it?



Comment by shiv - 12-10-2005

how would i extract/separate the hidden file from normal.txt for example?



Comment by Wang - 18-10-2005

The echo command is used to print/pipe the text into the file...it's just a quick way of putting data into the ADS, and is not required. Read the article for more methods.

To my knowledge folders can not be hidden in ADS, however you can hide files in directories using ADS. Hope that makes sense :)



Comment by shiv - 21-10-2005

how would i extract/separate the hidden file/s from normal file?



Comment by shiv - 27-10-2005

BTW Wang, excellent article on ADS. and thank you for following up with all our questions. :D however tedious they may be p though we are learning....for me...slowly and steady, hehe :P KUDOS to Wang!



Comment by unixnet - 28-11-2005

Hi Wang, it's an excellent article. My dos-prompt in xp has been disabled by system admin. Do you know any way to run the jpg:exe directly in windows without using start xx in dos environment?



Comment by jpgmn - 21-02-2006

Great article Wang!
I have one question.
If you hide the file b.txt into the file a.txt and send the a.txt to other computer, b.txt is lost. Correct?

Cheers!




Comment by Wang - 25-02-2006

Correct - the ADS is only present on your machine. This technique can not be used to hide files for sending to other people (as far as I am aware).



Comment by Spike - 25-02-2006

I know of at least one popular file archive format for Windows that retains ADS of archived files, but I haven't seen any option to block the attached ADS when un-archiving such files.

prevent ADSdeactivate . I am not aware of a switch in the un-archiving step that prevents ADS from being unarchived at the same time.



Comment by Hello Boy - 01-05-2006

Want to know after hiding .exe in jpg. how does .exe file execute .
Any other Tool that works by clicking on jpg and hidden exe execute



Comment by Geko - 03-07-2006

Hey wang! :) Great article

I have one simple question. Is there any possible way to send someone a packed file? Without losing a hidden one?

Cheers



Comment by Im seven - 04-12-2006

I can see it's more than me that want to know how you can make the .exe file run when you open the .jpg without typing any command in dos. Is it possible? how? Maybe in another file? .mp3, .doc etc... ?



Comment by Sandra - 17-05-2007

Hey Wang
How can i see which files have been put secretly (i have some shit on my pc you should now )into other files as you explained?
In other words :how can i reveal all the secrets?
many thanks



Comment by dragon_kid - 23-05-2007

i dont understand this stuff can some1 plz tell me the command to hide a .exe to a .jpg



Comment by dragon_kid - 08-06-2007

ok i understand the command now i just need to know if i had the exe. in the jpeg. file will the exe run in the background


