From: H C [keydet89@yahoo.com] Sent: Thursday, December 06, 2001 1:35 PM To: forensics@securityfocus.com Subject: Executing data (binaries) in ADSs After receiving several emails requesting this information, I decided to make one post to the list on the subject of executing data hidden in ADSs. I say 'data', b/c binaries aren't the only things that can be hidden in and run from ADSs. Throughout this post, I'm going to include step-by-step examples specific to either NTFS4 or 5. I will also reference exactly where I first found the information published. To begin with, here's the first article I published on the subject: http://www.chi-publishing.com/isb/backissues/ISB_2001/ISB0601/ISB0601HC.pdf As pointed out in the above article, the authors of "Hacking Exposed" published the fact that the 'start' command can be used to run arbitrary executables hidden in ADSs. I found that the Perl interpreter makes no distinction between one file or another when it's passed a file name...it will run a script 'hidden' in an ADS as easily as it will a regular script. Later editions of "Hacking Exposed", as well as "Hacking Windows 2000 Exposed" make no mention of how to execute data hidden ADSs on NTFS5 (ie, Win2K). However, Gene Kaspersky and Denis Zenkin published 5 methods in their Windows2000 Magazine article: http://www.win2000mag.com/Articles/Print.cfm?ArticleID=19878 The examples I will use from this point on include only the use of a .exe file...the above article includes test results for a .vbs file, as well as .cmd (batch) file. Setup ------ Set up by creating a directory (c:\ads) on your drive, and then create your first ADS: c:\ads>type c:\winnt\system32\sol.exe > myfile.txt:sol.exe 1. Select Start, Run, and then type the following command into the Run box: file:///C:/ads/myfile.txt:sol.exe Note to forensics investigators: The use of this method appears in the Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key for the user...so check the HKEY_CURRENT_USER hive, as well as HKEY_USERS\{SID}. Also, if you've got Process Tracking enabled on Win2K (testing done on Pro), the event that shows up in the Security EventLog for the above command includes: Image File Name: \ads\myfile.txt 2. Method 2 from the Kaspersky article only works for .vbs files...using wscript.exe to launch the script. 3. Methods 3 & 4 from the above article involve creating a shortcut pointed to the ADS we created during setup. As indicated, this works for shortcuts on the Desktop, as well as in StartUp directories. Oddly enough, the icon associated with the shortcut becomes that which is associated with the file in the ADS, rather than the file in the unnamed stream. 4. The final method, and the one that I found most interesting, is the use of the 'Run' key in the Registry. Simply create a new value, and have the data point to the file. 5. Finally, my personal favorite...Perl! The following file runs the ADS: ---------------------------------------------------- #! c:\perl\bin\perl.exe # file name: adsfun.pl use strict; my $filename = 'c:\ads\myfile.txt:sol.exe'; my $results = system($filename); ---------------------------------------------------- Simply run the above file by typing the command: c:\perl>adsfun.pl Now, try this: Type the following command: c:\perl>type adsfun.pl > myfile.txt:adsfun.pl Then run the file by typing: c:\perl>perl myfile.txt:adsfun.pl The two best tools for detecting ADSs are 'lads.exe' from Frank Heyne, and the script 'ads.pl' from my Perl page. The Perl script can be easily compiled. I can publish a complete break down of available freeware ADS tools, but will only do so if there is an interest. Also, keep in mind...ADS do NOT have to be attached to a file. You can create an ADS 'hidden' behind a directory listing like so: c:\ads>type c:\winnt\notepad.exe > :np.exe Now, keep in mind...this is a 'feature' of NTFS provided by Microsoft...yet MS doesn't provide any tools to detect the presence of ADSs. But did you know that MS *does* provide the means to create specific ADSs associated w/ specific files? Open Windows Explorer and choose an arbitrary file. Right-click the file and choose Properties, then the Summary tab. Type some data into the fields. What happens to this data? Well, Explorer puts it into ADSs tied to the file called ":?SummaryInformation" and ":?DocumentSummaryInformation". The symbol right after the colon is an unprintable ASCII character. __________________________________________________ Do You Yahoo!? Send your FREE holiday greetings online! http://greetings.yahoo.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com