The Dark Side of NTFS

I really like this kind of title ~XD~, but I digress.

A pile of ACG files I've downloaded have some extra data that I want to "bind" to the file itself.
I used to keep it in a separate XML file, but that breaks as soon as a file is renamed. So I thought of stuffing the data into the filesystem instead.

NTFS offers two ways to store metadata alongside a file:
  1. COM Structured Storage
  2. ADS (Alternate Data Streams)
A few articles that introduce ADS:
ADS commandline tools
The article above uses notepad to view the contents of an ADS; a simpler way to view a stream is:
more < filename:stream

So far ADS looks like the more interesting of the two (?). Adding a stream is easy and so is editing one, but deleting a stream is a bit of a hassle.
REM Create the file (its content is the unnamed stream)
echo Hello World! > 1.txt

REM Add a named data stream called URL
echo http://www.google.com.tw > 1.txt:URL

REM Edit the data stream (redirecting again replaces its content)
echo http://tw.yahoo.com > 1.txt:URL

REM Delete the data stream: copy only the unnamed stream to a new file, then swap the files
more < 1.txt > 1.txt.new
del 1.txt
ren 1.txt.new 1.txt
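The same create / add / edit / delete cycle can be done from PowerShell, whose FileSystem provider exposes streams through the -Stream parameter (PowerShell 3.0 and later). This is an added example, not part of the original post; it assumes the current directory is on an NTFS volume and reuses the file and stream names above. It also renames the file, which is the case the XML approach failed on, to show that the stream travels with the file.

```powershell
# Added example: ADS create / add / edit / read / delete with PowerShell's -Stream parameter.
# Assumes the current directory is on an NTFS volume. File and stream names follow the post.
$file = Join-Path $PWD '1.txt'

# Create the file; its ordinary content lives in the unnamed ::$DATA stream.
Set-Content -Path $file -Value 'Hello World!'

# Add a named stream. Explorer and a plain 'dir' report only the unnamed stream's size.
Set-Content -Path $file -Stream 'URL' -Value 'http://www.google.com.tw'

# Edit: writing the stream again replaces its content (same as 'echo ... > 1.txt:URL').
Set-Content -Path $file -Stream 'URL' -Value 'http://tw.yahoo.com'

# Enumerate every stream on the file. ':$DATA' is the unnamed main stream.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Rename the file: the stream is part of the file record, so it survives the rename.
$renamed = Join-Path $PWD '2.txt'
Rename-Item -Path $file -NewName '2.txt'

# Read the named stream back from the renamed file (equivalent of 'more < 2.txt:URL').
Get-Content -Path $renamed -Stream 'URL'

# Delete only the named stream, without the copy / del / ren dance.
Remove-Item -Path $renamed -Stream 'URL'

# Confirm that only the unnamed stream remains.
Get-Item -Path $renamed -Stream * | Select-Object Stream, Length
```

Remove-Item -Stream removes just the named stream and leaves the unnamed content, the file's timestamps and any other named streams untouched; the copy-through-more method in the post drops every named stream at once, which matters if you keep several pieces of metadata on one file.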



10 Things to know about ADS
  1. There is no limit on the size of streams and there can be more than one stream linked to a normal file. ADS are not visible in explorer or via command prompt. In fact, their size is also not reported by Windows!
  2. Streams can be attached not only to files but also to folders and drives!
  3. The content of an ADS should not be considered limited to simply text data. Any stream of binary information can constitute a file which includes executables, Mpeg files, Jpeg files etc.
  4. ADS have no attributes of their own. The access rights assigned to the default unnamed stream are the rights that control any operation on ADSs such as creation, deletion or modification. This means if a user cannot write to a file, that user cannot add an ADS to that file. A user with guest privileges can also create such streams in every file where he has write access.
  5. Some Browser helper Objects (BHOs) have started storing their malicious files inside ADS and very few anti-spyware/malware actually detect it.
  6. Windows File Protection prevents the replacement of protected system files; it does not prevent a user with the appropriate permissions from adding ADS to those system files. The System File Checker (sfc.exe) will verify that protected system files have not been overwritten, but will not detect ADS.
  7. Microsoft Windows provides no tools or utilities either within the operating system software distribution or the Resource Kits for detecting the presence of ADS.
  8. The stream can only be executed if called directly by a program with the full path to the file given. It is impossible to accidentally execute a stream.
  9. None of the Internet protocols enabling file transfer such as SMTP, FTP etc. support streams. This means that ADS can't be sent via Internet. However, files containing ADS can be sent across a local LAN provided the target drive is in the NTFS format.
  10. In certain cases, streams have been used to remotely exploit a web server. Some web servers are susceptible to having their file source read via the ::$DATA stream. If a server-side script such as PHP or ASP is running on a web server which is not patched properly, instead of getting output as a result of processing the script, the source code of the ASP/PHP file could be viewed by using a URL like this:

    http://www.abcd.com/index.asp::$DATA

    This is a critical vulnerability as the server-side source code could reveal sensitive information including how the site has been coded and how the information is flowing. This information could be used by the attacker to launch a specific attack on the server.
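Points 1, 2 and 7 are the ones a defender cares about: streams are invisible to Explorer, can hang off folders as well as files, and the classic tooling does not list them. Since Windows Vista, cmd.exe's dir /R lists streams, and PowerShell 3.0+ can enumerate them with Get-Item -Stream. The following added audit script is not from the post; it walks a directory tree and reports every non-default stream, flagging the common and usually benign Zone.Identifier (the Mark-of-the-Web that browsers attach to downloads) separately from streams that deserve a closer look. $Root is an assumed parameter, and directories are included on the assumption that the provider can enumerate their streams (errors are suppressed where it cannot).

```powershell
# Added example (not from the post): audit a directory tree for alternate data streams.
# Requires PowerShell 3.0+ on an NTFS volume. $Root is an assumed starting point.
param(
    [string] $Root = (Get-Location).Path
)

function Find-AlternateStreams {
    param([string] $Path)

    # Folders can carry streams too (point 2), so directories are included in the walk.
    # -Force also shows hidden and system items, which a plain listing would skip.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # -Stream * lists every stream; ':$DATA' is the item's normal content and is skipped.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Zone.Identifier is the Mark-of-the-Web written for downloaded files;
                    # any other named stream is unusual enough to review by hand.
                    $note = if ($_.Stream -eq 'Zone.Identifier') { 'Mark-of-the-Web' } else { 'review' }
                    [pscustomobject]@{
                        Path   = $item.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Note   = $note
                    }
                }
        }
}

# Largest streams first: an executable hidden in a stream (point 3) tends to stand out by size.
Find-AlternateStreams -Path $Root | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Run it as .\Find-AlternateStreams.ps1 -Root D:\downloads (or whatever tree you want to check). Because stream sizes are not counted in the sizes Explorer shows (point 1), the Bytes column is the only place this hidden space becomes visible, and a large stream with Note set to review is the first thing to open.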
