Alternate Data Streams Viewer


trancexx

In layman's terms...

The NTFS file system allows a file to be associated with more than one file stream. Streams other than the main one are called Alternate Data Streams. Normally users on Windows systems aren't aware of them because Windows Explorer can't show them. They aren't meant to be seen; their purpose is to carry additional information about the file they are "attached" to.

For example, if you download something from the internet and try to run it, by default you should have a shell window popping up informing you about the risks of running downloaded material. That information is attached to the file right after it's been downloaded and is saved as the :Zone.Identifier ADS.

Also, some malware creators use ADS to hide and perform different actions from there. For example, it's nothing unusual to find a malignant executable module in an ADS of a seemingly benign executable.

The NTFS implementation for Compound Files also uses ADS, even exclusively.

Anyway, the script I'm posting here allows you to list and view all streams of the file that you load. Three methods are used to enumerate streams, depending on your wishes. You can choose to use the NtQuery, BackupRead or FindStream method and maybe compare the speed and availability of each method depending on your system specifications.

The NtQuery method is used by KaFu in his SMF, so that's not new, but the other two methods are new to AutoIt AFAIK, unless used privately of course.

There is a GUI around the three functions to show what they do; that part isn't really that important. You will notice that I'm displaying up to 1024 bytes of the selected stream.

The script:

ADS_Viewer.au3

edit: New script.

Edited by trancexx


Thank you for sharing :) (I also like the "hidden" animation)

I always wondered where this information was stored; isn't it called metadata, or is that another thing?

Br, FireFox.

Edited by FireFox

I just found this today, thanks for the contribution trancexx.

The reason I came upon this thread is that I was looking for a way to get rid of the 'Zone.Identifier' stream that is attached to every da*n file I download from the browser, and is the cause of that annoying "This came from another computer" message and the need to Unblock files manually.

I just wanted a simple way to delete this extra information, and it turned out to be easier than I had expected. Simply deleting the filename followed by ":Zone.Identifier" fixed the issue. There are apparently some 'legit' file checks in AutoIt, so FileDelete needed to be replaced by a manual call to DeleteFile. But otherwise, it's a pretty simple thing to do. Here's my little addition:

; ==============================================================================================
; Func _ZoneId_ADSStreamDelete($sFilename)
;
; Simple function to delete the Zone.Identifier stream that is added to downloaded files
;
; Alternatives:
; Use Group Policy Editor (gpedit.msc) and follow the instructions at
; "SaveZoneInformation Revisited", post #2 - link below
;
; Also, adding the following key & value to the registry works:
;  "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
;   with the following DWORD value
;    "SaveZoneInformation"
;   set to 1
;
; References:
; "SaveZoneInformation Revisited"
; http://www.msfn.org/board/topic/123163-savezoneinformation-revisited/page__p__958516#entry958516
;  - Using Group Policy Editor
;
; “This file came from another computer…” ... Response by user61000
; http://superuser.com/a/227624
;  - Also other useful information, links and resources
;
; See also:
; "Alternate Data Streams" - Jerry Dixon's Blog
; https://blogs.msdn.com/b/jerrydixon/archive/2007/09/20/alternate-data-streams.aspx
;  - Simple command-line way to add and read specific streams
;    (i.e. "echo nonsense > file:ADSStuff", or  "more < file:Zone.Identifier")
;
; "StrmExt.dll on x64 Windows"
; http://www.boredomsoft.org/strmext.dll-on-x64-windows.bs
;  - Stream Page extension for File Properties [x86 version is linked there as well]
;
;
; Author: Ascend4nt
; ==============================================================================================

Func _ZoneId_ADSStreamDelete($sFilename)
    Local $aRet, $sZoneIDFileName

    ; Streams are assembled as "filename" + ":" + "Stream_ID"
    $sZoneIDFileName = $sFilename & ":Zone.Identifier"

    ; Make sure the stream exists
    If FileExists($sZoneIDFileName) Then
        ; While FileExists() works, FileDelete() doesn't, probably due to some internal sanity checks
        $aRet = DllCall("kernel32.dll", "bool", "DeleteFileW", "wstr", $sZoneIDFileName)
        If @error Then Return SetError(2, @error, 0)
        Return $aRet[0]
    EndIf
    Return 0
EndFunc

; Example

$sFilename = FileOpenDialog("Filename", @DesktopDir, "All (*.*)", 1)
If @error Then Exit
MsgBox(0, "Results of ADS Zone Removal", "_ZoneId_ADSStreamDelete Return [0/1] = " & _ZoneId_ADSStreamDelete($sFilename))

Additionally, I found that there are workarounds to this annoying problem: one is to use the Group Policy Editor. Another is to add a value to the registry. To make it simple, here's the code for a .reg file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

Registry info is from here.  I also have other links inside the source code above.

What I thought was neat was that you can mess with streams from the command prompt, e.g.:

  • Add an 'ADSStuff' stream, with just "nonsense" for the data:
      echo nonsense > file:ADSStuff
  • Display the stream information for a file (you need to be specific):
      more < file:Zone.Identifier
Edited by Ascend4nt

I made an example to create streams, because I did not understand how it works.

echo Jerry > names.txt
echo Tammy > names.txt:wife
echo Evan > names.txt:son

more < names.txt
more < names.txt:wife
more < names.txt:son
pause

I liked the "drag-and-drop" example.

Edited by AZJIO

While all the methods work great, I found the FindStream method the fastest. If at least FindStream could find ADS on folders too, the script would be perfect.

It can do that of course. All three methods can do that.

It's just that I didn't think of that. Considering it's my fault I'll update the script, it's really just a touch or two.


While testing it, I thought I'd found a bug in it, but realized it was just unexpected Windows behaviour. Trying:

echo text > c:\file.ext:something.txt

I was wondering why your tool displayed 0d 0a at the end. Turns out echoing into an ADS from cmd will do that, although strictly speaking it should not be part of the content. Or I have misunderstood something. Doing the same thing with the type command (piping content from the standard $DATA attribute of a file into an ADS) will not lead to the strange prefix.

Anyways, your tool works fine :)

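Added example, not from the thread or its authors: a small Python module that parses the [ZoneTransfer] contents of a Zone.Identifier stream, removes the stream through the same file:Zone.Identifier path that Ascend4nt's DeleteFileW call uses, and tolerates the trailing CRLF that cmd's echo leaves (the 0d 0a noted in the last post). The ZONE_NAMES mapping and the ReferrerUrl/HostUrl keys are my assumptions about the stream format; the sample bytes are constructed, and read/remove only work on NTFS under Windows.

```python
import configparser
import os

# URL security zone ids (assumed mapping); browsers write ZoneId=3 (Internet).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def stream_path(filename: str, stream: str) -> str:
    """The 'file:stream' path that echo/more and DeleteFileW use in the thread."""
    return f"{filename}:{stream}"

def echo_bytes(text: str) -> bytes:
    """What `echo text > file:stream` writes from cmd.exe: the text plus CRLF,
    which is the 0d 0a at the end of the stream observed above."""
    return text.encode("ascii") + b"\r\n"

def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style [ZoneTransfer] section; CRLF and a trailing newline are fine."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error as exc:
        raise ValueError("not a Zone.Identifier stream") from exc
    if "ZoneTransfer" not in cp or "ZoneId" not in cp["ZoneTransfer"]:
        raise ValueError("not a Zone.Identifier stream")
    sect = cp["ZoneTransfer"]
    zone = int(sect["ZoneId"])
    return {"zone_id": zone, "zone_name": ZONE_NAMES.get(zone, "unknown"),
            "referrer": sect.get("ReferrerUrl"), "host": sect.get("HostUrl")}

def read_zone_identifier(filename: str) -> "dict | None":
    """Read file:Zone.Identifier with plain open(); None if unmarked (Windows/NTFS)."""
    try:
        with open(stream_path(filename, "Zone.Identifier"), "rb") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None

def remove_zone_identifier(filename: str) -> bool:
    """Like _ZoneId_ADSStreamDelete: os.remove() on the stream path calls DeleteFileW."""
    try:
        os.remove(stream_path(filename, "Zone.Identifier"))
        return True
    except FileNotFoundError:
        return False

# Constructed sample of the stream a browser download typically carries.
SAMPLE_ZONE_IDENTIFIER = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                          b"ReferrerUrl=https://example.invalid/\r\n"
                          b"HostUrl=https://example.invalid/tool.exe\r\n")
```

On Windows, `read_zone_identifier(path)` before and after `remove_zone_identifier(path)` shows the mark disappearing while the main stream stays untouched.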
