Skrip

_ADS() UDF

25 posts in this topic

#1 ·  Posted (edited)

; $read = 1 means to read the stream, 0 means to write.
; $file = Which file to write the stream to.
; $streamname = What to call the stream?
; $write_msg = What to write.
; $encrypted = 1 means to encrypt/decrypt the message, 0 means not to.
; $epassword = The encryption password.
; $encrypted_level = 1-10 crypt strength.
#include <String.au3>
FileWrite("C:\.test", "Test file.")

MsgBox(0, "", _ADS(0, "C:\.test", "test", "test!")); Writing "test!" to ADS.
MsgBox(0, "", _ADS(1, "C:\.test", "test")); Reading it back.

Func _ADS($read, $file, $streamname, $write_msg = "", $encrypted = 0, $epassword = "", $encrypted_level = 1)
    Local $found
    If $read = 1 Then; Read: NTFS addresses a named stream as file:streamname
        $found = FileRead($file & ":" & $streamname)
        If $encrypted = 1 Then $found = _StringEncrypt(0, $found, $epassword, $encrypted_level)
        Return $found
    ElseIf $read = 0 Then; Write (FileWrite appends, so repeated calls extend the stream)
        If $encrypted = 1 Then $write_msg = _StringEncrypt(1, $write_msg, $epassword, $encrypted_level)
        FileWrite($file & ":" & $streamname, $write_msg)
        Return "Written"
    EndIf
EndFunc

There you go. The function and an example.

Edited by Firestorm

[left][sub]We're trapped in the belly of this horrible machine.[/sub][sup]And the machine is bleeding to death...[/sup][sup][/sup][/left]



OK, I understand, but is there any way to manipulate these streams by copying them in AutoIt? I know they can't be copied via Windows, but can you actually copy a stream with AutoIt?

Could you send it over a network in the alternative stream?

Like alternative stream packs that could avoid a packet logger?


I made a GUI to edit alternate stream data.

#include <GUIConstants.au3>

#Region ### START Koda GUI section ### Form=
$Form1 = GUICreate("Stream Editor", 459, 529, 193, 125)
$Input1 = GUICtrlCreateInput("", 32, 32, 377, 21)
$Button3 = GUICtrlCreateButton("Browse", 410, 32)
$Label1 = GUICtrlCreateLabel("File:", 208, 8, 23, 17)
$Label2 = GUICtrlCreateLabel("Stream", 208, 72, 37, 17)
$Input2 = GUICtrlCreateInput("", 32, 104, 377, 21)
$Edit1 = GUICtrlCreateEdit("", 40, 176, 393, 345)
$Button1 = GUICtrlCreateButton("Read", 150, 144, 75, 25, 0)
$Button2 = GUICtrlCreateButton("Save", 250, 144, 75, 25, 0)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $Button1; Read: a named stream is addressed as file:streamname
            GUICtrlSetData($Edit1, FileRead(GUICtrlRead($Input1) & ":" & GUICtrlRead($Input2)))
        Case $Button3
            $file = FileOpenDialog("Stream Reader", @DesktopDir, "All Files(*.*)")
            If Not @error Then GUICtrlSetData($Input1, $file)
        Case $Button2; Save: mode 2 truncates the stream before writing
            $write = FileOpen(GUICtrlRead($Input1) & ":" & GUICtrlRead($Input2), 2)
            FileWrite($write, GUICtrlRead($Edit1))
            FileClose($write)
    EndSwitch
WEnd

Is there any way to save an executable (binary data) to an alt stream, then run the executable from the stream without the need to write it to another file?

like

compilation.exe:program1


Is there any way to save an executable (binary data) to an alt stream, then run the executable from the stream without the need to write it to another file?

like

compilation.exe:program1

Not possible, and probably for a good reason too!

Read this: http://www.wikistc.org/wiki/Alternate_data_streams


Don't bother, It's inside your monitor!------GUISetOnEvent should behave more like HotKeySet()


#5 ·  Posted (edited)

It is possible and I've done it.

All you have to do is put the binary code of the executable into an alternate stream with a .exe at the end:

run("file:executable.exe")

Edited by YourSpace


EXEs can be run from an ADS.

What if I told you that ADS can also be used with executable files? That's right, ADS files that are executable can be attached to any file just like you attached .txt files, and just like the text files, would be hidden from most software.

Here is an example:

C:\test> type c:\windows\notepad.exe > ads.txt:hidden.exe

You have now created an ADS file called hidden.exe and attached it to the text file ads.txt. Once again, if you Dir the directory you will just see ads.txt, and not hidden.exe. Run LADS, and you will see the ADS.

There is a caveat to launching executable files that are ADS files. You must always use the START command to launch the ADS executable and you must always use the full path of the file. Here are some examples of working commands and non-working commands.

I will first make my ADS executable:

C:\test> type c:\windows\notepad.exe > ads.txt:np.exe

Commands that do not launch the np.exe ADS executable:

C:\test>ads.txt:np.exe

The filename, directory name, or volume label syntax is incorrect.

C:\test>c:\test\ads.txt:np.exe

The filename, directory name, or volume label syntax is incorrect.

C:\test>start ads.txt:np.exe

Access is denied.

The command that will launch the executable:

C:\test>start c:\test\ads.txt:np.exe

As you can see, you must use the full path of the ADS executable file.

It works for me. I'm making a nice GUI for this too.

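As an added example (not code from this thread or its authors), here is the defender's side of the ads.txt:np.exe trick above: a PowerShell sweep that lists every named stream under a directory and flags the ones whose first two bytes are the "MZ" PE header. It assumes Windows PowerShell 5.1 (for -Encoding Byte) on an NTFS volume; $Path is a placeholder scan root.

```powershell
# Added example (not from the thread). Lists every named stream under $Path and flags
# streams whose first two bytes are the "MZ" PE header, i.e. the ads.txt:np.exe case.
# Assumes Windows PowerShell 5.1 (-Encoding Byte) on an NTFS volume.
param(
    [string]$Path = 'C:\test'   # placeholder scan root
)

$report = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    # '-Stream *' returns every stream of the file; ':$DATA' is the ordinary content, skip it
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            # Only the first two bytes are needed to spot a PE image ("MZ" = 0x4D 0x5A)
            $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $_.Stream
                Bytes       = $_.Length
                LooksLikePE = $isPE
            }
        }
}

# Zone.Identifier is the normal mark-of-the-web stream on downloaded files; anything
# else, and any stream that parses as a PE image, deserves a closer look.
$report | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

The same Get-Item -Stream * listing is what LADS gives you in the post above, so the sweep doubles as a quick check that a stream you wrote really landed where you expected.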

#7 ·  Posted (edited)

I've made a UDF to do this.

(Also, via the command line you may want to use binary copy mode.)

But I made a UDF in AutoIt to do this; you may use it with your GUI, just give cred :P

UDF FileInStream:

http://www.autoitscript.com/forum/index.php?showtopic=82715

(Also, you can use the Run command in AutoIt and it will work perfectly.)

Edited by YourSpace


Also remember, alternative data streams are of no use if the file is uploaded to a website that doesn't have NTFS (such as a Linux server), or to a flash drive or disk.

I've made an application that converts a file's binary into hex; then you run another executable and it reads settings from a .ini.

hexifier: (makes a .hex out of a file)

#include <String.au3>
$file = FileOpen(FileOpenDialog("Hexify", @DesktopDir, "All Files(*.*)"), 16); 16 = binary read mode
$data = Binary(FileRead($file))
FileClose($file)
SplashTextOn("Hexifying", "Your file is being hexified, this may take a long time")
$data = _StringToHex($data); the binary is coerced to its "0x..." text form, which is then hex-encoded
SplashOff()
FileWrite(FileSaveDialog("Save", @DesktopDir, "Hex Files(*.hex)") & ".hex", $data)

ini config file:

[file]
hex=tts.hex
site=XInjector.exe
stream=xinject.exe

hex is the name of the hex file generated by the hexifier

site is the place to inject into the stream (you can put it in the same executable as it's being run from, so if you named it injector.exe you could inject into injector.exe)

stream is the name of the stream; I can not stress enough that the extension must be the same as the file you turned into hex

There is our donation to your project.

Hope something great comes out of it :P


#11 ·  Posted (edited)

I like how easy it is to utilize ADS, just what kills it pretty bad, is that you can't remove streams.

Edited by Firestorm


#12 ·  Posted (edited)


#13 ·  Posted (edited)

Easy Remove Method.

Func _RemoveADS($file)
    ; Read the main stream in binary mode so non-text files survive the round trip
    Local $hFile = FileOpen($file, 16)
    If $hFile = -1 Then Return SetError(1, 0, 0)
    Local $data = FileRead($hFile)
    FileClose($hFile)
    FileDelete($file); deleting the file discards every alternate stream attached to it
    Return FileWrite($file, $data); recreate it with the main stream only
EndFunc

Try that to test it...

Edited by Firestorm


#14 ·  Posted (edited)


Yeah, but that deletes all the streams...not a single one.


Link for that shell extension?


#18 ·  Posted (edited)

Yeah, but that deletes all the streams...not a single one.

That's the only way I know of removing streams, unless moved to non-NTFS of course. Do you know of an alternate method?

I guess you can use FileClose(FileOpen($file&":"&$streamname,2)) to erase the data associated with a stream name, but it cannot delete the fork name.

Edited by spudw2k


I think the general procedure for deleting a single stream (as archaic as it sounds) is to enumerate and read all the streams, delete all the streams, then write back the ones you want to keep.
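An added example, not from the thread or its posters: two PowerShell routes to dropping one stream while keeping the others, the direct Remove-Item -Stream that newer Windows offers and the enumerate/delete/write-back procedure this post describes. It assumes Windows PowerShell 3.0 to 5.1 on NTFS; $File, $Victim and the stream contents are constructed for the demo.

```powershell
# Added example (not from the thread). Two ways to delete one alternate stream and
# keep the rest. Assumes Windows PowerShell 3.0-5.1 on NTFS; names below are constructed.
$File   = 'C:\test\ads.txt'
$Victim = 'np.exe'

# Construct a sample file with a main stream and two named streams
Set-Content -LiteralPath $File -Value 'main content'
Set-Content -LiteralPath $File -Stream 'keep.txt' -Value 'stream to keep'
Set-Content -LiteralPath $File -Stream $Victim    -Value 'stream to remove'
Get-Item -LiteralPath $File -Stream * | Select-Object Stream, Length   # three streams

# Way 1: Remove-Item accepts -Stream, so a single stream can be deleted in place
Remove-Item -LiteralPath $File -Stream $Victim
Get-Item -LiteralPath $File -Stream * | Select-Object Stream, Length   # ':$DATA' and keep.txt

# Way 2: the read-all / delete / write-back procedure from the post above, for
# environments without a per-stream delete. Contents are captured as raw bytes so
# binary streams survive the round trip. Note the rebuilt file gets new timestamps
# and inherits the directory ACL rather than keeping its own.
Set-Content -LiteralPath $File -Stream $Victim -Value 'stream to remove'   # put it back for the demo
$keep = @{}
foreach ($s in Get-Item -LiteralPath $File -Stream *) {
    if ($s.Stream -eq $Victim) { continue }
    $keep[$s.Stream] = [byte[]](Get-Content -LiteralPath $File -Stream $s.Stream -Encoding Byte -ReadCount 0)
}
Remove-Item -LiteralPath $File                      # deleting the file drops every stream with it
Set-Content -LiteralPath $File -Value $keep[':$DATA'] -Encoding Byte   # main stream first recreates the file
foreach ($name in $keep.Keys) {
    if ($name -ne ':$DATA') {
        Set-Content -LiteralPath $File -Stream $name -Value $keep[$name] -Encoding Byte
    }
}
Get-Item -LiteralPath $File -Stream * | Select-Object Stream, Length   # victim gone, keep.txt intact
```

Way 2 is the only option that maps onto the AutoIt _RemoveADS approach earlier in the thread; Way 1 is what to reach for whenever the host is new enough to support it.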

