Alternate Data Streams

Started by DAG_P6, January 25, 2014, 01:56:45 PM


DAG_P6

As I finished using the SysInternals streams.exe program to de-fang the archive containing my copy of the 2014A version of WinBatch+Compiler, I began to wonder whether anybody has found another legitimate use for alternate data streams.

Of course, I realize that they are a great way to hide parts of a file from all but the technically savvy who know about them, and about how to edit them.

So what?
David A. Gray
You are more important than any technology.

stanl

I know there are a couple of posts in the old webboard about ADS. I found this interesting.

http://www.codeproject.com/Articles/9387/Manipulate-Alternate-Data-Streams


ChuckC

The "MotW" [Mark of the Web] which indicates to the Explorer shell that a file was downloaded from the Internet is stored in an alternate data stream.  Pretty much every web browser that runs on Windows uses this mechanism in the same way.

Starting with Windows Server 2008 R2, the FSRM role has a File Classification feature that allows for the content of a file to be analyzed and for "properties" to be assigned to the file where the values of the properties are based on the results of the content classification analysis.  All of the properties and their values are stored in alternate data streams.

Quite a number of other valid uses for alternate data streams do exist, too, but these examples are 2 of the most prevalent usage cases that are likely to be encountered today.
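The MotW mechanism mentioned in the post above, as an added example that is not part of the original thread: a Python sketch that parses the INI-style content of the `Zone.Identifier` stream Windows attaches to downloaded files and reports the zone it records. The function names and the sample stream content are constructed for illustration; `read_motw` assumes a Windows host with an NTFS volume.

```python
import configparser

# Windows URL security zone ids (URLZONE values 0-4).
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what a browser writes to <file>:Zone.Identifier.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://example.test/downloads/\r\n"
          "HostUrl=https://example.test/downloads/tool.zip?id=1&v=2\r\n")


def parse_zone_identifier(text):
    """Return the fields of a Zone.Identifier stream, or None if malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        zone_id = int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    fields = cp["ZoneTransfer"]
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        "referrer": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
        # Zones 3 and 4 are the ones the shell treats as untrusted origins.
        "untrusted": zone_id >= 3,
    }


def read_motw(path):
    """Read path:Zone.Identifier (NTFS only); None if the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE))
```

A file copied to a FAT volume or extracted by a tool that does not propagate the stream loses the mark, so a `None` result means "no mark recorded", not "known safe".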


Deana

Deana F.
Technical Support
Wilson WindowWare Inc.

stanl


td

Quote from: stanl on January 28, 2014, 07:44:07 AM
This is interesting. Embed Powershell script code as a stream.

http://powershell.com/cs/blogs/tips/archive/2014/01/27/reading-and-writing-ntfs-streams.aspx

Haven't tried it but I suppose you could use streams as an alternative to extracting files other than the WIL interpreter DLL from compiled WinBatch scripts. Of course, you would have to sign the exe outside of the compiler but that is no big issue. It would also render the exe useless on FAT systems.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

DAG_P6

Deana,

Quote from: Deana on January 27, 2014, 08:51:21 AM
Note: The WILX Extender contains a function call xEnumStreams.

Reference:
http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WinBatch/File~Operations+List~Files~with~Alternate~Data~Streams.txt
http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WinBatch/Miscellaneous+Unblock~a~file.txt

Thanks for the nice summary. It's been an eternity (well, maybe only a decade) since I looked at the WILx extender. Since it comes with the WIL SDK, I've come to think of it as more of an example to get a developer started with extenders than a source of useful functions. The one function in it that I actually used to use, xMessageBox, I rolled into my WWWILMuscle extender long ago. My function doesn't do anything more than xMessageBox, but having an equivalent routine reduced by one the number of extenders that I had to ship and maintain.
David A. Gray
You are more important than any technology.