I was reading an article on MSDN regarding the naming of files, paths, and namespaces[1] and I discovered some interesting peculiarities regarding the naming and creation of certain files containing alternate data streams.
I started by playing around with naming files based upon reserved device names "CON, PRN, AUX, NUL, COM1, LPT1, etc." As an example:
I started by playing around with naming files based upon reserved device names "CON, PRN, AUX, NUL, COM1, LPT1, etc." As an example:
C:\temp>echo hi > \\?\C:\temp\NUL
Note that this file can only be created when the prefix "\\?\" or "\\.\GLOBALROOT\Device\HarddiskVolume[n]\" is appended. Subsequently, this is also the only way to delete the file.
This technique has been known about for over a year now and is well documented[2][3].
What I found to be interesting is that when you create an alternate data stream that is attached to a file named after any reserved device name, the alternate data stream is invisible to both 'dir /R' and streams.exe unless you append the "\\?\" prefix to the path. Also, if the ADS happens to be an executable, it can be executed using WMIC. As an example:
This technique has been known about for over a year now and is well documented[2][3].
What I found to be interesting is that when you create an alternate data stream that is attached to a file named after any reserved device name, the alternate data stream is invisible to both 'dir /R' and streams.exe unless you append the "\\?\" prefix to the path. Also, if the ADS happens to be an executable, it can be executed using WMIC. As an example:
C:\temp>type C:\Windows\System32\cmd.exe > \\?\C:\temp\NUL:hidden_ADS.exe
C:\temp>dir /r C:\temp
Directory of C:\temp
09/17/2011 06:35 AM <DIR> .
09/17/2011 06:35 AM <DIR> ..
09/17/2011 06:37 AM 5 NUL
1 File(s) 5 bytes
C:\temp>streams C:\temp
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
No files with streams found.
C:\temp>wmic process call create \\?\C:\temp\NUL:hidden_ADS.exe
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ProcessId = 1620;
ReturnValue = 0;
};
So what are the implications of this?
1) You have a file that's nearly impossible to delete unless you know to append '\\?\'
2) You can hide malicious files/executables within the device name file in an ADS that is undetectable using traditional tools.
3) If an executable is hidden in the invisible ADS, it can be executed via WMIC.
As an added comment, according to the same MSDN article: "characters whose integer representations are in the range from 1 through 31, except for alternate data streams where these characters are allowed." This would allow someone to create an ADS using alt-characters. As an example:
2) You can hide malicious files/executables within the device name file in an ADS that is undetectable using traditional tools.
3) If an executable is hidden in the invisible ADS, it can be executed via WMIC.
As an added comment, according to the same MSDN article: "characters whose integer representations are in the range from 1 through 31, except for alternate data streams where these characters are allowed." This would allow someone to create an ADS using alt-characters. As an example:
C:\temp>echo hi > C:\temp\test.txt
C:\temp>echo secret text > C:\temp\test.txt:^G^G^G
C:\temp>dir /R C:\temp
Directory of C:\temp
09/17/2011 07:09 AM <DIR> .
09/17/2011 07:09 AM <DIR> ..
09/17/2011 07:08 AM 5 test.txt
14 test.txt::$DATA
1 File(s) 5 bytes
C:\temp>more < C:\temp\test.txt:^G^G^G
secret text
The ADS is named after three system bell characters <ALT+007>. Therefore, nothing is printed but a directory listing would yield three audible beeps. Hehe. Nothing mind-blowing but just another way to mess with admins or incident handlers.
 |
| Happy ADS created using <ALT-002> |
The bottom line: these techniques would serve as both a good malware persistence mechanism and serve to frustrate any incident handler.
1. Microsoft, "Naming Files, Paths, and Namespaces", http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx
2. Dan Crowley, "Windows File Pseudonyms," April 2010, http://www.sourceconference.com/publications/bos10pubs/Windows%20File%20Pseudonyms.pptx
3. Mark Baggett, "NOT A CON!!!! (it's a backdoor)," February, 15 2010, http://pauldotcom.com/2010/02/deleting-the-undeleteable.html
Nice findings !
ReplyDeleteprepend \\?\, not append, right ?
Doesn't it just require some update of streams though (maybe it's time to update it! it hasn't been updated since 2007) ? or streams just wouldn't be able to catch it no matter what ?
is there no other 'standard' tool to view ADSs ?
Thanks.
ReplyDeleteYes. Prepend. I am confident that readers will know what I meant.
There's a bunch of tools available to view alternates data streams (LADS, ScanADS, etc.). Irongeek has a good list of ADS listing utils here: http://www.irongeek.com/i.php?page=security/altds
You do know it's Tuesday right? :P Good stuff! I'll definitely be adding this to my malware persistence and concealment talk at Hack3rCon. http://www.hack3rcon.org/ Many shouts out will be given!
ReplyDeleteAWESOME work Matt. Very cool stuff!
ReplyDeleteThanks, gents.
ReplyDelete"2) You can hide malicious files/executables within the device name file in an ADS that is undetectable using traditional tools."
ReplyDeleteThis isn't completely true. Both streams.exe and "dir /r" will display the reserved file names as long as you specify the disable-string-parsing prefix: dir /r \\?\C:\temp\NUL
Granted, this isn't as pretty or easy but still easily possible without 3rd party tools.
Thanks for the clarification. I was unaware of that. Nice tip! :)
DeleteJust curious, did you discover that on your own or did you learn that during Mark Baggett's DerbyCon talk?
DeleteUmm no actually.... I was writing up some scans to check for the existence of these reserved files in a customer's environment and wanted to include the capability of determining whether or not there was anything in the alternate data stream. I had demo'd your post to enough people to prove the point that on a whim, I decided to try and read the information the same way you had to interact with it in any other way (create, delete, attach ADS, etc.), and it worked. I'm not familiar with Mark Baggett or DerbyCon. I'll have to check those out on YouTube.
ReplyDelete