Hi guys, does anyone know what this NTFS streams or Alternate Data Streams thing in Windows is? Is it some hidden activity or an add-on to your work and files on the machine?
Is it some spyware from Bill, or something that improves the system?
NTFS stream?
Author: Ofur-Nörd (Posts: 234, Registered: Wed 07 Jan 2004 20:07, Reputation: 0, Location: Hornafjörður)
Athlon64 X2 5000+, Gigabyte GA-MA-770-DS3, 4GB Corsair, 2* Seagate 500GB, Xerox 19", Neovo 20" LCD monitors
What are hidden Alternate Data Streams (ADS)?
NTFS, the filesystem used by Windows NT, Windows 2000 and Windows XP has a feature that is not well documented and is unknown to many developers and most users. This feature - Alternate Data Streams - allows data to be stored in hidden files that are linked to a normal visible file. Streams are not limited in size and there can be more than one stream linked to a normal file.
Why is ADS a security risk?
The primary reason why ADS is a security risk is because streams are almost completely hidden and represent possibly the closest thing to a perfect hiding spot on a file system - something trojans can and will take advantage of. Streams can easily be created/written to/read from, allowing any trojan or virus author to take advantage of a hidden file area. But while streams can easily be used, they can only be detected with specialist software. Programs such as Explorer can view normal parent files, but they can't see streams linked to such files, nor can they determine how much diskspace is being used by streams. Because ADS is virtually unknown to many developers, there are very few security programs available that are ADS-aware. As such, if a virus implants itself into an ADS stream, your anti-virus software will probably not be able to detect it. In addition, streams cannot be deleted - to delete a stream you must delete its parent. Streams are of particular importance to law enforcement agencies as important data can sometimes be hidden in these covert file system channels.
Why does NTFS support streams?
The main (but not only) reason is for Macintosh file support. Files stored on the Macintosh file system consist of two parts (known as forks) - one data fork, and one resource fork. Windows relies on the extension of the file (eg. ".exe") in order to determine which program should be associated with that file. Macintosh files use the resource fork to do this. NT stores Macintosh resource forks in a hidden NTFS stream, with the data fork becoming the main parent file to the stream. ADS has other uses. As just one example, you could store a thumbnail image of a picture in a stream and even an audio track, allowing a single file to have several multimedia components. Some anti-virus programs store checksums in a stream under every file on your disk.
What are the main dangers associated with NTFS streams?
- Streams are only visible to specialised software such as TDS-3 that has the capability of enumerating streams from their parents.
- Public awareness of streams is exceptionally low, especially compared to the awareness of other file-hiding techniques such as hidden file attributes.
- Streams can not only attach themselves to files, they can also attach themselves to directories.
- Streams can't actually be deleted. The parent they're attached to must be deleted in order for the stream to be removed. However, streams attached to the root directory of a drive, such as "C::MyStream", cannot be deleted.
- "Available Disk Space" as shown by programs such as Windows Explorer does not take into account disk space consumed by streams.
- A malicious program could continue writing to a stream, filling up the disk and make cleaning up very difficult.
- Streams, as they are essentially still files, can be executed.
- Executed streams do not have their filenames displayed correctly in Windows NT/2K/XP Task Manager, the utility commonly used to view running processes. For example, if the stream "c:\test.txt:mystream" was running, Task Manager would only show "test.txt".
Taken from here
This is no joke. Think about it: you're writing this post on an operating system that has features most of the devs know little or nothing about. And from that you can start to imagine how many other 'features' there are in your system that you don't know about.
Voffinn has left the building..
Besserwisser (Posts: 3929, Registered: Sun 27 Oct 2002 00:12, Reputation: 0, Location: Kópavogur)
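Since the quoted text says streams can only be seen with specialist software, here is a quick way to check your own machine. This is an added example, not from the quoted article or from anyone in this thread; it assumes PowerShell 3.0 or newer on Windows with an NTFS volume, where the file-system provider exposes streams through the -Stream parameter of Get-Item, Get-Content, Set-Content and Remove-Item. It first builds a constructed sample file with a stream in a temp folder (so it runs on its own), then walks a directory tree and reports every stream other than the normal ':$DATA' content, flagging anything that is not the well-known Zone.Identifier stream browsers write to downloads. The -Remove switch deletes a flagged stream with Remove-Item -Stream, which leaves the parent file intact.

```powershell
# Added example (not from the thread): find non-default NTFS alternate data streams.
# Assumes PowerShell 3.0+ on Windows and an NTFS volume.

# --- Constructed sample input: a temp folder with one file carrying a hidden stream ---
$SampleDir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $SampleDir -Force | Out-Null
$SampleFile = Join-Path $SampleDir 'test.txt'
Set-Content -LiteralPath $SampleFile -Value 'visible content'
Set-Content -LiteralPath $SampleFile -Stream 'mystream' -Value 'hidden content'   # the ADS

# Streams that appear legitimately; everything else gets flagged.
$KnownBenign = @('Zone.Identifier')   # "Mark of the Web" written by browsers on downloads

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [switch] $Remove
    )
    # -Force includes hidden/system items; directories are scanned too, since streams
    # can be attached to folders as well as files.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Get-Item -Stream * lists every stream; ':$DATA' is the ordinary file content.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $suspicious = $KnownBenign -notcontains $_.Stream
                    [pscustomobject]@{
                        Path       = $item.FullName
                        Stream     = $_.Stream
                        Length     = $_.Length
                        Suspicious = $suspicious
                    }
                    if ($Remove -and $suspicious) {
                        # Deleting the stream alone; the parent file stays in place.
                        Remove-Item -LiteralPath $item.FullName -Stream $_.Stream -ErrorAction Stop
                    }
                }
        }
}

# Report what is hiding under the sample folder, then show the stream's content.
Find-AlternateDataStream -Root $SampleDir | Format-Table -AutoSize
Get-Content -LiteralPath $SampleFile -Stream 'mystream'

# Remove the flagged stream and confirm only ':$DATA' remains.
Find-AlternateDataStream -Root $SampleDir -Remove | Out-Null
Get-Item -LiteralPath $SampleFile -Stream * | Select-Object Stream, Length
```

Point it at a real folder with `Find-AlternateDataStream -Root 'C:\Users\you\Downloads'` to see how many Zone.Identifier streams you already have; the same listing is available from cmd with `dir /r`. Expect the first scan to show `mystream` flagged as suspicious and the final listing to show only `:$DATA`.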
I'm not quite seeing where the security risk is?
If this is done to open Macintosh files, how can it be that the developers don't know about it?
And speaking of these "forks", isn't this just there to complicate things? Last I knew, it says at the beginning of every Macintosh file what kind of file it is.