Using ADS to hide a directory

Discussion in 'other security issues & news' started by GMMorris, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. GMMorris

    GMMorris Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    4
    Hi,

    First of all let me compliment you guys on your cool community. I didn't know you existed till today, and I'll def' be back, this is a very useful place :)

    Ok, to business. I have reason to believe a threat may be made to the network I run for my company.
    I believe a user is hiding a whole directory packed with illegal software on his computer, and I suspect it is hidden using ADS. Could this be?
    Can you hide an entire directory full of files using Alternative Data Streams??

    I know I could use LADS, but I can't move outside software into our networks for reasons of security. I'm in the process of writing a C# application to scan our servers for illegal ADS usage, but I thought I'd ask you guys if it could be done anyway.

    Thanks :D
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear GMMorris, welcome to the forum. i'm glad you liked it. yes it's possible.
     
  3. GMMorris

    GMMorris Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    4
    Thanks.

    Really? It is possible to hide an entire folder in ADS? How?

    Is there a way for me to prevent users using File Streams?
     
  4. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    well not directly but indirectly. i'd archive the whole directory using minimal compression to a single file and then add it normally using this ':' special COLON character. i'm lazy but you'll find a whole lot of tutorials on how to add ADS to a file or directory. you can't prevent it.
     
  5. GMMorris

    GMMorris Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    4
    That's basically adding a single file to a file or directory using ADS, what I'm searching for is an actual directory.
    If all his files are in ZIP or something like that, he can't run programs out of it :)

    And I don't need tutorials, I've done ADS several times before ;)
     
  6. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear GMMorris, i didn't know he was running his programs like that. it should be something else. otherwise it'd be detectable very easily. you can't hide a directory as ADS directly.
     
  7. GMMorris

    GMMorris Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    4
    ok, thanks. I'll keep searchin' :D
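
One way to write the kind of scanner the first post describes, added here as an example and not code from anyone in this thread: it lists every named stream on each file and directory under a root by calling the Win32 functions FindFirstStreamW and FindNextStreamW, so no outside tool is needed. The class name AdsScan and the command-line root argument are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.InteropServices;

static class AdsScan // hypothetical name, not from the thread
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WIN32_FIND_STREAM_DATA
    {
        public long StreamSize;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)] // MAX_PATH + 36
        public string cStreamName;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr FindFirstStreamW(string path, int infoLevel, out WIN32_FIND_STREAM_DATA data, uint flags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool FindNextStreamW(IntPtr handle, out WIN32_FIND_STREAM_DATA data);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FindClose(IntPtr handle);

    // Returns ":name:$DATA (N bytes)" for each named stream on a file or directory.
    static List<string> NamedStreams(string path)
    {
        var found = new List<string>();
        WIN32_FIND_STREAM_DATA d;
        IntPtr h = FindFirstStreamW(path, 0 /* FindStreamInfoStandard */, out d, 0);
        if (h == new IntPtr(-1)) return found; // no streams (usual for directories) or not readable
        try
        {
            do
            {
                // "::$DATA" is the unnamed stream, i.e. the ordinary file content; skip it.
                if (d.cStreamName != "::$DATA")
                    found.Add(d.cStreamName + " (" + d.StreamSize + " bytes)");
            } while (FindNextStreamW(h, out d));
        }
        finally { FindClose(h); }
        return found;
    }

    static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : "."; // assumes the account can read the whole tree
        var entries = new List<string> { root };
        entries.AddRange(Directory.EnumerateFileSystemEntries(root, "*", SearchOption.AllDirectories));
        foreach (string e in entries)
            foreach (string s in NamedStreams(e))
                Console.WriteLine(e + s);
    }
}
```

Expect some benign hits, such as the Zone.Identifier stream Windows attaches to downloaded files; a large stream on a small or empty host file, or any stream on a directory, is the pattern worth a closer look.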
     