Use NTFS streams to hide files

ID MYHACK58:62200716489
Type myhack58
Reporter Anonymous
Modified 2007-08-10T00:00:00


When copying files from an NTFS partition to a non-NTFS partition, you may occasionally find the system warning that data will be lost. Why is that?

In fact, the NTFS file system introduces the concept of a "stream". Each file can have multiple streams, although we normally use only one. By giving a file additional streams, a kind of "file hiding" can be achieved. For example, create a text file from the console with the following command:

    dir d:\ > abc.txt

It lists all files in the root directory of d: and redirects the listing to the file abc.txt. Now check the size and content of abc.txt and note them down. Then run the following command:

    dir c:\ > abc.txt:stream.txt

After it completes, check abc.txt: its size and content have not changed, but abc.txt now has one more stream, stream.txt, and the redirected output went into it. If you don't believe it, use the following command to look (note that the stream name must end in .txt, otherwise notepad will not find it):

    notepad abc.txt:stream.txt

In this way we have hidden a file: the dir command does not show it, the file properties do not show it, Explorer does not show it, and if you don't know the stream name, notepad cannot open it either.

In fact, a stream does not even have to be attached to a file. The following command is also legal (do not try it, otherwise it might be a bit of a hassle):

    dir e:\ > :stream.txt

This attaches the stream to the folder, which is even more hidden. Normally, the only way to delete a stream is to delete its host. If you ran the command above, and ran it in a root folder, then to delete the stream, congratulations, you get to format the disk :). Deleting a stream from a program is not difficult, though: just call DeleteFile and pass it the stream name. To enumerate all the streams of a file, currently the only way is BackupRead.
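How a program finds alternate streams in the byte sequence BackupRead returns, as an added example that is not the author's nsvw code: it walks the documented WIN32_STREAM_ID record layout (20-byte header, UTF-16LE name, data) and reports every named stream. The buffer is constructed sample data and the helper names list_ads and put_stream are assumptions, so the parser runs without Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BACKUP_ALTERNATE_DATA 4  /* dwStreamId of a named (alternate) stream */
#define HDR 20                   /* WIN32_STREAM_ID bytes before cStreamName */

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t le64(const uint8_t *p) { return le32(p) | (uint64_t)le32(p + 4) << 32; }

/* Walk BackupRead output and collect alternate stream names (non-ASCII shown
   as '?'). Returns the number found, or -1 if a record overruns the buffer. */
int list_ads(const uint8_t *buf, size_t len, char names[][64], int max) {
    size_t off = 0, i;
    int n = 0;
    while (off < len) {
        if (len - off < HDR) return -1;               /* truncated header */
        uint32_t id = le32(buf + off), name_len = le32(buf + off + 16);
        uint64_t size = le64(buf + off + 8);          /* data bytes after the name */
        off += HDR;
        if (name_len > len - off || size > len - off - name_len) return -1;
        if (id == BACKUP_ALTERNATE_DATA && n < max) {
            for (i = 0; i < name_len / 2 && i < 63; i++) {   /* UTF-16LE name */
                uint8_t lo = buf[off + 2 * i], hi = buf[off + 2 * i + 1];
                names[n][i] = (!hi && lo >= 0x20 && lo < 0x7f) ? (char)lo : '?';
            }
            names[n++][i] = '\0';
        }
        off += name_len + (size_t)size;               /* skip to the next header */
    }
    return n;
}

/* Append one constructed record (header, UTF-16LE name, data); returns new length. */
size_t put_stream(uint8_t *out, size_t off, uint8_t id, const char *name, const char *data) {
    size_t nl = strlen(name) * 2, dl = strlen(data), i;
    memset(out + off, 0, HDR + nl);
    out[off] = id; out[off + 8] = (uint8_t)dl; out[off + 16] = (uint8_t)nl;
    for (i = 0; name[i]; i++) out[off + HDR + 2 * i] = (uint8_t)name[i];
    memcpy(out + off + HDR + nl, data, dl);
    return off + HDR + nl + dl;
}

int main(void) {
    uint8_t buf[256]; char names[4][64];   /* constructed sample, not real output */
    size_t len = put_stream(buf, 0, 1, "", "listing of d:");   /* 1 = BACKUP_DATA */
    len = put_stream(buf, len, BACKUP_ALTERNATE_DATA, ":stream.txt:$DATA", "listing of c:");
    for (int i = 0, n = list_ads(buf, len, names, 4); i < n; i++) printf("abc.txt%s\n", names[i]);
    return 0;
}
```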
I wrote a small program that can enumerate, delete, import and export the data in a stream. The following is its code (it was written in something of a rush, so there may be some bugs, but the main features are implemented; it is named nsvw, i.e. Ntfs Stream Viewer).