(Alternate data streams) Where does the output go?

Microsoft Windows

01 May 2013 08:07
npocmaka

Code:

echo hide>:and_seek?*
If I redirect echo to a string that starts with semicolon (and contains only one) the output goes nowhere.
After that I can even use file wildcards. There are no errors and no files produced.

Last edited by npocmaka (02 May 2013 09:25)

----------------------------

#2 01 May 2013 22:51
AiroNG

Very nice idea :)

But...
1. you can't name/create files with symbols like " / \ : * ? > < |
2. echo can't use wildcards when creating/editing a file (ie.: " echo hide >> and_seek.tx* ")
3. the reason for no error message is the ":". I tried "cls:blabla" and only cls is processed.

I do not know why that is; maybe it has to do with the fact that the ":" is used as a label precursor, or it has something to do with its usage as a drive-letter designator.

Last edited by AiroNG (01 May 2013 22:53)

I don't suffer from insanity, I enjoy every minute of it.

----------------------------

#3 02 May 2013 01:57
Liviu
npocmaka wrote:

If I redirect echo to a string that starts with semicolon (and contains only one) the output goes nowhere.
Assuming you run it on an NTFS formatted drive, the output actually goes to, and is stored in, an ADS associated with the current directory (alternate data stream - see for example... sorry, "not allowed to post links" yet).

Code:

C:\tmp\123>echo hide>:and_seek?*

C:\tmp\123>more <:and_seek?*
hide

C:\tmp\123>
Note that the ?* is part of the ADS name, and does not work as a wildcard in this context.

Liviu

----------------------------

#4 02 May 2013 03:03
probyn


Yeah, alternate data stream attached to the directory. But how to get rid of it without deleting and recreating the directory?

Phil Robyn
Univ. of California, Berkeley (retired)

----------------------------

#5 02 May 2013 03:47
Liviu


One can empty the contents of an ADS with "type nul >:etc" but that still leaves a 0-byte ADS in place. I don't know that it's possible to delete an ADS in pure batch. It can be done using sysinternals' streams.exe for example.

Code:

C:\tmp\123>type nul >:and_seek?*

C:\tmp\123>more <:and_seek?*

C:\tmp\123>streams .

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\tmp\123:
      :and_seek?*:$DATA 0

C:\tmp\123>streams -d .

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\tmp\123:
   Deleted :and_seek?*:$DATA

C:\tmp\123>streams .

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

No files with streams found.

C:\tmp\123>
Liviu

----------------------------

#6 02 May 2013 06:40
npocmaka

thanks Liviu,

That was interesting to know. If these streams are associated with files (rather than with directories), they can be deleted more easily:

Code:

C:\Users\tmp>echo one>two:three

C:\Users\tmp>more <two:three
one

C:\Users\tmp>del two /s /q
Deleted file - C:\Users\tmp\two

C:\Users\tmp>more <two:three
The system cannot find the file specified.

C:\Users\tmp>streams -s

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

No files with streams found.
----------------------------

#7 02 May 2013 09:24
npocmaka


And the commands that read from alternate streams (that I've found so far):

FOR /F, FIND, FINDSTR, MORE (as mentioned), CERTUTIL, CLIP, EXPAND, SORT, MOFCOMP, FTP -S

CERTUTIL, MOFCOMP and EXPAND look like security threats.

---
http://www.exploit-monday.com/2011/09/s ... s-and.html [404]
http://pauldotcom.com/2010/02/deleting- ... eable.html [404]
http://pauldotcom.com/2010/10/windows-7 ... and-h.html [404]

Last edited by npocmaka (06 May 2013 23:11)

----------------------------

#8 02 May 2013 19:58
Liviu


One other command that supports ADS is CSCRIPT. This opens up some interesting possibilities, for example writing a self-contained batch file that saves and runs script code in an ADS.

Code:

@echo off & setlocal
pushd "%~dp0"

(set/p "isads=" <%~nx0:ads.vbs) 2>nul || (
  echo saving    :ads.vbs
  echo wscript.echo "inside    :ads.vbs [ " ^& wscript.arguments^(0^) ^& " ]" >%~nx0:ads.vbs
)

echo running   :ads.vbs
cscript //nologo "%~nx0:ads.vbs" works
echo finished  :ads.vbs
Assuming the above is saved as hybrid.cmd and run twice, the output shows that the VBScript ADS is created on the first run only, then reused on subsequent runs.

Code:

C:\tmp\123>hybrid
saving    :ads.vbs
running   :ads.vbs
inside    :ads.vbs [ works ]
finished  :ads.vbs

C:\tmp\123>hybrid
running   :ads.vbs
inside    :ads.vbs [ works ]
finished  :ads.vbs

C:\tmp\123>
One obvious caveat is that the trick only works on NTFS volumes. Then, I have a nagging feeling that MS might someday consider it a security risk and disable the functionality. In the meantime, it works under XP, Win7 x64, and (I assume) everything in between.

Liviu
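The three practical questions raised in posts #5, #7 and #8 (how to delete a stream without recreating its directory, how to find what the listed commands could be reading from, and whether the volume is NTFS at all) can be handled from PowerShell 3.0 or later, whose FileSystem provider exposes streams through the -Stream parameter of Get-Item, Get-Content, Set-Content and Remove-Item. The script below is an added example, not code from the thread or from Sysinternals. The function names, the scratch directory under %TEMP% and the sample streams it creates are constructed here; it assumes a local NTFS drive, that Remove-Item -Stream matches the name as a wildcard pattern (hence the escaping, which is what makes the literal "and_seek?*" name deletable), and that Remove-Item accepts a directory as -LiteralPath the same way it accepts a file.

```powershell
# Added example (not from the thread). Windows PowerShell 3.0+ or PowerShell 7 on Windows, NTFS volume.

function Test-NtfsVolume {
    # $true when the local volume holding $Path is NTFS; ADS do not exist anywhere else (post #8's caveat).
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $root = [System.IO.Path]::GetPathRoot($full)              # e.g. C:\  (local drives only; UNC paths are out of scope)
    return (New-Object System.IO.DriveInfo($root)).DriveFormat -eq 'NTFS'
}

function Get-AdsInventory {
    # Lists every alternate stream under $Path, on files and on directories, with a short text preview.
    # The default ::$DATA stream is skipped; Zone.Identifier (mark-of-the-web) is skipped unless asked for,
    # because it appears on every downloaded file and would bury something like the thread's ads.vbs.
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeZoneIdentifier
    )
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # Get-Item -Stream takes a wildcard pattern and enumerates streams on directories too,
        # which is exactly what "echo hide>:and_seek?*" leaves behind.
        $streams = Get-Item -LiteralPath $item.FullName -Stream '*' -Force -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { continue }
            if (-not $IncludeZoneIdentifier -and $s.Stream -eq 'Zone.Identifier') { continue }
            # Get-Content -Stream uses the name literally, so the odd "and_seek?*" name reads back unchanged.
            $head = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -TotalCount 2 -ErrorAction SilentlyContinue
            $preview = (($head -join ' ') -replace '\s+', ' ')
            if ($preview.Length -gt 60) { $preview = $preview.Substring(0, 60) + '...' }
            [pscustomobject]@{
                Path        = $item.FullName
                IsDirectory = $item.PSIsContainer
                Stream      = $s.Stream
                Length      = $s.Length
                Preview     = $preview
            }
        }
    }
}

function Remove-Ads {
    # Deletes one named stream and leaves the host file or directory in place.
    # Assumption: Remove-Item -Stream is matched as a wildcard pattern, so literal ? and * must be escaped.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Stream
    )
    Remove-Item -LiteralPath $Path -Stream ([WildcardPattern]::Escape($Stream)) -ErrorAction Stop
}

# --- Demo on a scratch directory (constructed sample data, recreating the thread's three cases) ---
$dir = Join-Path $env:TEMP ('ads_demo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
if (-not (Test-NtfsVolume $dir)) { throw "$dir is not on NTFS; alternate data streams are unavailable" }

Push-Location $dir
cmd /c 'echo hide>:and_seek?*'                                        # stream on the directory itself (post #1)
New-Item -ItemType File -Path two, hybrid.cmd | Out-Null
Set-Content -LiteralPath two -Stream three -Value 'one'               # file "two" with stream "three" (post #6)
Set-Content -LiteralPath hybrid.cmd -Stream ads.vbs -Value 'wscript.echo "payload"'   # hidden script (post #8)
Pop-Location

Get-AdsInventory -Path $dir | Format-Table -AutoSize                  # three streams expected

Remove-Ads -Path $dir -Stream 'and_seek?*'                           # the case streams.exe -d handled in post #5
Remove-Ads -Path (Join-Path $dir 'hybrid.cmd') -Stream 'ads.vbs'

$left = @(Get-AdsInventory -Path $dir)
if ($left.Count -ne 1 -or $left[0].Stream -ne 'three') { throw "unexpected streams remain: $($left.Stream -join ', ')" }
$left | Format-Table -AutoSize                                        # only two:three should remain

Remove-Item -LiteralPath $dir -Recurse -Force
```

Running Get-AdsInventory against a user profile or a share is the detection counterpart of post #7's list: any non-trivial stream with script-looking text in the preview is worth a look, since CERTUTIL, MOFCOMP, EXPAND and CSCRIPT will happily consume it. Remove-Ads does what streams -d did in post #5 without needing the Sysinternals binary.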