#1 01 May 2013 08:07

npocmaka
Member
From: Bulgaria
Registered: 03 Dec 2009
Posts: 430

(Alternate data streams)Where the output goes?


echo hide>:and_seek?*

If I redirect echo to a string that starts with semicolon (and contains only one) the output goes nowhere.
After that I can even use file wildcards. There are no errors and no produced files.

Last edited by npocmaka (02 May 2013 09:25)


#2 01 May 2013 22:51

AiroNG
Member
From: Germany
Registered: 26 Nov 2012
Posts: 42

Re: (Alternate data streams)Where the output goes?

Very nice idea :)

But...
1. you can't name/create files with symbols like " / \ : * ? > < |
2. echo can't use wildcards when creating/editing a file (i.e. " echo hide >> and_seek.tx* ")
3. the reason for no error message is the ":". I tried "cls:blabla" and only cls is processed.

I do not know why that is, maybe it has to do with the fact that the ":" is used as a label precursor. Or it has something to do with its usage as a drive-letter designator.

Last edited by AiroNG (01 May 2013 22:53)


I don't suffer from insanity, I enjoy every minute of it.


#3 02 May 2013 01:57

Liviu
Member
Registered: 02 May 2013
Posts: 8

Re: (Alternate data streams)Where the output goes?

npocmaka wrote:

If I redirect echo to a string that starts with semicolon (and contains only one) the output goes nowhere.

Assuming you run it on an NTFS formatted drive, the output actually goes to, and is stored in, an ADS associated with the current directory (alternate data stream - see for example... sorry, "not allowed to post links" yet).

C:\tmp\123>echo hide>:and_seek?*

C:\tmp\123>more <:and_seek?*
hide

C:\tmp\123>

Note that the ?* is part of the ADS name, and does not work as a wildcard in this context.

Liviu


#4 02 May 2013 03:03

probyn
Member
From: El Cerrito, CA, USA
Registered: 02 May 2013
Posts: 2

Re: (Alternate data streams)Where the output goes?

Yeah, alternate data stream attached to the directory. But how to get rid of it without deleting and recreating the directory?

Phil Robyn
Univ. of California, Berkeley (retired)


#5 02 May 2013 03:47

Liviu
Member
Registered: 02 May 2013
Posts: 8

Re: (Alternate data streams)Where the output goes?

One can empty the contents of an ADS with "type nul >:etc" but that still leaves a 0-byte ADS in place. I don't know that it's possible to delete an ADS in pure batch. It can be done using sysinternals' streams.exe for example.

C:\tmp\123>type nul >:and_seek?*

C:\tmp\123>more <:and_seek?*

C:\tmp\123>streams .

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\tmp\123:
      :and_seek?*:$DATA 0

C:\tmp\123>streams -d .

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\tmp\123:
   Deleted :and_seek?*:$DATA

C:\tmp\123>streams .

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

No files with streams found.

C:\tmp\123>

Liviu

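The same sequence as Liviu's session, carried out from PowerShell instead of streams.exe, as an added example that is not part of the thread. It assumes PowerShell 3.0 or later (where the FileSystem provider exposes NTFS streams through the -Stream parameter), an NTFS volume, and a constructed scratch directory and stream name; the stream name deliberately omits the ?* suffix so that no wildcard matching is applied to -Stream.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ on an NTFS volume.
# List, read, empty and finally delete an ADS attached to a directory,
# without removing the directory itself.

$dir    = Join-Path $env:TEMP 'ads_demo'   # constructed scratch directory
$stream = 'and_seek'                       # constructed stream name (no ?* so that
                                           # -Stream is not treated as a wildcard)
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Equivalent of   echo hide>:and_seek   in the thread: writes the named stream
Set-Content -LiteralPath $dir -Stream $stream -Value 'hide'

function Get-DirStreams {
    param([string]$Path)
    # A directory has no unnamed $DATA stream, so only alternate streams come back.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Select-Object Stream, Length
}

Write-Host '--- after creation'
Get-DirStreams $dir                               # the stream is listed with its size
Get-Content -LiteralPath $dir -Stream $stream     # equivalent of   more <:and_seek

# Equivalent of   type nul >:and_seek   : empties the stream but leaves it in place
Clear-Content -LiteralPath $dir -Stream $stream
Write-Host '--- after Clear-Content'
Get-DirStreams $dir                               # still listed, now with length 0

# Equivalent of   streams -d .   : removes the stream only; the directory survives
Remove-Item -LiteralPath $dir -Stream $stream
Write-Host '--- after Remove-Item -Stream'
Get-DirStreams $dir                               # nothing is listed any more
Test-Path -LiteralPath $dir -PathType Container   # the directory itself is intact
```

Get-Item with -Stream * is also the quickest way to audit a directory for streams that a plain dir listing never shows; the same three cmdlets (Get-Item, Get-Content, Remove-Item with -Stream) work on files as well, where the unnamed stream appears as :$DATA.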

#6 02 May 2013 06:40

npocmaka
Member
From: Bulgaria
Registered: 03 Dec 2009
Posts: 430

Re: (Alternate data streams)Where the output goes?

thanks Liviu,

That was interesting to know. If these streams are associated with files (but not with directories) they can be deleted more easily:

C:\Users\tmp>echo one>two:three

C:\Users\tmp>more <two:three
one

C:\Users\tmp>del two /s /q
Deleted file - C:\Users\tmp\two

C:\Users\tmp>more <two:three
The system cannot find the file specified.

C:\Users\tmp>streams -s

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

No files with streams found.


#7 02 May 2013 09:24

npocmaka
Member
From: Bulgaria
Registered: 03 Dec 2009
Posts: 430

Re: (Alternate data streams)Where the output goes?

And the commands that read from alternate streams (that I've found so far):

FOR /F, FIND, FINDSTR, MORE (as was mentioned), CERTUTIL, CLIP, EXPAND, SORT, MOFCOMP, FTP -S

CERTUTIL, MOFCOMP and EXPAND look like security threats.

---
http://www.exploit-monday.com/2011/09/s … s-and.html
http://pauldotcom.com/2010/02/deleting- … eable.html
http://pauldotcom.com/2010/10/windows-7 … and-h.html

Last edited by npocmaka (06 May 2013 23:11)


#8 02 May 2013 19:58

Liviu
Member
Registered: 02 May 2013
Posts: 8

Re: (Alternate data streams)Where the output goes?

One other command that supports ADS is CSCRIPT. This opens up some interesting possibilities, for example writing a self-contained batch file that saves and runs script code in an ADS.

@echo off & setlocal
pushd "%~dp0"

(set/p "isads=" <%~nx0:ads.vbs) 2>nul || (
  echo saving    :ads.vbs
  echo wscript.echo "inside    :ads.vbs [ " ^& wscript.arguments^(0^) ^& " ]" >%~nx0:ads.vbs
)

echo running   :ads.vbs
cscript //nologo "%~nx0:ads.vbs" works
echo finished  :ads.vbs

Assuming the above is saved as hybrid.cmd and run twice, the output shows that the VBScript ADS is created on the first run only, then reused on subsequent runs.

C:\tmp\123>hybrid
saving    :ads.vbs
running   :ads.vbs
inside    :ads.vbs [ works ]
finished  :ads.vbs

C:\tmp\123>hybrid
running   :ads.vbs
inside    :ads.vbs [ works ]
finished  :ads.vbs

C:\tmp\123>

One obvious caveat is that the trick only works on NTFS volumes. Then, I have a nagging feeling that MS might someday consider it a security risk and disable the functionality. In the meantime, it works under XP, Win7 x64, and (I assume) everything in between.

Liviu

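From the defender's side, the reader list in post #7 and the cscript trick in post #8 are most useful as a detection heuristic over process command lines. The following is an added example, not code from the thread: it takes command lines as a process-creation log (Sysmon event 1 or Security event 4688 with command-line auditing) would record them, finds arguments of the form file:stream or :stream, and grades each hit by whether the tool is one the thread singles out. The sample lines are constructed for the demo and include the commands from this thread plus a few benign look-alikes (a drive letter, a time value, a URL-free plain path) that must not be flagged.

```powershell
# Added example (not from the thread). Heuristic ADS detection over command lines.
# Tools named in posts #7 and #8 as readers of alternate streams:
$readers  = 'for','find','findstr','more','certutil','clip','expand','sort','mofcomp','ftp','cscript'
$highRisk = 'certutil','mofcomp','expand','cscript'   # called out as security threats

# Constructed sample command lines (not real log data)
$sample = @(
    'cmd.exe /c echo hide>:and_seek?*',
    'certutil -decode C:\tmp\123\hybrid.cmd:ads.vbs C:\tmp\123\out.bin',
    'cscript //nologo "C:\tmp\123\hybrid.cmd:ads.vbs" works',
    'mofcomp C:\Users\tmp\two:three',
    'expand C:\Users\tmp\two:three C:\Users\tmp\out',
    'more <two:three',
    'ftp -s:C:\Users\tmp\two:three',
    'dir C:\Users\tmp',                         # drive letter only: no stream
    'cscript //nologo "C:\tmp\script.vbs"',     # ordinary script file
    'echo 12:30 > C:\Users\tmp\time.txt'        # colon inside data, not a stream
)

function Get-AdsTokens {
    param([string]$CommandLine)
    # Split on whitespace but keep double-quoted arguments together
    $tokens = [regex]::Matches($CommandLine, '"[^"]*"|\S+') | ForEach-Object { $_.Value.Trim('"') }
    foreach ($t in $tokens) {
        $arg = $t -replace '^-s:', ''    # ftp -s:<file> glues the option to the path
        # <optional drive>[path]:<stream>; a stream name may contain ? and *
        # (as :and_seek?* in the thread) but never a path separator or another colon
        if ($arg -match '^(?:[A-Za-z]:)?(?<file>[^:]*):(?<stream>[^:\\/]+)$') {
            $file, $stream = $Matches.file, $Matches.stream
            if ($stream -match '^\d+$') { continue }   # hh:mm style value, not a stream
            [pscustomobject]@{ File = $file; Stream = $stream; Token = $t }
        }
    }
}

function Find-AdsUsage {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Put spaces around redirection operators so that  hide>:and_seek?*  splits cleanly
        $spaced = $line -replace '(2?>>?|<)', ' $1 '
        $hits   = @(Get-AdsTokens $spaced)
        if (-not $hits) { continue }

        $image = ($line -split '\s+')[0].Trim('"')
        $tool  = [IO.Path]::GetFileNameWithoutExtension($image).ToLowerInvariant()
        # A '>' in front of a file:stream token means the stream is being written
        $mode  = if ($spaced -match '>\s*"?(?:[A-Za-z]:)?[^\s":]*:[^\s"]') { 'write' } else { 'read' }

        $severity = if ($tool -in $highRisk) { 'high' }
                    elseif ($tool -in $readers -or $mode -eq 'write') { 'medium' }
                    else { 'low' }

        foreach ($h in $hits) {
            [pscustomobject]@{
                Severity    = $severity
                Tool        = $tool
                Mode        = $mode
                Stream      = $h.Stream
                Host        = if ($h.File) { $h.File } else { '<current directory>' }
                CommandLine = $line
            }
        }
    }
}

Find-AdsUsage $sample | Format-Table -AutoSize
```

Run as written, the last three sample lines produce no rows: the drive-letter colon is consumed before the stream pattern is tried, a purely numeric "stream" is dropped as a time value, and a plain script path has no second colon. The high-severity rows are exactly the certutil, mofcomp, expand and cscript lines; treat the grading as a starting point for tuning, since the same file:stream syntax also appears in legitimate Zone.Identifier handling.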
