Fun with NTFS : Hide your data in Alternate Streams
December 01, 2010
Windows NT is a dynamic filesystems. It has certain cool capabilities such as file and directory linking, spurse files, alternate streams and many more. Today we are going to see what Alternate Streams can do for us.
Alternate Streams
We can programmatically open files in NTFS as file streams. NTFS supports alternate file streams for any file. We can open multiple file streams on a single file. To a normal user only the default file stream would be visible. This technique can be used to hide sensitive data in plain sight, or hide the encrypted data in hidden stream. Some viruses and rootkits use this technique to hide. Even two years ago many of the famous antiviruses did not use to scan for alternate file streams.
Before we go into programming details lets have fun exercise with alternate file streams.
Step 1. Open up command prompt in windows
Step 2. Type the following
notepad myfile.txt
Step 3. Type "Default text" in notepad then save the file
Step 4. again in command prompt type
notepad myfile.txt:hidden_data
Step 5. Type "My gmail password : yoho" in notepad then save the file
Step 6. Open the myfile.txt. What do you see?
You can see the "Default text" in the file. But the data you saved in the alternate stream named "hidden_data" is not visible. If you look in the explorer you will not find the file named myfile.txt:hidden_data, rather you will only see myfile.txt. Now if we type in the command again "notepad myfile.txt:hidden_data" then we will see that the text "My gmail password : yoho" is on notepad.
So, myfile.txt have an alternate file stream called "hidden_data". We can open and keep multiple such streams for the file. This is a cool feature, isn’t it?
.NET Does not support NTFS alternate strems
NTFS streams have been around for more than 10 years and we have .NET version 4.0 released. But unfortuntely .NET Framework yet do not have any support for alternative file streams. This is quite unexpected and sad.
I am quite disappointed in Microsoft for not providing such a basic file system manipulation has been in NTFS for over 10 years.
So? What is our option
You can write Alternative file stream class yourself by using the basic windows APIs. But it would be a lot easier to use a prebuilt library. Greg Duncan has already created a library. His code can be found here.