ADS: Alternate Data Stream

Well,

I have known for a long time that it existed.
But how do you use it, and when?

Well, I think you can use it with a lot of things.
Use it in scripts, exe's, vbs files, etc.
It works just brilliantly.

But as simple as it is to create, it is also very simple to lose the ADS.
When you move the file to a non-NTFS file system, the ADS is lost.

My first test was a small script for an issue I encountered.

The initial file that I wanted to move into the data stream was a *.bat file; I named it COA.bat:

REM Clear the folder where Outlook caches opened attachments.
cd "C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\"
REM The trailing * makes FOR /D walk the cache subfolders instead of naming
REM Content.Outlook itself (which is the current directory and cannot be removed).
for /d %%a in ("C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\*") do rd /Q /S "%%a"
REM Go back to the folder this script was started from.
CD "%~dp0"
TIMEOUT /T 10 /NOBREAK
REM Write a one-line VBScript that pops up a message box, run it, then delete it.
ECHO MSGBOX "Alle attachments zijn opgeruimd ¯\_(00)_/¯" > %temp%\TEMPmessage.vbs
call %temp%\TEMPmessage.vbs
TIMEOUT /T 5 /NOBREAK
del %temp%\TEMPmessage.vbs /f /q
CLS
EXIT

So I needed another file to hide the ADS in. I created Clean.bat.
But how do you write the above content to the ADS of Clean.bat?

Well, you need to open a Command Prompt window and
CD to the directory where you created the COA.bat file.
If you need to CD to that folder a lot, it is easy to create a bat file with just the line CMD.exe in it.
Place that cmd bat in the directory you are working in and open it.

You can now just TYPE to the Clean.bat ADS stream. Yes, 🙂 just TYPE.

TYPE File1 > File2:File1

In my case that would be:
TYPE COA.bat > Clean.bat:COA.bat

Well, now the ADS has been written to the file.

Accessing your ADS behind the main file:
In Windows 7 they removed the ability to run a file directly from the ADS.
Like this:

So instead of talking to or executing directly from the ADS, I take it out of the ADS again:
MORE < Clean.bat:COA.bat > HiddenCOA.bat

This is what the main Clean.bat file looks like.

CD "%~dp0"
@echo off
REM Copy the hidden stream out into a normal file, run it minimized,
REM give it time to finish, then remove the extracted copy again.
MORE < Clean.bat:COA.bat > HiddenCOA.bat
Start /min HiddenCOA.bat
TIMEOUT /T 18 /NOBREAK
DEL HiddenCOA.bat
cls

EXIT
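The same write-and-extract round trip as the TYPE and MORE steps above, as an added example in PowerShell (not the post's own batch files). It assumes an NTFS scratch folder under %TEMP%; the file names Clean.bat and COA.bat follow the post, but their contents are constructed stand-ins:

```powershell
# Added example, not the blog's script. Assumes an NTFS volume; the file
# names Clean.bat and COA.bat follow the post, their contents are constructed.
$work = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# Constructed stand-ins so the example runs on its own.
Set-Content -Path 'COA.bat'   -Value '@echo off', 'echo this came out of the alternate stream'
Set-Content -Path 'Clean.bat' -Value '@echo off', 'echo this is the host file'

# 1. Write COA.bat into a named stream of Clean.bat
#    (same effect as: TYPE COA.bat > Clean.bat:COA.bat).
Get-Content -Path 'COA.bat' -Raw |
    Set-Content -Path 'Clean.bat' -Stream 'COA.bat' -NoNewline

# 2. The host file's reported size is unchanged: Length counts only the
#    unnamed $DATA stream, which is why the extra content is easy to miss.
Get-Item -Path 'Clean.bat' | Select-Object Name, Length

# 3. List every stream on the file (the PowerShell equivalent of DIR /R).
Get-Item -Path 'Clean.bat' -Stream * | Select-Object Stream, Length

# 4. Copy the stream back out into a normal file
#    (same effect as: MORE < Clean.bat:COA.bat > HiddenCOA.bat).
Get-Content -Path 'Clean.bat' -Stream 'COA.bat' -Raw |
    Set-Content -Path 'HiddenCOA.bat' -NoNewline

# 5. Or read it straight from the stream without extracting at all.
Get-Content -Path 'Clean.bat' -Stream 'COA.bat'

# 6. Remove the stream when done; cmd has no command for this,
#    it can only overwrite or truncate the stream.
Remove-Item -Path 'Clean.bat' -Stream 'COA.bat'
Get-Item -Path 'Clean.bat' -Stream * | Select-Object Stream, Length
```

Steps 2 and 3 together are the check worth remembering: Explorer and a plain DIR report only the unnamed stream, while DIR /R in cmd or Get-Item -Stream * in PowerShell show the rest. Copy-Item or Move-Item to a FAT32 or exFAT destination silently drops the named stream, which is the loss described at the top of the post.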

My main reasons for using the ADS:

  1. There is no direct access to the file, so the code stays untouched.
  2. Just to test out the surface of the ADS stream.
  3. Fun

But this can also be used for malicious things.
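Because the same trick can carry content nobody expects to find on a file, the check a defender wants is an inventory of named streams across a folder tree. The function below is an added example, not part of the post; Find-AlternateStreams and its parameters are hypothetical names, and the scan path at the bottom is a placeholder:

```powershell
# Added example, not from the post. Find-AlternateStreams is a hypothetical
# helper name; it reports every named stream under a folder other than the
# default unnamed stream (:$DATA).
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the "mark of the web" that browsers and Outlook
        # add to downloads; it is expected on most files, so hide it by default.
        [switch] $IncludeZoneIdentifier
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # First line of the stream, enough to tell a script
                        # (e.g. "@echo off") from something else.
                        Head   = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
                    }
                }
        }
}

# Usage: replace the placeholder with the folder to audit.
Find-AlternateStreams -Path 'C:\PLACEHOLDER\folder-to-audit' |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

Run against the folder where Clean.bat lives, the output is one row per named stream with the owning file, the stream name, its size and its first line. The cmd-level equivalent is DIR /R on each folder, and Sysinternals streams.exe (streams -s <folder>) gives the same recursive listing without PowerShell.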