If you need to get to the data in an ADS, there are several utilities that will notify you and/or copy out the Alternate Data Stream from the file. Just to name a few, Mares has one called copy_ads; Heysoft has one called lads; and another one called streams.exe is out there as well.
To add to Curt's comment earlier, I believe Silkrope was one of the tools you referred to that allows exe packing.

Henri

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Maynard, David C
Sent: Monday, October 20, 2003 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [inbox] Re: [Full-Disclosure] Windows covert channel

I believe you are referring to editing a file and saving with a :hidden. Say you have a file test 4k; you can open that file with, let's say, test:hidden and add as much info as you want, and the original file size never changes, and test:hidden is not listed in the file system but is treated as a separate file when edited. You have to know the hidden info is attached to the test file to detect the info.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Curt Purdy
Sent: Monday, October 20, 2003 9:49 AM
To: 'jazper'; [EMAIL PROTECTED]
Subject: RE: [inbox] Re: [Full-Disclosure] Windows covert channel

> You are probably thinking of ADS (Alternate Data Streams).
>
> jazper
>
> > I seem to remember in the dim reaches of my memory a covert channel in
> > the Windows file system where you could paste one file at the end of
> > another without it being detectable when you edited the original file.

It may be that he is referring to an exe packer as used to attach a trojan to a legitimate exe aka whackamole.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
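The detection problem discussed in this thread (the listed file size stays the same and the named stream does not appear in a normal listing), as an added example that is not part of the original messages: a parser that reports named streams from `dir /R` output. The sample listing is constructed, the English-locale `dir /R` layout is an assumption, and the `BENIGN` allow-list is a hypothetical choice.

```python
import re

# Constructed sample of `dir /R` output (English locale); not taken from the thread.
SAMPLE_DIR_R = r"""
 Directory of C:\case\evidence

10/20/2003  12:47 PM             4,096 test
                                 9,216 test:hidden:$DATA
10/20/2003  09:49 AM            18,432 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
10/20/2003  09:50 AM               512 notes.txt
"""

# A stream line has no date/time columns: only a size and name:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
# A file line starts with a date; its size covers the unnamed stream only.
FILE_LINE = re.compile(r"^\d\S*\s+\S+(?:\s+[AP]M)?\s+([\d,]+)\s+(.+?)\s*$")

# Streams Windows attaches itself; skipped when reporting (assumed allow-list).
BENIGN = {"Zone.Identifier"}

def parse_dir_r(text):
    """Return {filename: {"size": int, "streams": {stream_name: bytes}}}."""
    files = {}
    for line in text.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size, owner, stream = m.groups()
            entry = files.setdefault(owner, {"size": None, "streams": {}})
            entry["streams"][stream] = int(size.replace(",", ""))
            continue
        m = FILE_LINE.match(line)
        if m:
            size, name = m.groups()
            files.setdefault(name, {"size": None, "streams": {}})["size"] = int(size.replace(",", ""))
    return files

def suspicious_streams(text):
    """List (file, stream, listed_size, hidden_bytes) for streams not in BENIGN."""
    hits = []
    for name, info in parse_dir_r(text).items():
        for stream, nbytes in info["streams"].items():
            if stream not in BENIGN:
                hits.append((name, stream, info["size"], nbytes))
    return sorted(hits)

if __name__ == "__main__":
    for name, stream, listed, hidden in suspicious_streams(SAMPLE_DIR_R):
        print(f"{name}:{stream} holds {hidden} bytes; listed size stays {listed}")
```

In the constructed listing, `test` is reported at 4,096 bytes while its `hidden` stream holds a further 9,216 bytes that the listed size does not include.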
