How do you use Alternate Data Streams and what are the benefits?


I've read some documentation about Alternate Data Streams and I'm thinking about using them in my own projects. However, there are so many unknowns and open questions that I still have before I decide to use them. That's why I made this question list:

  1. How do you enumerate streams without the Sysinternals tool streams?
  2. Does a stream affect the "Host" File's MD5 Value?
  3. What happens if I copy/cut the "Host" File to another (NTFS) Path? Do the streams copy/cut themselves too?
  4. What happens if I copy/cut the "Host" File to another Path that is NOT NTFS?
  5. Is it possible to have another Stream in an existing stream?
  6. Since you will have an actual filehandle for each stream, is it possible to change a stream's attributes?
  7. Can I use the LoadLibrary API to load a DLL from a stream?
  8. Is it possible to execute (e.g. ShellExecute) a stream?
  9. What are the advantages/benefits/disadvantages of using Alternate Data Streams?
  10. What do I have to be cautious about if I use Alternate Data Streams?

I'm looking forward to your answers/info/summaries. The preferable language is Delphi, but any other language will do too, as long as it uses the WinAPI.

Felix Dombek (best answer)

Many of your questions are covered here: http://flexhex.com/docs/articles/alternate-streams.phtml

  1. Enumeration: Use NtQueryInformationFile, see link. Beginning with Windows Vista, you can also enumerate streams on the command line using dir /r.

  2. Checksums: As you usually open only the unnamed data stream when you access a file by name, only the contents of this stream are used when calculating checksums.

  3. Copying to NTFS: Windows Explorer and the copy command-line utility copy all streams.

  4. Copying to other FS: The alternate data streams are lost.

  5. Nested streams: No, a file simply consists of a list of streams, they cannot be nested.

  6. Attributes: Some attributes are file-based, some (encrypted, compressed, sparse) are stream-based.

  7. LoadLibrary seems to work on alternate data streams.

  8. ShellExecute on an ADS failed with ERROR_FILE_NOT_FOUND (2) on my computer.

    Note that it is theoretically possible to run an ADS from the command line:

    type calc.exe > dummy.txt:calc

    wmic process call create "dummy.txt:calc"

  9. ADS are useful to store some non-critical information associated with a file. For example, executable files downloaded from the internet will have an ADS which causes Explorer to display a warning before the file is executed.

  10. See link. In particular, don't use them for critical data.
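As an added example (not part of the answer above), the following PowerShell script checks points 1, 2 and 3 of the answer with built-in cmdlets and ends with the check a defender would run: listing every file in a tree that carries a stream other than the default one. It assumes a Windows host with an NTFS volume behind $env:TEMP; the directory, file and stream names are made up for the demo.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell on an NTFS volume.
$work = Join-Path $env:TEMP 'ads-demo'          # assumed scratch directory
New-Item -ItemType Directory -Path $work -Force | Out-Null
$file = Join-Path $work 'host.txt'

# Unnamed (default) stream: what every tool sees when it opens the file by name
Set-Content -Path $file -Value 'primary data' -NoNewline
$hashBefore = (Get-FileHash -Path $file -Algorithm MD5).Hash

# Point 1: attach an alternate data stream called "notes" (constructed name) ...
Set-Content -Path $file -Stream 'notes' -Value 'metadata kept in an ADS' -NoNewline

# ... and enumerate all streams. ':$DATA' is the unnamed stream, 'notes' is ours.
Get-Item -Path $file -Stream * | Select-Object Stream, Length | Format-Table -AutoSize

# Point 2: hashing by file name reads only the unnamed stream, so the MD5 is unchanged
$hashAfter = (Get-FileHash -Path $file -Algorithm MD5).Hash
"MD5 unchanged after adding the ADS: $($hashBefore -eq $hashAfter)"

# Point 3: copying to another NTFS path keeps the alternate streams
$copy = Join-Path $work 'copy.txt'
Copy-Item -Path $file -Destination $copy
"ADS content on the copy: $(Get-Content -Path $copy -Stream 'notes')"

# Defender check (points 9 and 10): report every file under $work that has a named stream.
# The same query over a download or user-profile tree surfaces e.g. Zone.Identifier marks.
Get-ChildItem -Path $work -File -Recurse |
    ForEach-Object { Get-Item -Path $_.FullName -Stream * } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize

Remove-Item -Path $work -Recurse -Force
```

Copying the host file to a FAT or exFAT volume instead would silently drop the 'notes' stream (point 4), which is why a check like the last query should run on the NTFS side before files leave it.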