Windows Internals Interesting site great articles

[Zebuddi123]

Hi to all came across this site while researching Alternative Data Streams. Some great in depth articles about windows internals for those that might be interested.

Zebuddi

http://www.alex-ionescu.com/

[idle]

Some good articles there, didn't see the one on the very scary ADS though!

[Little John]

[...] Alternative Data Streams [...]
http://www.alex-ionescu.com/

Some good articles there, didn't see the one on the very scary ADS though!

That page has a search field near the upper right corner. If I search for "Alternative Data Streams", then I find nothing. The reason probably is, that that's not the name of that beast.

But searching for "Alternate Data Streams", I found this:
http://www.alex-ionescu.com/?s=Alternate+Data+Streams

Regards, Little John

[Zebuddi123]

Hi Idle they certainly are that's why i`m researching them, been having problems ever since i install pb5.10b1 (though i don't think its pb) and comodo ics 2013

5 or 6 times a day purebasic_compilation??? or pb_debugger the ide even programs ive written myself i use suddenly requests igmp 239.255.255.253. today pb_debugger requesting 224.0.0.22 (reported by comodo ics 2013) played detective with networkmonitor procmon procexp etc. a program i wrote for searching strings in a file suddenly starts requesting 239.255.255.253 (I blocked ) whilst parsing all my pb source files 8000+ for any line with the word german (bk working on my CLC commented language converter) at a particular section in the file list( not narrowed down to which file/files yet) up jumps the request and its reproducible.

Ran avast, comodo, fprot, ubuntu livecd running clam, malwarebytes, nothing not a sausage. so i wondered somehow maybe its from the ads (up 2 gig multiple streams, encrypted, and executable (done rootkit searches too also full wipe via linux reinstalled windows x 2 ). Don`t really know allot about networking, so probably barking up the wrong tree (but thats normal for me )

anyone with some insight any ideas would be appreciated. anyways the link for the ads

http://www.alex-ionescu.com/NTFS%20Alte ... treams.pdf

Zebuddi.

[idle]

@ little john
I was just making the point that Alternate Data Streams are a scary feature of NTFS
How are you supposed to know if an exe has been appended to a file? Explorer won't show it!
All you see is a modified date of the file in question and despite ADS being around since mid 90's
they're not that widely known and the average user wouldn't have a clue if they've got rouge files
hidden from their view in an alternate stream.
I'd assume every AV product would test for them today but that never used to be the case
and at some point even some exe monitors would ignore the request to open a stream
C:\Foo.exe:NastyVirus.exe and simply let it run.

@Zebuddi123
A lot of AV's will use ADS to store checksums and post XP I think they're viewable
but you can also download tools to list all the streams
I remember I was so paranoid of ADS when I first heard of them I reformatted to FAT.

background on them
http://en.wikipedia.org/wiki/Fork_(file_system)
a good article
http://www.windowsitpro.com/article/fil ... ta-streams

Not sure what's going on with the multicast
http://en.wikipedia.org/wiki/Internet_G ... t_Protocol

[Zebuddi123]

Hi idle yes i written a console program to view them via parsing system internals streams.exe -s > blabla.tx could`nt spot anything. have just run my search4strings tool for the word german again though all my pb sources and search4strings pops up requesting igmp 239.255.255.250 as i said its reproducible, then ran procmon filtered search4strings and cis (comodo) as soon as the igmp request pops up i searched procmon for .wav to see which .pb files were opened just prior to the alarm.

deleted the group of files in that directory (nothing to valuable) and researched with search4strings and nothing, gone. as my tool will search any file type just did a search on c:\ pulled a .pdf that cause search4strings to request igmp again so killed that little sod too ran another search to just beyond that point and again nothing

so tomorrow i`ll let it search all my c:\ drive, imagine it`ll take an hour or two and kill anything that pops up. Im in the thinking it has to be in the ads, if it pulls another i`ll put the group, prior to the alert i find in procmon and submit to virustotal or avast etc with an explanation see if the gurus find something.

should imagine the ads are copied too. but imagine you copied a 7k .pb file as a rar file but the .pb has a 70k ads now i know window explorer dont show the size of the file with ads but would you notice it in the rar size

well find out more tomorrow

Zebuddi.