All Files being given this Alternative Data Stream ?
Posted: Wed Jan 14, 2015 2:44 pm
Hi to all
All my files seem to be getting this ADS added to them, and I also see slow start-up from an SSD, as reported on the Comodo forums (yes, I use Comodo). I am adapting
Nico's ADS program (with sorting added via utopiomania's sort code), with the idea of creating checksums for the ADS and comparing them. In the forums I have browsed there has been mention of the ADS known as :$CmdTclID:$Data 64 starting with "b", with the rest of the stream differing from file to file.
ADS ie: :$CmdTclID:$Data 64 bÊtåD¦ø";èÌõò~‰VZ5E²>SŸU¥ýêòŠŸVZ5EäÉ‹,ëÚÑßÊtåDæBÐ#«¢üê
https://forums.comodo.com/install-setup ... #msg793394
Nothing is being flagged by my anti-virus/anti-malware scanners,
but curious
Would anyone care to look at their files with this ADS source code? People with Comodo and without, please.
Thanks Zebuddi.
If retrieving the data streams, please compile with Unicode off.
All my files seem to be getting this ADS added to them, and I also see slow start-up from an SSD, as reported on the Comodo forums (yes, I use Comodo). I am adapting
Nico's ADS program (with sorting added via utopiomania's sort code), with the idea of creating checksums for the ADS and comparing them. In the forums I have browsed there has been mention of the ADS known as :$CmdTclID:$Data 64 starting with "b", with the rest of the stream differing from file to file.
ADS ie: :$CmdTclID:$Data 64 bÊtåD¦ø";èÌõò~‰VZ5E²>SŸU¥ýêòŠŸVZ5EäÉ‹,ëÚÑßÊtåDæBÐ#«¢üê
https://forums.comodo.com/install-setup ... #msg793394
Nothing is being flagged by my anti-virus/anti-malware scanners.
Would anyone care to look at their files with this ADS source code? People with Comodo and without, please.
Thanks Zebuddi.
If retrieving the data streams, please compile with Unicode off.
; ---------------------------------------------------------------
; PureBasic 4.51
;----------------------------------------------------------------
; Version 1.0
; Works from Windows 2000 onward (NTFS file system)
;----------------------------------------------------------------
; --> Compile in Unicode and enable thread support! <--
;----------------------------------------------------------------
; This code only lists the "Alternate Data" streams
; contained in files or folders
;----------------------------------------------------------------
;{- Enumerations / DataSections
;{ Windows
; Window numbers (only one window in this tool).
Enumeration
#Window_Main
EndEnumeration
;}
;{ Gadgets
; Gadget numbers; values are assigned in declaration order starting at 0.
Enumeration
#String_Dossier_Fichier
#Button_Dossier
#Button_Fichier
#ListIcon_Stream
#Button_Scan
#Button_StopperScan
#Button_SupprimerleStream
#Button_EditeravecNotepad
#Button_Extrairevers
#Button_Quitter
#Text_Info
#Button_OuvrirExplorateur
#BarreEtat
EndEnumeration
;}
;}
; Path chosen in the UI (folder/file requester or the text box); scanned by Thread().
Global Chemin$
; Written by ReadStream() for the last stream found: name (":name:$DATA" form) and size in bytes.
Global NomStream.s,StreamSize.q
; Scan state shared with the worker thread: 0 = idle, 1 = scan running, 2 = stop requested.
Global FinRecherche.l
;sort order,0 ascending/listicongadget cols
; li is declared but not used anywhere in this listing.
Global order, li = 1 ;listicon id
; cols = number of ListIcon columns (name, size, type, path);
; max = padding width used by compare() so numeric columns sort numerically.
Global cols = 4, max = 6
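Procedure swapItems(id, item1, item2, cols)
  ; Exchanges two rows of ListIcon gadget `id`: the text and colours of
  ; every column, plus the per-row item data and item (checked/selected) state.
  ; id    - gadget number of the ListIcon
  ; item1 - index of the first row
  ; item2 - index of the second row
  ; cols  - number of columns to swap
  ; Fix: item data is a per-row property. Swapping it inside the column loop
  ; swapped it `cols` times, which cancels out whenever cols is even (it is 4
  ; in this program), so rows lost their data association after a sort.
  Protected col, text.s, dta, fg, bg, state
  For col = 0 To cols - 1
    ;swap item text
    text = GetGadgetItemText(id, item1, col)
    SetGadgetItemText(id, item1, GetGadgetItemText(id, item2, col), col)
    SetGadgetItemText(id, item2, text, col)
    ;swap item fg colors
    fg = GetGadgetItemColor(id, item1, #PB_Gadget_FrontColor, col)
    SetGadgetItemColor(id, item1, #PB_Gadget_FrontColor, GetGadgetItemColor(id, item2, #PB_Gadget_FrontColor, col), col)
    SetGadgetItemColor(id, item2, #PB_Gadget_FrontColor, fg, col)
    ;swap item bg colors
    bg = GetGadgetItemColor(id, item1, #PB_Gadget_BackColor, col)
    SetGadgetItemColor(id, item1, #PB_Gadget_BackColor, GetGadgetItemColor(id, item2, #PB_Gadget_BackColor, col), col)
    SetGadgetItemColor(id, item2, #PB_Gadget_BackColor, bg, col)
  Next col
  ;swap item data (once per row, outside the column loop)
  dta = GetGadgetItemData(id, item1)
  SetGadgetItemData(id, item1, GetGadgetItemData(id, item2))
  SetGadgetItemData(id, item2, dta)
  ;swap checkbox/selected item states
  state = GetGadgetItemState(id, item1)
  SetGadgetItemState(id, item1, GetGadgetItemState(id, item2))
  SetGadgetItemState(id, item2, state)
EndProcedure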
Procedure compare(s1.s, s2.s)
  ; Three-way comparison of two cell strings for the column sort:
  ; returns -1 when s1 sorts before s2, 1 when after, 0 when equal.
  ; Both strings are upper-cased and right-justified to width `max`
  ; (global, 6) so that numeric cells such as the Size column compare
  ; numerically; values longer than `max` characters are not padded and
  ; therefore fall back to plain string ordering.
  Protected a.s = UCase(RSet(s1, max))
  Protected b.s = UCase(RSet(s2, max))
  If a = b
    ProcedureReturn 0
  ElseIf a < b
    ProcedureReturn -1
  EndIf
  ProcedureReturn 1
EndProcedure
Procedure qSortItems(id, order, col, cols, left, right)
;quicksort kernel, herbert schildt
;comparisons: n * log10(n), swaps: n/6 * log10(n)
; Recursively sorts rows left..right of ListIcon `id` on column `col`.
; order <> 0 sorts descending, 0 ascending (see the two branches below).
; cols is passed through to swapItems() so every column moves with the row.
; Rows are compared through compare() on their text in column `col`.
lft = left: rgt = right
; pivot = text of the middle row of the current range
txt.s = GetGadgetItemText(id, (lft + rgt) / 2, col)
While lft <=rgt
If order
;is descending
; advance lft past rows that belong before the pivot, rgt past rows that belong after it
While compare(GetGadgetItemText(id, lft, col), txt) > 0 And lft < right
lft + 1
Wend
; NOTE(review): this right-hand scan is bounded by lft < right rather than rgt > left;
; the pivot row acts as a sentinel so it should still stop inside the range - confirm on edge cases.
While compare(GetGadgetItemText(id, rgt, col), txt) < 0 And lft < right
rgt - 1
Wend
Else
While compare(GetGadgetItemText(id, lft, col), txt) < 0 And lft < right
lft + 1
Wend
While compare(GetGadgetItemText(id, rgt, col), txt) > 0 And lft < right
rgt - 1
Wend
EndIf
; both scans stopped on out-of-place rows: exchange them and move inward
If lft <= rgt
swapItems(id, lft, rgt, cols)
lft + 1: rgt - 1
EndIf
Wend
; recurse into the two partitions that still contain more than one row
If left < rgt
qSortItems(id, order, col, cols, left, rgt)
EndIf
If lft < right
qSortItems(id, order, col, cols, lft, right)
EndIf
EndProcedure
Procedure quickSortItems(id, order, col, cols)
  ; Sorts every row of ListIcon `id` on column `col` (order <> 0 = descending)
  ; and returns the toggled order (order XOR 1) so the caller can alternate
  ; the direction on the next header click.
  Protected lastRow = CountGadgetItems(id) - 1
  Protected nextOrder = order ! 1
  qSortItems(id, order, col, cols, 0, lastRow)
  ProcedureReturn nextOrder
EndProcedure
Procedure windowCallback(win, msg, wParam, lParam)
  ; Window callback: a click on a ListIcon column header arrives as
  ; WM_NOTIFY / HDN_ITEMCLICK. It sorts the stream list on that column and
  ; stores the flipped direction in the global `order` for the next click.
  ; Always hands the message back to PureBasic's own event processing.
  Protected *notify.HD_NOTIFY
  If msg <> #WM_NOTIFY
    ProcedureReturn #PB_ProcessPureBasicEvents
  EndIf
  *notify = lParam
  If *notify\hdr\code = #HDN_ITEMCLICK
    order = quickSortItems(#ListIcon_Stream, order, *notify\iItem, cols)
  EndIf
  ProcedureReturn #PB_ProcessPureBasicEvents
EndProcedure
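Procedure ReadStream(CheminDossier_CheminFichier.s)
  ; Looks for the first alternate data stream (BACKUP_ALTERNATE_DATA) of a
  ; file or folder by walking its backup stream list with BackupRead/BackupSeek.
  ; CheminDossier_CheminFichier - full path of the file or directory.
  ; Returns 1 when an alternate stream was found, 0 otherwise.
  ; Side effects: on a hit, the globals NomStream (stream name as reported by
  ; the API, ":name:$DATA" form) and StreamSize (size in bytes) are set.
  ; Only the first alternate stream is reported; the walk stops at that point,
  ; so a file carrying several ADS shows up once.
  Protected file_h.i, *stream.WIN32_STREAM_ID, *buffer
  Protected context.l = 0, bytes_read.l = 0, bytes_read1.l = 0, seek_l = 0, seek_h = 0, Result.l = 0
  Protected namesize.l, streamHight.q, streamLow.q
  ; CreateFile returns INVALID_HANDLE_VALUE (-1), not 0, on failure; the
  ; original "<> 0" test let an invalid handle reach BackupRead/CloseHandle.
  ; Read/write sharing lets files another process holds open be inspected
  ; instead of being silently skipped.
  file_h = CreateFile_(@CheminDossier_CheminFichier, #READ_CONTROL, #FILE_SHARE_READ | #FILE_SHARE_WRITE, 0, #OPEN_EXISTING, #FILE_FLAG_BACKUP_SEMANTICS, 0)
  If file_h <> #INVALID_HANDLE_VALUE And file_h <> 0
    ; 20 bytes = fixed part of WIN32_STREAM_ID (id, attributes, 64-bit size,
    ; name size); the UTF-16 name follows and is read separately below.
    *stream = AllocateMemory(20)
    If *stream
      BackupRead_(file_h, *stream, 20, @bytes_read, 0, 1, @context)
      While (bytes_read <> 0) And Result = 0
        namesize = *stream\dwStreamNameSize
        If namesize > 0
          ; dwStreamNameSize counts bytes of a UTF-16 name, hence namesize/2 characters
          *buffer = AllocateMemory(namesize)
          If *buffer
            BackupRead_(file_h, *buffer, namesize, @bytes_read1, 0, 1, @context)
            NomStream = PeekS(*buffer, namesize / 2, #PB_Unicode)
            FreeMemory(*buffer)
          EndIf
        EndIf
        If *stream\dwStreamID = #BACKUP_ALTERNATE_DATA
          ; rebuild the 64-bit size from its two halves, masked to stay unsigned
          streamHight = *stream\Size\highpart & $FFFFFFFF
          streamLow = *stream\Size\lowpart & $FFFFFFFF
          StreamSize = streamHight << 32 | streamLow
          Result = 1
        EndIf
        ; skip the stream body so the next read lands on the next stream header
        BackupSeek_(file_h, *stream\Size\lowpart, *stream\Size\highpart, @seek_l, @seek_h, @context)
        ; fresh zero-filled header buffer for the next record
        FreeMemory(*stream)
        *stream = AllocateMemory(20)
        If *stream = 0
          Break
        EndIf
        bytes_read = 0
        BackupRead_(file_h, *stream, 20, @bytes_read, 0, 1, @context)
      Wend
      If *stream
        FreeMemory(*stream)
      EndIf
      ; bAbort = 1: release the backup context the API allocated
      BackupRead_(file_h, 0, 0, @bytes_read, 1, 0, @context)
    EndIf
    CloseHandle_(file_h)
  EndIf
  ProcedureReturn Result
EndProcedure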
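Procedure.s ParseDirectory(folder.s, id.l = 0)
  ; Recursively walks `folder`, queries every entry for an alternate data
  ; stream and adds a row (stream name, size, type, path) to #ListIcon_Stream
  ; for each hit. `id` is the ExamineDirectory() number, incremented per
  ; recursion level so nested enumerations do not collide.
  ; Declared Procedure.s but never returns a value; callers ignore it.
  ; Honours the global FinRecherche: 2 (stop requested) ends the walk. The
  ; check now runs per entry instead of once per directory, so the Stop
  ; button takes effect inside large folders rather than after them.
  Protected Type.s, name.s, full.s
  If Right(folder, 1) <> "\"
    folder + "\"
  EndIf
  If ExamineDirectory(id, folder, "*.*")
    While NextDirectoryEntry(id)
      If FinRecherche >= 2
        Break
      EndIf
      name = DirectoryEntryName(id)
      If name <> "." And name <> ".."
        full = folder + name
        StatusBarText(#BarreEtat, 0, full)
        If ReadStream(full)
          If DirectoryEntryType(id) = #PB_DirectoryEntry_Directory
            Type = "Folder"
          Else
            Type = "File"
          EndIf
          AddGadgetItem(#ListIcon_Stream, -1, NomStream + Chr(10) + Str(StreamSize) + Chr(10) + Type + Chr(10) + full)
        EndIf
        If DirectoryEntryType(id) = #PB_DirectoryEntry_Directory
          ParseDirectory(full, id + 1)
        EndIf
      EndIf
    Wend
    FinishDirectory(id)
  EndIf
EndProcedure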
Procedure ParseCheminFichierouDossier(folder.s)
  ; Entry point of a scan: inspects the chosen path itself (file or folder)
  ; for an alternate data stream and, when it is a folder, descends into it.
  ; FileSize() reports -2 for a directory.
  Protected kind.s = "File"
  If FileSize(folder) = -2
    kind = "Folder"
  EndIf
  If ReadStream(folder)
    AddGadgetItem(#ListIcon_Stream, -1, NomStream + Chr(10) + Str(StreamSize) + Chr(10) + kind + Chr(10) + folder)
  EndIf
  If kind = "Folder"
    ParseDirectory(folder)
  EndIf
EndProcedure
Procedure DisableGadgetGroup1(Etat.l)
  ; Enables (Etat = 0) or disables (Etat = 1) the buttons that must not be
  ; used while a scan is running: Quit, Scan and the two path pickers.
  DisableGadget(#Button_Quitter, Etat)
  DisableGadget(#Button_Scan, Etat)
  DisableGadget(#Button_Fichier, Etat)
  DisableGadget(#Button_Dossier, Etat)
EndProcedure
Procedure DisableGadgetGroup2(Etat.l)
  ; Enables (Etat = 0) or disables (Etat = 1) the buttons that act on the
  ; selected stream row: open in Explorer, extract, edit, delete.
  DisableGadget(#Button_OuvrirExplorateur, Etat)
  DisableGadget(#Button_Extrairevers, Etat)
  DisableGadget(#Button_EditeravecNotepad, Etat)
  DisableGadget(#Button_SupprimerleStream, Etat)
EndProcedure
Procedure Thread(lParam.i)
; Worker thread started by the Scan button (lParam is unused; CreateThread passes 0).
; Runs the whole scan of Chemin$, then clears the status bar, marks the scan
; finished (FinRecherche = 0, which also lets the window be closed again)
; and restores the buttons. The statement order matters: the state flag and
; the buttons are only reset once the walk has returned.
; NOTE(review): AddGadgetItem/StatusBarText/DisableGadget are called from this
; worker thread; PureBasic's GUI functions are normally driven from the main
; thread - confirm this is safe on the target PureBasic version.
ParseCheminFichierouDossier(Chemin$)
StatusBarText(#BarreEtat, 0, "")
FinRecherche=0
DisableGadget(#Button_StopperScan,1)
DisableGadgetGroup1(0)
EndProcedure
Procedure OpenWindow_Window_Main()
; Builds the main window and all gadgets. Gadget creation order is kept as is
; (it determines tab order); the window is not resizable.
If OpenWindow(#Window_Main, 200, 200, 610, 460, "Alternate Data Stream SPY", #PB_Window_SystemMenu|#PB_Window_TitleBar)
; read-only path box; filled by the requesters, the drop handler, or drag-and-drop
StringGadget(#String_Dossier_Fichier, 10, 25, 520, 25, "", #PB_String_ReadOnly)
ButtonGadget(#Button_Dossier, 540, 10, 60, 25, "Folder")
ButtonGadget(#Button_Fichier, 540, 40, 60, 25, "File")
; result list: column 0 = stream name, 1 = size, 2 = type, 3 = path (cols = 4)
ListIconGadget(#ListIcon_Stream, 10, 110, 590, 250, "Name of the Stream", 100, #PB_ListIcon_AlwaysShowSelection|#PB_ListIcon_FullRowSelect|#PB_ListIcon_GridLines)
AddGadgetColumn(#ListIcon_Stream, 1, "Size", 60)
AddGadgetColumn(#ListIcon_Stream, 2, "Type", 60)
AddGadgetColumn(#ListIcon_Stream, 3, "Path", 360)
ButtonGadget(#Button_Scan, 110, 70, 170, 25, "Scan Alternate Data Stream")
ButtonGadget(#Button_StopperScan, 340, 70, 155, 25, "Stop the Scan")
ButtonGadget(#Button_SupprimerleStream, 300, 370, 150, 25, "Delete the Stream")
ButtonGadget(#Button_EditeravecNotepad, 10, 370, 140, 25, "Edit with Notepad")
ButtonGadget(#Button_Extrairevers, 150, 370, 150, 25, "Retrieve the Stream to...")
ButtonGadget(#Button_Quitter, 240, 405, 130, 25, "Quit")
TextGadget(#Text_Info, 10, 5, 520, 20, "You can drag-and - drop a File or a Folder in the text box below")
ButtonGadget(#Button_OuvrirExplorateur, 450, 370, 150, 25, "Open in Explorer")
; status bar shows the path currently being scanned
CreateStatusBar(#BarreEtat, WindowID(#Window_Main))
AddStatusBarField(#PB_Ignore)
EnableGadgetDrop(#String_Dossier_Fichier, #PB_Drop_Files, #PB_Drag_Copy)
; Stop is only active during a scan; the per-stream buttons only once a row is selected
DisableGadget(#Button_StopperScan,1)
DisableGadgetGroup2(1)
EndIf
EndProcedure
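OpenWindow_Window_Main()
SetWindowCallback(@windowCallback())
;{- Event loop
; Main GUI loop. Scans run in the worker thread Thread(); this loop only
; reacts to gadget events. The per-stream actions (edit, extract, delete,
; open in Explorer) work on the row selected in #ListIcon_Stream, whose
; columns are 0 = stream name (":name:$DATA"), 1 = size, 2 = type, 3 = path.
; Fixes: the path:stream argument handed to Notepad and the path handed to
; Explorer are now quoted (unquoted paths with spaces were split into several
; arguments), a failed buffer allocation or CreateFile() during extraction is
; reported instead of writing from a null pointer, and the unused `Count`
; local was dropped.
Repeat
  Select WaitWindowEvent()
    ; ///////////////////
    Case #PB_Event_GadgetDrop
      Select EventGadget()
        Case #String_Dossier_Fichier
          ; several files may be dropped at once; only the first one is used
          Files$ = EventDropFiles()
          SetGadgetText(#String_Dossier_Fichier, StringField(Files$, 1, Chr(10)))
      EndSelect
    Case #PB_Event_Gadget
      Select EventGadget()
        Case #Button_Dossier
          Chemin$ = PathRequester("Choose a directory:", "C:\")
          SetGadgetText(#String_Dossier_Fichier, Chemin$)
        Case #Button_Fichier
          Chemin$ = OpenFileRequester("Choose a File:", "C:\", "*.*", 0)
          SetGadgetText(#String_Dossier_Fichier, Chemin$)
        Case #ListIcon_Stream
          ; the per-stream buttons are only usable while a row is selected
          Index.l = GetGadgetState(#ListIcon_Stream)
          If Index > -1
            DisableGadgetGroup2(0)
          Else
            DisableGadgetGroup2(1)
          EndIf
        Case #Button_Scan
          ClearGadgetItems(#ListIcon_Stream)
          Chemin$ = GetGadgetText(#String_Dossier_Fichier)
          ; FileSize() = -1 means the path does not exist
          If FileSize(Chemin$) <> -1
            DisableGadgetGroup1(1)
            DisableGadgetGroup2(1)
            DisableGadget(#Button_StopperScan, 0)
            FinRecherche = 1 ; scan running
            CreateThread(@Thread(), 0)
          Else
            MessageRequester("Info", "Choose a folder or valid file path !")
          EndIf
        Case #Button_StopperScan
          FinRecherche = 2 ; stop requested; the worker resets it to 0 when it exits
          DisableGadget(#Button_StopperScan, 1)
          DisableGadgetGroup1(0)
        Case #Button_EditeravecNotepad
          Index.l = GetGadgetState(#ListIcon_Stream)
          If Index > -1
            NameStream.s = GetGadgetItemText(#ListIcon_Stream, Index, 0)
            NameStream = StringField(NameStream, 2, ":") ; ":name:$DATA" -> "name"
            CheminStream.s = GetGadgetItemText(#ListIcon_Stream, Index, 3)
            MessageRequester("Info", "In some cases, Notepad will not be able to open the Stream!" + Chr(13) + "but you can always make a removal and then edit the resulting file.")
            ; quoted so a path containing spaces reaches Notepad as a single argument
            RunProgram("Notepad.exe", Chr(34) + CheminStream + ":" + NameStream + Chr(34), "")
          EndIf
        Case #Button_Extrairevers
          Index.l = GetGadgetState(#ListIcon_Stream)
          If Index > -1
            NameStream.s = GetGadgetItemText(#ListIcon_Stream, Index, 0)
            NameStream = StringField(NameStream, 2, ":")
            Taille.s = GetGadgetItemText(#ListIcon_Stream, Index, 1)
            If Taille <> "0"
              NomFichier$ = SaveFileRequester("Choose a location:", NameStream, "*.*", 0)
              If NomFichier$ <> ""
                CheminStream.s = GetGadgetItemText(#ListIcon_Stream, Index, 3)
                ; the stream is opened through its "path:name" syntax and copied whole
                If ReadFile(0, CheminStream + ":" + NameStream)
                  Longueur.q = Lof(0)
                  *Buffer = AllocateMemory(Longueur)
                  If *Buffer
                    ReadData(0, *Buffer, Longueur)
                    CloseFile(0)
                    If CreateFile(0, NomFichier$)
                      WriteData(0, *Buffer, Longueur)
                      CloseFile(0)
                    Else
                      MessageRequester("Error", "The Stream could not be saved !")
                    EndIf
                    FreeMemory(*Buffer)
                  Else
                    CloseFile(0)
                    MessageRequester("Error", "The Stream could not be saved !")
                  EndIf
                Else
                  MessageRequester("Error", "The Stream could not be saved !")
                EndIf
              EndIf
            Else
              MessageRequester("Info", "The size of this Stream is 0 bytes, it is unnecessary to want to save it !")
            EndIf
          EndIf
        Case #Button_SupprimerleStream
          Index.l = GetGadgetState(#ListIcon_Stream)
          If Index > -1
            NameStream.s = GetGadgetItemText(#ListIcon_Stream, Index, 0)
            NameStream = StringField(NameStream, 2, ":")
            CheminStream.s = GetGadgetItemText(#ListIcon_Stream, Index, 3)
            Type.s = GetGadgetItemText(#ListIcon_Stream, Index, 2)
            Message$ = "Are you sure you want to delete the Stream : " + NameStream + " ?" + Chr(13) + "the " + Type + " " + CheminStream
            Resultat = MessageRequester("Attention", Message$, #PB_MessageRequester_YesNo)
            If Resultat = #PB_MessageRequester_Yes
              ; DeleteFile() on "path:name" removes only that named stream, not the host file
              If DeleteFile(CheminStream + ":" + NameStream) <> 0
                RemoveGadgetItem(#ListIcon_Stream, Index)
              Else
                MessageRequester("Error", "The Stream could not be erased !")
              EndIf
            EndIf
          EndIf
        Case #Button_OuvrirExplorateur
          Index.l = GetGadgetState(#ListIcon_Stream)
          If Index > -1
            CheminStream.s = GetGadgetItemText(#ListIcon_Stream, Index, 3)
            ; quoted so paths with spaces are selected correctly
            RunProgram("Explorer.exe", "/e, /Select," + Chr(34) + CheminStream + Chr(34), "")
          EndIf
        Case #Button_Quitter
          CloseWindow(#Window_Main)
          Break
      EndSelect
    ; ////////////////////////
    Case #PB_Event_CloseWindow
      Select EventWindow()
        Case #Window_Main
          ; refuse to close while the worker thread is still scanning
          If FinRecherche = 0
            CloseWindow(#Window_Main)
            Break
          Else
            MessageRequester("Info", "Click on the button stop the Scan before leaving !")
          EndIf
      EndSelect
  EndSelect
ForEver
;
;}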