An Introduction to Alternate Data Streams (ADS)
A Hidden Layer of the New Technology File System (NTFS)
Alternate Data Streams (ADS) are a New Technology File System (NTFS) feature that allows data to be associated with a file or directory without modifying its primary data or attributes. Although introduced to provide enhanced functionality, ADS has also sparked debate because of its potential for misuse in cybersecurity. This article examines the technical nuances of ADS: its design, its use cases, and the challenges it raises.
What are Alternate Data Streams?
In NTFS, every file or directory consists of multiple data streams. By default, the file's primary data is stored in the main data stream, also known as the default data stream. ADS allows developers to attach additional data streams to a file, offering a way to embed metadata or supplementary content without altering the original file's content. For instance, a file on an NTFS filesystem can have a primary stream (main stream) for the main content and one or more alternate streams for additional metadata.
Syntax Overview
The syntax for working with ADS is straightforward. An alternate data stream is addressed by appending its name to the filename with a colon (:) as the separator:
filename:streamname
For example:
echo "This is an alternate data stream" > document.txt:hiddenstream
Here, document.txt is the primary file, and hiddenstream is the alternate data stream associated with it. An alternate stream can hold anything: an executable, a script, a log file, and so on.
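The same colon-addressed stream driven from PowerShell, as an added example that is not part of the original article. The echo redirection above is cmd.exe syntax; in PowerShell a colon inside a path is parsed as a drive separator, so the FileSystem provider's -Stream parameter on Set-Content, Get-Content, Get-Item and Remove-Item is the reliable route. The directory under $env:TEMP and the file and stream names are assumptions.

```powershell
# Added example (not from the original article): ADS lifecycle via the
# -Stream parameter. The demo directory and names are assumptions.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'document.txt'

# Primary (unnamed) stream: the content every viewer and Explorer show.
Set-Content -Path $file -Value 'visible content'

# Alternate stream named "hiddenstream". The file's apparent size does not change.
Set-Content -Path $file -Stream 'hiddenstream' -Value 'This is an alternate data stream'

# Enumerate every stream: the unnamed primary stream is reported as ':$DATA'.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read only the alternate stream.
Get-Content -Path $file -Stream 'hiddenstream'

# Length from the file system counts the primary stream only; this is why a
# directory listing or Explorer gives no hint that hiddenstream exists.
(Get-Item -Path $file).Length

# Remove the alternate stream without touching the primary content.
Remove-Item -Path $file -Stream 'hiddenstream'
Get-Item -Path $file -Stream * | Select-Object Stream, Length
```

Run it in an elevated or normal PowerShell session on an NTFS volume; on FAT/exFAT the -Stream calls fail because those file systems have no stream support, which is also why copying a file to such a volume silently drops its alternate streams.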
Practical Use Cases of ADS
ADS was designed with legitimate use cases in mind. Some of its primary applications are:
1. Storing Metadata: Alternate Data Streams can store metadata about files without cluttering the primary file content. For instance, a text editor might save configuration settings or user preferences in an ADS.
2. Attaching Hidden Data: Applications can use ADS to store additional data related to a file, such as thumbnails or indexing information, without exposing it in the file's primary content.
3. Enhanced File Management: Developers can utilize ADS for logging, tagging, or embedding instructions within files. For example, a backup application might use ADS to store backup timestamps.
Cybersecurity Challenges with ADS
1. Data Hiding: Attackers can embed malicious code or payloads within ADS to evade detection. For example, a file might appear benign while carrying a hidden executable within an alternate data stream.
2. Bypassing Security Tools: Many antivirus and security scanners do not thoroughly inspect alternate data streams, making them an effective tool for malware authors to obfuscate threats.
3. Persistence Mechanism: Threat actors can leverage ADS to maintain persistence on a compromised system. For instance, they might store configuration files, encryption keys, or secondary payloads in ADS.
Detecting and Managing Alternate Data Streams
Understanding how to detect and manage ADS is critical given the potential risks. Here are some tools and techniques:
1. Using Built-in Commands: The dir command with the /R flag reveals alternate data streams:
dir /R
2. PowerShell Scripts: Custom PowerShell scripts can be used to enumerate ADS.
(Script omitted for brevity, see original text)
The script works as follows. Get-ChildItem -Recurse retrieves every file and subdirectory under the current working directory; its output is piped to a ForEach-Object loop that iterates over each item. For each item, Get-Item $file.FullName -Stream * retrieves all streams associated with it. That output is passed to Where-Object Stream -ne ':$Data', which filters out the main stream, identified by the name :$Data (this is the stream that holds the file's primary content). Finally, the filtered list is piped into another loop that iterates over the identified alternate data streams and creates a custom object for each entry found. Format-Table -AutoSize displays the final output as a table. In our case, the output reveals the alternate data stream hiddenstream created in the earlier section.
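The enumeration described above, rebuilt as an added example that is not the article's omitted script, and extended with the triage an auditor wants: each alternate stream is hashed, checked for an MZ header (the start of every PE executable), and given a verdict so that Mark-of-the-Web streams are not mistaken for hidden payloads. This is also the "Monitor and Audit" step that the mitigation list later calls for. The function name, the Zone.Identifier allowlist, the MZ heuristic and the constructed fixture under $env:TEMP are all assumptions; the script is self-contained and runs on any NTFS volume.

```powershell
# Added example, not the article's omitted script: recursive ADS audit with
# basic triage. Function name, allowlist, MZ heuristic and fixture are assumptions.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        # Stream names Windows itself writes routinely (Mark-of-the-Web).
        # Still reported, so the audit is complete, but not flagged.
        [string[]] $KnownBenign = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        # -Stream * lists every stream; the unnamed primary stream appears as ':$DATA'.
        Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $name   = $_.Stream
            $length = $_.Length
            $sha256 = $null
            $looksLikePE = $false
            try {
                # Win32 CreateFile accepts file:stream, so .NET can open the stream directly.
                $fs = [System.IO.File]::OpenRead("${path}:${name}")
                try {
                    $head = New-Object byte[] 2
                    $read = $fs.Read($head, 0, 2)
                    # 'MZ' at offset 0 is the DOS header every PE image starts with.
                    $looksLikePE = ($read -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    $fs.Position = 0
                    $sha = [System.Security.Cryptography.SHA256]::Create()
                    $sha256 = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
                } finally { $fs.Dispose() }
            } catch {
                # Locked or unreadable stream: still report it, with no hash.
            }

            $verdict = if ($KnownBenign -contains $name) { 'known-benign' }
                       elseif ($looksLikePE)              { 'executable-in-stream' }
                       else                               { 'review' }

            [PSCustomObject]@{
                File    = $path
                Stream  = $name
                Length  = $length
                SHA256  = $sha256
                Verdict = $verdict
            }
        }
    }
}

# Constructed fixture so the script runs stand-alone: one text stream and one
# stream that begins with an MZ header (four bytes only, not a real executable).
$demo = Join-Path $env:TEMP 'ads-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$doc = Join-Path $demo 'document.txt'
Set-Content -LiteralPath $doc -Value 'visible content'
Set-Content -LiteralPath $doc -Stream 'hiddenstream' -Value 'This is an alternate data stream'
[System.IO.File]::WriteAllBytes("${doc}:payload.bin", [byte[]](0x4D, 0x5A, 0x90, 0x00))

Find-AlternateDataStream -Root $demo | Format-Table -AutoSize
```

The fixture produces two rows: hiddenstream with verdict "review" and payload.bin with verdict "executable-in-stream". Pointed at a real tree (for example -Root 'C:\Users'), expect many Zone.Identifier rows from downloaded files; the SHA256 column lets a responder match any "review" or "executable-in-stream" hit against known-file databases, and the -Force switch ensures hidden and system files are not skipped.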
3. Third-Party Tools: Specialized tools like Sysinternals' Streams can identify and analyze ADS on a system.
Mitigating Risks of ADS
To balance the utility of ADS with security, organizations and developers can adopt the following practices:
1. Monitor and Audit: Regularly audit systems for unauthorized ADS usage.
2. Restrict Privileges: Limit file system privileges to reduce the risk of ADS exploitation.
3. Educate Users: Train users and administrators on identifying and mitigating ADS risks.
4. Enhance Security Scans: Ensure antivirus and security tools are configured to detect and scan ADS.