NTFS alternate data stream

NTFS can handle sub data stream different from main data stream which can be shown by explorer or major text viewers. Alternate Data Stream(ADS) can be shown by dir command with /r option.

dir /r

And stream data in ADS is desplayed as follows.

more < 'file':'stream name'

We can also obtain data streams and data with powershell command.

get-item 'file' -stream *
get-content 'file' -stream 'stream name'

Store data into ADS.

set-content 'file' -stream 'stream name'

We can embed executable binary or library into ADS. It can be loaded by CreateProcess and LoadLibrary Win32API.

$binary = get-content 'lib file' -encode byte
set-content 'file' -stream 'stream name' -value $binary -encode byte

Profile

I have technical job experience in enbedded software development and server side infrastructure/application engineering. I'm interested in programming and computer security.

Objective

To write down my technical knowledge in the place where I can access from anywhere. To share my program source code. To train my writing skill.

Link

LinkedIn (preparing)

Twitter

Facebook (preparing)

GitHub

StackOverFlow (preparing)

New entries

Setup a DNS server using Coredns container

Setup a VPN server using Pritunl container

Git CLI operations

Package Installation for Kali-Linux

AWS IoT Button : I am going to home button