
Hide Data WITHOUT Steganography

Discussion in 'Windows' started by SaswatPadhi, Jun 26, 2009.

  1. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

    Joined:
    May 5, 2009
    Messages:
    1,343
    Likes Received:
    55
    Trophy Points:
    0
    Occupation:
    STUDENT !
    Location:
    Orissa, INDIA
    Home Page:

    Introduction

    Hello everyone. :) Good morning/afternoon/evening/whatever :p
    First of all, thank you all for your feedback on my articles. :pleased:
    This is my 2nd article in the OS/Windows section. I hope this article will be enjoyable and useful for all. ;)

    Some years back, I badly needed a satisfactory way to store my passwords. I used to keep my login details in a password-protected document, but I often forgot the password to the protected file itself. Later I switched to hiding the passwords "behind" a photo (a JPEG file) using steganography, but they could still be read with a hex editor. :( When I finally heard about ADS, I found it the most satisfactory of the three.

    In this article, I will be talking about "hiding" data without using steganography. The whole concept behind this is the use of Alternate Data Streams (ADS).

    For those who don't know what steganography is, here is what Wikipedia says:
    Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing".

    Alternate Data Streams

    Most Windows installations today run on NTFS, and Alternate Data Streams (ADS) are one of its less-known features. Every NTFS file has a main, unnamed data stream (the one you normally read and write), but a file or directory can also carry any number of additional named streams, addressed as file:streamname. The feature has been present in every version of NTFS. It was added so that Services for Macintosh could store the resource fork of files coming from the Macintosh Hierarchical File System (HFS), where file information is kept in separate forks. Windows itself uses named streams legitimately, for example the Zone.Identifier stream that marks a downloaded file as coming from the Internet, and a variety of other programs use them to attach metadata to files.

    Advantages and Disadvantages of ADS

    ADS has several advantages, even over conventional steganographic methods:

    • The file size reported by DIR and Explorer does not change, however much data you hide, because they report only the main stream. (The hidden data still occupies disk space; only the reported size is unaffected.)
    • Most file browsers, including Windows Explorer and the DIR command on Windows XP, do not show alternate streams. (DIR /R on Windows Vista and later does list them.)
    • The target file keeps working exactly as before; its main stream is untouched.
    • You can work with the hidden data in place, without extracting it each time.
    • No special software is needed to read or write streams; cmd.exe is enough.
    • No sophisticated hacking skills are required.
    • Moving or copying the target file between NTFS volumes moves or copies the hidden streams with it.
    • Any kind of data can be hidden: text or binary.

    Disadvantages of ADS:
    • Writing to a stream updates the last-write time stamp of the target file.
    • Streams exist only on NTFS. Copying the file to a file system that does not support them (FAT16, FAT32, exFAT, most USB sticks), attaching it to an e-mail, uploading it over HTTP or putting it in a ZIP archive silently drops every alternate stream.
    • ADS is concealment, not protection: anyone who enumerates streams (DIR /R, Sysinternals streams.exe, PowerShell's Get-Item -Stream *) sees the hidden data at once, and it is stored in clear. For anything sensitive, such as passwords, encrypt the data before hiding it.

    Time for some Action

    (1) Hiding data using ADS

    So, ready to test the newly learnt skill? OK, fire up cmd.exe.
    You heard it right: cmd.exe, the Windows command prompt (it is not MS-DOS, although the commands look the same).

    [[ In all the listings below, lines beginning with a prompt such as C:\> are what you type; every other line is the computer's output ]]

    To begin, create a text file named test.txt and check its contents:
    Code:
    C:\>ECHO This is the test target>test.txt
    
    C:\>TYPE test.txt
    This is the test target
    
    C:\>DIR test.txt
     Volume in drive C is WiND0WS XP
     Volume Serial Number is D86F-8B7A
    
     Directory of C:\
    
    06/26/2009  09:15 PM                25 test.txt
                   1 File(s)             25 bytes
                   0 Dir(s)   9,065,259,008 bytes free
    
    Now, let's put some secret data into this test target and check its contents again:
    Code:
    C:\>ECHO This data is hidden>test.txt:hidden.txt
    
    C:\>TYPE test.txt
    This is the test target
    
    C:\>DIR test.txt
     Volume in drive C is WiND0WS XP
     Volume Serial Number is D86F-8B7A
    
     Directory of C:\
    
    06/26/2009  09:17 PM                25 test.txt      <-- time stamp changed
                   1 File(s)             25 bytes
                   0 Dir(s)   9,065,259,008 bytes free
    
    Note that only the time stamp has changed; the reported file size (25 bytes) and the file contents are *exactly* the same!

    Now, let's see the hidden data:
    Code:
    C:\>DIR test.txt:hidden.txt
     Volume in drive C is WiND0WS XP
     Volume Serial Number is D86F-8B7A
    
     Directory of C:\
    
    File Not Found
    
    C:\>TYPE test.txt:hidden.txt
    The filename, directory name, or volume label syntax is incorrect.
    
    C:\>NOTEPAD test.txt:hidden.txt
    
    Did you notice that DIR and TYPE choke on the stream syntax, but Notepad opens the stream without complaint? Notepad simply hands the path to the Windows file API, which understands file:stream names; the same is true of any other program that opens files the normal way.

    Now, let's try hiding something else:
    Code:
    C:\>TYPE WallPaper_1.jpg>test.txt:Wall.jpg
    
    C:\>START .\test.txt:Wall.jpg
    
    I first hid a wallpaper inside test.txt and then viewed it straight from the stream. And it works!!

    The general syntax for hiding any file is:
    Code:
    TYPE [data to be hidden]>[target file]:[Alternate stream]
    
    You fill in the parts inside []. For example,
    TYPE Passwords.doc>My_Pic.jpg:MyPasswords.doc
    forks My_Pic.jpg with an alternate stream named MyPasswords.doc that holds the document.

    Even an executable can be hidden and run *directly* from a stream. For example:
    Code:
    C:\>TYPE Virus.exe>test.txt:MyVirus.exe
    
    C:\>START .\test.txt:MyVirus.exe
    
    This forks test.txt with the contents of Virus.exe and then runs it straight from the stream MyVirus.exe, without a visible .exe ever appearing in the directory listing. (This listing is from Windows XP. It is exactly the trick malware uses to stay out of sight, so any executable content found in a stream should be treated as suspicious.)

    You can use ADS not only with files, but also with directories! From inside the directory the stream is addressed as :name, i.e. with an empty file name, so it is attached to the directory itself:
    Code:
    C:\TestADS>ECHO This is hidden inside this directory > :hidden.dat
    
    C:\TestADS>DIR
     Volume in drive C is WiND0WS XP
     Volume Serial Number is D86F-8B7A
    
     Directory of C:\TestADS
    
    06/28/2009  21:37    <DIR>          .
    06/28/2009  21:37    <DIR>          ..
                   0 File(s)              0 bytes
                   2 Dir(s)   2,828,603,392 bytes free
    
    C:\TestADS>notepad :hidden.dat
    
    DIR does not show hidden.dat (it reports 0 files), but Notepad opens it. From anywhere else the same stream is addressed as C:\TestADS:hidden.dat.

    (2) Removing attached ADS

    Now suppose you want to delete the alternate streams of a file without deleting the file itself. With cmd.exe alone, copy the main stream into a new file and delete the original, which takes all of its streams with it. For example:
    Code:
    C:\>REN test.txt temp.txt
    
    C:\>TYPE temp.txt>test.txt
    
    C:\>DEL temp.txt
    
    This renames test.txt to temp.txt, copies its main stream into a new file named test.txt, and then deletes temp.txt together with every stream attached to it. Note that the new file gets fresh time stamps and default permissions rather than the original ones. If you want to drop a single stream, or keep the file's metadata, Sysinternals streams.exe (streams -d file) and PowerShell's Remove-Item -Stream delete streams in place.

    (3) Recovering attached ADS

    Suppose you want to extract an attached stream to a separate file. As seen above, TYPE does not accept a stream as its argument, but any program that opens the path through the normal file API does. One option is the *nix utility CAT from http://sourceforge.net/projects/unxutils :
    Code:
    C:\>CAT "test.txt:hidden.txt">"Recovered.txt"
    
    This copies the stream hidden.txt of test.txt into Recovered.txt. Without extra tools, input redirection does the job for text streams, because cmd.exe opens the redirected file through the ordinary file API: MORE < test.txt:hidden.txt > Recovered.txt. For binary streams use a real byte copy such as CAT.
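    The same hide, inspect, recover and remove steps of sections (1) to (3) can be done with PowerShell's built-in -Stream parameters, which is how you would script this today. The listing below is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later on an NTFS volume, and the demo directory under %TEMP%, the file name and the stream name hidden.txt are arbitrary choices.

```powershell
# Added example, not from the original article: the hide / inspect / recover / remove
# steps using PowerShell's built-in -Stream parameters instead of cmd.exe + UnxUtils.
# Assumes Windows PowerShell 5.1 or later on an NTFS volume. The demo directory,
# file name and stream name are arbitrary choices.
$dir    = Join-Path $env:TEMP 'ads-demo'
$target = Join-Path $dir 'test.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Write the primary (unnamed) stream: the only part DIR, Explorer and TYPE report.
Set-Content -Path $target -Value 'This is the test target'
$sizeBefore = (Get-Item -Path $target).Length
$timeBefore = (Get-Item -Path $target).LastWriteTime

# 2. Hide data in a named stream. On disk it is "test.txt:hidden.txt:$DATA";
#    cmd.exe and Notepad open it as "test.txt:hidden.txt".
Set-Content -Path $target -Stream 'hidden.txt' -Value 'This data is hidden'

# 3. The reported size is unchanged, the last-write time is not (the article's two observations).
$sizeAfter = (Get-Item -Path $target).Length
$timeAfter = (Get-Item -Path $target).LastWriteTime
'Length        before/after: {0} / {1} bytes' -f $sizeBefore, $sizeAfter
'LastWriteTime before/after: {0} / {1}'       -f $timeBefore, $timeAfter
Get-Content -Path $target               # prints only the primary stream: This is the test target

# 4. Enumerate and read the streams; this is what DIR /R and streams.exe show.
Get-Item -Path $target -Stream * | Select-Object Stream, Length
Get-Content -Path $target -Stream 'hidden.txt'

# 5. Edit the hidden data in place, as the article does with Notepad.
Add-Content -Path $target -Stream 'hidden.txt' -Value 'second secret line'

# 6. Recover the stream into an ordinary file (replaces the UnxUtils CAT step).
Get-Content -Path $target -Stream 'hidden.txt' -Raw |
    Set-Content -Path (Join-Path $dir 'Recovered.txt') -NoNewline

# 7. Remove only that stream; the primary data is untouched and keeps its time stamps
#    and permissions (replaces the REN / TYPE / DEL sequence).
Remove-Item -Path $target -Stream 'hidden.txt'
Get-Item -Path $target -Stream * | Select-Object Stream, Length   # only ':$DATA' is left
```

    Run it as a script or paste it into a PowerShell prompt. Get-Item -Stream * is also the quickest one-liner for "does this file carry a stream?" on a machine without third-party tools.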

    (4) Detecting ADS

    Since Windows Vista, DIR /R lists the streams of every file right in cmd.exe, and Sysinternals streams.exe (streams -s folder to recurse into subdirectories) does the same on Windows XP. Beyond that, there are quite a few tools to detect ADS in Windows. Some popular ones are:

    LADS - List Alternate Data Streams by Frank Heyne
    http://www.heysoft.de/en/software/lads.php

    Streams.exe from SysInternals:
    http://www.sysinternals.com/ntw2k/source/misc.shtml#streams

    ADS Spy GUI Scanner:
    http://www.spywareinfo.com/~merijn/downloads.html

    Crucial ADS GUI Scanner:
    www.crucialsecurity.com/downloads.html

    ADS Detector for Explorer:
    http://www.codeproject.com/csharp/CsADSDetectorArticle.asp
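    Every tool in the list does the same basic thing: enumerate the named streams of each file and report the ones that are not the unnamed :$DATA stream. The function below is an added example (not from the article or from any of the tools listed) that does this sweep with PowerShell built-ins, skipping the Zone.Identifier stream that Windows itself writes on downloaded files and flagging streams whose first bytes are an "MZ" executable header, the case shown earlier with test.txt:MyVirus.exe. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the function name and the default $Ignore list are my own choices.

```powershell
# Added example, not from the article or from any of the tools it lists: a sweep that
# reports every named stream under a directory tree using PowerShell built-ins.
# Assumes Windows PowerShell 3.0 or later on an NTFS volume. Function name and the
# default $Ignore list are my own choices.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        # Zone.Identifier is the "mark of the web" Windows itself writes on downloaded
        # files, so it is expected noise; add your own known-good stream names here.
        [string[]] $Ignore = @('Zone.Identifier')
    )

    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        # ':$DATA' is the unnamed primary stream; everything else is an alternate stream.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $Ignore } |
            ForEach-Object {
                # Peek at the start of the stream: 'MZ' means a PE executable is parked there.
                $head = Get-Content -LiteralPath $item.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path        = $item.FullName
                    Stream      = $_.Stream
                    Bytes       = $_.Length
                    LooksLikePE = "$head".StartsWith('MZ')
                }
            }
    }
}

# Usage: largest streams first; pipe to Export-Csv instead to keep a record.
Find-AlternateStreams -Root 'C:\Users' | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

    The GUI tools above perform the same enumeration; the point of scripting it is that it can run from a scheduled task or an incident-response toolkit and be diffed against a baseline taken when the machine was known to be clean.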

    Conclusion

    So we have come to the end of this ADS tutorial. Alternate streams have been used extensively by malware authors to park code where casual inspection does not look. Strictly speaking, ADS is not a vulnerability in NTFS but a documented feature; the risk is that most everyday tools ignore streams, so whatever is hidden there goes unnoticed until someone enumerates the streams, which takes a single command. Treat it as a hiding place, not as a safe.

    Thanks all for reading this article :)
    Hope you like it.

    Good bye and Take care.
     
  2. mayjune

    mayjune New Member

    Joined:
    Jun 14, 2009
    Messages:
    817
    Likes Received:
    33
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    Pune,Delhi
    Great job Saswat, although I'll have to work on it to really understand the depth of it, but I didn't get one thing: how is the size still the same no matter what the code to be hidden is???? How does it do that??
    PS: one point, do consider some newbies; when you mention "without steganography", tell them what steganography is... else, more than your article, their minds will be filled with what steganography is...
    Else it was :2thumbsup
     
    Last edited: Jun 27, 2009
  3. SaswatPadhi

    Thanx for the feedback, mayjune :)

    >> how is the size still the same no matter what the code to be hidden is???? how does it do that??
    The data still resides on your hard disk, but the file size is unaffected because it shows the size of the primary data stream and not of the alternate data streams.

    And, I'll try to add "Steganography" definition to the article.
     
  4. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,283
    Likes Received:
    364
    Trophy Points:
    83
    PM Me the definition as no one can edit the articles once posted.
     
  5. nimesh

    nimesh New Member

    Joined:
    Apr 13, 2009
    Messages:
    770
    Likes Received:
    20
    Trophy Points:
    0
    Occupation:
    Oracle Apps Admin
    Location:
    Mumbai
    Home Page:
    Nice Article Saswat.

    I came to know about this vulnerability of ADS in Trend Micro's HiJackThis tool, but didn't know how to use it :)

    Thanks.
     
  6. mayjune

    Questions..

    Nope, it did not detect; it said the file did not exist??? (using Vista)

    The download link does not work, give an alternative....

    How do I recover a pic file???
     
  7. SaswatPadhi

    Answers:

    (1) Vista does detect the file. You can also use the "DIR /R" command in Vista to show Alternate Data Streams (it's not supported in XP).
    Did you create the file before opening it in Notepad?? I mean, did you do something like "ECHO Hidden Text>Test.txt:Hidden" before "notepad Test.txt:Hidden"?? If not, then no ADS is present with Test.txt, so Notepad won't find any ADS.

    (2) New-link : http://sourceforge.net/projects/unxutils. (Will update the article)
     
  8. shabbir

    Link Updated.
     
  9. mayjune

    Nope, it does not show any ADS...

    C:\>dir \R
    Volume in drive C has no label.
    Volume Serial Number is 8C19-481A

    Directory of C:\

    File Not Found

    OK OK, it showed... I used \ instead of /R... :p

    17 test:hidden.txt:$DATA
    28-06-2009 22:58 17 test.txt
    26 test.txt:hidden:$DATA

    Yes, I did create the file before I tried opening it in Notepad.... I followed the steps you said for test.txt

    NOTE THIS

    C:\>notepad test:hidden.txt
    (THIS shows my hidden text)

    C:\>notepad test.txt:hidden.txt
    (THIS doesn't work, says the file doesn't exist..????)

    (2) New-link : http://sourceforge.net/projects/unxutils. (Will update the article)
    downloading, will update you on that..
     
    Last edited: Jun 29, 2009
  10. mayjune

    One more point, I just added more text in hidden.txt
    using
    C:\>notepad test:hidden.txt
    (added more text)
    C:\>dir test.txt
    Volume in drive C has no label.
    Volume Serial Number is 8C19-481A

    Directory of C:\

    28-06-2009 22:58 17 test.txt
    1 File(s) 17 bytes
    0 Dir(s) 33,659,916,288 bytes free
    ^My date and time didn't change???? How come, it should? I checked, the text is added in hidden.txt
     
  11. SaswatPadhi

    LOL :rofl: Look at your drive contents:

    17 test:hidden.txt:$DATA
    28-06-2009 22:58 17 test.txt
    26 test.txt:hidden:$DATA

    So, you have created an ADS named "hidden.txt" in the file "test" (without the ".txt" extension) and you have also created an ADS named "hidden" (without the ".txt" extension) in the file "test.txt". That means you can use either:

    (1) notepad test.txt:hidden or
    (2) notepad test:hidden.txt

    And not :

    (1) notepad test.txt:hidden.txt or
    (2) notepad test:hidden

    Reason is mentioned in the first part of this reply.
    When you added more text to the "hidden.txt", you added it to the ADS "hidden.txt" attached to "test" not "test.txt". So, the time-stamp of "test" changed and not "test.txt".
    Try to modify "hidden" and not "hidden.txt", like this :

    notepad test.txt:hidden

    You will see, the time-stamp of test.txt will change.

    You probably messed up with the extensions while creating the file or the ADS. Delete both and start again, as mentioned in the article.
     
  12. mayjune

    What's in an (Extension) name????
    Everything!!! :p
    LOL.... it worked, the way it should have, the time changed and other things...

    PS -
    1) What are the systems it will not work on?
    2)
    I made a new file t.txt:h.txt and checked it worked. It had a hidden file.
    I sent it to myself on Gmail. Downloaded, and tried it on that, didn't work...?
    Is it because at the end, where it went to, the system didn't support it? Or am I doing something wrong..?
     
    Last edited: Jun 29, 2009
  13. mayjune

    LADS link is not working...

    And after downloading the *nix zip, what do I do...?
     
  14. SaswatPadhi

    As mentioned in the article, it won't work on an FS which does not support ADS, e.g. FAT32 and FAT16. But it works fine if the source and destination file-systems both support ADS, e.g. transferring from NTFS to Mac HFS is fine.

    Nothing wrong, maybe GMail uses an FS that does not support ADS. So, when your file was stored in GMail, all alternate data streams were lost. So, when you downloaded the file and tested it, it had no ADS!

    Sorry, I provided an old link. New link = http://www.heysoft.de/en/software/lads.php.
    Thanx for the report, I'll request shabbir to update article.

    Extract all the "*.exe" from "usr\local\wbin" folder inside the zip file to your %WINDIR%\system32 folder.
    Then you can directly use the *nix utilities from command prompt. :)
     
  15. mayjune

    There is no folder like that, no usr, no local, nor wbin????
     
  16. SaswatPadhi

    You downloaded the UnxUtils.zip file, right?? (The binary file, not the source!)
    Then inside the zip, there are two folders: bin and usr.
    The executables are at: usr->local->wbin
     
  17. mayjune

    OK, I got the binary file, not the source (which I did last time), extracted the exes from usr>local>wbin>
    to C:\Windows\System32\
    but yet the cat command is not recognized...?
    What could be wrong? I checked, cat is there....
     
  18. SaswatPadhi

    Maybe something with the permissions, that's a really annoying feature in Vista. Allow full control on all the exes and see if they work.
    Or maybe C:\Windows\System32 is not listed in your PATH environment variable, which is nearly impossible.
     