Alternate Data Streams


I want to recap a topic that has been around for a while:  Alternate Data Streams.  This topic has resurfaced in an interesting way.  I’m going to tell you about it in a later post.  However, I thought I’d explain Alternate Data Streams again, just in case some of you don’t know what they are.  The later post will then make more sense.


So, what are Alternate Data Streams?  Well, it happens that NTFS files can have more than one set of data stored inside them.  (You cross-platform guys might know about “resource forks.”  This is a similar concept.)  Everyone knows about the primary stream.  This is the data that we normally associate with files.  It is the data that we see when we open the file, and it accounts for the file size numbers that we see in file listings.  However, we can “hide” other sets of data in a file too.  Let’s look at a simple example. (It is very important that you use the same commands that I do.  Not all console commands are aware of alternate data streams.)


Open a command window and try the following:


Create a file called “names.txt” that contains my name:
echo Jerry > names.txt


Prove that the file contains my name:
more < names.txt


Get the size of the file:
dir names.txt


You should see that the file contains 8 bytes.  That’s 5 bytes for my name, 2 bytes for the CRLF, and 1 byte for the space.  (Look closely at the command.  There’s a space between my name and the “>” character.)  This is all very normal.  Now let’s mess with some alternate streams.


Add my wife’s name to the file, in an alternate data stream:
echo Tammy > names.txt:wife


Prove that the file contains both names:
more < names.txt
more < names.txt:wife


Get the size of the file:
dir names.txt


There are now two separate sets of data in this one file.  One, the default, contains my name.  The alternate stream contains my wife’s name.  However, the directory listing shows 8 bytes, not the 16 that are actually there.  The dir command is not aware of alternate data streams, so it doesn’t account for them in its listing.  Some of the file’s data is now hidden.


Let’s go one step further.  Add my son’s name:
echo Evan > names.txt:son


Check out the results as we did before.  You now have 23 bytes of data contained in three streams, but the directory listing still shows 8.
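The same demonstration in PowerShell, as an added example that is not part of the original post: it writes the three streams, contrasts the size dir reports with the total NTFS actually stores, reads the hidden streams back, and ends with a small function a defender can use to list files under a directory that carry any non-default stream. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the file and stream names (names.txt, :wife, :son) are the post’s.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+
# on an NTFS volume; file and stream names (names.txt, :wife, :son) are the post's.
$path = "$env:TEMP\names.txt"
Remove-Item $path -ErrorAction SilentlyContinue

# The post's three writes. cmd's 'echo Jerry >' stores "Jerry " + CRLF, so the
# same ASCII bytes are written here to keep the byte counts identical.
Set-Content -Path $path -Value "Jerry `r`n" -NoNewline -Encoding Ascii
Set-Content -Path $path -Stream wife -Value "Tammy `r`n" -NoNewline -Encoding Ascii
Set-Content -Path $path -Stream son  -Value "Evan `r`n"  -NoNewline -Encoding Ascii

# What dir reports: only the length of the unnamed (primary) stream.
$reported = (Get-Item $path).Length

# What is really stored: every stream, using the enumeration dir lacks
# (the same information tools such as LADS or 'dir /R' expose).
$streams = Get-Item $path -Stream *
$streams | Select-Object Stream, Length | Format-Table -AutoSize
$actual = ($streams | Measure-Object -Property Length -Sum).Sum
"dir reports $reported bytes; NTFS actually stores $actual bytes"

# Read the hidden streams back, as the post does with 'more <'.
Get-Content $path -Stream wife
Get-Content $path -Stream son

# Defender's check: list every file under a directory that carries a stream
# other than the default ':$DATA'. Zone.Identifier (mark-of-the-web) is the
# common benign case; anything else deserves a look.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}

Find-AlternateStreams -Directory $env:TEMP | Format-Table -AutoSize
```

The primary stream shows up in the enumeration under the name `:$DATA`; the size line reproduces the post’s contrast of 8 bytes reported against 23 stored.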


Neat, huh?


I’ll leave the rest to you.  Remember that we are talking data streams here, not text.  There is a demo on the web that shows how to hide calc.exe inside sol.exe.  You can execute either program, too.  The possibilities run deep.


Now, why did I bring this up?  I’ll tell you more in another post.  However, for right now, you should know that many programs take advantage of these streams.  For example, some virus scanners hide tracking data in the files that they scan.  Some viruses hide themselves in there too.  Stay tuned for more.

Comments (8)

  1. fkautz says:

    If we delete a file, does it delete all the data streams associated with that file? Also, is there a way to see all data streams associated with a file?

  2. Jerry Dixon says:

    Hi fkautz,

    Yes, deleting a file deletes all of the streams associated with it.  (Thank goodness!)  Otherwise, we’d be in a world of hurt.  Alternate Data Streams are used a lot more often than you might think.

    To view all of the streams in a file, you need to access the file using low-level APIs.  Fortunately for those of us that don’t want to write stuff like this, there are numerous programs on the web that do it for us.  The one that I’ve heard the most about is called LADS (List Alternate Data Streams), and can be downloaded from http://www.heysoft.de/Frames/f_sw_la_en.htm.  Give it a try.  You might be surprised at the number of alternate streams in use on your system.

  3. fkautz says:

    The website you linked from heysoft.de mentions we can use “dir /r” in Windows Vista. I tried it out and it does show alternate streams.

  4. In a previous post, I talked about Alternate Data Streams and how some virus-scanning engines use them

  5. Dennijr says:

    Is there a way to separate the ADS from the file it is stored on and save the ADS as a file on your computer? E.g., say I want to store an exe file as an ADS on a program or file, then I want to retrieve that ADS and save it onto my computer with a different name.

  6. Dennijr says:

    Is it possible to take an ADS off a file (say an image or an executable file) and save it somewhere as a new file?

  7. Jerry Dixon says:

    Hi Dennijr,

    Yes, you can do what you ask.  However, the only way that I know to do it would be to write a program using the low-level file APIs.  You can learn more here: http://msdn.microsoft.com/msdnmag/issues/06/01/NETMatters/.  There is also an interesting FAQ here: http://www.heysoft.de/Frames/f_faq_ads_en.htm.