Alternate Data Streams Windows 2003 Test
Needless to say, I was inspired by an article on Windows Security that did a test using Windows 2000 to try my own test with Windows XP using NTFS. Now, I have decided to test it using Windows 2003. Below are my findings and screen by screen snapshots:
ADS test using Windows 2003
1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 4/3/2003 8:00AM and the size is 113KB.
Here is a listing in DOS that shows the directory with the copied calc.exe file.
2. I append an ADS (Alternate Data Stream) to the Windows Calculator program I copied to the test directory with another Windows program (Notepad - c:\windows\notepad.exe).
Notice the size of the calc program did not change, but the timestamp (last modified time and date stamp) DID change.
3. Next, I executed the new ADS notepad.exe using the standard command start.
On the desktop, the NOTEPAD program popped up, even though I had executed the CALC program in the command line.
4. By using CTRL + ALT + DELETE to get the Task Manager, I noticed that my test varied a bit. In the task manager, I could clearly see that calc.exe was running (which I had executed at the command prompt) but, unlike the simple demonstration using Windows 2000, Windows 2003 displayed the calc.exe name and ADS command, much like Windows XP.
This is where I must stop and note that depending on the version of Windows used, things can be displayed slightly differently.
With programs like many common Anti-Viruses and Adware and Spyware removers such as Ad-Aware realizing this technique that can be used, many companies - such as Lavasoft (makers of Ad-Aware) - are adding scanning features for this type of exploit in their programs. Although there is protection, the threat still exists.
To see this demonstration using Windows XP, I have posted it at Alternate Data Streams and Windows XP Test
This entry was posted on Sunday, September 18th, 2005 at 10:30 am