@chriselgee
Last active July 22, 2024 14:31
Finding and reading alternate data streams (ADS) with PowerShell on an NTFS partition

To find all streams within file.txt: Get-Item .\file.txt -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\file.txt::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\
PSChildName   : file.txt::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\file.txt
Stream        : :$DATA
Length        : 176

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\file.txt:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\
PSChildName   : file.txt:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\file.txt
Stream        : Zone.Identifier
Length        : 104

We can then view that second stream: Get-Content .\file.txt:Zone.Identifier

[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://10.10.1.15:8000/
HostUrl=http://10.10.1.15:8000/file.txt

Delete the stream with: Remove-Item .\file.txt -Stream Zone.Identifier

Add other streams with: Set-Content .\file.txt:Dank.Memes -Value "All your base"

In cmd.exe, you can:

  • dir /R to see all ADS in a directory
  • echo Hidden text > file1.txt:hidden to add text as an ADS
  • more < file1.txt:hidden to see the hidden text
  • type nc.exe > file1.txt:nc.exe to hide an executable in a text file
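
To audit a directory tree for the streams described above, the following added example (not part of the original gist) lists every stream other than the default `:$DATA` and parses any `Zone.Identifier` it finds. The function name, parameter names and the extension list are assumptions chosen for illustration; it relies only on the `-Stream` parameter of `Get-Item` and `Get-Content` shown above.

```powershell
# Added example: inventory non-default NTFS streams under a directory (files only).
# Function name, parameters and the extension list are illustrative assumptions.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names ending in these extensions deserve a closer look (assumed list)
        [string[]] $SuspectExtension = @('.exe', '.dll', '.ps1', '.bat', '.vbs', '.js')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # -Stream * returns every stream; ':$DATA' is the file's normal content
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $name    = $_.Stream
                    $zone    = $null
                    $hostUrl = $null
                    if ($name -eq 'Zone.Identifier') {
                        # Parse the [ZoneTransfer] key=value lines
                        $lines = Get-Content -LiteralPath $file -Stream $name -ErrorAction SilentlyContinue
                        foreach ($line in $lines) {
                            if ($line -match '^ZoneId=(\d+)$') { $zone = [int]$Matches[1] }
                            if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
                        }
                    }
                    [pscustomobject]@{
                        File            = $file
                        Stream          = $name
                        Length          = $_.Length
                        ZoneId          = $zone
                        HostUrl         = $hostUrl
                        # Anything other than the zone marker is worth reviewing
                        Unexpected      = ($name -ne 'Zone.Identifier')
                        LooksExecutable = ([System.IO.Path]::GetExtension($name) -in $SuspectExtension)
                    }
                }
        }
}

# Usage: unexpected streams first, largest first
Find-AlternateDataStream -Path . | Sort-Object Unexpected, Length -Descending | Format-Table -AutoSize
```

Run against the examples on this page, `file.txt:Zone.Identifier` would be reported with its parsed `ZoneId` and `HostUrl`, while `file1.txt:nc.exe` would come back with both `Unexpected` and `LooksExecutable` set to `True`.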