
Alternate Data Streams – How to hide files within files that Windows 7 can’t detect – The Visual Guide


Windows supports the NTFS and FAT file systems. On NTFS every file can carry Alternate Data Streams (ADS), and these can be used to hide malware inside standard Windows operating system files. Explorer, a plain dir listing and the file size they report all ignore named streams, so a hidden payload is invisible to a casual look. The OS itself does know about the streams: dir /R and the Sysinternals Streams tool used below list them, and a process launched from a stream shows up in Task Manager like any other. ADS were added to NTFS to maintain compatibility with the Macintosh file system HFS, whose files carry a separate resource fork.

Step 1 – Create an ADS directory

Copy calc.exe and notepad.exe into this ADS directory, as you’ll be hiding notepad.exe inside the calculator to prove how this works.


Step 2 – Check the file size of both calc and notepad

Check the file sizes of both calc.exe and notepad.exe before you start (dir or the Properties dialog), so that you can later confirm that the OS reports no change once notepad.exe is hidden inside calc.exe.


Step 3 – INJECTION SYNTAX (Inject notepad into calc)

type c:\windows\system32\notepad.exe > calc.exe:notepad.exe

or the safer option, with both paths spelled out so you cannot accidentally write into a different calc.exe than the one in your working directory:

type c:\ADS\notepad.exe > c:\ADS\calc.exe:notepad.exe

The redirection target is file:streamname with no space after the colon. The stream is created on the spot, and the primary stream of calc.exe is left untouched.



Step 4 – Recheck the file size of calc

Notice that the reported size of calc.exe has not changed: dir and Explorer count only the primary stream, so the roughly 190 KB just written into the notepad.exe stream do not show.


Step 5 – Run the host file with “Start”

start c:\ads\calc.exe

Calc will run exactly as before. Be clear about what this step does and does not show: it launches the host calc.exe, whose primary stream is untouched, so the injection has not broken the carrier file. The notepad.exe copy in the alternate stream is not executed by this command; it just sits inside calc.exe.

Step 6 – Use Task Manager to check that only calc.exe is shown

Only the calc.exe started in Step 5 appears. Nothing has been launched from the hidden stream, and if it had been, that process would be listed too.

Step 7 – Download a tool to enumerate alternate NTFS data streams.

The tool is Streams from Microsoft’s Sysinternals suite (streams.exe). Install Streams, open a new cmd prompt and change to the directory that holds streams.exe.

streams c:\ADS\calc.exe

Windows 7 can also list streams without any download: dir /R c:\ADS shows every named stream next to its file.


Streams displays calc.exe:notepad.exe:$DATA 193546.

This shows that calc.exe has notepad hidden inside it, although Explorer and the reported file size give no hint of it.

The hidden payload’s size is 193546 bytes.

$DATA is the NTFS attribute type that holds a file’s contents. Every file has one unnamed $DATA stream, the PRIMARY data stream, which is what any program reads when it opens calc.exe; named $DATA streams are the alternate (SECONDARY) streams.

We are hiding programmes in a secondary data stream, which is addressed with the colon as a separator: calc.exe:notepad.exe means the stream named notepad.exe attached to calc.exe. The syntax to hide hacking malware is:

type c:\malware.exe > c:\windows\system32\calc.exe:malware.exe
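The Step 3 to Step 7 procedure, as an added PowerShell example that is not part of the original article. It assumes PowerShell 3.0 or later (installable on Windows 7 SP1 with WMF 3.0), an NTFS volume, and the C:\ADS scratch folder; it injects notepad.exe into calc.exe, shows the unchanged size, lists the streams without downloading anything, and hashes the stream against the source file to prove the payload is intact.

```powershell
# Added example (not from the original article): Steps 3 to 7 in PowerShell 3.0 or later,
# which has a -Stream parameter on the file cmdlets. Assumes an NTFS volume and uses C:\ADS
# as the scratch folder, as the article does.
$ads = 'C:\ADS'
New-Item -ItemType Directory -Path $ads -Force | Out-Null
Copy-Item -Path "$env:SystemRoot\System32\calc.exe"    -Destination $ads -Force
Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $ads -Force

$hostFile = Join-Path $ads 'calc.exe'      # the file that will carry the stream
$payload  = Join-Path $ads 'notepad.exe'   # the file that gets hidden

# Step 2: the size Explorer and dir show is the length of the unnamed (primary) stream only.
$sizeBefore = (Get-Item -LiteralPath $hostFile).Length

# Step 3: inject. Same effect as  type notepad.exe > calc.exe:notepad.exe  in cmd.
# (-Encoding Byte is PowerShell 3.0 to 5.1; PowerShell 7 uses -AsByteStream instead.)
$bytes = [System.IO.File]::ReadAllBytes($payload)
Set-Content -LiteralPath $hostFile -Stream 'notepad.exe' -Value $bytes -Encoding Byte

# Step 4: the reported size has not moved, although ~190 KB now live inside calc.exe.
$sizeAfter = (Get-Item -LiteralPath $hostFile).Length
"calc.exe length before: $sizeBefore  after: $sizeAfter  unchanged: $($sizeBefore -eq $sizeAfter)"

# Step 7 without a download: list every stream the file carries. ':$DATA' is the primary
# stream; 'notepad.exe:$DATA' is the one just added.
Get-Item -LiteralPath $hostFile -Stream * | Select-Object Stream, Length

# The built-in dir /R (Vista and later) shows the same thing from cmd.
cmd /c "dir /R $hostFile"

# Prove the hidden copy is byte-for-byte the original: hash the stream and the source bytes.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fromStream = Get-Content -LiteralPath $hostFile -Stream 'notepad.exe' -Encoding Byte -ReadCount 0
$hashStream = [BitConverter]::ToString($sha.ComputeHash([byte[]]$fromStream))
$hashSource = [BitConverter]::ToString($sha.ComputeHash($bytes))
"payload intact: $($hashStream -eq $hashSource)"

# Undo: the stream can be removed without touching calc.exe's own contents.
# Remove-Item -LiteralPath $hostFile -Stream 'notepad.exe'
```

The only line that actually hides anything is the Set-Content call; everything after it is the inspection the article does by hand, and the final hash comparison is the check that the stream really holds a working copy rather than a truncated or text-mangled one.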


Step 8 – How to hide Calc.exe inside a JPEG file

We will hide the calc program inside a JPEG.  ADS7.jpg was created for this article.

type c:\ads\calc.exe > ads7.jpg:calc.exe


Double-check that the injection has worked

streams c:\ads\ads7.jpg

Streams reports that :calc.exe is hidden inside a secondary data stream.

We’ve INJECTED calc.exe into a very small JPEG file (65 KB). The picture still opens normally, because image viewers read only the primary stream, and its reported size is unchanged.


So why is this important?

Windows 7’s everyday tools (Explorer, a plain dir listing, the file Properties dialog) never show secondary data streams, so rootkits and trojans can be parked inside Windows system files or small photos where a casual inspection will not find them.

So what?

You have created “malware” by hiding one program inside a Windows system file, or even a small photo.

Note that Windows does not show the change in file size, because the size it reports is only that of the primary stream. What it does not hide is a running process: anything launched from a stream appears in Task Manager like any other process, so the concealment is on disk, not at runtime. That on-disk invisibility is what protects the hacker from discovery.

Only NTFS has ADS capabilities.

If you copy a file from NTFS to FAT32 you automatically destroy the alternate data streams. The same happens when the file is zipped or emailed, since those formats carry only the primary stream.


The countermeasure is file-integrity monitoring such as Tripwire, which keeps a hash of each system file and alerts when it changes, with one important caveat: a hash computed by reading calc.exe the ordinary way covers only the primary stream, and that hash is unchanged by the injection above. The monitor (or your own baseline script) has to enumerate the streams as well, with dir /R, streams.exe or an equivalent, and record their names and sizes, or it will report a clean hash for a file that is carrying a payload. That’s why hashes, taken over the right data, are so important as a safety net.
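A stream-aware baseline check, added here as an example (PowerShell 3.0 or later on NTFS, using the C:\ADS folder from the article; this is not the article’s code and not Tripwire’s). It records, per file, a hash of the primary stream together with every stream’s name and length, so that the comparison shows the injected stream while also showing that the primary-stream hash did not move; the scan function then flags any named stream whose first two bytes are the MZ header of a Windows executable.

```powershell
# Added example (not from the original article or from Tripwire): a stream-aware integrity
# baseline. PowerShell 3.0 or later on an NTFS volume; C:\ADS is the article's scratch folder.

function Get-StreamBaseline {
    # Records, per file, the SHA-256 of the primary stream plus the name and length of every
    # stream. A plain file hash covers only the primary stream and stays identical after an
    # ADS injection; the stream list is what changes.
    param([Parameter(Mandatory)][string]$Root)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $baseline = @{}
    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        $primaryHash = [BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($_.FullName)))
        $streams = Get-Item -LiteralPath $_.FullName -Stream * |
            ForEach-Object { '{0}={1}' -f $_.Stream, $_.Length } | Sort-Object
        $baseline[$_.FullName] = [pscustomobject]@{
            PrimaryHash = $primaryHash
            Streams     = ($streams -join ';')
        }
    }
    return $baseline
}

function Compare-StreamBaseline {
    # Reports files whose stream set changed, and whether the primary-stream hash moved too.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($file in $After.Keys) {
        $old = $Before[$file]
        $new = $After[$file]
        if ($null -eq $old) { "NEW FILE: $file"; continue }
        if ($old.Streams -ne $new.Streams) {
            "STREAMS CHANGED: $file`n  was: $($old.Streams)`n  now: $($new.Streams)" +
            "`n  primary-stream hash changed: $($old.PrimaryHash -ne $new.PrimaryHash)"
        }
    }
}

function Find-AlternateStreams {
    # Lists every named stream under $Root and peeks at its first two bytes: 'MZ' means a
    # Windows executable is sitting in the stream. Zone.Identifier (the mark-of-the-web that
    # browsers add to downloads) is a benign named stream and can be skipped.
    param([Parameter(Mandatory)][string]$Root, [switch]$IgnoreZoneIdentifier)
    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        $file = $_.FullName
        Get-Item -LiteralPath $file -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Where-Object { -not ($IgnoreZoneIdentifier -and $_.Stream -eq 'Zone.Identifier') } |
            ForEach-Object {
                $head = Get-Content -LiteralPath $file -Stream $_.Stream -Encoding Byte -TotalCount 2
                [pscustomobject]@{
                    File        = $file
                    Stream      = $_.Stream
                    Bytes       = $_.Length
                    LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                }
            }
    }
}

# Usage: take a baseline, perform the article's injection, compare, then hunt for executables.
$before = Get-StreamBaseline -Root 'C:\ADS'
cmd /c 'type C:\ADS\notepad.exe > C:\ADS\calc.exe:notepad.exe'
$after  = Get-StreamBaseline -Root 'C:\ADS'
Compare-StreamBaseline -Before $before -After $after
Find-AlternateStreams -Root 'C:\ADS' -IgnoreZoneIdentifier | Format-Table -AutoSize

# Cleanup: the stream comes off without touching calc.exe itself.
Remove-Item -LiteralPath 'C:\ADS\calc.exe' -Stream 'notepad.exe'
```

The comparison output for calc.exe will show the stream list changing while the primary-stream hash is reported as unchanged, which is exactly the gap a plain hash-only integrity check leaves open. The MZ peek is a cheap triage signal, not proof: a payload can be stored in any format, so a named stream of unexpected size on a system file deserves a look regardless of its first bytes.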


One Comment
  1. Shahjee

    But how do you execute the executable in win 7?

