What does creating a file as "file.ext:file.ext" really do?


Problem description


I've recently started to look into steganography, and I've found a tutorial online where, to hide a new text file inside another file, the tutorial-giver used something similar to the following command:

    notepad.exe file.ext:textfile.txt


I find the : in the command line rather bizarre: Notepad recognized this as valid indexation for the file, and the original file (file.ext) now had an increased space on disk to contain the data from the new text file. As I know little and use cmd very scarcely in my academic life, I would like to know what is going on here. What feature is this? What is its intended use? Is this exclusive to the Windows cmd or are there equivalences on UNIX?

Recommended answer


TL;DR:

What you're looking at is an Alternate Data Stream (ADS) of a file in the NTFS file-system (FS).


In older operating systems (OS), one entry in a file-system (FS) represented one set of data, which means that a file was just a file. Newer OSes have modern FS which allow one entry to represent one or more sets of data. In NTFS, these are called streams, and in other OSes these are commonly called forks. For this explanation, the two terms are synonymous.


In today's FS, every file will have at least 1 stream. The first stream will have no name, and will have a type of $DATA. The first stream is sometimes referred to as the primary, default, or anonymous stream. All ADS beyond the first will have both a name and a type. The default and most common stream type is $DATA.

The full name of a stream has the following format:

    <filename>:<stream name>:<stream type>


Usage:

In Windows (focusing there since you mentioned notepad.exe), there are many uses for ADS. The most common ADS people interact with (without even realizing it) is Zone.Identifier, which is added to files downloaded by Internet Explorer and some other browsers. This additional data stream is used by the OS as a flag for 'potentially unsafe to run'. Similarly, MS Office apps will use the same stream to caution users when opening docs which could contain malicious macros. In all these cases, the user is warned, but not prevented from opening dangerous files.

dir /r from cmd.exe

Streams.exe from SysInternals

Get-Item from powershell.exe

    c:\temp> dir /r ads_test*
    File Not Found

    c:\temp> echo this is normal text>ads_test.txt
    c:\temp> dir /r ads_test*
    04/11/2019  01:11 AM                21 ads_test.txt

    c:\temp> echo this is text for an ADS>ads_test.txt:myHiddenAds
    c:\temp> dir /r ads_test*
    04/11/2019  01:12 AM                21 ads_test.txt
                                        25 ads_test.txt:myHiddenAds:$DATA

    c:\temp> dir ads_test*
    04/11/2019  01:12 AM                21 ads_test.txt

    c:\temp> more < ads_test.txt
    this is normal text

    c:\temp> more < ads_test.txt:myHiddenAds
    this is text for an ADS

    c:\temp> type nul 2>ads_test.txt:myHiddenAds
    c:\temp> dir /r ads_test*
    04/11/2019  01:20 AM                21 ads_test.txt
                                         0 ads_test.txt:myHiddenAds:$DATA

    c:\temp> echo this is yet another ADS>ads_test.txt:CashMeOutside
    c:\temp> dir /r ads_test*
    04/11/2019  01:24 AM                21 ads_test.txt
                                        25 ads_test.txt:CashMeOutside:$DATA
                                         0 ads_test.txt:myHiddenAds:$DATA

    c:\temp> powershell.exe -c "& {get-item -path 'c:\temp\ads_test.txt' -stream * | ft -property FileName,Stream,Length}"
    FileName             Stream        Length
    --------             ------        ------
    C:\temp\ads_test.txt :$DATA            21
    C:\temp\ads_test.txt CashMeOutside     25
    C:\temp\ads_test.txt myHiddenAds        0

    c:\temp> powershell.exe -c "& {remove-item -path 'c:\temp\ads_test.txt' -stream myHiddenAds}"
    c:\temp> powershell.exe -c "& {get-item -path 'c:\temp\ads_test.txt' -stream * | ft -property FileName,Stream,Length}"
    FileName             Stream        Length
    --------             ------        ------
    C:\temp\ads_test.txt :$DATA            21
    C:\temp\ads_test.txt CashMeOutside     25


Other Uses:

While it's not common, directories can have ADS as well. In the case of directories, there is no default data stream, but there is a default directory stream. Directories are the stream type $INDEX_ALLOCATION. The default stream name for the type $INDEX_ALLOCATION (a directory stream) is $I30. Although directories do not have a default data stream, they can have named data streams.


In recent years, ADS have suffered some bad reputation since they have been used and abused by bad actors to write hidden data, store viruses, and maintain persistence. Even today, many modern virus scanners are more capable of detecting threats from primary streams, when compared to ADS. Microsoft Defender, Advanced Threat Protection, and SmartScreen can detect ADS threats just as efficiently as from primary streams.

    C:\temp> echo asdf > \\?\c:\temp\COM1.txt
    C:\temp> type c:\windows\system32\calc.exe> \\?\c:\temp\COM1.txt:TotallyNotMalware.exe
    C:\temp> wmic process call create "\\?\c:\temp\COM1.txt:TotallyNotMalware.exe"
    C:\temp> dir /r
    04/11/2019  01:30 AM                21 ads_test.txt
                                        25 ads_test.txt:CashMeOutside:$DATA
    04/11/2019  02:45 AM                 7 COM1.txt

    C:\temp> rem Notice above that the ADS doesn't show - This is because "COM1" is a system reserved name, and many internal and 3rd party programs deal with it wrong.

Additional reading:

Microsoft - Windows Protocols

Winitor - NTFS Alternate Data Streams

Enigma0x3 - Using Alternate Data Streams to Persist on a Compromised Machine
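The answer shows ADS being listed one file at a time with Get-Item -Stream * and removed with Remove-Item -Stream. The following PowerShell function, added here as an example and not part of the original answer, turns that into a defender's triage pass over a whole directory tree: it enumerates every named stream, skips the unnamed primary stream (shown as :$DATA in the answer's output), ignores stream names you expect to see (Zone.Identifier by default, the mark-of-the-web stream the answer describes), and reports streams with an unexpected name, a zero length (wiped, as in the type nul example above), or content that begins with the bytes MZ, the start of a Windows executable like the calc.exe copy in the COM1.txt demonstration. The function name, the $Root parameter and the default $KnownStreams list are assumptions of this example; it relies only on the Get-ChildItem, Get-Item -Stream and Get-Content -Stream cmdlets of the FileSystem provider, and it needs an NTFS volume.

```powershell
# Added example (not from the original answer): enumerate alternate data streams
# under a directory tree and flag the ones worth a second look.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.
# Find-SuspiciousAds, $Root and the default $KnownStreams are assumptions of this example.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Stream names that are expected and usually benign. Zone.Identifier is
        # the "potentially unsafe to run" flag that browsers add to downloads.
        [string[]]$KnownStreams = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream (FileName, Stream, Length).
            # The unnamed primary stream is reported as ':$DATA'; everything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $stream = $_
                    $reasons = @()

                    if ($KnownStreams -notcontains $stream.Stream) {
                        $reasons += 'unexpected stream name'
                    }
                    if ($stream.Length -eq 0) {
                        $reasons += 'empty stream (possibly wiped)'
                    }

                    # Heuristic: a PE image starts with the two characters 'MZ'.
                    # Reading only the first line keeps this cheap for large streams.
                    $head = $null
                    try {
                        $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                            -TotalCount 1 -ErrorAction Stop
                    } catch { }
                    if ($head -is [string] -and $head.StartsWith('MZ')) {
                        $reasons += 'content starts with MZ (PE header)'
                    }

                    if ($reasons.Count -gt 0) {
                        [pscustomobject]@{
                            File   = $file.FullName
                            Stream = $stream.Stream
                            Length = $stream.Length
                            Reason = ($reasons -join '; ')
                        }
                    }
                }
        }
}

# Example run against the directory used in the answer (assumed path):
Find-SuspiciousAds -Root 'C:\temp' | Format-Table -AutoSize
```

Run against the C:\temp layout from the answer, this reports ads_test.txt:CashMeOutside (unexpected name) and would report the TotallyNotMalware.exe stream as a PE header if the listing tools can reach it. That last point is the answer's own caveat: COM1 is a reserved device name and many programs handle it wrong, so a clean report from this or any other stream walker is evidence, not proof. Remove-Item -Stream, as shown in the answer, is the matching cleanup once a flagged stream has been examined.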
