Full Disclosure mailing list archives

FW: [inbox] Re: Windows covert channel


From: "Henri123-Netzero" <henri123 () netzero net>
Date: Mon, 20 Oct 2003 13:24:38 -0400

If you need to get to the data in an ADS, there are several utilities that
will notify you and/or copy out the Alternate Data Stream from the file.
Just to name a few, Mares has one called copy_ads; Heysoft has one called
lads; and another one called streams.exe is out there as well.

To add to Curt's comment earlier, I believe Silkrope was one of the tools
you referred to that allows exe packing.

Henri

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Maynard,
David C
Sent: Monday, October 20, 2003 12:47 PM
To: full-disclosure () lists netsys com
Subject: RE: [inbox] Re: [Full-disclosure] Windows covert channel



I believe you are referring to editing a file and saving with a :hidden

Say you have a file test 4k you can open that file with let's say
test:hidden and add as much info as you want and the original file size
never changes and test:hidden is not listed in file system but is
treated as a separate file when edited.

You have to know the hidden info is attached to the test file to detect
the info.

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Curt Purdy
Sent: Monday, October 20, 2003 9:49 AM
To: 'jazper'; full-disclosure () lists netsys com
Subject: RE: [inbox] Re: [Full-disclosure] Windows covert channel



You are probably thinking of ADS (Alternate Data Streams).

jazper


I seem to remember in the dim reaches of my memory a covert channel in
the Windows file system where you could paste one file at the end of
another without it being detectible when you edited the original file.


It may be that he is referring to an exe packer as used to attach a
trojan to a legitimate exe aka whackamole.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
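
Added example (not part of the original thread, and not code from any of the tools named in it): one way to find and copy out the alternate data streams discussed above using PowerShell's built-in -Stream parameter. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the function name Find-AlternateDataStream, the scratch directory and the file names are constructed for the demonstration.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory.
# Assumes Windows PowerShell 3.0+ and an NTFS volume.
function Find-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every file has the unnamed default stream ':$DATA'; any other
            # stream name is an alternate data stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

# Constructed sample: a scratch directory holding a file "test" with a "hidden" stream.
$dir  = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$file = Join-Path $dir 'test'
Set-Content -LiteralPath $file -Value 'visible contents'
$before = (Get-Item -LiteralPath $file).Length
Set-Content -LiteralPath $file -Stream 'hidden' -Value ('x' * 4096)
$after  = (Get-Item -LiteralPath $file).Length

# The reported file size does not change, as described in the thread.
"Reported size before/after adding the stream: $before / $after bytes"

# The scan still finds the stream and its real length.
Find-AlternateDataStream -Path $dir | Format-Table -AutoSize

# Copy the stream contents out to an ordinary file for review.
Get-Content -LiteralPath $file -Stream 'hidden' |
    Set-Content -LiteralPath (Join-Path $dir 'hidden.extracted.txt')

# Clean up the constructed sample.
Remove-Item -LiteralPath $dir -Recurse -Force
```

On a real system the scan will also list benign Zone.Identifier streams that Windows attaches to downloaded files, so filter on stream name and length when triaging results.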
