[<prev] [next>] [day] [month] [year] [list]
Message-ID: <NAECKNKGHJKHCLJBLOBHCEJOCEAA.henri123@netzero.net>
From: henri123 at netzero.net (Henri123-Netzero)
Subject: FW: [inbox] Re: Windows covert channel
If you need to get to the data in an ADS, there are several utilities that
will notify you and/or copy out the Alternate Data Stream from the file.
Just to name a few, Mares has one called copy_ads; Heysoft has one called
lads; and another one called streams.exe is out there as well.
To add to Curt's comment earlier, I believe Silkrope was one of the tools
you referred to that allows exe packing.
Henri
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Maynard,
David C
Sent: Monday, October 20, 2003 12:47 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [inbox] Re: [Full-Disclosure] Windows covert channel
I believe you are refering to editing a file and saving with a :hidden
Say you have a file test 4k you can open the that file with lets say
test:hidden and add as much info as you want and the orignial file size
never changes and test:hidden it not listed in file system but is
treated as a seprate file when edited.
You have to know the hidden info is attached to the test file to detect
the info.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Curt Purdy
Sent: Monday, October 20, 2003 9:49 AM
To: 'jazper'; full-disclosure@...ts.netsys.com
Subject: RE: [inbox] Re: [Full-Disclosure] Windows covert channel
> You are probably thinking of ADS(Alternate Data Streams).
>
> jazper
>
>
> > I seem to remember in the dim reaches of my memory a covert
> channel in
> > the Windows file system where you could paste one file at
> the end of
> > another without it being detectible when you edited the
> orginal file.
It may be that he is referring to an exe packer as used to attach a
trojan to a legitimate exe aka whackamole.
Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists