10

ADS, or alternate data streams, were added to Windows in 1993 (the first Windows NT version) as a feature of the new NTFS file system to help support some features of the Mac OS at the time. I like to read about security stuff, and I recently read about how viruses, trojans, keyloggers, etc. like to hide using ADS because the file is invisible - not like a hidden file, but completely invisible to Windows Explorer, and even to the dir command in Command Prompt. Basically it's like Anne Frank for computer viruses: it hides there and no one knows about it, which is why it could be a threat to computer users.

Is there a way to detect these ADS files without the use of a specialized program, and if not, what would be a program / method to detect these files?

cutrightjm
  • 1,714
  • 4
  • 18
  • 31

2 Answers

12

In a command-line environment, dir /R includes ADSes in the directory listing. Its other options work as usual, so dir can list a single file, wildcards, or (default) the entire directory; and optionally all subdirectories.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dir /?
Displays a list of files and subdirectories in a directory.

DIR [drive:][path][filename] [/A[[:]attributes]] [/B] [/C] [/D] [/L] [/N]
  [/O[[:]sortorder]] [/P] [/Q] [/R] [/S] [/T[[:]timefield]] [/W] [/X] [/4]

  [drive:][path][filename]
              Specifies drive, directory, and/or files to list.

  /A          Displays files with specified attributes.
  attributes   D  Directories                R  Read-only files
               H  Hidden files               A  Files ready for archiving
               S  System files               I  Not content indexed files
               L  Reparse Points             -  Prefix meaning not
  /B          Uses bare format (no heading information or summary).
  /C          Display the thousand separator in file sizes.  This is the
              default.  Use /-C to disable display of separator.
  /D          Same as wide but files are list sorted by column.
  /L          Uses lowercase.
  /N          New long list format where filenames are on the far right.
  /O          List by files in sorted order.
  sortorder    N  By name (alphabetic)       S  By size (smallest first)
               E  By extension (alphabetic)  D  By date/time (oldest first)
               G  Group directories first    -  Prefix to reverse order
  /P          Pauses after each screenful of information.
  /Q          Display the owner of the file.

  /R          Display alternate data streams of the file.

  /S          Displays files in specified directory and all subdirectories.
  /T          Controls which time field displayed or used for sorting
  timefield   C  Creation
              A  Last Access
              W  Last Written
  /W          Uses wide list format.
  /X          This displays the short names generated for non-8dot3 file
              names.  The format is that of /N with the short name inserted
              before the long name. If no short name is present, blanks are
              displayed in its place.
  /4          Displays four-digit years

Switches may be preset in the DIRCMD environment variable.  Override
preset switches by prefixing any switch with - (hyphen)--for example, /-W.

dir has no option to list only files that have ADSes. See also https://stackoverflow.com/questions/16333782/how-to-display-only-files-that-have-alternate-data-streams-in-command-prompt

cpt_fink
  • 236
  • 2
  • 6
6

In addition to using the "dir /R" switch in CMD here's a fairly comprehensive list of Alternative Data Stream (ADS) management and scanning tools. While the DIR command only lists the ADS files in the present directory, the below tools give you the ability to scan entire drives and view them easily.

  • ADSManager
  • FlexHex Streams
  • LADS - List Alternate Data Streams by Frank Heyne
  • Streams.exe from SysInternals
  • ScanADS command line tool
  • ADS Spy GUI Scanner
  • Crucial ADS GUI Scanner
  • ADS Detector for Explorer
  • Windows ports of Unix tools like CAT: http://unxutils.sourceforge.net/

Also check this link for more ADS info and resources.

NULLZ
  • 11,426
  • 17
  • 77
  • 111
  • LNS: http://ntsecurity.nu/toolbox/lns/ –  Apr 12 '13 at 08:46
  • Re: DIR command only lists the ADS files in the present directory. - I've tested `dir /r` to work in other directories in Win 10, e.g. `dir /r virus\gnome.exe` – Zimba Mar 16 '21 at 13:52
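Both answers above stop at listing: `dir /R` (and `dir /R /S` for subdirectories) prints every stream as `name:stream:$DATA` but, as the first answer notes, cannot show only the files that have one, and the second answer reaches for third-party scanners to cover a whole drive. Windows PowerShell 3.0 and later can do both with nothing installed, because `Get-Item -Stream *`, `Set-Content -Stream`, `Get-Content -Stream` and `Remove-Item -Stream` are built in. The script below is an added example written for this page, not code from either answer or from the tools listed; the `ads-demo` directory, file names and stream names it creates under `%TEMP%` are made up so the scan has something to find, and `Find-AlternateStreams` is a function defined here, not a Windows cmdlet.

```powershell
# Added example (not from the original question or either answer): find
# alternate data streams with built-in PowerShell 3.0+ cmdlets on an NTFS volume.

# 1. Build a small test tree under %TEMP%. Everything below this line is
#    constructed for the demo: the directory, the files and the stream names.
$root = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null

Set-Content -Path (Join-Path $root 'clean.txt')   -Value 'nothing to see here'
Set-Content -Path (Join-Path $root 'carrier.txt') -Value 'visible content'

# A named stream on carrier.txt. Explorer, plain dir and the Length column of
# Get-ChildItem all ignore it; the file still looks like a 15-byte text file.
Set-Content -Path (Join-Path $root 'carrier.txt') -Stream 'payload.exe' -Value 'MZ... pretend payload'

# Zone.Identifier is the stream browsers attach to downloads (mark of the web).
# It is legitimate and very common, so a scanner should flag it separately.
Set-Content -Path (Join-Path $root 'sub\download.pdf') -Value 'pdf bytes'
Set-Content -Path (Join-Path $root 'sub\download.pdf') -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# 2. Scan a tree and report only files that carry a named stream.
#    Every NTFS file has the unnamed stream, which PowerShell reports as
#    ':$DATA'; anything with a different name is an alternate data stream.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    # -Force includes hidden and system files; -File skips directories
    # (directories can also carry streams, see the note below).
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Length     = $_.Length
                        # Anything other than mark-of-the-web deserves a look.
                        Suspicious = ($_.Stream -ne 'Zone.Identifier')
                    }
                }
        }
}

$hits = Find-AlternateStreams -Path $root
$hits | Format-Table -AutoSize
# Expected: carrier.txt / payload.exe (Suspicious = True) and
#           sub\download.pdf / Zone.Identifier (Suspicious = False).

# 3. Read a stream by name; cmd's equivalent is  more < carrier.txt:payload.exe
Get-Content -Path (Join-Path $root 'carrier.txt') -Stream 'payload.exe'

# 4. Delete the stream without touching the file's visible content.
Remove-Item -Path (Join-Path $root 'carrier.txt') -Stream 'payload.exe'

# Confirm it is gone: only ':$DATA' should remain on carrier.txt.
(Get-Item -Path (Join-Path $root 'carrier.txt') -Stream *).Stream
```

Point `Find-AlternateStreams` at `C:\` to cover a whole drive; it will be slow, and most of what it finds will be `Zone.Identifier`, which is why the output separates that stream from the rest. Two caveats: directories can carry streams too and the `-File` filter skips them (drop it and the `Get-Item -Stream *` call still works on directories), and a stream named `:$DATA` is the file's own content, so the filter must compare against that exact name rather than treating every result as a hit.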