winapialternate-data-stream

How do you use Alternate Data Streams and what are the benefits?

I've read some documentations about Alternate Data Streams and I'm thinking about using them in my own projects. However there is so much unknown knowledge and open questions that I still have before I decide to use them. That's why I made this question list:

  1. How do you enum Streams without the Sysinternals tool streams?
  2. Does a stream affect the "Host" File's MD5 Value?
  3. What happens if I copy/cut the "Host" File to another (NTFS) Path? Do the streams copy/cut themselves too?
  4. What happens if I copy/cut the "Host" File to another Path that is NOT NTFS?
  5. Is it possible to have another Stream in an existing stream?
  6. Since you will have an actual filehandle for each stream, is it possible to change a stream's attributes?
  7. Can I use the LoadLibrary API to load a DLL from a stream?
  8. Is it possible to execute (e.g. ShellExecute) a stream?
  9. What are the advantages/benefits/disadvantages using Alternate Data Streams?
  10. What do I have to be cautious about if I use Alternate Data Streams?

I'm looking forward to your answers/infos/summarys. The preferable language is Delphi but any other language will do too, as long as it uses the WinAPI.

Solution

  • To answer your questions one by one:

    1. Enumeration: Use NtQueryInformationFile. Beginning with Windows Vista, you can also enumerate streams on the commandline using dir /r.

    2. Checksums: As you usually open only the unnamed data stream when you access a file by name, only the contents of this stream are used when calculating checksums.

    3. Copying to NTFS: Windows Explorer and the copy commandline utility copy all streams.

    4. Copying to other FS: The alternate data streams are lost.

    5. Nested streams: Not possible. A file simply consists of a list of streams, they cannot be nested.

    6. Attributes: Some attributes are file-based, some (encrypted, compressed, sparse) are stream-based.

    7. LoadLibrary seems to work on alternate data streams.

    8. ShellExecute on an ADS failed with ERROR_FILE_NOT_FOUND (2) on my computer.

      Note that is is possible to run an ADS from the commandline (not that this is a good idea):

      type calc.exe > dummy.txt:calc
wmic process call create "dummy.txt:calc"

    9. ADS are useful to store some non-critical information associated with a file. For example, executable files downloaded from the internet will have an ADS which causes Explorer to display a warning before the file is executed.

    10. Don't use them for critical data as the data may be lost during backup.