December 03, 2020, 07:48:07 PM

Author Topic: [bmx] Using NTFS Alternative Data Streams by BlitzSupport [ 1+ years ago ]  (Read 655 times)

Title : Using NTFS Alternative Data Streams
Author : BlitzSupport
Posted : 1+ years ago

Description : I've just been playing with "Alternative Data Streams" (http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx), a little-known feature of NTFS (the default filesystem on XP, Vista, etc). It allows you to write an arbitrary stream of bytes which are associated with a given file on an NTFS drive, but they don't appear in directory listings, etc.

All you have to do is append ":your_stream_name" to the end of a normal filename and read or write as you see fit using the standard file system commands.

Note that if you remove the BlitzMax-style comments, it'll work fine in BlitzPlus/3D too (though the printed text will be cut off).

Change the filename in f$, run it and type some text, then run it again after verifying that the contents of the file haven't been changed.


Code :
Code: BlitzMax
' Change this filename to one on your system! Either create an empty file on your system (on
' an NTFS-formatted drive), or use any existing (unimportant) file...

f$ = "test.txt"

stream$ = "StreamTest"

stream$ = ":" + stream$

Print ""
Print "File size: " + FileSize (f$)

file = ReadFile (f$ + stream$)

If file

    Print ""

    ' Read from alternative data stream...

    While Not Eof (file)
        Print "Found ~q" + ReadLine (file) + "~q in alternative data stream!"
    Wend

    CloseFile file

EndIf

' Now to write a new data stream...

file = WriteFile (f$ + stream$)

If file

    Print ""

    ' Write to alternative data stream...

    ' Don't try *pasting* anything into the IDE output window, as a little
    ' quirk means that although it looks like you've pasted text, it's only
    ' gone into the output window's display. Input just receives Enter when
    ' you press it, so you get an empty string!

    WriteLine file, Input ("Enter some text: ")
    CloseFile file

EndIf

Print ""
Print "Done!"

Print ""
Print "File size is still: " + FileSize (f$)

Print ""
Print "Now open the file in a text/hex editor to verify that it's empty,"
Print "then run the program again to see your text in the zero-byte file!"

End


Comments :


BlitzSupport(Posted 1+ years ago)

 You can have multiple data streams per file (eg. test.txt:stream1, test.txt:stream2) and I believe they can be nested, as in test.txt:level1:level2:etc (not totally sure on that).

 One thing that these data streams are used for is XP's security warning feature, those annoying popups you get when trying to run an executable downloaded from the web. Find one of those and run this on it. (If you write 0 bytes into that stream, you should no longer receive the warning.)
Code:

f$ = "downloaded_program.exe" ' Use a file that gives a warning prompt when trying to run it...

stream$ = ":Zone.Identifier"

file = ReadFile (f$ + stream$)

If file

    Print ""
    Print "Contents of Alternative Data Stream:"
    Print ""

    ' Read from alternative data stream...

    While Not Eof (file)
        Print ReadLine (file)
    Wend

    CloseFile file

EndIf
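
An audit-side view of the Zone.Identifier stream discussed above, as an added Python example (not code from the thread). It parses the stream's INI-style text and reports a stream that exists but is empty as a finding of its own, since the post notes that a zero-byte stream suppresses the warning. The function names and the sample text are constructed for illustration; the zone numbers are the standard Windows URL security zones.

```python
import configparser

# Standard Windows URL security zones (ZoneId values)
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

def read_zone_identifier(path):
    """Return the text of path:Zone.Identifier, or None if the stream is absent.
    Only meaningful on Windows with an NTFS volume."""
    try:
        with open(path + ":Zone.Identifier", "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def classify_zone_identifier(text):
    """Classify stream text as absent / empty / malformed / marked."""
    if text is None:
        return ("absent", None)
    if not text.strip():
        # Stream exists but carries no zone: the state the post describes
        return ("empty", None)
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    try:
        parser.read_string(text)
        zone = int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return ("malformed", None)
    return ("marked", ZONES.get(zone, "unknown zone %d" % zone))

# Constructed sample of a typical stream written for a browser download
SAMPLE = "[ZoneTransfer]\nZoneId=3\n"

if __name__ == "__main__":
    import sys
    text = read_zone_identifier(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(classify_zone_identifier(text))
```
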



grable(Posted 1+ years ago)

 They are cool indeed, but I still haven't found a good use for them, other than hiding stuff (poorly) that is...

 Btw, if you need to enumerate streams, check out an older entry of mine, "NTFS Alternate Data Streams" (codearcsb349.html?code=2099). It uses an older API for compatibility with XP, instead of the new Vista-only ones.
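
Enumerating the streams attached to a file, so that data which never shows up in a directory listing can be audited, as an added Python example (not grable's entry and not code from the thread). It calls the Win32 FindFirstStreamW/FindNextStreamW functions (Windows Vista and later) through ctypes; the function names `list_streams` and `named_streams` and the sample entries are constructed for illustration.

```python
import ctypes

class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Win32 layout: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]

def list_streams(path):
    """Return [(raw_name, size)] for each stream of path. Windows + NTFS only."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    data_ptr = ctypes.POINTER(WIN32_FIND_STREAM_DATA)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     data_ptr, ctypes.c_ulong]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, data_ptr]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    # Second argument 0 = FindStreamInfoStandard
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle is None or handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # no more streams
    finally:
        k32.FindClose(handle)
    return streams

def named_streams(entries):
    """Drop the unnamed default stream ('::$DATA', the file's normal contents)."""
    found = []
    for raw, size in entries:
        _, name, stream_type = raw.split(":", 2)  # e.g. ':StreamTest:$DATA'
        if name:
            found.append((name, stream_type, size))
    return found

# Constructed sample: what list_streams() would return for a zero-byte test.txt
SAMPLE = [("::$DATA", 0), (":StreamTest:$DATA", 26)]

if __name__ == "__main__":
    import sys
    entries = list_streams(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, stream_type, size in named_streams(entries):
        print(f"{name}\t{stream_type}\t{size} bytes")
```
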


BlitzSupport(Posted 1+ years ago)

 > They are cool indeed, but I still haven't found a good use for them

 Those were my thoughts really! Your code looks a bit more thorough. (I did a Google search on our site for this stuff before posting, but it found nothing.)


xlsior(Posted 1+ years ago)

 Just wondering -- do the datastreams get copied along with the file if you move it to a different drive, or...?


BlitzSupport(Posted 1+ years ago)

 I just tried it here, and the streams do get copied. They'd be lost if moved to a non-NTFS drive. In fact, I've just tried it, and got a warning dialog I've never seen before:

 Also, bear in mind that although the file may appear to be of 0 bytes, the 'hidden' streams still take up disk space! Some archivers provide an option to include the streams, but of course they would be larger than the file alone and the streams would only be recreated if the end user's archiver supported them (and it was unarchived to an NTFS drive).

 One possible use beyond grable's painfully accurate "hiding stuff poorly" could be to tag loads of your own files with certain data, and you'd write a utility that could write, edit, search/filter and display that data.

 
