Putting data in Alternate data streams and how to execute it – part 2

I wrote a blogpost a while back about Alternate data streams that you can find here: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. As you probably already know if you read some of my stuff is that I am a big fan of Living off the land techniques.

The only method I knew about to inject data into a alternate data stream when I wrote the first post was the “type” command.
I have since my last blogpost discovered some other techniques as well. These techniques I have discovered can of course have been discovered by others and already been blogged about, if so please let me know and I will link to your blogpost.



First up is extrac32. If do not know this command you can read more about it here: https://ss64.com/nt/extract.html

Basically what you use it for is to extract cab files. What I figured out was that you also can use this command to add alternate data streams. The PoC for doing this (including creating a CAB) looks like this:

echo "empty file" > c:\ADS\file.txt
makecab c:\ADS\procexp.exe c:\ADS\procexp.cab
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
wmic process call create '"c:\ADS\file.txt:procexp.exe"'




Also in my research I found that Findstr can also be used to inject a payload into another file as an ADS stream. Findstr.exe is basically a command you use to find strings within files.
More about the binary here: https://ss64.com/nt/findstr.html

The cool thing I figured out was that you can search for a string that does not exist in a file and pipe that into a new file. And the cool thing is that it does allow it to be piped into a ADS stream of a file. It looks like this:

echo "empty file" > c:\ADS\file.txt
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
wmic process call create '"c:\ADS\file.txt:procexp.exe"'

The /V in the findstr command makes sure that everything that does not match the string I am searching for is showed. 🙂


Executing ADS binary

I found another way to execute a binary from a alternate data stream when I was digging into this. It is possible to create a service in Windows (this requires local admin rights) that executes content from an Alternate Data Stream. I use the SC command to execute the necessary commands to create the service as want using these commands:

echo "empty file" > c:\ADS\file.txt
type c:\windows\system32\cmd.exe > c:\ADS\file.txt:cmd.exe
sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice

And it looks like this:

That’s all for this time. I have also updated my ADS gist here for other methods: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Hope you liked the post and as always I appreciate feedback. 🙂


16 thoughts on “Putting data in Alternate data streams and how to execute it – part 2

    1. That could be smart. You should start a post about it since you have some mapped out already


  1. I may be way off track here but a few years back I was trying to find a way to embed the URL for a downloaded file into the name of the file when it was downloaded. This so that if I had a folder full of various documents and utilities accumulated over time, I could always have a way of finding the location on the web where I originally found the file I wanted to work with.
    At the time, in theory, it sounded like it was something that could be done. But over time, I was never able to locate any code that could be employed to load the URL into an alternate stream of the file. Much the same as ‘Exif’ data is stored for a photo to show where it was taken and other details about it.
    You seem to be extremely well versed on the subject. When I ran across your blog I remembered my old project and wondered if anything had changed that might make this more possible. Or maybe there is a better way that isn’t so complex? The thought was to not have to do any more than drag and drop or download any file and have the URL it came from being added to one of the alt data streams attached to the file-name. Using the same technique in reverse, maybe via a ctrl+right click options could open the URL that the original file came from. Or am I stretching it too far?


  2. I have an ADS in a file:
    17/03/2021 17:27 100 test2.txt
    10 test2.txt:1:$DATA
    1 File(s) 100 bytes
    0 Dir(s) some bytes free
    which I got by type somefile > test2.txt:1 resulting in 10 byte ADS correctly.
    But when I DonaldTrump it from ADS to separate file, I get extra 2 bytes:
    findstr /V /L W3AllLov3DonaldTrump test.exe

    How do I avoid this (and get a 10 byte file like the original instead of a 12 byte file)?


  3. This site won’t let me post the correct code:
    findstr /V /L W3AllLov3DonaldTrump left arrow test2.txt:1 right arrow test.exe


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.