
[Discuss] Alternate Data Stream features wanted

By: Ian Binnie, Sydney
Date: Dec 13, 2011 at 05:15
In Response to: [Discuss] Alternate Data Stream features wanted (John Montenigro)

> 1. Where every other directory on the drive has the proper owner
> (computer\user), ZTW's ALT-Info command lets me see that one of the
> unwanted directories has an owner of "BUILTIN\Administrators" which I've
> never seen before. Also, the directory's Attributes are shown as:
> .ashc....j..

"BUILTIN\Administrators" is a normal system account. It is used e.g. on System Volume Information.

> I'd like to change attributes on the directory, but I cannot gain
> access to the folder to log, delete, or change attributes. I haven't
> found a way to do so in ZTW. Does ZTW currently have this capability and
> I just haven't found a way to use it, or does it not have the capability?
> If not, could it?

This is a junction. Have you tried to find the target of this junction?
ZBarFileInfo will display this.

> 3. As for how to display ADSs on a file...

Are you aware of SysInternals Streams.exe? - this is now available from Microsoft.

> The problem with detecting ADS is that most of the online documentation
> says to use CreateFile() followed by the Backup API calls. But if malware
> has restricted permissions, CreateFile() will fail for lack of access
> privilege. However, there are other calls that I have found (but haven't
> learned to use yet) that do not use CreateFile() and thus will skirt the
> permissions issue... Again, I'll refrain from full disclosure until given
> the OK... (However, I am OK with private emails. We can figure out later
> how to do that.)

Try:-
// dwDesiredAccess is zero, enables querying file and device attributes without accessing the device.
hDir = CreateFile(path, 0, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OPEN_REPARSE_POINT|FILE_FLAG_BACKUP_SEMANTICS, NULL);

I use this in ZBarFileInfo

1,381 views      
Thread locked
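
Added example, not part of the original post and not ZBarFileInfo's code: a bounds-checked parser for the documented mount-point (junction) REPARSE_DATA_BUFFER layout, which is how a junction's target is recovered. On Windows the bytes would come from DeviceIoControl with FSCTL_GET_REPARSE_POINT on a handle opened as in the post; here the function name junction_target and the SAMPLE buffer are constructed for illustration so the block runs anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_MOUNT_POINT 0xA0000003u  /* IO_REPARSE_TAG_MOUNT_POINT */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Constructed sample: junction with substitute name \??\C:\T and print name C:\T. */
static const uint8_t SAMPLE[44] = {
    0x03,0x00,0x00,0xA0, 0x24,0x00, 0x00,0x00,   /* tag, data length 36, reserved */
    0x00,0x00, 0x10,0x00, 0x12,0x00, 0x08,0x00,  /* subst off/len, print off/len  */
    '\\',0,'?',0,'?',0,'\\',0,'C',0,':',0,'\\',0,'T',0, 0,0,
    'C',0,':',0,'\\',0,'T',0, 0,0
};

/* Writes the substitute name (the junction target) to out and returns 0, or:
   -1 truncated/inconsistent header, -2 not a junction, -3 name outside the
   buffer, -4 out too small. Non-ASCII UTF-16 units are rendered as '?'. */
int junction_target(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    if (len < 16) return -1;                  /* 8-byte header + 4 USHORT fields */
    size_t data_len = rd16(buf + 4);          /* bytes following the header */
    if (data_len < 8 || 8 + data_len > len) return -1;
    if (rd32(buf) != TAG_MOUNT_POINT) return -2;
    size_t off = rd16(buf + 8), n = rd16(buf + 10);
    size_t path_bytes = data_len - 8;         /* size of PathBuffer */
    /* Offsets and lengths are in bytes, relative to PathBuffer; never trust them. */
    if (((off | n) & 1) || off > path_bytes || n > path_bytes - off) return -3;
    if (n / 2 + 1 > outsz) return -4;
    const uint8_t *name = buf + 16 + off;
    for (size_t i = 0; i < n / 2; i++) {
        uint16_t c = rd16(name + 2 * i);
        out[i] = (c >= 0x20 && c < 0x7F) ? (char)c : '?';
    }
    out[n / 2] = '\0';
    return 0;
}

int main(void)
{
    char target[64];
    int rc = junction_target(SAMPLE, sizeof SAMPLE, target, sizeof target);
    printf("rc=%d target=%s\n", rc, rc == 0 ? target : "(none)");
    return rc == 0 ? 0 : 1;
}
```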
 
