Breaking Software Integrity with NTFS Streams

Too Long; Didn't Read

For security purposes, many applications use hashing to ensure software integrity. On Windows based NTFS file systems, there is a weakness. Files can be hidden within or behind files. Under <strong>certain circumstances</strong>, these hidden files can be hashed and remain hidden. Intrigued yet? As luck would have it, WikiLeaks leaked out part of an old CIA operations manual during a mega disclosure in 2016/17. One leaky technique caught my eye, <a href="https://wikileaks.org/ciav7p1/cms/page_13763461.html" target="_blank">hiding data in NTFS data streams</a>. The full instructions were lacking; however, since some of us have secretly have enjoyed using this technique for many years, it was time to spread the joy. Microsoft kindly posted a <a href="https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/" target="_blank">blog</a> on it back in 2013 from a developer perspective. Not an evil (puts hoodie on) hacker perspective. Quick, hide under the covers from the evil hackers and everything will be alright. We’re going to get all CIA level and break some sh*t.