hi nikos,
i work as a virus analyst for a computer security company, and find x2 an invaluable tool in my day-to-day work. however i think that with regards to alternate data streams an obvious feature is missing which i would dearly appreciate.
we have an anti-rootkit tool which obtains files from our customers' machines and archives them. this tool preserves any ADS streams, and recently there have been more frequent occurrences when malware is stored in an ADS stream.
the obvious feature which i would like in x2 is simply to extract a file from an ADS stream. i see there is your 'bundle' feature which i am sure is useful for some in certain circumstances. but is not simple extraction from an ADS stream a more basic function that might be added? (as well as the inverse to put a file into a stream)
it appears that to bundle a zero-byte file with malware in the ADS stream is close to this operation, but places a header on the file which involves tinkering in a hex editor to remove.
at the moment i have to use a microsoft command-line tool to perform this operation, and would love to see it in x2, and believe it would add to its completeness as a feature-rich and powerful file manager.
thanks,
jazzcat
ADS file extraction
-
- Site Admin
- Posts: 16295
- Joined: 2002 Feb 07, 15:57
- Location: UK
i suppose you have a point, but i wonder if there's any other user except for you that finds ADS management important -- i bet 99% don't even have a clue what ADS is 
if you want quick indications about suspect files, put side to side "size" and "size on disk" columns; the latter shows space occupied by streams, if any. Also, a high stream count (Streams column) is another giveaway

once you have a file and you know the name of the stream, you can try from the command line:
copy filename.exe:streamname outfile
-
- Member
- Posts: 41
- Joined: 2006 Feb 06, 13:34
- Location: UK
perhaps you are right that not many would use such a feature, and that most may not know what ADS is...
i do think that this might be because of the fact that it is so inaccessible though, not because it is unuseful or uninteresting. the fact is that NTFS is capable of so much more than most people realise, and x2 helps open up these features to the masses, junctions and hard links being perfect examples. i think it would be nice if x2 completed the set - it would be nice to think of any filesystem operation that x2 can do it!
the command line i currently use is in essence the same as that which you describe, so i will continue to use this if needs be... but i think x2 integration would be ideal :D
-
- Gold Member
- Posts: 430
- Joined: 2003 May 07, 07:14
- Location: Seattle
Hi jazzcat,
I feel that you can integrate the Microsoft tool you are talking about with xplorer2 using user commands. User commands support a rich set of tokens. For example, you can create a user command similar to the following and add it to your toolbar (and maybe assign a hotkey to it as well)
> copy $N:$? $B.ads
Just select the file you want to extract the stream from and press the user command button on your toolbar. This trick will work for a bunch of files as well.
If you want to do something really complicated then you can write an AutoHotkey or a VB script which accepts xplorer2 command tokens as input parameters and performs the custom action on the selected files. E.g. write a log file or upload files to FTP etc.
You can also try awxShellFish shell extension which adds user command like functionality to windows context menu.
http://arniworld.de/downloads.htm
The best thing I like about awxShellFish is that I can use my xplorer2 user command scripts in windows explorer as well.
Help! I'm an AI running around in someone's universe simulator.
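Added example, not part of any post in this thread: a PowerShell function that goes one step beyond the one-file, known-stream-name case discussed above by enumerating every named stream under a path, extracting each to its own file and hashing it for triage. The function name `Export-AlternateStream`, its parameters and the output naming scheme are hypothetical; it assumes an NTFS volume and PowerShell 4.0 or later.

```powershell
# Added example: list and extract NTFS alternate data streams for triage.
# Function name, parameters and output file naming are hypothetical.
function Export-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Path,    # file or folder to inspect
        [Parameter(Mandatory)] [string] $OutDir   # folder for extracted streams
    )
    # Resolve to a full path: .NET calls below ignore the PowerShell location
    $OutDir = (New-Item -ItemType Directory -Path $OutDir -Force).FullName

    # Raw-byte reads are spelled differently in Windows PowerShell 5.1 and 6+
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $byteArgs = @{ AsByteStream = $true }
    } else {
        $byteArgs = @{ Encoding = 'Byte' }
    }

    $n = 0
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force | ForEach-Object {
        $file = $_
        # ':$DATA' is the unnamed main stream; every other entry is an ADS.
        # Downloaded files normally carry a small benign 'Zone.Identifier' stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $bytes = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                             -ReadCount 0 @byteArgs
                if ($null -eq $bytes) { $bytes = @() }   # zero-length stream

                # Counter prefix avoids collisions between same-named files
                $n++
                $safe = $_.Stream -replace '[^\w.-]', '_'
                $dest = Join-Path $OutDir ('{0:D4}_{1}__{2}.bin' -f $n, $file.Name, $safe)
                [System.IO.File]::WriteAllBytes($dest, [byte[]]$bytes)

                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                    SHA256 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
                    Output = $dest
                }
            }
    }
}

# Usage (paths are placeholders):
# Export-AlternateStream -Path 'D:\archive' -OutDir 'D:\ads-out' | Format-Table -AutoSize
```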