Adding some character to Alternate Data Streams

August 2, 2018 in Anti-*, Random ideas

Update

After I published it Vess suggested a test with \x08 (backspace) – it was a pretty cool idea so here is the result of testing:

  • c:\test\test.exe:foo\x08\x08\x08\x08\x08\x08\x08\x08\x08bar

Old Post

One of the file name restrictions that is listed on the classic Naming Files, Paths, and Namespaces page is this:

  • Characters whose integer representations are in the range from 1 through 31, except for alternate data streams where these characters are allowed. For more information about file streams, see File Streams.

I was curious how it works in practice with the ADS so here is the result of a test where I create the following file:

  • c:\test\test.exe:foo\x13\x10bar

So… creating the ADS using characters \x00-\x1F can produce unexpected results and possibly break various parsers. Not a biggie, but worth knowing about!

You can download the test file here. Just place it in c:\test\test.exe and run it.

Comments are closed.