{"id":5218,"date":"2018-08-02T23:23:17","date_gmt":"2018-08-02T23:23:17","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5218"},"modified":"2018-08-03T08:48:06","modified_gmt":"2018-08-03T08:48:06","slug":"adding-some-character-to-alternate-data-streams","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/08\/02\/adding-some-character-to-alternate-data-streams\/","title":{"rendered":"Adding some character to Alternate Data Streams"},"content":{"rendered":"<p><strong>Update<\/strong><\/p>\n<p>After I published it <a href=\"https:\/\/twitter.com\/VessOnSecurity\">Vess<\/a> <a href=\"https:\/\/twitter.com\/VessOnSecurity\/status\/1025279834812022784\">suggested<\/a> a test with \\x08 (backspace) &#8211; it was a pretty cool idea so here is the result of testing:<\/p>\n<ul>\n<li>c:\\test\\test.exe:foo\\x08\\x08\\x08\\x08\\x08\\x08\\x08\\x08\\x08bar<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/ads_8.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-5223\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/ads_8.png\" alt=\"\" width=\"359\" height=\"30\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/ads_8.png 359w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/ads_8-300x25.png 300w\" sizes=\"(max-width: 359px) 100vw, 359px\" \/><\/a><strong>Old Post<\/strong><\/p>\n<p>One of the file name restrictions that is listed on the classic <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/fileio\/naming-a-file\">Naming Files, Paths, and Namespaces<\/a> page is this:<\/p>\n<ul>\n<li>Characters whose integer representations are in the range from 1 through 31, except for alternate data streams where these characters are allowed. For more information about file streams, see File Streams.<\/li>\n<\/ul>\n<p>I was curious how it works in practice with the ADS so here is the result of a test where I create the following file:<\/p>\n<ul>\n<li>c:\\test\\test.exe:foo\\x13\\x10bar<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/ads_crlf.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-5219\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/ads_crlf.png\" alt=\"\" width=\"384\" height=\"361\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/ads_crlf.png 384w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/08\/ads_crlf-300x282.png 300w\" sizes=\"(max-width: 384px) 100vw, 384px\" \/><\/a>So&#8230; creating the ADS using characters \\x00-\\x1F can produce unexpected results and possibly break various parsers. Not a biggie, but worth knowing about!<\/p>\n<p>You can download the test file <a href=\"https:\/\/hexacorn.com\/examples\/2018-08-03_test.exe\">here<\/a>. Just place it in c:\\test\\test.exe and run it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update After I published it Vess suggested a test with \\x08 (backspace) &#8211; it was a pretty cool idea so here is the result of testing: c:\\test\\test.exe:foo\\x08\\x08\\x08\\x08\\x08\\x08\\x08\\x08\\x08bar Old Post One of the file name restrictions that is listed on the &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/08\/02\/adding-some-character-to-alternate-data-streams\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,58],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5218"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5218"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5218\/revisions"}],"predecessor-version":[{"id":5224,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5218\/revisions\/5224"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}