; ADS.asm Alternative Data Stream example
; To list a file's streams, use an ADS viewer such as ADSSpy.exe
; http://www.afterdawn.com/software/security/system_cleanup/ads_spy.cfm
;
; To see the hidden stream, type more < testfile.txt:stream
; To delete the stream, delete testfile.txt
;
; Only works on NTFS volumes: alternate data streams are an NTFS feature
.586p                                   ; Pentium instruction set, privileged forms allowed
.model flat,stdcall                     ; 32-bit flat memory model, stdcall is the default calling convention
option casemap:none                     ; symbols are case-sensitive (Win32 API names must match exactly)
option proc:private                     ; PROCs are private unless explicitly declared PUBLIC
include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\include\gdi32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\Comctl32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\shell32.inc
include \masm32\include\oleaut32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\Comctl32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\oleaut32.lib
;-----------------------------------------------------------------------
; CTEXT txt
; Emits a zero-terminated string literal into the read-only CONST
; segment and expands to OFFSET of that string, so it can be used
; directly as an invoke argument.  With an empty argument a single
; zero byte (empty string) is emitted.
; Assemble-time only: generates no code at the point of use.
;-----------------------------------------------------------------------
CTEXT MACRO txt:VARARG
    LOCAL lbl
    CONST segment                       ; switch to CONST, then restore the previous segment
    IFB <txt>
lbl db 0                                ; empty string
    ELSE
lbl db txt,0                            ; string plus terminating NUL
    ENDIF
    CONST ends
    EXITM <OFFSET lbl>
ENDM
ASSUME FS:NOTHING                       ; no assumptions about the FS segment register
.data?
dwBytes DWORD ?                         ; bytes written, filled in by WriteFile
.data
; Payload written into the alternate data stream; SIZEOF message1 includes the trailing NUL.
message1 db "To see the hidden stream, type more < testfile.txt:stream",0
.code
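;-----------------------------------------------------------------------
; ENTRY32 - program entry point
; Opens (or creates) the alternate data stream "stream" on testfile.txt,
; writes message1 into it and exits.  Exit code 0 on success, -1 if the
; stream cannot be opened or written.
; Registers: eax = API return value, ebx = stream handle.  ebx is
; callee-saved under stdcall and survives the invoke calls; since the
; entry point never returns (ExitProcess) it does not need to be saved.
; Note: OPEN_ALWAYS does not truncate an existing stream; a longer
; previous stream keeps its tail beyond SIZEOF message1 bytes.
;-----------------------------------------------------------------------
ENTRY32:
    invoke CreateFile, CTEXT("testfile.txt:stream"), GENERIC_WRITE, \
                       FILE_SHARE_READ or FILE_SHARE_WRITE, 0, OPEN_ALWAYS, \
                       FILE_ATTRIBUTE_NORMAL, 0
    .IF (eax == INVALID_HANDLE_VALUE)
        invoke MessageBox, 0, CTEXT("Error!"), CTEXT("Can't create file"), MB_OK
        invoke ExitProcess, -1
    .ENDIF
    mov ebx, eax                        ; ebx = stream handle
    invoke WriteFile, ebx, ADDR message1, SIZEOF message1, ADDR dwBytes, 0
    .IF (eax == 0)
        ; WriteFile returns zero on failure; report it instead of exiting with success
        invoke CloseHandle, ebx
        invoke MessageBox, 0, CTEXT("Error!"), CTEXT("Can't write stream"), MB_OK
        invoke ExitProcess, -1
    .ENDIF
    invoke CloseHandle, ebx
    invoke ExitProcess, 0
END ENTRY32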