; ADS.asm Alternate Data Stream (ADS) example: writes a named NTFS stream "stream" onto testfile.txt
;        Search for ADS - ADSSpy.exe
;        http://www.afterdawn.com/software/security/system_cleanup/ads_spy.cfm
;
;        To see the hidden stream, type more < testfile.txt:stream
;        (cmd's "<" redirection opens the named stream; any program that opens
;        the path "testfile.txt:stream" with CreateFile reads it the same way).
;        To delete the stream, delete testfile.txt - all of a file's named
;        streams go with the file. The stream is only hidden from a plain dir
;        listing: dir /r (Vista and later), PowerShell Get-Item -Stream *, or
;        Sysinternals streams.exe list it, so do not treat an ADS as concealment.
;
;        Only works on NTFS volumes; the stream is silently dropped if the file
;        is copied to a FAT/exFAT volume or otherwise moved off NTFS.
.586p
.model flat,stdcall
option casemap:none
option proc:private

    include \masm32\include\windows.inc
    include \masm32\include\masm32.inc
    include \masm32\include\gdi32.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\Comctl32.inc
    include \masm32\include\comdlg32.inc
    include \masm32\include\shell32.inc
    include \masm32\include\oleaut32.inc
    include \masm32\macros\macros.asm

    includelib \masm32\lib\masm32.lib
    includelib \masm32\lib\gdi32.lib
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\Comctl32.lib
    includelib \masm32\lib\comdlg32.lib
    includelib \masm32\lib\shell32.lib
    includelib \masm32\lib\oleaut32.lib

; CTEXT("literal") - emit a zero-terminated copy of the literal in the CONST
; segment and expand to OFFSET of it, so a string literal can be passed straight
; to invoke. With no argument it emits a lone 0 byte (empty string). Every
; expansion emits a fresh copy; identical literals are not merged. Assembly
; resumes in whichever segment was open before the expansion once CONST ends.
CTEXT MACRO y:VARARG
LOCAL lbl

CONST segment
IFNB <y>
lbl db y,0
ELSE
lbl db 0
ENDIF
CONST ends

EXITM <OFFSET lbl>
ENDM

ASSUME FS:NOTHING

.data?

dwBytes   dd ?      ; byte count filled in by WriteFile (lpNumberOfBytesWritten)

.data

; Payload written into the stream. SIZEOF message1 counts the trailing 0 too,
; so the terminator is part of what lands in testfile.txt:stream.
message1  db "To see the hidden stream, type more < testfile.txt:stream",0
     
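.code

; Program entry point (32-bit, stdcall Win32 API).
; Opens or creates the alternate data stream "stream" of testfile.txt in the
; current directory, writes message1 into it and exits with 0. Any API failure
; shows a message box and exits with -1, so the exit code can be trusted as
; "stream is in place" / "stream is not in place".
ENTRY32:
    ; OPEN_ALWAYS does not truncate: if "stream" already exists and is longer
    ; than SIZEOF message1, bytes past the write remain from the old contents.
    ; Use CREATE_ALWAYS instead if the stream must hold exactly message1.
    invoke CreateFile, CTEXT("testfile.txt:stream"), GENERIC_WRITE, \
                       FILE_SHARE_READ or FILE_SHARE_WRITE, 0, OPEN_ALWAYS, \
                       FILE_ATTRIBUTE_NORMAL, 0
    .IF (eax == INVALID_HANDLE_VALUE)
        ; MessageBox(hWnd, lpText, lpCaption, uType): body text first, then caption.
        invoke MessageBox, 0, CTEXT("Can't create file"), CTEXT("Error!"), MB_OK
        invoke ExitProcess, -1
    .ENDIF

    mov ebx, eax                ; stream handle; ebx is callee-saved under stdcall, so it survives the invokes below

    ; SIZEOF message1 includes the terminating 0, which is written as well.
    invoke WriteFile, ebx, ADDR message1, SIZEOF message1, ADDR dwBytes, 0
    ; A failed or short write leaves an empty/partial stream; report it instead
    ; of exiting 0 as if the write had succeeded.
    .IF (eax == 0) || (dwBytes != SIZEOF message1)
        invoke CloseHandle, ebx
        invoke MessageBox, 0, CTEXT("Can't write stream"), CTEXT("Error!"), MB_OK
        invoke ExitProcess, -1
    .ENDIF

    invoke CloseHandle, ebx

    invoke ExitProcess, 0

END ENTRY32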
