Alternate Data Streams and the programs that use them (reference)

General discussion related to "Everything".

Post by raccoon » Thu Jan 27, 2022 2:55 am

Quick reference thread for known Alternate Data Stream (Alt Stream) (ADS) names in the wild and the programs that use them. Add to this list. Only reference programs and specimens you yourself use and have encountered. Do not copypasta from elsewhere on the Internet.

:Zone.Identifier -- File was downloaded by any modern web browser and is assumed to be unsafe for execution.

[ZoneTransfer]
ZoneId=3

:fc_verify -- FastCopy optional "[x]Add verifyInfo AltStream" option.

{done=20220126-185643(0x1d8132122331050), ftime=20220115-021835(0x1d809f0df897399), size=48, sha512=81e10db57bab3c1728ed079cd5ed0a650bfd5e9a1dc1095a89eed1ef7d928018ef58c10df0fda40f2553daf8759f63d18aadb9c62e8643619368f6f2267cc68f}

7-Zip can archive files and their ADS, and extract them again intact. You have to use the uncompressed .wim (Windows Imaging) container and checkmark "[x]Store alternate data streams". You can then compress this container with .zip or .7z, for example, myarchive.wim.7z
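
Added example, not part of the original post and not code from FastCopy or any browser: a Python parser for the two stream bodies quoted above, useful when triaging ADS content pulled from a disk image. It assumes the hex values in the :fc_verify record are Windows FILETIME counts in UTC and that the text timestamps are local time, which the post does not state; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Stream contents copied from the post above.
ZONE_SAMPLE = "[ZoneTransfer]\nZoneId=3\n"
FC_SAMPLE = (
    "{done=20220126-185643(0x1d8132122331050), "
    "ftime=20220115-021835(0x1d809f0df897399), size=48, "
    "sha512=81e10db57bab3c1728ed079cd5ed0a650bfd5e9a1dc1095a89eed1ef7d928018"
    "ef58c10df0fda40f2553daf8759f63d18aadb9c62e8643619368f6f2267cc68f}"
)
# Windows URL security zone numbers.
URL_ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
             3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Return (zone_id, zone_name) from :Zone.Identifier content, or None."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", text, re.MULTILINE)
    if not m:
        return None
    zone = int(m.group(1))
    return zone, URL_ZONES.get(zone, "Unknown")

def filetime_to_utc(ft):
    """Assumption: value counts 100 ns ticks since 1601-01-01 UTC (FILETIME)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_fc_verify(text):
    """Split a :fc_verify record into fields, decoding 'stamp(0xhex)' pairs."""
    fields = {}
    for key, value in re.findall(r"(\w+)=([^,}]+)", text):
        m = re.fullmatch(r"(\d{8}-\d{6})\(0x([0-9a-fA-F]+)\)", value.strip())
        if m:
            fields[key] = {
                "local": datetime.strptime(m.group(1), "%Y%m%d-%H%M%S"),
                "utc": filetime_to_utc(int(m.group(2), 16)),
            }
        else:
            fields[key] = value.strip()
    fields["size"] = int(fields["size"])
    return fields

def utc_offset_hours(stamp):
    """Offset between the text timestamp and the decoded FILETIME, in hours."""
    delta = stamp["local"] - stamp["utc"].replace(tzinfo=None)
    return round(delta.total_seconds() / 3600)

if __name__ == "__main__":
    print(parse_zone_identifier(ZONE_SAMPLE))
    rec = parse_fc_verify(FC_SAMPLE)
    print(rec["done"]["utc"], utc_offset_hours(rec["done"]))
```

On the sample record both timestamps decode to the same minute and second as their text form, seven hours ahead, which is what supports the FILETIME assumption.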
