1

On Windows 7, starting a program located in an Alternate Data Stream (e.g. start c:\temp\application.exe:hiddenProgram.exe) does not work anymore!

Using Process Monitor, I see that the access result is OK, but somehow, the OS is blocking access to this file. On Vista and earlier versions, this method used to work.

Does anyone know how to start it using Windows 7?

Joseph Hansen
mox
  • Some newer antiviruses block programs like this. My question is, what genuine purpose do you have for hiding an exe file like this? – James Jan 06 '11 at 08:11
  • The purpose is not to hide malicious code but to increase portability and user comfort. – mox Jan 06 '11 at 09:38

1 Answer

0

Do what Mark Russinovich does with the Sysinternals tools: store additional executables as resources in the main EXE and unpack them when needed.

There is an additional advantage over ADS: portability. ADS do not survive being stored on FAT-formatted volumes, for example.

This technique can indeed be helpful if you want to distribute single EXEs that unpack required device drivers or other helper tools when needed (-> Sysinternals).

Helge Klein
  • Nice to see you here Helge! Remember PeStudio on your blog? Yes of course, ADS is only supported on NTFS. This is the reason why the Windows Journal, which is located in an ADS (\$Extend\$UsnJrnl:Data$), only exists in NTFS. Nevertheless, does anyone have an idea about how to resolve my question? Thanks. – mox Jan 06 '11 at 12:13
  • Marc, what do you mean by that? – Helge Klein Jan 06 '11 at 12:15
  • I meant that ADS per se are fully ok. I would like to put my application in ADS attached to another application and not in resources within applications like other tools. – mox Jan 06 '11 at 13:14
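
A stream such as application.exe:hiddenProgram.exe does not appear in a normal directory listing, which is why antivirus products and administrators audit for it. The following is an added example, not code from anyone in this thread: it lists every named stream under a folder and flags those that begin with the PE "MZ" signature. The `C:\temp` default and the helper name `Get-StreamHead` are assumptions; it needs PowerShell 3.0 or later and an NTFS volume.

```powershell
# Added example: enumerate alternate data streams on files under $Root and
# flag streams whose first two bytes are "MZ" (0x4D 0x5A), the PE signature.
# $Root is an assumed path. Only files are scanned; directories can also
# carry streams and are not covered here.
param([string]$Root = 'C:\temp')

# Hypothetical helper: return the first $Count bytes of one named stream.
function Get-StreamHead {
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte;
    # PowerShell 6+ replaced that with -AsByteStream.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream `
            -TotalCount $Count -ErrorAction SilentlyContinue
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte `
            -TotalCount $Count -ErrorAction SilentlyContinue
    }
}

Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # ':$DATA' is the unnamed main stream; everything else is an ADS.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $head = @(Get-StreamHead -Path $file -Stream $_.Stream)
                [pscustomobject]@{
                    File   = $file
                    Stream = $_.Stream
                    Length = $_.Length
                    IsPE   = ($head.Count -ge 2 -and
                              $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                }
            }
    } |
    Sort-Object IsPE -Descending |
    Format-Table -AutoSize
```

Small text streams such as `Zone.Identifier` on downloaded files are expected and show `IsPE` as False; a named stream that starts with "MZ" is the case worth investigating.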