Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Transferring Data Using NTFS Alternate Data Streams (DTNtfsAds_BK - Brutal Kangaroo)
SECRET//NOFORN
OSB Library: Data Transfer
Module Name: DTNtfsAds_BK (Brutal Kangaroo)
Module Description: This module allows for transfer or storage of data by placing it in NTFSNTMicrosoft operating system filesystem (Windows) Alternate Data Streams. Each chunk (call to DumpData) creates a new stream. Chunks are identified by the ProgramID.
PSP/OS Issues: No known issues.
('excerpt' missing)
Sharing Level: Unilateral
Technique Origin: In-house (known vector)
Notes:
- wcPath should be the path to the NTFSNT filesystem (Windows) volume (if you want the ADSAda Specification (file) to be created at the root of the drive) or to a folder/file on an NTFSNT filesystem (Windows) volume
- Program ID should be unique and can't be 0. This ID is used to identify owners of a chunk.
- Multiple program IDs can be written to the same path. The module knows which ones are yours based upon ProgramId
- Stream names are of the format :ObjIdX where X is an incremented number for each DumpData call - could be an attribution issue if not changed
- A read and write chunk index are stored for optimization. If wishing to read with two different program IDs you must first read all the data from one program id before starting to read the next program's data
Module Specific Structures: N/A
Example Code:
//Create Object
IDataTransfer *dtTransfer = new DTNtfsAds_BK();
//dump and read multiple sets of data
WCHAR wcDrivePath[] = L"I:\\";
dtTransfer->DumpData(wcDrivePath, byData1, dwData1Len, 5, 0);
dtTransfer->DumpData(wcDrivePath, byData2, dwData2Len, 6, 0);
dtTransfer->DumpData(wcDrivePath, byData3, dwData3Len, 5, 0);
//Data Buffers
LPBYTE lpbReadData1 = NULL;
DWORD dwReadData1 = 0;
LPBYTE lpbReadData2 = NULL;
DWORD dwReadData2 = 0;
LPBYTE lpbReadData3 = NULL;
DWORD dwReadData3 = 0;
//Read from location
dtTransfer->ReadData(wcDrivePath, lpbReadData1, dwReadData1, 5);
dtTransfer->ReadData(wcDrivePath, lpbReadData2, dwReadData2, 5);
dtTransfer->ReadData(wcDrivePath, lpbReadData3, dwReadData3, 6);
//Cleanup
if (lpbReadData1) free(lpbReadData1);
if (lpbReadData2) free(lpbReadData2);
if (lpbReadData3) free(lpbReadData3);
delete dtTransfer;
SECRET//NOFORN