1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
17 * Dumps every NTFS ADS found in a directory (recursive)
/* Forward declarations. The three routines call each other in a cycle
 * (read_sys_file -> read_sys_dir -> read_sys_file, both via os_get_streams),
 * so each needs a prototype before any definition. */
21 int os_get_streams(char *full_path);
22 int read_sys_dir(char *dir_name);
23 int read_sys_file(char *file_name);
25 /* Global variables */
/* Print out streams of a file.
 *
 * Opens full_path with backup semantics and walks its WIN32_STREAM_ID
 * headers with BackupRead/BackupSeek, printing every alternate data stream
 * as "Found NTFS ADS: '<path><stream name>'". The loop control, error
 * branches and return value fall outside the visible lines. */
30 int os_get_streams(char *full_path)
/* stream_name is read as raw bytes but later consumed as a WCHAR string. */
35 char stream_name[MAX_PATH + 1];
36 char final_name[MAX_PATH + 1];
37 DWORD dwRead, shs, dw1, dw2;
/* FILE_FLAG_BACKUP_SEMANTICS is required for BackupRead to expose the
 * stream list; the INVALID_HANDLE_VALUE branch below handles open failure. */
40 file_h = CreateFile(full_path,
45 FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_POSIX_SEMANTICS,
48 if (file_h == INVALID_HANDLE_VALUE) {
/* Zeroed header: dwStreamNameSize is 0 when shs is computed below. */
53 ZeroMemory(&sid, sizeof(WIN32_STREAM_ID));
55 /* Get stream header size -- should be 20 bytes: the fixed part of
 * WIN32_STREAM_ID up to cStreamName, plus the (currently zero) name size. */
56 shs = (LPBYTE)&sid.cStreamName - (LPBYTE)&sid + sid.dwStreamNameSize;
/* Read one fixed-size header; a zero return is treated as the stop/error
 * condition (its body is not shown here). */
59 if (BackupRead(file_h, (LPBYTE) &sid, shs, &dwRead,
60 FALSE, FALSE, &context) == 0) {
/* Terminate the name buffer before and after the read.
 * NOTE(review): the name is formatted with %S below, i.e. as WCHARs, and a
 * single zero byte at stream_name[MAX_PATH] is not a wide-character
 * terminator. The BackupRead length argument (not visible here) must leave
 * room for a two-byte wide NUL, otherwise %S can read past the buffer --
 * confirm against the full source. */
67 stream_name[0] = '\0';
68 stream_name[MAX_PATH] = '\0';
69 if (BackupRead(file_h, (LPBYTE)stream_name,
71 &dwRead, FALSE, FALSE, &context)) {
/* Join "<file path>" and the wide stream name into one narrow string.
 * The MAX_PATH bound leaves the last byte of final_name for the terminator. */
74 snprintf(final_name, MAX_PATH, "%s%S", full_path,
75 (WCHAR *)stream_name);
/* Last ':' in the combined name -- presumably used to trim the stream type
 * suffix; what is done with tmp_pt is outside the visible lines. */
76 tmp_pt = strrchr(final_name, ':');
80 printf("Found NTFS ADS: '%s' \n", final_name);
/* Skip the stream's data (sid.Size as Low/High 32-bit halves) so the next
 * BackupRead lands on the following header. */
86 if (!BackupSeek(file_h, sid.Size.LowPart, sid.Size.HighPart,
87 &dw1, &dw2, &context)) {
/* Dump the alternate data streams of file_name, then descend into it when it
 * is a directory. Returns read_sys_dir()'s result for directories; the other
 * return paths (stat failure, regular file) are outside the visible lines. */
96 int read_sys_file(char *file_name)
/* Streams are dumped for every node, directories included, before the type
 * check -- so the stat() below only decides whether to recurse. */
101 os_get_streams(file_name);
/* stat() failure branch body not shown here. */
102 if (stat(file_name, &statbuf) < 0) {
106 /* If directory, read the directory */
107 else if (S_ISDIR(statbuf.st_mode)) {
108 return (read_sys_dir(file_name));
/* Recursively walk dir_name: every entry (except . and ..) is handed to
 * read_sys_file, which calls back here for subdirectories. The bodies of the
 * early exits (stat failure, non-directory, opendir failure) and the
 * closedir/return are outside the visible lines. */
114 int read_sys_dir(char *dir_name)
117 struct dirent *entry;
120 /* Get the number of nodes. The total number on opendir
123 if (stat(dir_name, &statbuf) < 0) {
127 /* Must be a directory */
128 if (!S_ISDIR(statbuf.st_mode)) {
132 /* Open the directory given */
133 dp = opendir(dir_name);
138 /* Read every entry in the directory */
139 while ((entry = readdir(dp)) != NULL) {
/* One byte larger than the snprintf bound below, so the terminator always fits. */
140 char f_name[MAX_PATH + 2];
142 /* Ignore . and .. */
143 if ((strcmp(entry->d_name, ".") == 0) ||
144 (strcmp(entry->d_name, "..") == 0)) {
148 /* Create new file + path string */
/* Bounded join with a backslash separator. A combined path longer than
 * MAX_PATH is silently truncated by snprintf rather than rejected, so a deep
 * tree recurses on a cut-off (and therefore wrong) name. */
149 snprintf(f_name, MAX_PATH + 1, "%s\\%s", dir_name, entry->d_name);
151 read_sys_file(f_name);
159 int main(int argc, char **argv)
161 printf("%s: NTFS ADS dumper (GPL v2)\n", argv[0]);
162 printf("by Daniel B. Cid - dcid at ossec.net\n\n");
164 /* Print every NTFS ADS found */
166 printf("%s dir\n", argv[0]);
171 read_sys_file(argv[1]);
173 if (ads_found == 0) {
174 printf("No NTFS ADS found.\n");