
Thread: FileAlyzer does not show alternate data streams of directories

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    1

    FileAlyzer does not show alternate data streams of directories

    FileAlyzer does not show data that is hidden in alternate data streams of directories (which are in a way a kind of ordinary files). I have not been able to open a directory in the File dialog, nor is FileAlyzer shown in the context menu when right-clicking directories.
    Happily, FileAlyzer succeeded in showing alternate data streams of ordinary files that contain forbidden letters and non-ANSI symbols. I was missing an option to copy the contents of data streams from the FileAlyzer window (via clipboard). This would be of interest, because genuine Windows tools also fail in this case (see below).


    Background:
    We recently had malware from zylomgames.com that tried to infect a user's directory. The files were hidden in alternate data streams that were attached to some files of the folder "\my pictures" and to the directory file of the user's programs and adjustments. The names of these data streams contained a lot of letters that are not allowed in file names, so that Windows commands were not able to handle or remove them.
    Copying the contents of these streams failed for the same reason.
    I have re-created the user's directory and manually granted the appropriate permissions.

  2. #2
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    211


    As far as the file data are concerned, if you right click on the stream data, click extract stream, a bin file will be created in the folder you specify in the save as window that opens. The text part of this binary file can be read in Notepad (or if you have Quick View Plus, it will show both the text and hex contents; as would, I suppose, any hex editor). I attach a picture that shows the ADS file that is appended to one of my music files by the tag editor I use. I think it would be the same for any other ADS file.
    Last edited by Rosenfeld; 2007-05-14 at 02:23.

  3. #3
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601


    For streams associated with directories instead of files, the FileAlyzer package should also contain FoldAlyzer, the small brother for folders.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  4. #4
    Junior Member
    Join Date
    Jun 2007
    Posts
    2


    I do not understand why there is a distinction made between the <Streams>
    tab and <Hex Dump> tab.

    It would be more intuitive to me to only have the one <Hex Dump> tab but
    incorporate a left pane to allow selection of the stream of interest. Then that
    stream's hex data is displayed in a right pane (along with the options to
    <Search text> and <List strings>). The <Text preview> tab (or other preview
    tab) would logically(?) interpret whatever stream was selected (default would
    obviously be the main stream).

    Would this be too difficult to implement in a new version?

    Also, what is contained within the 'Security' & 'Object Identifier' types within
    the Streams tab (I guess they are standard Windows ADS)?

    Cheers, Itchione

  5. #5
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    211


    As I understand it, the hex dump shows the contents of the file itself. The ADS is a separate, appended file. I'm not a software developer, so cannot comment on whether it would be easy to display the contents of both in one pane. Personally, I think that might lead to confusion.

    BTW if you don't already have it, you could try ADS Spy, a handy little utility to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems. Free from

    http://www.richardthelionhearted.com...downloads.html

  6. #6
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601


    Everyone has little ADS tools available these days.
    Here also is a small scanner from us that allows you to search a full directory for attached ADS.

    There are arguments for both sides. On the one hand, the main stream is just one of many streams. On the other hand, one would expect all the other main stream features to work on ADS, which they do not do currently. I'm switching to an improved hex display currently, which needs some manual adjustments to work for the old style; when that is finished, I may think about integrating both.

    First up will be version 1.5.5 though; RegAlyzer and RunAlyzer have already been updated to have the "Works with Windows Vista" logo, FileAlyzer is next...
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
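
Added example, not part of the original thread and not FileAlyzer's or FoldAlyzer's code: Python that enumerates the streams of a file or a directory through the Win32 FindFirstStreamW/FindNextStreamW calls and flags stream names containing characters that file names cannot hold, the case described in the first post. The helper names (parse_stream, triage, list_streams) and the SAMPLE names are assumptions made for illustration.

```python
import ctypes

# Characters NTFS allows in a stream name but Windows rejects in a file name
# (stream names only forbid NUL, '\', '/' and ':').
FILENAME_ILLEGAL = set('"*<>?|') | {chr(c) for c in range(1, 32)}
ERROR_HANDLE_EOF = 38  # FindFirstStreamW: the object has no streams at all
# Constructed sample names, in the ':name:$TYPE' form the API returns.
SAMPLE = [("::$DATA", 12), (':pay"load?.exe:$DATA', 4096)]

class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * 296)]  # MAX_PATH + 36

def parse_stream(raw):
    """Split ':name:$TYPE' (the FindFirstStreamW form) into (name, type)."""
    if not raw.startswith(":"):
        raise ValueError("not a stream specifier: %r" % raw)
    name, _, stype = raw[1:].rpartition(":")
    return name, stype

def triage(raw, size):
    """Describe one stream; 'named' is False for the unnamed main stream."""
    name, stype = parse_stream(raw)
    return {"name": name, "type": stype, "size": size, "named": name != "",
            "bad_chars": sorted(set(name) & FILENAME_ILLEGAL)}

def list_streams(path):
    """Enumerate the streams of a file OR a directory (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle in (None, ctypes.c_void_p(-1).value):  # INVALID_HANDLE_VALUE
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:  # e.g. a directory with no ADS attached
            return []
        raise ctypes.WinError(err)
    found = []
    try:
        while True:
            found.append(triage(data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                return found
    finally:
        k32.FindClose(handle)
```

A directory has no unnamed main stream, so every entry list_streams returns for a directory is a named stream worth reviewing; calling it from os.walk over a profile folder covers both the directories and the files in them.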
