15 September 2015

How Microsoft SmartScreen works and how it stores data in NTFS streams

Windows 10 (and 8) has a feature called Microsoft SmartScreen. It is split in two parts: one purely for the web and one for files downloaded for the web. I’ll try to explain how SmartScreen for downloaded files work. But first we need to know how streams works

ADS or just ”streams” is a feature in Microsoft NTFS file system feature that allows for ”hidden” data in a file. You can access the hidden data by using the colon separator.
Copy ftp.exe from C:\Windows\System32 to c:\temp\. I used ftp.exe because it is an unsigned executable that you probably can find on your hard drive. Use Windows PowerShell for these commands. Create an alternative stream by using notepad:
PS C:\temp> notepad ftp.exe:LennartStream
Answer yes in Notepad. Enter the content ”Hello World!”, save and close the file/stream. We can now open the file/stream by the same Notepad command again. No actual new file was created on the hard drive. It just created a new stream. You can list the streams by using Windows Sysinternals Streams program or just use PowerShell:
 PS C:\temp> Get-Item ftp.exe -Stream *

   FileName: C:\temp\ftp.exe

Stream                   Length
------                   ------
:$DATA                    55808
LennartStream.txt            12

As you can see my ”LennartStream” is there and it takes 12 bytes (the ”Hello World!” string). The main program for ftp takes 55808 bytes.

Microsoft SmartScreen
SmartScreen (https://en.wikipedia.org/wiki/Microsoft_SmartScreen) provides some protection for executing downloaded files from the internet. When a file is downloaded in the web browser (for example Firefox), a stream called “Zone.Identifier” is created. If the Zone is “dangerous” a warning dialog may be presented to the user when the file is run. In Windows 10 the settings for SmartScreen is in Control Panel\System and Security\Security and Maintenance.

Use notepad to edit the Zone.Identifier stream:
PS C:\temp> notepad ftp.exe:Zone.Identifier
Create a new stream and enter this content:

Now double click on ftp.exe to run it. You will now get a dialog like this:
“Windows protected your PC. Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk”

Press “More info”:

Choose “Run anyway” and then just close the ftp program. View the Zone.Identifier stream again:
PS C:\temp> notepad ftp.exe:Zone.Identifier
The content has now changed to:

As you can see SmartScreen has updated the stream data with respect to your answer in the dialog.

Please note that if the file is signed with a certificate and Microsoft can verify it (with some magical “reputation” system I don’t know the details on) the dialog may not be shown and the stream will not be changed.

No comments:

Post a Comment