Didier Stevens

Wednesday 25 December 2019


Filed under: My Software — Didier Stevens @ 13:52

I regularly want to test the behavior of applications opening files downloaded from the Internet.

On Windows, files downloaded from the Internet (with Internet Explorer or Edge, for example) have metadata in an Alternate Data Stream to indicate their origin. This is the Zone.Identifier ADS.

To simulate a download, I will add the ADS myself, and I often refer to my own blog post here and here, as I don’t remember the exact syntax and numbers.

Until recently.

Now, I wrote a small Go program that helps me creating (and removing) the appropriate ADS for a mark-of-web (Zone.Identifier).

Just running zoneidentifier with a filename, will add a Zone.Identifier ADS for zone 3 (Internet) to the file. Like this:

Option -id is used to specify a different zone ID, like this:

And option -remove is used to remove a Zone.Identifier ADS:

zoneidentifier_V0_0_1.zip (https)
MD5: CB1EB21013C6124CB3C1320F6A12207F
SHA256: E867AE693CB5EEA8CF0D252421E347B1309D7F36C9C6A427F7361CD5DD619839

Blog at WordPress.com.