SharpADS
Read, write and delete Alternate Data Streams (ADS) within NTFS, to hide malicious payloads
Install / Use
/learn @ricardojoserf/SharpADSREADME
SharpADS
C# program to write, read, delete or list Alternate Data Streams (ADS) within NTFS. It can "hide" payloads inside both files or directories.
Write one ADS value
Create or update and ADS value. The payload can be a string, a hexadecimal value or a url to download a file:
SharpADS.exe write FILE_PATH STREAM_NAME PAYLOAD
Example using a string:
SharpADS.exe write c:\Temp\test.txt ADS_name1 RandomString
Example using a hexadecimal value (payload starts with "0x..."):
SharpADS.exe write c:\Temp\test.txt ADS_name2 0x4142434445
Example using the content of a downloaded file (payload starts with "http..." or "https..."):
SharpADS.exe write c:\Temp\test.txt ADS_name3 http://127.0.0.1:8000/a.bin
Read one ADS value
SharpADS.exe read FILE_PATH STREAM_NAME
Example:
SharpADS.exe read c:\Temp\test.txt ADS_name1
Delete one ADS value
SharpADS.exe delete FILE_PATH STREAM_NAME
Example:
SharpADS.exe delete c:\Temp\test.txt ADS_name1
List all ADS values
SharpADS.exe list FILE_PATH
Example:
SharpADS.exe list c:\Temp\test.txt
Clear all ADS values
SharpADS.exe clear FILE_PATH
Example:
SharpADS.exe clear c:\Temp\test.txt
Credits
This is based on C++ code from Sektor7's Malware Development Advanced - Vol.1 course.
Related Skills
node-connect
343.1kDiagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps
frontend-design
90.0kCreate distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.
openai-whisper-api
343.1kTranscribe audio via OpenAI Audio Transcriptions API (Whisper).
qqbot-media
343.1kQQBot 富媒体收发能力。使用 <qqmedia> 标签,系统根据文件扩展名自动识别类型(图片/语音/视频/文件)。
