SharpADS - Playing with Alternate Data Streams (ADS) using C#

C# program to write, read, delete or list Alternate Data Streams (ADS) within NTFS.

Repository: https://github.com/ricardojoserf/SharpADS


Write one ADS value

Create or update an ADS value. The payload can be a string, a hexadecimal value or a URL from which to download a file:

SharpADS.exe write FILE_PATH STREAM_NAME PAYLOAD

Example using a string:

SharpADS.exe write c:\Temp\test.txt ADS_name1 RandomString

Example using a hexadecimal value (payload starts with “0x…”):

SharpADS.exe write c:\Temp\test.txt ADS_name2 0x4142434445

Example using the content of a downloaded file (payload starts with “http…” or “https…”):

SharpADS.exe write c:\Temp\test.txt ADS_name3 http://127.0.0.1:8000/a.bin



Read one ADS value

SharpADS.exe read FILE_PATH STREAM_NAME

Example:

SharpADS.exe read c:\Temp\test.txt ADS_name1



Delete one ADS value

SharpADS.exe delete FILE_PATH STREAM_NAME

Example:

SharpADS.exe delete c:\Temp\test.txt ADS_name1



List all ADS values

SharpADS.exe list FILE_PATH

Example:

SharpADS.exe list c:\Temp\test.txt
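
To audit streams like the ones written above across a whole directory tree, the built-in PowerShell stream cmdlets are enough. The script below is an added example, not part of SharpADS: it walks files only, skips the default `:$DATA` stream and `Zone.Identifier`, and reports each remaining stream with its size and first bytes. The function name `Get-AdsInventory`, its parameters and the `C:\Temp` root are assumptions for illustration.

```powershell
# Added example (not SharpADS code): inventory NTFS alternate data streams under a directory tree.
# Assumptions: NTFS volume; 'C:\Temp' in the usage line is a sample path.
function Get-AdsInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier (Mark of the Web) sits on most downloaded files; skipped by default.
        [string[]] $IgnoreStream = @('Zone.Identifier'),
        [int] $PreviewBytes = 16
    )

    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 6+ uses -AsByteStream.
    $byteArgs = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } }

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            # -Stream * returns every stream on the file, including the unnamed default one.
            Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStream } |
                ForEach-Object {
                    # Read only the first bytes so large streams are not loaded into memory.
                    $head = @()
                    if ($_.Length -gt 0) {
                        $head = @(Get-Content -LiteralPath $path -Stream $_.Stream `
                                  -TotalCount $PreviewBytes @byteArgs)
                    }
                    [pscustomobject]@{
                        File    = $path
                        Stream  = $_.Stream
                        Length  = $_.Length
                        HeadHex = ($head | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
                        # 'MZ' magic: the stream starts like a Windows executable.
                        LooksPE = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Largest streams first; large or PE-looking streams deserve a closer look.
Get-AdsInventory -Root 'C:\Temp' | Sort-Object Length -Descending | Format-Table -AutoSize
```

For the write example with payload `0x4142434445`, the `HeadHex` column would show `41 42 43 44 45` for `ADS_name2`.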



Clear all ADS values

SharpADS.exe clear FILE_PATH

Example:

SharpADS.exe clear c:\Temp\test.txt



Credits

This is based on C++ code from Sektor7’s Malware Development Advanced - Vol.1 course.

Written on August 22, 2023