ADSman is a command-line tool for managing Alternate Data Streams (ADS) on NTFS file systems. It allows users to find, add, remove, and extract ADS from files.
Alternate Data Streams (ADS) are hidden data layers within files on NTFS file systems. Unlike regular file contents, ADS are not visible in File Explorer or standard directory listings. They allow additional data to be stored within a file without changing its size in the main view.
- Originally designed for compatibility with macOS metadata when NTFS was introduced.
- Used by Windows system features for storing extra file information.
- Sometimes exploited by malware to hide malicious payloads inside seemingly harmless files.
- A file can have multiple ADS attached to it.
- ADS are accessed using the format:
filename:streamname
ADSman.exe [--file/-f <file>] [--add/-a <source> --to/- <target>] [--remove/-rm <adsName> --from-file/-ff <file>] [--nobanner/-n] [--help/-h]-f, --file <filename>Find ADS within the specified file.-a, --add <source>Add an ADS from the specified source file.-t, --to <target>Specify the target file to attach the ADS to.-e, --extract <adsName>Extract the specified ADS from a file.-rm, --remove <adsName>Remove the specified ADS from a file.-ff, --from-file <file>Specify the file from which to remove the ADS.-n, --nobannerSuppress the banner output.-h, --helpDisplay this help message.
This tool is part of the 8gudbitsKit project. To download the executable for Windows, visit the 8gudbitsKit repository.
- Uses Windows API (
FindFirstStreamW,FindNextStreamW) to detect ADS. - Reads and writes ADS using std::ifstream and std::ofstream.
- Supports adding, extracting, and removing ADS using NTFS stream paths.
- Handles wide-character filenames for full Windows compatibility.
- Ensures safe ADS removal using
DeleteFileW(). - Provides detailed output to help users understand ADS presence.