Skip to content

Latest commit

 

History

History
54 lines (28 loc) · 4.06 KB

README.md

File metadata and controls

54 lines (28 loc) · 4.06 KB

SharpNado

Repository to link to the tools or implementations related with malware I will be writting in C#:

  • FakeRebootAlert: Simple Windows Forms App to deceive users into rebooting the system upon login

  • GetModuleHandle: GetModuleHandle implementation in C# using only NtQueryInformationProcess by walking the PEB in 32-bit or 64-bit processes

  • GetModuleHandleRemote: GetModuleHandle implementation in C# for remote processes using only NTAPIs

  • GetProcAddress: GetProcAddress implementation in C# using only NtReadVirtualMemory by walking the PEB in 32-bit or 64-bit processes

  • GetProcessByName: Get processes from process name using NtGetNextProcess and GetProcessImageFileName syscalls

  • GuardPagesHooking: C# implementation of Guard Pages API Hooking (also known as VEH hooking)

  • Jeringuilla: Process injection framework in C#. It uses dynamic function loading using delegates and AES-encryption for strings and payloads

  • Lsass-dump-csharp: Custom lsass.exe dump using C#: XOR-encoding, Dynamic function resolution, using NTAPIs...

  • MinidumpParser - C# program to parse Microsoft Minidump files

  • NativeBypassCredGuard: Bypass Credential Guard by patching WDigest.dll using only NTAPI functions

  • NativeDump - Dump lsass using only NTAPIs by hand-crafting Minidump files (without MinidumpWriteDump)

  • Non-ms-binaries: Code snippet to create a process using the "PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON" flag

  • P-Invoke.net - P/Invoke definitions from the now offline pinvoke.net - Website: https://www.p-invoke.net/

  • SharpADS: Read, write and delete Alternate Data Streams (ADS) within NTFS, to hide malicious payloads

  • SharpCovertTube: Youtube as covert-channel - Control Windows systems remotely and execute commands by uploading videos to Youtube

  • SharpEA: Read, write and delete Extended Attributes (EAs) within NTFS, to hide malicious payloads

  • SharpObfuscate: Obfuscate payloads using IPv4, IPv6, MAC or UUID strings

  • SharpNtdllOverwrite: Overwrite ntdll.dll ".text" section to bypass API hooking. Getting the clean ntdll.dll from disk, Knowndlls folder, a debugged process or a URL

  • SharpProcessDump: Dump memory regions of a process using only native API calls (NtQueryVirtualMemory and NtReadVirtualMemory)

  • SharpSelfDelete: PoC to self-delete a binary in C#. The process continues but the .exe file is removed from disk

  • StealthyEnv: Stealthier alternative to whoami.exe in C#, it gets environment variables from PEB (PRTL_USER_PROCESS_PARAMETERS)

  • TrickDump: Dump lsass using only NTAPIS running 3 programs to create 3 JSON and 1 ZIP file... and generate the Minidump later!

  • WhoamiAlternatives: Different methods to get current username without using whoami, based on vx-underground posts