SharpNado

Repository to link to the tools or implementations related with malware I will be writting in C#:

GetModuleHandle: GetModuleHandle implementation in C# using only NtQueryInformationProcess by walking the PEB in 32-bit or 64-bit processes
GetModuleHandleRemote: GetModuleHandle implementation in C# for remote processes using only NTAPIs.
GetProcAddress: GetProcAddress implementation in C# using only NtReadVirtualMemory by walking the PEB in 32-bit or 64-bit processes
GetProcessByName: Get processes from process name using NtGetNextProcess and GetProcessImageFileName syscalls
GuardPagesHooking: C# implementation of Guard Pages API Hooking (also known as VEH hooking)
Jeringuilla: Process injection framework in C#. It uses dynamic function loading using delegates and AES-encryption for strings and payloads
Lsass-dump-csharp: Custom lsass.exe dump using C#: XOR-encoding, Dynamic function resolution, using NTAPIs...
MinidumpParser - C# program to parse Microsoft Minidump files
NativeDump - Dump lsass using only NTAPIs by hand-crafting Minidump files (without MinidumpWriteDump)
Non-ms-binaries: Code snippet to create a process using the "PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON" flag
P-Invoke.net - P/Invoke definitions from the now offline pinvoke.net - Website: https://www.p-invoke.net/
SharpADS: Read, write and delete Alternate Data Streams (ADS) within NTFS, to hide malicious payloads
SharpCovertTube: Youtube as covert-channel - Control Windows systems remotely and execute commands by uploading videos to Youtube
SharpEA: Read, write and delete Extended Attributes (EAs) within NTFS, to hide malicious payloads
SharpObfuscate: Obfuscate payloads using IPv4, IPv6, MAC or UUID strings
SharpNtdllOverwrite: Overwrite ntdll.dll ".text" section to bypass API hooking. Getting the clean ntdll.dll from disk, Knowndlls folder, a debugged process or a URL
SharpProcessDump: Dump memory regions of a process using only native API calls (NtQueryVirtualMemory and NtReadVirtualMemory)
SharpSelfDelete: PoC to self-delete a binary in C#. The process continues but the .exe file is removed from disk
StealthyEnv: Stealthier alternative to whoami.exe in C#, it gets environment variables from PEB (PRTL_USER_PROCESS_PARAMETERS)
WhoamiAlternatives: Different methods to get current username without using whoami, based on vx-underground posts

Name		Name	Last commit message	Last commit date
Latest commit History 39 Commits
GetModuleHandle @ fcb59ff		GetModuleHandle @ fcb59ff
GetModuleHandleRemote @ 279f04f		GetModuleHandleRemote @ 279f04f
GetProcAddress @ 83d3356		GetProcAddress @ 83d3356
GetProcessByName @ 2717e5e		GetProcessByName @ 2717e5e
GuardPagesHooking @ 552ee22		GuardPagesHooking @ 552ee22
Jeringuilla @ 5ea08c7		Jeringuilla @ 5ea08c7
Lsass-dumper-csharp @ ff1713e		Lsass-dumper-csharp @ ff1713e
MinidumpParser @ a04cd72		MinidumpParser @ a04cd72
NativeDump @ 70fa3f5		NativeDump @ 70fa3f5
Non-ms-binaries @ d95ed7e		Non-ms-binaries @ d95ed7e
P-invoke.net @ 0e444d3		P-invoke.net @ 0e444d3
SharpADS @ ea6d0b9		SharpADS @ ea6d0b9
SharpCovertTube @ dffecc2		SharpCovertTube @ dffecc2
SharpEA @ 278b27c		SharpEA @ 278b27c
SharpNtdllOverwrite @ 9fc6582		SharpNtdllOverwrite @ 9fc6582
SharpObfuscate @ 939baec		SharpObfuscate @ 939baec
SharpProcessDump @ 5574b34		SharpProcessDump @ 5574b34
SharpSelfDelete @ d6be187		SharpSelfDelete @ d6be187
StealthyEnv @ 7f1fc1e		StealthyEnv @ 7f1fc1e
WhoamiAlternatives @ e97ec88		WhoamiAlternatives @ e97ec88
.gitmodules		.gitmodules
README.md		README.md

ricardojoserf/SharpNado

Folders and files

Latest commit

History

Repository files navigation

SharpNado

About

Topics

Resources

Stars

Watchers

Forks

Sponsor this project