MinidumpParser
C# program to parse Microsoft Minidump files.
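As an added example (not MinidumpParser's own code), the following C# reads the fixed MINIDUMP_HEADER, walks the stream directory and decodes the SystemInfo stream, the minimum any minidump parser has to do before it can locate modules, threads or memory ranges. Offsets are the documented minidumpapiset.h layout; the sample dump built in BuildSampleDump() is constructed for the example and contains no real process data.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

public static class MinidumpDirectory
{
    const uint MinidumpSignature = 0x504D444D;   // "MDMP" read as a little-endian DWORD

    // Documented MINIDUMP_STREAM_TYPE values a parser usually cares about.
    static readonly Dictionary<uint, string> StreamNames = new Dictionary<uint, string>
    {
        { 3, "ThreadListStream" }, { 4, "ModuleListStream" }, { 5, "MemoryListStream" },
        { 6, "ExceptionStream" }, { 7, "SystemInfoStream" }, { 9, "Memory64ListStream" },
        { 16, "MemoryInfoListStream" }, { 17, "ThreadInfoListStream" },
    };

    public struct StreamEntry { public uint Type; public uint DataSize; public uint Rva; }

    public static List<StreamEntry> ParseDirectory(byte[] dump)
    {
        if (dump.Length < 32) throw new InvalidDataException("shorter than MINIDUMP_HEADER (32 bytes)");
        if (BitConverter.ToUInt32(dump, 0) != MinidumpSignature) throw new InvalidDataException("missing MDMP signature");
        // Version: low word is MINIDUMP_VERSION (0xA793); the high word is implementation-specific.
        if ((BitConverter.ToUInt32(dump, 4) & 0xFFFF) != 0xA793) throw new InvalidDataException("unexpected minidump version");
        uint count = BitConverter.ToUInt32(dump, 8);
        uint dirRva = BitConverter.ToUInt32(dump, 12);
        // Each MINIDUMP_DIRECTORY entry is 12 bytes: StreamType, Location.DataSize, Location.Rva.
        if ((long)dirRva + (long)count * 12 > dump.Length) throw new InvalidDataException("stream directory outside file");

        var entries = new List<StreamEntry>();
        for (uint i = 0; i < count; i++)
        {
            int off = (int)(dirRva + i * 12);
            var e = new StreamEntry
            {
                Type = BitConverter.ToUInt32(dump, off),
                DataSize = BitConverter.ToUInt32(dump, off + 4),
                Rva = BitConverter.ToUInt32(dump, off + 8),
            };
            // The file is untrusted input: every location must lie inside it before anything dereferences it.
            if ((long)e.Rva + e.DataSize > dump.Length) throw new InvalidDataException($"stream {e.Type} points outside file");
            entries.Add(e);
        }
        return entries;
    }

    // MINIDUMP_SYSTEM_INFO: ProcessorArchitecture @0 (USHORT), MajorVersion @8, MinorVersion @12, BuildNumber @16.
    public static string DescribeSystemInfo(byte[] dump, StreamEntry e)
    {
        if (e.DataSize < 56) throw new InvalidDataException("SystemInfo stream truncated");
        int b = (int)e.Rva;
        ushort arch = BitConverter.ToUInt16(dump, b);
        string archName = arch == 9 ? "AMD64" : arch == 0 ? "x86" : arch == 12 ? "ARM64" : $"arch {arch}";
        return $"{archName}, Windows {BitConverter.ToUInt32(dump, b + 8)}.{BitConverter.ToUInt32(dump, b + 12)} build {BitConverter.ToUInt32(dump, b + 16)}";
    }

    // Constructed sample: header, two directory entries and a SystemInfo stream; not a real dump.
    public static byte[] BuildSampleDump()
    {
        var d = new byte[32 + 2 * 12 + 56];
        void W32(int off, uint v) => Array.Copy(BitConverter.GetBytes(v), 0, d, off, 4);
        void W16(int off, ushort v) => Array.Copy(BitConverter.GetBytes(v), 0, d, off, 2);
        W32(0, MinidumpSignature); W32(4, 0xA793); W32(8, 2); W32(12, 32);   // header: 2 streams, directory at RVA 32
        W32(32, 7); W32(36, 56); W32(40, 56);                                 // SystemInfoStream, 56 bytes at RVA 56
        W32(44, 4); W32(48, 0); W32(52, 112);                                 // empty ModuleListStream at end of file
        W16(56, 9); W32(64, 10); W32(68, 0); W32(72, 19045);                  // AMD64, Windows 10.0 build 19045
        return d;
    }

    static void Main(string[] args)
    {
        byte[] dump = args.Length > 0 ? File.ReadAllBytes(args[0]) : BuildSampleDump();
        foreach (var e in ParseDirectory(dump))
        {
            string name = StreamNames.TryGetValue(e.Type, out var n) ? n : $"UnknownStream({e.Type})";
            Console.WriteLine($"{name,-24} size={e.DataSize,-8} rva=0x{e.Rva:X}");
            if (e.Type == 7) Console.WriteLine("  " + DescribeSystemInfo(dump, e));
        }
    }
}
```

Run it with a path to an lsass or application dump to list its streams; without arguments it parses the constructed sample. The bounds checks matter more than they look: a dump handed to a parser can come from an attacker, and a directory RVA or DataSize that points past the end of the file is the classic way to crash or over-read a naive reader.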
Ethical hacker | OSCE(3) CRTM CRTL GXPN GRTP GCIH GCPN
SharpObfuscate transforms a payload into a list of IPv4, IPv6, MAC or UUID strings. It takes the bytes from a hexadecimal string, a file in the system, a file downloaded from a URL or an ordinary string.
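The encoding SharpObfuscate describes, as an added example that is not the tool's own code: each string type carries a fixed number of payload bytes (IPv4 4, MAC 6, IPv6 16, UUID 16); the payload is zero-padded to a whole number of blocks and the caller keeps the original length to trim on decode. That padding rule and the exact string layouts are assumptions of this example. The sample payload is a constructed ASCII string, not shellcode.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

public static class PayloadStrings
{
    // Zero-pad to a whole number of blocks; the caller keeps the original length to trim on decode.
    static byte[] Pad(byte[] data, int block)
    {
        var padded = new byte[(data.Length + block - 1) / block * block];
        Array.Copy(data, padded, data.Length);
        return padded;
    }

    static IEnumerable<byte[]> Chunks(byte[] data, int block)
    {
        byte[] p = Pad(data, block);
        for (int i = 0; i < p.Length; i += block)
            yield return p.Skip(i).Take(block).ToArray();
    }

    static string Hex(byte[] b, int start, int len) => BitConverter.ToString(b, start, len).Replace("-", "").ToLowerInvariant();

    // 4 bytes per address, dotted decimal: the form RtlIpv4StringToAddressA parses back.
    public static List<string> ToIPv4(byte[] payload) =>
        Chunks(payload, 4).Select(c => $"{c[0]}.{c[1]}.{c[2]}.{c[3]}").ToList();

    // 6 bytes per address, "XX-XX-XX-XX-XX-XX": the form RtlEthernetStringToAddressA parses.
    public static List<string> ToMac(byte[] payload) =>
        Chunks(payload, 6).Select(c => BitConverter.ToString(c)).ToList();

    // 16 bytes per address, all eight groups written out so decoding is a plain hex split.
    public static List<string> ToIPv6(byte[] payload) =>
        Chunks(payload, 16).Select(c => string.Join(":", Enumerable.Range(0, 8).Select(g => Hex(c, 2 * g, 2)))).ToList();

    // 16 bytes per UUID. System.Guid's byte[] constructor uses the same in-memory layout
    // (little-endian Data1..Data3) that UuidFromStringA produces, so a loader that parses
    // these strings into a GUID array ends up with the original bytes in memory.
    public static List<string> ToUuid(byte[] payload) =>
        Chunks(payload, 16).Select(c => new Guid(c).ToString()).ToList();

    public static byte[] FromIPv4(IEnumerable<string> s) => s.SelectMany(x => x.Split('.').Select(byte.Parse)).ToArray();
    public static byte[] FromMac(IEnumerable<string> s) => s.SelectMany(x => x.Split('-').Select(h => Convert.ToByte(h, 16))).ToArray();
    public static byte[] FromIPv6(IEnumerable<string> s) =>
        s.SelectMany(x => { string h = x.Replace(":", ""); return Enumerable.Range(0, 16).Select(i => Convert.ToByte(h.Substring(2 * i, 2), 16)); }).ToArray();
    public static byte[] FromUuid(IEnumerable<string> s) => s.SelectMany(x => new Guid(x).ToByteArray()).ToArray();

    static void Main()
    {
        byte[] payload = Encoding.ASCII.GetBytes("constructed sample payload, not real shellcode");
        var ips = ToIPv4(payload);   Console.WriteLine(string.Join(", ", ips));
        var uuids = ToUuid(payload); Console.WriteLine(string.Join(", ", uuids));
        // Decode, then trim the zero padding using the known original length.
        Console.WriteLine("ipv4 round trip: " + FromIPv4(ips).Take(payload.Length).SequenceEqual(payload));
        Console.WriteLine("uuid round trip: " + FromUuid(uuids).Take(payload.Length).SequenceEqual(payload));
        Console.WriteLine("mac round trip:  " + FromMac(ToMac(payload)).Take(payload.Length).SequenceEqual(payload));
        Console.WriteLine("ipv6 round trip: " + FromIPv6(ToIPv6(payload)).Take(payload.Length).SequenceEqual(payload));
    }
}
```

The reason these particular string forms are useful is that a loader can turn them back into bytes with ordinary OS parsers (RtlIpv4StringToAddressA, RtlIpv6StringToAddressA, RtlEthernetStringToAddressA, UuidFromStringA), so the payload never has to exist as a byte array in the binary. The UUID case is the one people get wrong: UuidFromStringA writes Data1 to Data3 little-endian, which is why the example goes through System.Guid rather than hex-formatting the bytes directly. Note also that the zero padding shows up in memory after the payload, which is harmless for position-independent code but not for formats with trailing length checks.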
Dump the memory regions of a process that are readable (protection other than PAGE_NOACCESS) and committed (MEM_COMMIT state), using only native API calls.
Overwrite the “.text” section of ntdll.dll with the one from a clean copy of the DLL. This can help evade security products such as EDRs that rely on user-mode API hooks, since those hooks are placed inside that section.
Following the previous post where we used a shortcut in the Startup Folder to execute files with the hidden attribute, I did some tests using Alternate Data Streams to store all payloads inside a seemingly benign file.
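An added example of the storage side of that idea, not the post's code: a payload is written into an alternate data stream of a text file, the file's streams are enumerated the way `dir /r` would, and the payload is read back. CreateFileW is called directly because the "file.txt:stream" path form is rejected by older .NET Framework path checks; the file name, stream name and payload bytes are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

public static class AdsStore
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WIN32_FIND_STREAM_DATA
    {
        public long StreamSize;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)] public string cStreamName;   // MAX_PATH + 36
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr FindFirstStreamW(string lpFileName, int InfoLevel, out WIN32_FIND_STREAM_DATA lpFindStreamData, uint dwFlags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool FindNextStreamW(IntPtr hFindStream, out WIN32_FIND_STREAM_DATA lpFindStreamData);
    [DllImport("kernel32.dll")] static extern bool FindClose(IntPtr hFindFile);

    const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000, FILE_SHARE_READ = 1;
    const uint CREATE_ALWAYS = 2, OPEN_EXISTING = 3;
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    static FileStream OpenStream(string file, string stream, bool write)
    {
        SafeFileHandle h = CreateFileW($"{file}:{stream}", write ? GENERIC_WRITE : GENERIC_READ, FILE_SHARE_READ,
                                       IntPtr.Zero, write ? CREATE_ALWAYS : OPEN_EXISTING, 0, IntPtr.Zero);
        if (h.IsInvalid) throw new IOException($"CreateFileW({file}:{stream}) failed: {Marshal.GetLastWin32Error()}");
        return new FileStream(h, write ? FileAccess.Write : FileAccess.Read);
    }

    public static void WriteStream(string file, string stream, byte[] data)
    {
        using (var fs = OpenStream(file, stream, true)) fs.Write(data, 0, data.Length);
    }

    public static byte[] ReadStream(string file, string stream)
    {
        using (var fs = OpenStream(file, stream, false))
        using (var ms = new MemoryStream()) { fs.CopyTo(ms); return ms.ToArray(); }
    }

    // The same listing "dir /r" or Get-Item -Stream * produces; "::$DATA" is the ordinary content.
    public static List<(string name, long size)> ListStreams(string file)
    {
        var streams = new List<(string, long)>();
        IntPtr h = FindFirstStreamW(file, 0 /* FindStreamInfoStandard */, out var data, 0);
        if (h == INVALID_HANDLE_VALUE) throw new IOException("FindFirstStreamW failed: " + Marshal.GetLastWin32Error());
        try { do streams.Add((data.cStreamName, data.StreamSize)); while (FindNextStreamW(h, out data)); }
        finally { FindClose(h); }
        return streams;
    }

    static void Main()
    {
        string benign = Path.Combine(Path.GetTempPath(), "meeting-notes.txt");
        File.WriteAllText(benign, "Agenda: quarterly review, action items.\r\n");   // innocuous main stream
        byte[] payload = Encoding.ASCII.GetBytes("constructed sample payload, not real shellcode");
        WriteStream(benign, "payload.bin", payload);

        Console.WriteLine($"{benign}: {new FileInfo(benign).Length} bytes reported");   // ADS bytes are not counted here
        foreach (var (name, size) in ListStreams(benign)) Console.WriteLine($"  {name,-24} {size} bytes");
        Console.WriteLine("read back ok: " + ReadStream(benign, "payload.bin").SequenceEqual(payload));
    }
}
```

The reported file size and Explorer both ignore the extra stream, which is what makes the container look benign; the enumeration above is what does not. The same FindFirstStreamW loop run over the Startup folders is the check a defender wants for this persistence variant. Streams are an NTFS feature, so copying the file to FAT or exFAT media, or into most archive formats, silently drops them.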
Under normal conditions it is not possible to delete a binary on Windows while it is running. However, using Windows APIs and Alternate Data Streams, we will see that a binary can delete itself.
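The self-deletion described above, as an added example and not the post's own code: the running image's default data stream is renamed to an alternate stream with FileRenameInfo, that handle is closed, and a second handle sets FileDispositionInfo, after which the file is gone when the handle closes. The stream name ":ads_rename" is an arbitrary choice for the example, and the FILE_RENAME_INFO buffer is laid out by hand so it is right on both x86 and x64.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

public static class SelfDelete
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetFileInformationByHandle(SafeFileHandle hFile, int FileInformationClass, IntPtr lpFileInformation, uint dwBufferSize);

    const uint DELETE = 0x00010000, FILE_SHARE_READ = 1, OPEN_EXISTING = 3, FILE_ATTRIBUTE_NORMAL = 0x80;
    const int FileRenameInfo = 3, FileDispositionInfo = 4;   // FILE_INFO_BY_HANDLE_CLASS values

    // Fixed part of FILE_RENAME_INFO; the WCHAR FileName[] follows FileNameLength (offset differs on x86/x64).
    [StructLayout(LayoutKind.Sequential)]
    struct FILE_RENAME_INFO_HEADER { public uint ReplaceIfExists; public IntPtr RootDirectory; public uint FileNameLength; }
    [StructLayout(LayoutKind.Sequential)]
    struct FILE_DISPOSITION_INFO { public byte DeleteFile; }

    static SafeFileHandle OpenForDelete(string path)
    {
        var h = CreateFileW(path, DELETE, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero);
        if (h.IsInvalid) throw new IOException($"CreateFileW({path}) failed: {Marshal.GetLastWin32Error()}");
        return h;
    }

    static void SetInfo(SafeFileHandle h, int cls, IntPtr buf, int size)
    {
        if (!SetFileInformationByHandle(h, cls, buf, (uint)size))
            throw new IOException($"SetFileInformationByHandle({cls}) failed: {Marshal.GetLastWin32Error()}");
    }

    public static void DeleteRunningFile(string path)
    {
        // Step 1: rename the primary stream to an alternate stream. The file path itself does not change.
        byte[] name = Encoding.Unicode.GetBytes(":ads_rename");
        int nameOffset = (int)Marshal.OffsetOf<FILE_RENAME_INFO_HEADER>("FileNameLength") + 4;
        int size = nameOffset + name.Length + 2;   // plus the terminating WCHAR
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            for (int i = 0; i < size; i++) Marshal.WriteByte(buf, i, 0);
            Marshal.StructureToPtr(new FILE_RENAME_INFO_HEADER { FileNameLength = (uint)name.Length }, buf, false);
            // Written after the header so the struct's trailing padding cannot clobber the name.
            Marshal.Copy(name, 0, IntPtr.Add(buf, nameOffset), name.Length);
            using (var h = OpenForDelete(path)) SetInfo(h, FileRenameInfo, buf, size);
        }
        finally { Marshal.FreeHGlobal(buf); }

        // Step 2: reopen the same path and mark it for deletion; it is unlinked when this handle closes.
        IntPtr dbuf = Marshal.AllocHGlobal(Marshal.SizeOf<FILE_DISPOSITION_INFO>());
        try
        {
            Marshal.StructureToPtr(new FILE_DISPOSITION_INFO { DeleteFile = 1 }, dbuf, false);
            using (var h = OpenForDelete(path)) SetInfo(h, FileDispositionInfo, dbuf, Marshal.SizeOf<FILE_DISPOSITION_INFO>());
        }
        finally { Marshal.FreeHGlobal(dbuf); }
    }

    static void Main(string[] args)
    {
        // Build as an .exe and run it directly; under "dotnet app.dll" MainModule would be dotnet.exe.
        string target = args.Length > 0 ? args[0] : Process.GetCurrentProcess().MainModule.FileName;
        Console.WriteLine($"before: exists={File.Exists(target)}");
        DeleteRunningFile(target);
        Console.WriteLine($"after:  exists={File.Exists(target)}");
    }
}
```

The process keeps running after its file is gone because the image section already mapped stays valid; only the directory entry is removed. DELETE access on the file is required, so this works for binaries the current user owns or can modify, not for something dropped in a protected directory. The behaviour is a property of the NTFS driver and has varied between Windows builds, so verify it on the target build rather than assuming.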
One of the simplest persistence methods when you only have access as a non-administrative user is the Startup folder. However, it is not so easy to go completely unnoticed by the legitimate user.