SharpObfuscate - Payload obfuscation in C#
SharpObfuscate transforms a payload into a list of IPv4, IPv6, MAC or UUID strings. It takes the bytes from a hexadecimal string, a file in the system, a file downloaded from a URL or an ordinary string.
Ethical hacker | OSCE(3) CRTM CRTL GXPN GRTP GCIH
Dump memory regions of a process which are readable (no PAGE_NOACCESS protection) and are committed (MEM_COMMIT state) using only native API calls.
Overwrite ntdll.dll’s “.text” section using a clean version of the DLL. It can help to evade security measures that install API hooks such as EDRs.
Following the previous post where we used a shortcut in the Startup Folder to execute files with the hidden attribute, I did some tests using Alternate Data Streams to store all payloads inside a seemingly benign file.
Under normal conditions it is not possible to delete a binary on Windows while it is running. However, using WinAPIs and Alternate Data Streams we will see that a binary can delete itself.
One of the simplest persistence methods when you have access as a non-administrative user is using the Startup folder. However, it is not so easy to go completely unnoticed by the legitimate user.
Notes and custom scripts for DNS exfiltration using DigitalOcean and GoDaddy. This project is a complement to SharpCovertTube; it covers how to receive and decode the DNS-exfiltrated data.