Repository to gather the .NET malware I will be developing

ricardojoserf/SharpNado

SharpNado

Repository linking to the tools and implementations related to the malware I will be writing in C#:

  • FakeRebootAlert: Simple Windows Forms app to deceive users into rebooting the system upon login

  • GetModuleHandle: GetModuleHandle implementation in C# using only NtQueryInformationProcess, walking the PEB of 32-bit or 64-bit processes

  • GetModuleHandleRemote: GetModuleHandle implementation in C# for remote processes using only NTAPIs

  • GetProcAddress: GetProcAddress implementation in C# using only NtReadVirtualMemory, walking the PEB of 32-bit or 64-bit processes

  • GetProcessByName: Find processes by name using NtGetNextProcess and GetProcessImageFileName calls

  • GuardPagesHooking: C# implementation of guard-page API hooking (also known as VEH hooking)

  • Jeringuilla: Process injection framework in C#. It resolves functions dynamically through delegates and AES-encrypts strings and payloads

  • Lsass-dump-csharp: Custom lsass.exe dump in C# using XOR encoding, dynamic function resolution and NTAPIs

  • MinidumpParser: C# program to parse Microsoft Minidump files

  • NativeBypassCredGuard: Bypass Credential Guard by patching WDigest.dll using only NTAPI functions

  • NativeDump: Dump lsass using only NTAPIs by hand-crafting Minidump files (without MinidumpWriteDump)

  • Non-ms-binaries: Code snippet to create a process with the "PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON" flag

  • P-Invoke.net: P/Invoke definitions from the now-offline pinvoke.net (website: https://www.p-invoke.net/)

  • SharpADS: Read, write and delete Alternate Data Streams (ADS) on NTFS, to hide malicious payloads

  • SharpCovertTube: YouTube as a covert channel: control Windows systems remotely and execute commands by uploading videos to YouTube

  • SharpEA: Read, write and delete Extended Attributes (EAs) on NTFS, to hide malicious payloads

  • SharpObfuscate: Obfuscate payloads using IPv4, IPv6, MAC or UUID strings

  • SharpNtdllOverwrite: Overwrite the ".text" section of ntdll.dll to bypass user-mode API hooking, taking the clean copy of ntdll.dll from disk, the \KnownDlls object directory, a debugged process or a URL

  • SharpProcessDump: Dump memory regions of a process using only native API calls (NtQueryVirtualMemory and NtReadVirtualMemory)

  • SharpSelfDelete: PoC for a self-deleting binary in C#: the process keeps running while its .exe file is removed from disk

  • StealthyEnv: Stealthier alternative to whoami.exe in C#; it reads environment variables from the PEB's ProcessParameters (PRTL_USER_PROCESS_PARAMETERS)

  • TrickDump: Dump lsass using only NTAPIs; three programs produce 3 JSON files and 1 ZIP file, and the Minidump is generated later from them

  • WhoamiAlternatives: Different methods to get the current username without running whoami, based on vx-underground posts
