Tool to create hidden registry keys.
Latest commit 9a4bca0 Oct 23, 2019


Just a nice persistence trick to confuse DFIR investigations. It uses the NtSetValueKey native API to create a hidden (null-terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key value name.

More info about this technique can be found in the following whitepaper:

The tool creates the hidden run key in the following registry path: (HKCU if user, else HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
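For defenders, the following added example (not part of SharpHide or the original README) shows how to spot such a value when enumerating a Run key through the native API: it parses KEY_VALUE_BASIC_INFORMATION buffers of the kind NtEnumerateValueKey returns and flags any name whose counted UTF-16 form contains a null. The function names and the sample value names are constructed for illustration, and the buffers are built inline so the check runs offline.

```python
import struct

REG_SZ = 1  # registry type for a string value

def pack_basic_info(name: str, reg_type: int = REG_SZ) -> bytes:
    """Build a KEY_VALUE_BASIC_INFORMATION buffer (constructed sample input)."""
    raw = name.encode("utf-16-le")
    # Layout: ULONG TitleIndex, ULONG Type, ULONG NameLength (bytes), WCHAR Name[]
    return struct.pack("<III", 0, reg_type, len(raw)) + raw

def parse_basic_info(buf: bytes) -> str:
    """Return the counted value name: NameLength bytes of UTF-16LE, nulls kept."""
    _title_index, _type, name_len = struct.unpack_from("<III", buf, 0)
    if name_len % 2 or 12 + name_len > len(buf):
        raise ValueError("truncated or malformed KEY_VALUE_BASIC_INFORMATION")
    return buf[12:12 + name_len].decode("utf-16-le")

def win32_view(name: str) -> str:
    """What code that treats the name as a null-terminated string sees."""
    return name.split("\x00", 1)[0]

def audit_run_key(buffers):
    """Flag names whose counted form differs from the null-terminated form."""
    findings = []
    for buf in buffers:
        name = parse_basic_info(buf)
        if "\x00" in name:
            findings.append({
                "counted_name": name,
                "win32_name": win32_view(name),
                "leading_null": name.startswith("\x00"),
            })
    return findings

# Constructed sample: two ordinary Run values and one name starting with U+0000.
SAMPLE = [
    pack_basic_info("OneDrive"),
    pack_basic_info("\x00Updater"),
    pack_basic_info("SecurityHealth"),
]

if __name__ == "__main__":
    for f in audit_run_key(SAMPLE):
        print(f"suspicious value name {f['counted_name']!r} "
              f"(null-terminated view: {f['win32_name']!r})")
```

A name that collapses to an empty string in the null-terminated view is the case described above; any embedded null in a Run value name is worth investigating.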


To create a hidden registry (Run) key:

SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe" 

To create a hidden registry (Run) key with parameters:

SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe" arguments="arg1 arg2"

To delete the hidden registry (Run) key:

SharpHide.exe action=delete

This tool also works with Cobalt Strike's execute-assembly.


Author: Cornelis de Plaa (@Cneelis) / Outflank
