Tool to create hidden registry keys.
C#
Latest commit 9a4bca0 Oct 23, 2019
Type Name Latest commit message Commit time
SharpHide Parameter Bugfix Oct 23, 2019
.gitattributes Initial commit Oct 20, 2019
README.md Fix Arguments Oct 22, 2019
SharpHide.sln First commit Oct 20, 2019


SharpHide

Just a nice persistence trick to confuse DFIR investigations. It uses the NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key value name.

More info about this technique can be found in the following whitepaper: https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf

The tool creates the hidden run key in the following registry path: (HKCU if user, else HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
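For the investigating side, the following added example (not part of SharpHide or the whitepaper) reads the Run keys through the native NtEnumerateValueKey call, which returns value names as counted strings, and flags any name containing a null character, a slightly broader check than the leading null described above. The helper names and the sample records are constructed for illustration; the live scan assumes a Windows host with Python's winreg and ctypes modules.

```python
import struct
import sys

RUN_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
STATUS_NO_MORE_ENTRIES = 0x8000001A
KEY_VALUE_BASIC_INFORMATION = 0  # KeyValueBasicInformation class

def parse_basic_info(buf):
    """Decode KEY_VALUE_BASIC_INFORMATION: TitleIndex, Type, NameLength, Name."""
    _title, _vtype, name_len = struct.unpack_from("<III", buf, 0)
    # Name is a counted UTF-16LE string, so embedded NULs survive decoding.
    return buf[12:12 + name_len].decode("utf-16-le", errors="replace")

def hidden_names(buffers):
    """Return value names containing U+0000, shown with the NUL escaped."""
    names = (parse_basic_info(b) for b in buffers)
    return [n.replace("\x00", "\\0") for n in names if "\x00" in n]

def enum_native(hkey):
    """Yield raw value records of an open winreg key via ntdll (Windows only)."""
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    buf = ctypes.create_string_buffer(0x10000)
    got = ctypes.c_ulong()
    index = 0
    while True:
        status = ntdll.NtEnumerateValueKey(
            ctypes.c_void_p(hkey.handle), index, KEY_VALUE_BASIC_INFORMATION,
            buf, len(buf), ctypes.byref(got)) & 0xFFFFFFFF
        if status == STATUS_NO_MORE_ENTRIES:
            return
        if status != 0:
            raise OSError(f"NtEnumerateValueKey failed: 0x{status:08X}")
        yield buf.raw[:got.value]
        index += 1

def _record(name):  # hypothetical helper: builds a constructed sample record
    raw = name.encode("utf-16-le")
    return struct.pack("<III", 0, 1, len(raw)) + raw

# Constructed sample data, not captured from a real system.
SAMPLES = [_record("OneDrive"), _record("\x00Updater")]

if __name__ == "__main__":
    print("sample:", hidden_names(SAMPLES))
    if sys.platform == "win32":
        import winreg
        roots = ((winreg.HKEY_CURRENT_USER, "HKCU"),
                 (winreg.HKEY_LOCAL_MACHINE, "HKLM"))
        for root, label in roots:
            with winreg.OpenKey(root, RUN_PATH) as key:
                print(label, hidden_names(enum_native(key)))
```
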

Usage

To create a hidden registry (Run) key:

SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe" 

To create a hidden registry (Run) key with parameters:

SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe" arguments="arg1 arg2"

To delete the hidden registry (Run) key:

SharpHide.exe action=delete

This tool also works with Cobalt Strike's execute-assembly.

Credits

Author: Cornelis de Plaa (@Cneelis) / Outflank
