  • Stars: 181
  • Rank: 211,083 (Top 5 %)
  • Language: C#
  • Created over 3 years ago
  • Updated over 3 years ago

Repository Details

SharpHandler

The tool is now live, but still in beta. I would not recommend using this in opsec-heavy engagements for now :P You'll look like a fool if this tool flunks and you burn your opsec ;)

Inspired by this blogpost from @skelsec.
For an in-depth explanation of what this project is, please read Skelsec's excellent post! :)
This code has been made possible due to:

They are the real MVPs here :)

This project reuses handles to lsass that other processes already hold open, and uses them to parse or minidump lsass; therefore you don't need to use your own lsass handle to interact with it.

Compile instructions

As I've been asked this question a lot, here is a mini tutorial on how to compile this project :)

  • In Visual Studio, right-click the Solution in Solution Explorer and click Restore NuGet Packages.
  • Change Any CPU to x64: click the dropdown arrow next to Any CPU and open Configuration Manager. In the window that pops up, click the dropdown under Platform, select New, then select x64.

IMPORTANT for D/Invoke!!!
For the D/Invoke version of SharpHandler you will need to turn "Optimize code" OFF. You can do this by right-clicking SharpHandler -> Properties -> Build -> uncheck Optimize code. If you don't do this, the program WILL crash.

Caveats

Small caveat: you still have to open a handle to LSASS yourself in order to duplicate the existing handle, but the access level required for that is lower than what you need to parse or dump lsass. You can skip over lsass with the --skip-lsass option in the D/Invoke edition; in the P/Invoke edition you still need to make that change yourself.

Bigger caveat: only x64 is supported (for now).

Defences

  • This project will open a handle to every single userland process that is running. This is due to the inherent nature of how handle duplication works: you can only figure out the type and access of a handle programmatically once you've obtained the handle. This should already be a major IoC.

  • This project uses SharpDump and SharpKatz under the hood, so any IoC of those projects is automatically an IoC for this project as well. Yay, IoC inheritance!
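As an added illustration of how a defender would hunt for the two indicators above (example code written for this page, not code from SharpHandler or its author): a small Python detector run over constructed Sysmon Event ID 10 (ProcessAccess) records. It flags a source process that opens handles to many distinct processes inside a short window, and any process that opens lsass.exe with PROCESS_DUP_HANDLE (0x0040), the right DuplicateHandle requires on the process that owns the handle. Field names follow Sysmon's EID 10 schema; the records, image paths and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Access right DuplicateHandle needs on the process that owns the source handle.
PROCESS_DUP_HANDLE = 0x0040

def parse_time(s):
    # Sysmon writes UtcTime as "YYYY-MM-DD HH:MM:SS.mmm".
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def find_handle_sweeps(events, min_targets=20, window=timedelta(seconds=5)):
    """Source images that opened handles to at least min_targets distinct
    processes inside one window: the 'handle to every process' indicator."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["SourceImage"]].append((parse_time(e["UtcTime"]), e["TargetImage"]))
    flagged = {}
    for src, hits in by_source.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide a window over the sorted accesses
            targets = {img for t, img in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged

def find_lsass_dup_access(events):
    """Source images that opened lsass.exe with PROCESS_DUP_HANDLE, the
    reduced-rights LSASS handle the caveat above describes."""
    hits = set()
    for e in events:
        if (e["TargetImage"].lower().endswith("\\lsass.exe")
                and int(e["GrantedAccess"], 16) & PROCESS_DUP_HANDLE):
            hits.add(e["SourceImage"])
    return sorted(hits)

def constructed_sample():
    """Constructed records (not real telemetry): one tool sweeping 25 processes in
    two seconds and touching lsass with 0x40, plus a benign svchost query of lsass."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    tool = "C:\\Users\\bob\\handletool.exe"  # hypothetical path
    def rec(ms, src, target, access):
        stamp = (base + timedelta(milliseconds=ms)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
        return {"UtcTime": stamp, "SourceImage": src, "TargetImage": target, "GrantedAccess": access}
    events = [rec(80 * n, tool, f"C:\\Windows\\System32\\proc{n}.exe", "0x1400") for n in range(25)]
    events.append(rec(1500, tool, "C:\\Windows\\System32\\lsass.exe", "0x1040"))
    events.append(rec(9000, "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\lsass.exe", "0x1000"))
    return events

if __name__ == "__main__":
    sample = constructed_sample()
    print("handle sweeps:", find_handle_sweeps(sample))
    print("lsass PROCESS_DUP_HANDLE:", find_lsass_dup_access(sample))
```

The sweep threshold and window are starting points; tune them against your own baseline of backup agents, AV and monitoring tools that legitimately enumerate processes.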

   _____ __                     __  __                ____
  / ___// /_  ____ __________  / / / /___ _____  ____/ / /__  _____
  \__ \/ __ \/ __ `/ ___/ __ \/ /_/ / __ `/ __ \/ __  / / _ \/ ___/
 ___/ / / / / /_/ / /  / /_/ / __  / /_/ / / / / /_/ / /  __/ /
/____/_/ /_/\__,_/_/  / .___/_/ /_/\__,_/_/ /_/\__,_/_/\___/_/
                     /_/

Duplicating handles to dump LSASS since 2021, inspired by @Skelsec
developed by @Jean_Maes_1994


 Usage:
  -h, -?, --help             Show Help


  -s, --scan                 Checks if there are dupeable handles to use
  -p, --process=VALUE        the process that you want to use to interact
                               with lsass (has to have a handle to lsass)
  -w, --write                Writes a minidump to location specified with -l
                               thx to sharpdump
  -c, --compress             compressess the minidump and deletes the normal
                               dump from disk (gzip format)
  -l, --location=VALUE       the location to write the minidumpfile to
  -i, --interactive          interactive mode (this mode cannot be used with
                               execute-assembly)
  -d, --dump, --logonpasswords
                             uses sharpkatz (only supports x64 architecture)
                               functionality to live parse lsass (equivalent of
                               logonpasswords)
                               

More Repositories

  1. LazySign (PowerShell, 542 stars): Create fake certs for binaries using windows binaries and the power of bat files
  2. SharpZipRunner (C#, 301 stars): Executes position independent shellcode from an encrypted zip
  3. Invoke-DLLClone (PowerShell, 200 stars): Koppeling x Metatwin x LazySign
  4. AmsiHooker (C#, 167 stars): Hookers are cooler than patches.
  5. GG-AESY (C#, 146 stars): Hide cool stuff in images :)
  6. TrustJack (C#, 142 stars): Yet another PoC for https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
  7. SharpNukeEventLog (C#, 115 stars): nuke that event log using some epic dinvoke fu
  8. SharpLNKGen-UI (C#, 97 stars): UI for creating LNKs
  9. SharpRDPDump (C#, 87 stars): Create a minidump of TermService for clear text pw extraction
  10. Backdoorplz (C++, 79 stars): adding a backdoor user using win32api
  11. Red-EC2 (58 stars): Spin up RedTeam infrastructure on AWS via Ansible
  12. DeepSleep (C, 57 stars): all credits go to @mgeeky
  13. CSharpReflectionWorkshop (C#, 37 stars): The repository that complements the "From zero to hero: creating a reflective loader in C#" workshop
  14. Clippi-B (C#, 34 stars)
  15. FunWithServerless (Python, 23 stars)
  16. Emulation-Workshop (C#, 23 stars): The repository accompanying the Buer Emulation workshop
  17. Ansible-EmpireSuite (23 stars): ansible roles to download and install empire (BC-Security), deathstar (byt3bl33der) and starkiller (BC-Security)
  18. CMDLL (C++, 22 stars): the most basic DLL ever to pop a cmd.
  19. talks-cons (C#, 17 stars): aggregated repo for all conferences and talks I am giving
  20. Ansible-Cobalt-Strike (17 stars): An Ansible role to install cobalt-strike
  21. Red-Route53-Interactive (13 stars)
  22. SharpXOR (C#, 12 stars): XOR crypt/decrypt using C#
  23. blogposts-talks-and-tidbits (C, 12 stars): all random stuff that doesn't warrant a separate repo
  24. Parsers (Python, 12 stars): parsers to make life easier
  25. DRegHide (C#, 8 stars): fun stuff with null bytes and dinvoke
  26. sharpbysentinel (C#, 7 stars): lol firewall
  27. impacket-nomulti-adcs-shadowcreds (Python, 7 stars): in case clients are annoying with enforcing signing :)
  28. SEC565-Tools (PowerShell, 5 stars)
  29. NerveGas (C#, 4 stars): messing around with ETW in C#
  30. x33fcon-workshop (PowerShell, 3 stars)
  31. RegFetch (C++, 2 stars): Interfaces with winsockets to fetch a txt file, parses the file and changes the registry accordingly
  32. BeFree (PowerShell, 2 stars): get rid of pesky registry restrictions.
  33. Get-ServiceACL (PowerShell, 1 star): courtesy of a gist I found on github