Data

Tools

Indexes

Applications

Experiments

Open Source Science

https://github.com/byt3n33dl3/gxc-bloodhuntr

Veins and Blood hunting knife collections for Active Directory Execution process.

https://github.com/byt3n33dl3/gxc-bloodhuntr

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (7.4%) to scientific vocabulary

Keywords

active-directory bloodhound cybersecurity dll-injection hash offensive
Last synced: 5 months ago · JSON representation

Repository

Veins and Blood hunting knife collections for Active Directory Execution process.

Basic Info
  • Host: GitHub
  • Owner: byt3n33dl3
  • License: lgpl-2.1
  • Language: C#
  • Default Branch: main
  • Homepage:
  • Size: 3.96 MB
Statistics
  • Stars: 2
  • Watchers: 1
  • Forks: 0
  • Open Issues: 0
  • Releases: 1
Topics
active-directory bloodhound cybersecurity dll-injection hash offensive
Created 11 months ago · Last pushed 11 months ago
Metadata Files
Readme Funding License

README.md

BloodHuntr

Veins and Blood hunting knife for Active Directory Execution process.

Projects of

  • BlockingDLL: This toolset is for testing blocking DLL process. See README.md.
  • CloneProcess ./CloneProcess :nThis directory is for process forking and reflection. See README.md.
  • CommandLineSpoofing ./CommandLineSpoofing : This PoC performs Command Line Spoofing. This technique may not work for Windows 11.
  • DarkLoadLibrary ./DarkLoadLibrary : PoCs in this directory are for testing Dark Load Library. See README.md
  • GhostlyHollowing ./GhostlyHollowing : This PoC performs Ghostly Hollowing.
  • Misc ./Misc : This directory is for helper tools to development PoCs in this repository.
  • PhantomDllHollower ./PhantomDllHollower : This PoC performs Phantom DLL Hollowing. See README.md.
  • PPIDSpoofing ./PPIDSpoofing : This PoC performs PPID Spoofing.
  • ProcessDoppelgaenging ./ProcessDoppelgaenging : This PoC performs Process Doppelgänging. Due to kernel protection improvement for Microsoft Defender, this technique does not work for recent Windows OS (since about 2021, maybe). So if you want to test this technique in newer environment, must be stop Microsoft the Windows Defender Antivirus Service. See the issue
  • ProcessGhosting ./ProcessGhosting : This PoC performs Process Ghosting. Due to kernel protection, this technique does not work for newer Windows from 22H2.
  • ProcessHerpaderping : This PoC performs Process Herpaderping. Due to file lock issue, if you choose a fake image file smaller than you want to execute, file size shrinking will be failed and corrupt file signature for herpaderping process. To take full advantage of this technique, fake image file size should be larger than you want to execute. Due to kernel protection, this technique does not work for newer Windows from 22H2.
  • ProcessHollowing : This PoC performs Process Hollowing. Unlike the original, the PE image is parsed into a new memory area instead of using ZwUnmapViewOfSection or NtUnmapViewOfSection.
  • ProcMemScan : This is a diagnostic tool to investigate remote process. See README.md.
  • ProtectedProcess : This toolset is for testing Protected Process. See README.md.
  • ReflectiveDLLInjection : This toolset is for testing Reflective DLL Injection. See README.md.
  • sRDI : This directory is for tool to sRDI (Shellcode Reflective DLL Injection). See README.md.
  • TransactedHollowing : This PoC performs Transacted Hollowing.
  • WmiSpawn : This PoC tries to spawn process with WMI. The processes will be spawn as child processes of WmiPrvSE.exe. Supports local machine process execution and remote machine process execution. The usage can see README.md.

Reference

Blocking DLL

Command Line Spoofing

Process Herpaderping

  • Process Herpaderping
  • Process Herpaderping (Mitre:T1055)

Process Hollowing - Process Injection: Process Hollowing - Process Hollowing and Portable Executable Relocations

Ghostly Hollowing and Transacted Hollowing

Protected Process

Acknowledgments

Thanks for your research:

Owner

  • Name: Sulaiman
  • Login: byt3n33dl3
  • Kind: user
  • Location: Error 403: Not on earth

I N F R A X 8 6

GitHub Events

Total
  • Watch event: 1
  • Public event: 1
Last Year
  • Watch event: 1
  • Public event: 1

Committers

Last synced: 8 months ago

All Time
  • Total Commits: 8
  • Total Committers: 1
  • Avg Commits per committer: 8.0
  • Development Distribution Score (DDS): 0.0
Past Year
  • Commits: 8
  • Committers: 1
  • Avg Commits per committer: 8.0
  • Development Distribution Score (DDS): 0.0
Top Committers
Name Email Commits
Sulaiman s****9@g****m 8

Issues and Pull Requests

Last synced: 8 months ago

All Time
  • Total issues: 0
  • Total pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Total issue authors: 0
  • Total pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
View more stats
Top Authors
Issue Authors
Pull Request Authors
Top Labels
Issue Labels
Pull Request Labels

Dependencies

BlockingDLL/BlockingDLLProcessSpawn/BlockingDLLProcessSpawn.csproj nuget
BlockingDLL/DLLInjector/DLLInjector.csproj nuget
BlockingDLL/RemoteCodeInjector/RemoteCodeInjector.csproj nuget
BlockingDLL/SelfDefend/SelfDefend.csproj nuget
CloneProcess/RemoteForking/RemoteForking.csproj nuget
CloneProcess/SnapshotDump/SnapshotDump.csproj nuget
CommandLineSpoofing/CommandLineSpoofing/CommandLineSpoofing.csproj nuget
DarkLoadLibrary/DarkLibraryLoader/DarkLibraryLoader.csproj nuget
GhostlyHollowing/GhostlyHollowing/GhostlyHollowing.csproj nuget
Misc/CalcRor13Hash/CalcRor13Hash/CalcRor13Hash.csproj nuget
Misc/EaDumper/EaDumper/EaDumper.csproj nuget
Misc/HandleScanner/HandleScanner/HandleScanner.csproj nuget
Misc/HashResolveTester/HashResolveTester/HashResolveTester.csproj nuget
Misc/PeRipper/PeRipper/PeRipper.csproj nuget
Misc/ProcAccessCheck/ProcAccessCheck/ProcAccessCheck.csproj nuget
PPIDSpoofing/PPIDSpoofing/PPIDSpoofing.csproj nuget
PhantomDllHollower/PhantomDllHollower/PhantomDllHollower.csproj nuget
ProcMemScan/ProcMemScan/ProcMemScan.csproj nuget
ProcessDoppelgaenging/ProcessDoppelgaenging/ProcessDoppelgaenging.csproj nuget
ProcessGhosting/ProcessGhosting/ProcessGhosting.csproj nuget
ProcessHerpaderping/ProcessHerpaderping/ProcessHerpaderping.csproj nuget
ProcessHollowing/ProcessHollowing/ProcessHollowing.csproj nuget
ProtectedProcess/SdDumper/SdDumper/SdDumper.csproj nuget
ReflectiveDLLInjection/ReflectiveInjector/ReflectiveInjector.csproj nuget
TransactedHollowing/TransactedHollowing/TransactedHollowing.csproj nuget
WmiSpawn/WmiSpawn/WmiSpawn.csproj nuget
sRDI/ShellcodeReflectiveInjector/ShellcodeReflectiveInjector.csproj nuget