SharpHide is just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key valuename. The tool uses the following registry path in which it creates the hidden run key: (HKCU if user, …
Continue reading “SharpHide : Tool To Create Hidden Registry Keys”