Kara-4search/BypassAMSI_CSharp
BypassAMSI_CSharp

Blog link: none

  • Bypasses AMSI by patching amsi.dll in memory ("patch memory").

  • Tested on x64/x86.

  • Steps

    1. Locate the base address of amsi.dll.
    2. Find DllCanUnloadNow relative to that base address.
    3. Use an egg hunt from there to find the function that needs to be patched.
    4. Patch it with the byte[] patch64/patch86.
  • You may need to modify the code to make sure it gets past the EDR/AVs.

  • I only tested it on Windows Defender; it works fine.
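The steps above change the first bytes of a function inside a running process, while the amsi.dll file on disk stays untouched. That gap between the two copies is what a defender can look for. The following check is an added example written for this page; it is not code from the BypassAMSI_CSharp project, and the function names rva_to_file_offset, diff_bytes and check_export_integrity are my own. It parses the PE section table to map the function's RVA to a file offset, then compares the in-memory prologue with the on-disk bytes.

```python
"""Defender-side integrity check for in-memory patches of an exported function.

Added example, not part of the BypassAMSI_CSharp repository. A "patch memory"
bypass rewrites the first bytes of a function such as amsi.dll!AmsiScanBuffer
in a process, but the amsi.dll file on disk is unchanged, so the two copies can
be compared byte for byte.
"""
import struct
import sys


def rva_to_file_offset(pe: bytes, rva: int) -> int:
    """Map a relative virtual address to a file offset via the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                     # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    sec_table = file_hdr + 20 + opt_hdr_size    # IMAGE_SECTION_HEADER entries, 40 bytes each
    for i in range(num_sections):
        hdr = sec_table + i * 40
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData follow the 8-byte name
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def diff_bytes(in_memory: bytes, on_disk: bytes) -> list:
    """Return (offset, disk_byte, memory_byte) for every byte that differs."""
    return [(i, d, m) for i, (m, d) in enumerate(zip(in_memory, on_disk)) if m != d]


def check_export_integrity(dll_name: str, export: str, length: int = 32) -> list:
    """Windows only: compare the first `length` bytes of dll_name!export as loaded
    in this process against the same bytes in the module's file on disk."""
    if sys.platform != "win32":
        raise RuntimeError("this check reads live process memory and needs Windows")
    import ctypes
    import ctypes.wintypes as wt

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.argtypes = [wt.LPCWSTR]
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetModuleFileNameW.argtypes = [ctypes.c_void_p, wt.LPWSTR, wt.DWORD]
    k32.GetModuleFileNameW.restype = wt.DWORD

    base = k32.LoadLibraryW(dll_name)
    if not base:
        raise ctypes.WinError(ctypes.get_last_error())
    func = k32.GetProcAddress(base, export.encode("ascii"))
    if not func:
        raise ctypes.WinError(ctypes.get_last_error())
    in_memory = ctypes.string_at(func, length)       # bytes currently mapped in this process

    path = ctypes.create_unicode_buffer(260)
    if not k32.GetModuleFileNameW(base, path, 260):
        raise ctypes.WinError(ctypes.get_last_error())
    with open(path.value, "rb") as f:
        pe = f.read()
    offset = rva_to_file_offset(pe, func - base)     # func - base is the export's RVA
    return diff_bytes(in_memory, pe[offset:offset + length])


if __name__ == "__main__":
    # Constructed demo with no live process: a 3-byte "function" whose middle byte
    # was overwritten in memory while the disk copy is unchanged.
    print(diff_bytes(b"\x01\x02\x03", b"\x01\xff\x03"))   # [(1, 255, 2)]
    if sys.platform == "win32":
        changed = check_export_integrity("amsi.dll", "AmsiScanBuffer")
        print("AmsiScanBuffer patched" if changed else "AmsiScanBuffer intact", changed)
```

Two caveats for anyone using this as a detection: it only inspects the checker's own process (another process needs ReadProcessMemory and the same mapping logic), and on x86 the .text section contains absolute addresses that the loader relocates, so a disk-versus-memory diff can report legitimate relocation fixups as differences; restrict the comparison to the function's first instructions or mask out entries from the .reloc section before treating a mismatch as a patch.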

Usage

  1. Launch through a white-listed application.
  • [Screenshot: without bypassing AMSI]
  • [Screenshot: with bypassing AMSI]

TO-DO list

  • There are other bypass methods as well; I may update the project with them.
  • Obfuscate the code.

Reference link:

None :)
Just Google it; there are too many documents about bypassing AMSI :)