Blog link: none
-
Bypassing AMSI via "patch memory".
-
Tested on x64/x86.
-
Steps
- Locate amsi.dll's address.
- finding the "DllCanUnloadNow" base on the address
- Using egg hunt to find the function we need to patch.
- Patch it with the byte[] "patch64/patch86".
-
You may need modify the code, make sure the code could by the EDR/AVs
-
I only tested on windows defender,works fine.
- Launch through a white-list application
- Without bypassing AMSI
- With Bypassing AMSI
- There are indeed other methods to bypass, I may gonna update about that.
- Obfuscated the code.
None :)
Just Google it, too many documents about bypassing AMSI :)