Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/chainski/lifetime-amsi-etwpatch

Loads a C# binary in memory within powershell profile, patching AMSI + ETW.
https://github.com/chainski/lifetime-amsi-etwpatch

amsi-bypass amsi-evasion amsi-patch etw etw-bypass etw-evasion fud nim offensive-security offensivenim pentesting-tools powershell red-teaming

Last synced: about 1 month ago
JSON representation

Loads a C# binary in memory within powershell profile, patching AMSI + ETW.

Host: GitHub
URL: https://github.com/chainski/lifetime-amsi-etwpatch
Owner: Chainski
License: gpl-3.0
Created: 2024-06-27T14:43:11.000Z (8 months ago)
Default Branch: main
Last Pushed: 2024-06-27T19:06:24.000Z (8 months ago)
Last Synced: 2024-11-10T11:03:46.314Z (3 months ago)
Topics: amsi-bypass, amsi-evasion, amsi-patch, etw, etw-bypass, etw-evasion, fud, nim, offensive-security, offensivenim, pentesting-tools, powershell, red-teaming
Language: Nim
Homepage: https://github.com/Chainski/Lifetime-Amsi-EtwPatch
Size: 24.4 KB
Stars: 4
Watchers: 0
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

Lifetime AMSI+ETW Patch

This nim program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface) protections.

### Overview
The program modifies the PowerShell profile (`Microsoft.PowerShell_profile.ps1`) to apply two patches:

1. **AMSI Patch**: Disables AMSI by modifying the `AmsiScanBuffer` function, ```{ 0x31, 0xC0, 0xC3 }```.
2. **ETW Patch**: Modifies the `EtwEventWrite` function in `ntdll.dll` to prevent event tracing, ```{ 0xC3 }```.
3. Sets File attributes Hidden and System to : `Microsoft.PowerShell_profile.ps1`.

### Before
![before](https://github.com/Chainski/Lifetime-Amsi-EtwPatch/assets/96607632/0de546cf-5f0a-46a0-b7f8-25fd07d688a8)

### After
![after](https://github.com/Chainski/Lifetime-Amsi-EtwPatch/assets/96607632/7ce8fe7a-4cf0-4dc1-948b-e60133bc250f)

**Effect: Once applied, PowerShell sessions initiated afterward will have AMSI and ETW bypassed.**

### Can this be removed ?

Run the powershell command below as admin to remove it

```ps1
$file = "$env:userprofile\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"
if (Test-Path $file) { Remove-Item $file -Force }
```

### Disclaimer
I, the creator, am not responsible for any actions, and or damages, caused by this software. You bear the full responsibility of your actions and acknowledge that this tool was created for educational purposes only. This tool's main purpose is NOT to be used maliciously, or on any system that you do not own, or have the right to use. By using this software, you automatically agree to the above.

### Credits
- https://github.com/EvilBytecode