Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/evilbytecode/lifetime-amsi-etwpatch
Two in one, patch lifetime powershell console, no more etw and amsi!
- Host: GitHub
- URL: https://github.com/evilbytecode/lifetime-amsi-etwpatch
- Owner: EvilBytecode
- Created: 2024-06-22T13:28:20.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2024-06-27T06:43:25.000Z (6 months ago)
- Last Synced: 2024-12-23T02:17:09.669Z (11 days ago)
- Topics: amsi, amsi-bypass, amsi-evasion, amsi-patch, etw, etw-bypass, etw-evasion, fud, pentesting, red-teaming
- Language: Go
- Homepage:
- Size: 7.81 KB
- Stars: 83
- Watchers: 1
- Forks: 14
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
This Go program applies a persistent ("lifetime") patch to PowerShell that disables ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface) in every session that loads the user's profile.
### INFO
The program writes to the PowerShell profile (`Microsoft.PowerShell_profile.ps1`) so that each new session applies two in-memory patches, then hides the profile file:

1. **AMSI Patch**: Overwrites the start of `AmsiScanBuffer` (in `amsi.dll`) with ```{ 0x31, 0xC0, 0xC3 }```, i.e. `xor eax, eax; ret`. Every scan then returns `S_OK` (0) immediately without inspecting the buffer, so the caller never receives a detection result.
2. **ETW Patch**: Overwrites the start of `EtwEventWrite` in `ntdll.dll` with ```{ 0xC3 }```, i.e. `ret`. The process then emits no ETW events, which is also the path PowerShell's own script block and module logging provider uses.
3. Sets the file attributes of `Microsoft.PowerShell_profile.ps1` to Hidden and System, so the profile does not show up in a plain directory listing.

### Effect
Once applied, PowerShell sessions that load the profile afterwards run with AMSI and ETW bypassed. Two caveats: the patches are per-process, user-mode memory writes (the `amsi.dll` and `ntdll.dll` files on disk are untouched, and sessions started with `-NoProfile` are unaffected), and both stubs assume a 64-bit process, since a bare `ret` would not clean up stdcall arguments in a 32-bit PowerShell.
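As an added example, not code from this repository: a PowerShell check a defender can run inside a session that has already loaded the profile. It reads the first bytes of `amsi!AmsiScanBuffer` and `ntdll!EtwEventWrite` in the current process and compares them against the two stubs quoted above, then checks whether the profile file carries the Hidden and System attributes. The `NativeProbe` type and the helper function names are this example's own; it assumes a 64-bit Windows PowerShell or pwsh process and that `amsi.dll` can be loaded.

```powershell
# Added example (not part of Lifetime-Amsi-EtwPatch): detect the in-process
# patches and the hidden profile described in the README.
# Assumes a 64-bit PowerShell process; NativeProbe is a name chosen here.
if (-not ('NativeProbe' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeProbe {
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr LoadLibrary(string lpFileName);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
}
'@
}

function Get-FunctionPrologue {
    # Return the first $Length bytes of an exported function in this process.
    param([string]$Module, [string]$Function, [int]$Length)
    $h = [NativeProbe]::GetModuleHandle($Module)
    if ($h -eq [IntPtr]::Zero) { $h = [NativeProbe]::LoadLibrary($Module) }
    if ($h -eq [IntPtr]::Zero) { throw "cannot load $Module" }
    $p = [NativeProbe]::GetProcAddress($h, $Function)
    if ($p -eq [IntPtr]::Zero) { throw "cannot resolve $Module!$Function" }
    $buf = New-Object byte[] $Length
    [System.Runtime.InteropServices.Marshal]::Copy($p, $buf, 0, $Length)
    return $buf
}

function Test-PatchStub {
    # True when the function's leading bytes equal the stub the README quotes.
    param([byte[]]$Actual, [byte[]]$Stub)
    for ($i = 0; $i -lt $Stub.Length; $i++) {
        if ($Actual[$i] -ne $Stub[$i]) { return $false }
    }
    return $true
}

function Test-AmsiEtwPatch {
    # Stubs from the README: xor eax,eax ; ret   and   ret
    $amsiStub = [byte[]](0x31, 0xC0, 0xC3)
    $etwStub  = [byte[]](0xC3)

    $amsiBytes = Get-FunctionPrologue -Module 'amsi.dll'  -Function 'AmsiScanBuffer' -Length $amsiStub.Length
    $etwBytes  = Get-FunctionPrologue -Module 'ntdll.dll' -Function 'EtwEventWrite'  -Length $etwStub.Length

    [pscustomobject]@{
        Check   = 'amsi!AmsiScanBuffer'
        Bytes   = ($amsiBytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Patched = Test-PatchStub $amsiBytes $amsiStub
    }
    [pscustomobject]@{
        Check   = 'ntdll!EtwEventWrite'
        Bytes   = ($etwBytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Patched = Test-PatchStub $etwBytes $etwStub
    }

    # The README says the tool marks the per-host profile Hidden + System.
    # -Force is required or Get-Item will not return a hidden file.
    $profilePath = $PROFILE.CurrentUserCurrentHost
    if (Test-Path -LiteralPath $profilePath) {
        $attrs = (Get-Item -LiteralPath $profilePath -Force).Attributes
        [pscustomobject]@{
            Check      = 'profile attributes'
            Path       = $profilePath
            Attributes = $attrs
            Suspicious = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) -and
                         (($attrs -band [IO.FileAttributes]::System) -ne 0)
        }
    }
}

Test-AmsiEtwPatch | Format-Table -AutoSize
```

Run it from the session under test; in a session started with `-NoProfile` both `Patched` values should be `False`, which gives a clean baseline to compare against. The byte comparison only covers the bytes the quoted stubs overwrite, so a variant that patches a different offset or uses a different stub (for example `mov eax, 0x80070057; ret`) would need its own signature; a more general check is to hash the whole function body against the on-disk copy of the DLL.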
- Made by codepulze aka evilbytecode.
## Detections:
![image](https://github.com/EvilBytecode/Lifetime-Amsi-EtwPatch/assets/151552809/57cbd173-922c-4f6a-ada7-e086ed4f4977)
https://www.virustotal.com/gui/file/e1f4539b28df895d02f361143d04f025e36668a9373985ef27b324431f68a0f5