https://github.com/evilbytecode/lifetime-amsi-etwpatch

Two in one, patch lifetime powershell console, no more etw and amsi!
https://github.com/evilbytecode/lifetime-amsi-etwpatch

amsi amsi-bypass amsi-evasion amsi-patch etw etw-bypass etw-evasion fud pentesting red-teaming

Last synced: 4 months ago
JSON representation

Two in one, patch lifetime powershell console, no more etw and amsi!

• Host: GitHub
• URL: https://github.com/evilbytecode/lifetime-amsi-etwpatch
• Owner: EvilBytecode
• Created: 2024-06-22T13:28:20.000Z (10 months ago)
• Default Branch: main
• Last Pushed: 2024-06-27T06:43:25.000Z (10 months ago)
• Last Synced: 2024-12-23T02:17:09.669Z (4 months ago)
• Topics: amsi, amsi-bypass, amsi-evasion, amsi-patch, etw, etw-bypass, etw-evasion, fud, pentesting, red-teaming
• Language: Go
• Homepage:
• Size: 7.81 KB
• Stars: 83
• Watchers: 1
• Forks: 14
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# Lifetime-Amsi-EtwPatch



This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface) protections.

### INFO

The program modifies the PowerShell profile (`Microsoft.PowerShell_profile.ps1`) to apply two patches:

1. **AMSI Patch**: Disables AMSI by modifying the `AmsiScanBuffer` function, ```{ 0x31, 0xC0, 0xC3 }```.

2. **ETW Patch**: Modifies the `EtwEventWrite` function in `ntdll.dll` to prevent event tracing, ```{ 0xC3 }```.

3. Sets File attributes to Hidden and System to : `Microsoft.PowerShell_profile.ps1`.

### Effect: Once applied, PowerShell sessions initiated afterward will have AMSI and ETW bypassed.

- Made by codepulze aka evilbytecode.

## Detections:

![image](https://github.com/EvilBytecode/Lifetime-Amsi-EtwPatch/assets/151552809/57cbd173-922c-4f6a-ada7-e086ed4f4977)

https://www.virustotal.com/gui/file/e1f4539b28df895d02f361143d04f025e36668a9373985ef27b324431f68a0f5