https://github.com/evilbytecode/lifetime-amsi-etwpatch
Two in one, patch lifetime powershell console, no more etw and amsi!
amsi amsi-bypass amsi-evasion amsi-patch etw etw-bypass etw-evasion fud pentesting red-teaming
Last synced: 29 days ago
- Host: GitHub
- URL: https://github.com/evilbytecode/lifetime-amsi-etwpatch
- Owner: EvilBytecode
- License: other
- Created: 2024-06-22T13:28:20.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-27T16:42:24.000Z (5 months ago)
- Last Synced: 2025-04-27T17:35:44.838Z (5 months ago)
- Topics: amsi, amsi-bypass, amsi-evasion, amsi-patch, etw, etw-bypass, etw-evasion, fud, pentesting, red-teaming
- Language: Go
- Homepage:
- Size: 10.7 KB
- Stars: 88
- Watchers: 2
- Forks: 18
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Lifetime-Amsi-EtwPatch
## Telegram:
- https://t.me/ebytelabs

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface) protections.
### INFO
The program modifies the PowerShell profile (`Microsoft.PowerShell_profile.ps1`) so that two patches are applied at the start of every session, then hides the profile file:

1. **AMSI Patch**: Disables AMSI by overwriting the start of the `AmsiScanBuffer` function with `{ 0x31, 0xC0, 0xC3 }`.
2. **ETW Patch**: Overwrites the start of the `EtwEventWrite` function in `ntdll.dll` with `{ 0xC3 }` to prevent event tracing.
3. Sets the file attributes of `Microsoft.PowerShell_profile.ps1` to Hidden and System.

### Effect:
Once applied, PowerShell sessions initiated afterward will have AMSI and ETW bypassed.
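A host-side check for the persistence mechanism described above, added here as an example and not part of the project: it audits every profile path PowerShell loads at startup, flags the Hidden+System attribute combination, and looks for the patched function names in the script body. The indicator strings and the use of the current host's `$PROFILE` paths are assumptions.

```powershell
# Added example (not the project's code): audit PowerShell profile scripts for
# a hidden profile that patches AmsiScanBuffer / EtwEventWrite on every start.
# Assumed indicators: the function names the README mentions plus the DLLs and
# the memory-protection call such a patch needs.
$indicators = @('AmsiScanBuffer', 'EtwEventWrite', 'amsi.dll', 'ntdll.dll', 'VirtualProtect')

# All four profile locations the current host evaluates at startup.
$profilePaths = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost
) | Select-Object -Unique

function Test-PowerShellProfile {
    param([string]$Path)
    # -Force is required: Get-Item skips Hidden/System files without it.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $null }

    # The tool marks the profile Hidden AND System; a normal profile has neither.
    $hiddenSystem = ($item.Attributes -band [IO.FileAttributes]::Hidden) -and
                    ($item.Attributes -band [IO.FileAttributes]::System)

    $content = Get-Content -LiteralPath $Path -Raw -ErrorAction SilentlyContinue
    $hits = @($indicators | Where-Object { $content -and $content.Contains($_) })

    [pscustomobject]@{
        Path            = $Path
        HiddenAndSystem = [bool]$hiddenSystem
        Indicators      = ($hits -join ',')
        LastWriteTime   = $item.LastWriteTimeUtc
        Suspicious      = ([bool]$hiddenSystem -or $hits.Count -gt 0)
    }
}

$profilePaths | ForEach-Object { Test-PowerShellProfile -Path $_ } |
    Where-Object { $_ } | Format-Table -AutoSize
```

Run it under the host you want to audit (powershell.exe and pwsh.exe keep separate profile paths); a profile that is absent is simply not listed.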
- Made by codepulze aka evilbytecode.
## Detections:

https://www.virustotal.com/gui/file/e1f4539b28df895d02f361143d04f025e36668a9373985ef27b324431f68a0f5

## License
This project is licensed under the MIT License. See the LICENSE file for details.