Skip to content

Instantly share code, notes, and snippets.

View sharpicx's full-sized avatar

sharpicx

View GitHub Profile
@sharpicx
sharpicx / amsi-bypass.md
Created July 14, 2024 19:44 — forked from D3Ext/amsi-bypass.md
All methods to bypass AMSI (2022)

AMSI Bypass

To perform all this techniques you can simply try them by typing "Invoke-Mimikatz" into your powershell terminal, you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if the AMSI is off or you avoid it, it just will say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed the AMSI

However some methods may be detected by the AV but most of them actually work without problem

Powershell downgrade

The first and worst way to bypass AMSI is downgrading powershell version to 2.0.

@sharpicx
sharpicx / AmsiContextHook.cpp
Created August 7, 2024 18:11 — forked from rxwx/AmsiContextHook.cpp
Bypass AMSI on Windows 11 by hooking the AMSI context VTable on the heap with a ROP gadget. Look ma, no code patches!
#include <Windows.h>
#include <Psapi.h>
#include <metahost.h>
#include <comutil.h>
#include <mscoree.h>
#include "patch_info.h"
#include "base\helpers.h"
/**
* For the debug build we want: