Amsi Killer Save

Lifetime AMSI bypass

Project README

Lifetime AMSI bypass

Opcode Scan

  • we get the exact address of the jump instruction by searching for the first byte of each instruction this technique is effective even in the face of updates or modifications to the target data set.

  • for example :

    | 48:85D2 | test rdx, rdx |

    | 74 3F | je amsi.7FFAE957C694 |

    | 48 : 85C9 | test rcx, rcx |

    | 74 3A | je amsi.7FFAE957C694 |

    | 48 : 8379 08 00 | cmp qword ptr ds : [rcx + 8] , 0 |

    | 74 33 | je amsi.7FFAE957C694 |

  • the search pattern will be like this :

    { 0x48,'?','?', 0x74,'?',0x48,'?' ,'?' ,0x74,'?' ,0x48,'?' ,'?' ,'?' ,'?',0x74,0x33}

    image

Patch

Before Patch

  • The program tests the value of RDX against itself. If the comparison evaluates to 0, the program executes a jump to return. Otherwise, the program proceeds to evaluate the next instruction

    image

  • we cant execute "Invoke-Mimikatz"

    image

After Patch

  • we patch the first byte and change it from JE to JMP so it return directly

    Screenshot 2023-02-26 195848

    image

  • now we execute "Invoke-Mimikatz"

    Screenshot 2023-02-26 195914

Open Source Agenda is not affiliated with "Amsi Killer" Project. README Source: ZeroMemoryEx/Amsi-Killer
Stars
562
Open Issues
0
Last Commit
7 months ago
Repository
ZeroMemoryEx/Amsi-Killer
Tags
Amsi Bypass Amsi Patch Red Team Win32 Amsi Evasion Red Teaming

Open Source Agenda Badge

Open Source Agenda Rating
Submit Review Review Your Favorite Project
Submit Resource Articles, Courses, Videos
Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?