Contains a CPP program that bypasses AMSI.

As the code uses the Windows API, it is necessary to have the required headers installed.

Windows (if you have gcc already installed, jump to step 3):

1. Install scoop
2. Use scoop to install gcc: `scoop install gcc`
3. Compile with either g++ or cl:

   ```
   g++ AmsiMemoryPatch.cpp -o AmsiMemoryPatch.exe -fpermissive
   cl .\AmsiMemoryPatch.cpp /EHsc /link /out:AmsiMemoryPatch.exe
   ```

   Or paste it into Visual Studio and hit build.

Arch Linux (if you have mingw-w64-gcc already installed, jump to step 2):

1. Install Arch
2. Install mingw-w64: `pacman -S mingw-w64-gcc`
3. Compile:

   ```
   x86_64-w64-mingw32-g++ -static AmsiMemoryPatch.cpp -o AmsiMemoryPatch.exe -fpermissive
   ```

macOS (Apple Silicon):

1. Install Asahi Linux
2. Follow the Linux installation instructions
Notes:

- You are able to overwrite the memory, even though the memory protection status is set to 0x20 = RX (PAGE_EXECUTE_READ, no write). The code theoretically also works without the `VirtualProtectEx` function call. Check the `VirtualProtectEx` docs.
- You are able to query the permissions, even though `OpenProcess` is called without the PROCESS_QUERY_INFORMATION access right. The docs state that this right is required to be able to query information about a process.
- In a normal PowerShell window, the code works as expected with all compilers. However, when opening a Developer PowerShell window and trying to patch said process (`--parent`), only the version compiled with `cl` seems to be able to patch AMSI. The other two return 0x1 (ERROR_INVALID_FUNCTION) for `VirtualQueryEx` and 0x1E7 (ERROR_INVALID_ADDRESS) for `VirtualProtectEx`. Ignoring `VirtualProtectEx` and directly trying `WriteProcessMemory` fails with 0x3E6 (ERROR_NOACCESS).
- The version compiled with `cl` returns different addresses for `LoadLibraryA` and `GetProcAddress`. This is probably related to the issue listed above.
- The version compiled with `g++` prints the addresses in lowercase.