Skip to content
/ NoAmci Public

Using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load().

Notifications You must be signed in to change notification settings

med0x2e/NoAmci

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 

Repository files navigation

TLDR:

A PoC for using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load(). .Net tradecraft can be compressed, encoded (encrypted if required) in order to keep the assembly size less than 1MB, then embedded as a resource to be loaded after patching amsi.dll memory.

Testing Notes:

  • Make sure that both the default Class and Main method have the 'public' access modifier before compressing/encoding your assembly (Ghostpack ..etc).
  • favicon.ico corresponds to an encoded and compressed version of safetykatz using DeflateStream and GzipStream APIs, this helped reducing the size of assemblies then embedded as resources in order to be able to use them with execute-assembly
  • Helper.cs have methods which can be used to compress other .Net binaries (Ghostpack ..etc).
  • Source code for DInvoke was copied from SharpSploit PR submitted by @FuzzySecurity and @TheWover. (all doc comments removed)
  • Tested via cobalt strike execute-assemby on Windows Build 1909/1903 and against a common EDR product (after removing all comments) -> no detections were triggered.
  • Build with VS2017 & .NET framework 4.x

TODO:

  • Assemblies can be encrypted and hosted on a remote endpoint, then loaded and injected into memory (NET-Assembly-Inject-Remote for a PoC) this would decouple NoAmci from Assemblies and allow to dynamically load an assembly of choice at runtime while keeping NoAmci.exe size small.

Disclaimer:

should be used for authorized red teaming and/or nonprofit educational purposes only. Any misuse of this software will not be the responsibility of the author. Use it at your own networks and/or with the network owner's permission.

About

Using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load().

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages