ZeroMemoryEx / Amsi-Killer

Lifetime AMSI bypass

Is this working? #4

Closed jsdhasfedssad closed 1 year ago

jsdhasfedssad commented 1 year ago

This does not seem to work for me. Alternatively, I am doing something wrong.

[image: amsi1]

xenoantic commented 1 year ago

My pattern is different from what was coded, so it is not working for me:

```
amsi!AmsiOpenSession:
00007ffd`a7df37e0 4885d2          test    rdx,rdx
00007ffd`a7df37e3 7447            je      amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
00007ffd`a7df37e5 4885c9          test    rcx,rcx
00007ffd`a7df37e8 7442            je      amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
00007ffd`a7df37ea 8139414d5349    cmp     dword ptr [rcx],49534D41h
00007ffd`a7df37f0 753a            jne     amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
00007ffd`a7df37f2 4883790800      cmp     qword ptr [rcx+8],0
00007ffd`a7df37f7 7433            je      amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
```

Updating the BYTE pattern[] to the following fixed the issue for me:

```c
BYTE pattern[] = { 0x48,'?','?', 0x74,'?',0x48,'?' ,'?' ,0x74,'?' };
```

ZeroMemoryEx commented 1 year ago

Hello @jsdhasfedssad , yes, it's working perfectly. The problem in your case is that there is another PowerShell program running in the background. Please go to the task manager, terminate any open PowerShell programs, and then try again. This will solve your issue.

ZeroMemoryEx commented 1 year ago

If the problem is solved, let me know so I can close the issue ticket @jsdhasfedssad.

xenoantic commented 1 year ago

I've run this on 2 separate Windows machines and have the same issue. Your search pattern does not match the memory location in my amsi!AmsiOpenSession.

ZeroMemoryEx commented 1 year ago

Hello @xenoantic, please go to Task Manager, terminate any open PowerShell programs, and then try again.

ZeroMemoryEx commented 1 year ago

It seems that I should add functionality to close any open PowerShell in the background, or spawn a patched one!

xenoantic commented 1 year ago

I do not have any other PowerShell sessions open except the one I'm attached to in WinDbg, which needs to be open in order to access AmsiOpenSession. It seems your code does not account for all versions: my `8139414d5349 cmp` instruction is different from the one in your screenshots, and thus your pattern does not match mine. I've given you a solution above, implemented it, and have a working program:

[image]

ZeroMemoryEx commented 1 year ago

@xenoantic, thank you for mentioning it. Can you tell me what Windows version you have?

ZeroMemoryEx commented 1 year ago

Problem solved.

jsdhasfedssad commented 1 year ago

Closing other PowerShell sessions does not help. This is executed on Server 2019.

ZeroMemoryEx commented 1 year ago

Hello @jsdhasfedssad, the search pattern has been updated to work on all Windows versions. Please try again with the updated version of the program.

ZeroMemoryEx commented 1 year ago

[image]

ZeroMemoryEx commented 1 year ago

Tested on Windows Server 2022.