Closed jsdhasfedssad closed 1 year ago
My pattern is different than what was coded, so it is not working for me:
amsi!AmsiOpenSession:
00007ffd`a7df37e0 4885d2 test rdx,rdx
00007ffd`a7df37e3 7447 je amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
00007ffd`a7df37e5 4885c9 test rcx,rcx
00007ffd`a7df37e8 7442 je amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
00007ffd`a7df37ea 8139414d5349 cmp dword ptr [rcx],49534D41h
00007ffd`a7df37f0 753a jne amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
00007ffd`a7df37f2 4883790800 cmp qword ptr [rcx+8],0
00007ffd`a7df37f7 7433 je amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
Updating the BYTE pattern[] to the following fixed the issue for me:
BYTE pattern[] = { 0x48,'?','?', 0x74,'?',0x48,'?' ,'?' ,0x74,'?' };
Hello @jsdhasfedssad , yes, it's working perfectly. The problem in your case is that there is another PowerShell program running in the background. Please go to the task manager, terminate any open PowerShell programs, and then try again. This will solve your issue.
If the problem is solved, let me know so I can close the issue ticket, @jsdhasfedssad.
I've run this on 2 separate Windows machines and have the same issue. Your search pattern does not match the memory location in my amsi!AmsiOpenSession.
Hello @xenoantic, please go to the task manager and terminate any open PowerShell programs, and then try again.
It seems that I should add functionality to close any open PowerShell in the background or spawn a patched one!!
I do not have any other PowerShell sessions open except the one I'm attached to in WinDbg, which needs to be open in order to access AmsiOpenSession. It seems your code does not account for all versions; my 8139414d5349 cmp instruction is different than the one in your screenshots, and thus your pattern does not match mine. I've given you a solution above, implemented it, and have a working program:
@xenoantic, thank you for mentioning it. Can you tell me what Windows version you have?
Problem solved.
Closing other PowerShell sessions does not help. This is executed on Server 2019.
Hello @jsdhasfedssad, the search pattern has been updated to work on all Windows versions. Please try again with the updated version of the program.
Tested on Windows Server 2022.
This does not seem to work for me. Alternatively, I am doing something wrong.