
SharpAMSIGhosting

SharpAMSIGhosting is a C# port of the AMSI bypass technique originally developed and documented by Andrea Bocchetti in the article "Ghosting AMSI: Cutting RPC to Disarm AV". Full credit goes to Andrea Bocchetti for pioneering this method, which patches NdrClientCall3 in rpcrt4.dll and redirects execution to a trampoline so that AMSI scan requests never reach the AMSI provider. This implementation adapts the technique into a reflective C# assembly for use in .NET-based offensive security tools.

Additional resources and contributions by Andrea Bocchetti can be found on Packet Storm Security and Exploit-DB.

WARNING: This tool is for authorized security testing only. Unauthorized use may violate laws and regulations. The author and contributors are not responsible for misuse. Always obtain explicit permission before testing any system.

Features

  • AMSI Bypass: Patches NdrClientCall3 in rpcrt4.dll to disable AMSI scanning.
  • Memory Manipulation: Uses VirtualAlloc, VirtualProtect, and FlushInstructionCache for runtime memory modifications.
  • Trampoline Hook: Redirects function execution to a custom trampoline (mov eax, 0; ret).
  • Reflective Assembly: Designed to run as a reflective assembly for in-memory execution.

Installation

Prerequisites

  • .NET Framework: Version 4.7.2 or later.
  • Visual Studio or MSBuild: For compiling the C# source code.
  • Git: To clone the repository.
  • Windows: Compatible with Windows 10/11.
  • Reflective Loader: A tool like go-assembly-ldr or Cobalt Strike to load the assembly reflectively.

Steps

  • Clone the repository:

PS C:\> git clone https://github.com/heqnx/SharpAMSIGhosting.git
PS C:\> cd SharpAMSIGhosting

  • Compile the source code with Visual Studio by opening SharpAMSIGhosting.sln.

  • Alternatively, compile with MSBuild:

PS C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe SharpAMSIGhosting.csproj

Running as a Reflective Assembly

The SharpAMSIGhosting code must be executed as a reflective assembly to function correctly. This typically involves:

  1. Compiling the C# code into an executable or DLL.
  2. Using a reflective loader (e.g., the PowerShell, MSBuild, or InstallUtil loader from go-assembly-ldr, or execute-assembly from Cobalt Strike) to load the assembly into memory.
  3. Executing the Main or Execute method to perform the AMSI bypass.

Notes

  • Reflective Execution: The tool relies on reflective loading to avoid disk-based detection. Ensure your loader supports .NET assemblies.
  • System Requirements: The target system must have rpcrt4.dll.
  • Detection Risk: While the tool aims to evade AMSI, modern EDR solutions may detect memory manipulation or hooking behavior.
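A defender-side check that corresponds to the Detection Risk note above, added here as an example and not part of SharpAMSIGhosting or Andrea Bocchetti's work: it compares the leading bytes of rpcrt4!NdrClientCall3 in the current process with the same bytes in the on-disk rpcrt4.dll, translating the function's RVA to a file offset through the PE section table. A mismatch means the export has been modified in memory, which is exactly what the trampoline patch listed under Features produces. The class name NdrClientCall3IntegrityCheck, the 16-byte comparison window and the console output are my choices; LoadLibrary, GetProcAddress and GetModuleFileName are standard kernel32 exports. Compile it as an ordinary .NET Framework console application on Windows.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

// Added example: in-memory vs on-disk integrity check for one exported function.
class NdrClientCall3IntegrityCheck
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr LoadLibrary(string lpFileName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint GetModuleFileName(IntPtr hModule, StringBuilder lpFilename, uint nSize);

    // Number of leading bytes compared (assumption: covers the prologue, incl. a 6-byte mov/ret patch).
    const int PrologueLength = 16;

    // Translate an RVA to a file offset using the section table of the on-disk PE image.
    static long RvaToFileOffset(byte[] image, uint rva)
    {
        int peOffset = BitConverter.ToInt32(image, 0x3C);               // e_lfanew
        if (BitConverter.ToUInt32(image, peOffset) != 0x00004550)       // "PE\0\0"
            throw new InvalidDataException("not a PE image");
        ushort numberOfSections = BitConverter.ToUInt16(image, peOffset + 6);
        ushort sizeOfOptionalHeader = BitConverter.ToUInt16(image, peOffset + 20);
        int sectionTable = peOffset + 24 + sizeOfOptionalHeader;         // after COFF header
        for (int i = 0; i < numberOfSections; i++)
        {
            int s = sectionTable + i * 40;                               // IMAGE_SECTION_HEADER is 40 bytes
            uint virtualSize = BitConverter.ToUInt32(image, s + 8);
            uint virtualAddress = BitConverter.ToUInt32(image, s + 12);
            uint sizeOfRawData = BitConverter.ToUInt32(image, s + 16);
            uint pointerToRawData = BitConverter.ToUInt32(image, s + 20);
            uint span = Math.Max(virtualSize, sizeOfRawData);
            if (rva >= virtualAddress && rva < virtualAddress + span)
                return rva - virtualAddress + pointerToRawData;
        }
        throw new InvalidDataException("RVA is not inside any section");
    }

    // Returns true when the in-memory prologue of the export matches the on-disk prologue.
    static bool ExportMatchesDisk(string module, string export, out byte[] inMemory, out byte[] onDisk)
    {
        IntPtr hModule = LoadLibrary(module);   // returns the existing mapping if already loaded
        if (hModule == IntPtr.Zero) throw new InvalidOperationException(module + " could not be loaded");
        IntPtr fn = GetProcAddress(hModule, export);
        if (fn == IntPtr.Zero) throw new InvalidOperationException(export + " not found in " + module);

        inMemory = new byte[PrologueLength];
        Marshal.Copy(fn, inMemory, 0, PrologueLength);                   // bytes currently executing

        var path = new StringBuilder(260);
        GetModuleFileName(hModule, path, (uint)path.Capacity);
        byte[] image = File.ReadAllBytes(path.ToString());               // bytes as shipped on disk

        uint rva = (uint)(fn.ToInt64() - hModule.ToInt64());
        long offset = RvaToFileOffset(image, rva);
        if (offset + PrologueLength > image.Length)
            throw new InvalidDataException("file offset out of range");
        onDisk = new byte[PrologueLength];
        Array.Copy(image, offset, onDisk, 0, PrologueLength);

        for (int i = 0; i < PrologueLength; i++)
            if (inMemory[i] != onDisk[i]) return false;
        return true;
    }

    static void Main()
    {
        byte[] mem, disk;
        bool intact = ExportMatchesDisk("rpcrt4.dll", "NdrClientCall3", out mem, out disk);
        Console.WriteLine("in-memory: " + BitConverter.ToString(mem));
        Console.WriteLine("on-disk:   " + BitConverter.ToString(disk));
        Console.WriteLine(intact ? "NdrClientCall3 prologue intact" : "NdrClientCall3 prologue MODIFIED");
    }
}
```

The check only sees the process it runs in, so it is useful inside an application that wants to know whether its own AMSI path has been tampered with, or as a building block for a tool that reads another process's memory. Base relocations applied to the first bytes of a function (rare on x64, where code is RIP-relative) or an export forwarded to another DLL would also produce a mismatch, so treat a result as a signal to inspect, and compare against a known-good host before alerting on it.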

Automated Releases

Check the GitHub Releases page for the latest release with attached binaries.

License

This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for details.

Disclaimer

SharpAMSIGhosting is provided "as is" without warranty. The author and contributors are not liable for any damages or legal consequences arising from its use. Use responsibly and only in authorized environments.