author: heqnx <root@heqnx.com> 2025-05-02 13:06:42 +0300
committer: heqnx <root@heqnx.com> 2025-05-02 13:06:42 +0300
commit: 769db61e21ff9a1456d9b695375e0b5f1c0d9d36
tree: c156c434818100dfb3cb28f7e8d79fa527eea024 /README.md
parent: a7e23d3084405f78ca1e4dbf44feffc7d85ac133
initial commit
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 70
1 files changed, 70 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4f2a40a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,70 @@
+# SharpAMSIGhosting
+
+`SharpAMSIGhosting` is a C# port of the AMSI bypass technique originally developed and documented by Andrea Bocchetti in the article, ["Ghosting AMSI: Cutting RPC to Disarm AV"](https://medium.com/@andreabocchetti88/ghosting-amsi-cutting-rpc-to-disarm-av-04c26d67bb80). Full credit goes to Andrea Bocchetti for pioneering this method, which patches `NdrClientCall3` in `rpcrt4.dll`, redirecting execution to a trampoline to disable AMSI scanning. This implementation adapts the technique into a reflective C# assembly for use in .NET-based offensive security tools.
+
+Additional resources and contributions by Andrea Bocchetti can be found on [Packet Storm Security](https://packetstormsecurity.com/files/author/7655/) and [Exploit-DB](https://www.exploit-db.com/?author=7413).
+
+
+> **WARNING**: This tool is for **authorized security testing only**. Unauthorized use may violate laws and regulations. The author and contributors are not responsible for misuse. Always obtain explicit permission before testing any system.
+
+## Features
+
+- **AMSI Bypass**: Patches `NdrClientCall3` in `rpcrt4.dll` to disable AMSI scanning.
+- **Memory Manipulation**: Uses `VirtualAlloc`, `VirtualProtect`, and `FlushInstructionCache` for runtime memory modifications.
+- **Trampoline Hook**: Redirects function execution to a custom trampoline (`mov eax, 0; ret`).
+- **Reflective Assembly**: Designed to run as a reflective assembly for in-memory execution.
+
+## Installation
+
+### Prerequisites
+
+- **.NET Framework**: Version 4.7.2 or later.
+- **Visual Studio or MSBuild**: For compiling the C# source code.
+- **Git**: To clone the repository.
+- **Windows**: Compatible with Windows 10/11
+- **Reflective Loader**: A tool like `go-assembly-ldr` or Cobalt Strike to load the assembly reflectively.
+
+### Steps
+
+- Clone the repository:
+
+```
+PS C:\> git clone https://github.com/heqnx/SharpAMSIGhosting.git
+PS C:\> cd SharpAMSIGhosting
+```
+
+- Compile the source code with Visual Studio by opening `SharpAMSIGhosting.sln`
+
+- Alternatively, compile with MSBuild:
+
+```
+PS C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe SharpAMSIGhosting.csproj
+```
+
+### Running as a Reflective Assembly
+
+The `SharpAMSIGhosting` code must be executed as a reflective assembly to function correctly. This typically involves:
+
+1. Compiling the C# code into an executable or DLL.
+2. Using a reflective loader (e.g., PowerShell, MSBuild, or InstallUtil loader from `go-assembly-ldr`, or `execute-assembly` from CS) to inject the assembly into memory.
+3. Executing the `Main` or `Execute` method to perform the AMSI bypass.
+
+## Notes
+
+- **Reflective Execution**: The tool relies on reflective loading to avoid disk-based detection. Ensure your loader supports .NET assemblies.
+- **System Requirements**: The target system must have `rpcrt4.dll`.
+- **Detection Risk**: While the tool aims to evade AMSI, modern EDR solutions may detect memory manipulation or hooking behavior.
+
+## Automated Releases
+
+Check the GitHub Releases page for the new release with attached binaries.
+
+## License
+
+This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for details.
+
+## Disclaimer
+
+`SharpAMSIGhosting` is provided "as is" without warranty. The author and contributors are not liable for any damages or legal consequences arising from its use. Use responsibly and only in authorized environments.
+
+
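Review bot: Step 3 of "Running as a Reflective Assembly" tells the reader to execute "the `Main` or `Execute` method", but nothing in the README says which class exposes them, whether both exist, what arguments (if any) they take, or how success or failure is reported back to the loader; a short "Usage" block naming the class and entry point, or a pointer to the source file, would remove the guesswork. Since the "Notes" section already acknowledges that EDR may flag the memory manipulation, it would also help operators and reviewers to state plainly that the tool calls `VirtualProtect` on the loaded `rpcrt4.dll` image to overwrite `NdrClientCall3`, i.e. an in-process modification of a system module, which is the behaviour the "Detection Risk" bullet alludes to. Two smaller points in the same hunk: "Automated Releases" says to "Check the GitHub Releases page" without linking it, and the Prerequisites item "Compatible with Windows 10/11" is missing the trailing period the other items have; the doubled blank lines after the Packet Storm paragraph and at the end of the file can be collapsed.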