Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100644 index 0000000..4f2a40a --- /dev/null +++ b/README.md 
@@ -0,0 +1,70 @@ +# SharpAMSIGhosting + +`SharpAMSIGhosting` is a C# port of the AMSI bypass technique originally developed and documented by Andrea Bocchetti in the article, ["Ghosting AMSI: Cutting RPC to Disarm AV"](https://medium.com/@andreabocchetti88/ghosting-amsi-cutting-rpc-to-disarm-av-04c26d67bb80). Full credit goes to Andrea Bocchetti for pioneering this method, which patches `NdrClientCall3` in `rpcrt4.dll`, redirecting execution to a trampoline to disable AMSI scanning. This implementation adapts the technique into a reflective C# assembly for use in .NET-based offensive security tools. + +Additional resources and contributions by Andrea Bocchetti can be found on [Packet Storm Security](https://packetstormsecurity.com/files/author/7655/) and [Exploit-DB](https://www.exploit-db.com/?author=7413). + + +> **WARNING**: This tool is for **authorized security testing only**. Unauthorized use may violate laws and regulations. The author and contributors are not responsible for misuse. Always obtain explicit permission before testing any system. + +## Features + +- **AMSI Bypass**: Patches `NdrClientCall3` in `rpcrt4.dll` to disable AMSI scanning. +- **Memory Manipulation**: Uses `VirtualAlloc`, `VirtualProtect`, and `FlushInstructionCache` for runtime memory modifications. +- **Trampoline Hook**: Redirects function execution to a custom trampoline (`mov eax, 0; ret`). +- **Reflective Assembly**: Designed to run as a reflective assembly for in-memory execution. + +## Installation + +### Prerequisites + +- **.NET Framework**: Version 4.7.2 or later. +- **Visual Studio or MSBuild**: For compiling the C# source code. +- **Git**: To clone the repository. +- **Windows**: Compatible with Windows 10/11 +- **Reflective Loader**: A tool like `go-assembly-ldr` or Cobalt Strike to load the assembly reflectively. 
+ +### Steps + +- Clone the repository: + +``` +PS C:\> git clone https://github.com/heqnx/SharpAMSIGhosting.git +PS C:\> cd SharpAMSIGhosting +``` + +- Compile the source code with Visual Studio by opening `SharpAMSIGhosting.sln` + +- Alternatively, compile with MSBuild: + +``` +PS C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe SharpAMSIGhosting.csproj +``` + +### Running as a Reflective Assembly + +The `SharpAMSIGhosting` code must be executed as a reflective assembly to function correctly. This typically involves: + +1. Compiling the C# code into an executable or DLL. +2. Using a reflective loader (e.g., PowerShell, MSBuild, or InstallUtil loader from `go-assembly-ldr`, or `execute-assembly` from CS) to inject the assembly into memory. +3. Executing the `Main` or `Execute` method to perform the AMSI bypass. + +## Notes + +- **Reflective Execution**: The tool relies on reflective loading to avoid disk-based detection. Ensure your loader supports .NET assemblies. +- **System Requirements**: The target system must have `rpcrt4.dll`. +- **Detection Risk**: While the tool aims to evade AMSI, modern EDR solutions may detect memory manipulation or hooking behavior. + +## Automated Releases + +Check the GitHub Releases page for the new release with attached binaries. + +## License + +This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for details. + +## Disclaimer + +`SharpAMSIGhosting` is provided "as is" without warranty. The author and contributors are not liable for any damages or legal consequences arising from its use. Use responsibly and only in authorized environments. + + |
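Review bot: The "Running as a Reflective Assembly" list, step 3, leaves the entry point ambiguous ("Executing the `Main` or `Execute` method"); the README should name the single method a loader must invoke and its signature, since `execute-assembly` style loaders only call `Main` by default. Two smaller documentation points in the same hunk: the "System Requirements" note ("The target system must have `rpcrt4.dll`") conveys nothing, because every supported Windows build ships that DLL; what readers need to know is that the patch depends on the exported `NdrClientCall3` being present at its expected prologue, so a changed `rpcrt4.dll` build may cause the hook to fail or crash the host process, and that should be stated explicitly. Finally, the prerequisite bullet "Compatible with Windows 10/11" is missing its terminating period, unlike the surrounding bullets, and the "Detection Risk" note would be more useful to readers if it said which observable behaviours it refers to, namely the `VirtualProtect` change on a loaded system DLL and the resulting modified code page, which the Features section already lists.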