# SharpAMSIGhosting

`SharpAMSIGhosting` is a C# port of the AMSI bypass technique originally developed and documented by Andrea Bocchetti in the article, ["Ghosting AMSI: Cutting RPC to Disarm AV"](https://medium.com/@andreabocchetti88/ghosting-amsi-cutting-rpc-to-disarm-av-04c26d67bb80). Full credit goes to Andrea Bocchetti for pioneering this method, which patches `NdrClientCall3` in `rpcrt4.dll`, redirecting execution to a trampoline to disable AMSI scanning. This implementation adapts the technique into a reflective C# assembly for use in .NET-based offensive security tools.

Additional resources and contributions by Andrea Bocchetti can be found on [Packet Storm Security](https://packetstormsecurity.com/files/author/7655/) and [Exploit-DB](https://www.exploit-db.com/?author=7413).

> **WARNING**: This tool is for **authorized security testing only**. Unauthorized use may violate laws and regulations. The author and contributors are not responsible for misuse. Always obtain explicit permission before testing any system.

## Features

- **AMSI Bypass**: Patches `NdrClientCall3` in `rpcrt4.dll` to disable AMSI scanning.
- **Memory Manipulation**: Uses `VirtualAlloc`, `VirtualProtect`, and `FlushInstructionCache` for runtime memory modifications.
- **Trampoline Hook**: Redirects function execution to a custom trampoline (`mov eax, 0; ret`).
- **Reflective Assembly**: Designed to run as a reflective assembly for in-memory execution.

## Installation

### Prerequisites

- **.NET Framework**: Version 4.7.2 or later.
- **Visual Studio or MSBuild**: For compiling the C# source code.
- **Git**: To clone the repository.
- **Windows**: Compatible with Windows 10/11
- **Reflective Loader**: A tool like [`go-assembly-ldr`](https://github.com/heqnx/go-assembly-ldr) or Cobalt Strike to load the assembly reflectively.

### Steps

- Clone the repository:

```
PS C:\> git clone https://github.com/heqnx/SharpAMSIGhosting.git
PS C:\> cd SharpAMSIGhosting
```

- Compile the source code with Visual Studio by opening `SharpAMSIGhosting.sln`
- Alternatively, compile with MSBuild:

```
PS C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe SharpAMSIGhosting.csproj
```

### Running as a Reflective Assembly

The `SharpAMSIGhosting` code must be executed as a reflective assembly to function correctly. This typically involves:

1. Compiling the C# code into an executable or DLL.
2. Using a reflective loader (e.g., PowerShell, MSBuild, or InstallUtil loader from [`go-assembly-ldr`](https://github.com/heqnx/go-assembly-ldr), or `execute-assembly` from CS) to inject the assembly into memory.
3. Executing the `Main` or `Execute` method to perform the AMSI bypass.

## Notes

- **Reflective Execution**: The tool relies on reflective loading to avoid disk-based detection. Ensure your loader supports .NET assemblies.
- **System Requirements**: The target system must have `rpcrt4.dll`.
- **Detection Risk**: While the tool aims to evade AMSI, modern EDR solutions may detect memory manipulation or hooking behavior.

## Automated Releases

Check the GitHub Releases page for the new release with attached binaries.

## License

This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for details.

## Disclaimer

`SharpAMSIGhosting` is provided "as is" without warranty. The author and contributors are not liable for any damages or legal consequences arising from its use. Use responsibly and only in authorized environments.
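
As a defender-side illustration of the Detection Risk note above (an added example, not part of the SharpAMSIGhosting code): the check below compares the on-disk and in-memory prologue bytes of an export such as `NdrClientCall3` and reports whether the function now redirects to a stub encoding `mov eax, 0; ret`. The byte values, addresses, the redirect encodings it recognises and the `read_mem` interface are assumptions constructed for the example.

```python
import struct

# Encoding of `mov eax, 0; ret`, the trampoline body named in the README.
RET_ZERO_STUB = bytes.fromhex("b800000000c3")

def decode_redirect(code, va):
    """Return the absolute target if `code` opens with a common x64 redirect, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        return (va + 5 + struct.unpack_from("<i", code, 1)[0]) % 2**64
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return struct.unpack_from("<Q", code, 2)[0]              # mov rax, imm64; jmp rax
    if len(code) >= 14 and code[:6] == b"\xff\x25\x00\x00\x00\x00":
        return struct.unpack_from("<Q", code, 6)[0]              # jmp [rip+0]; dq target
    return None

def check_export(va, disk, mem, read_mem, module_range):
    """Compare on-disk and in-memory prologue bytes of one export and describe any patch.

    read_mem(addr, size) -> bytes or None is supplied by the caller (hypothetical
    interface; a live tool would back it with a process-memory read).
    Assumes no base relocation falls inside the compared bytes.
    """
    diffs = [i for i, (a, b) in enumerate(zip(disk, mem)) if a != b]
    result = {"modified": bool(diffs), "first_diff": diffs[0] if diffs else None,
              "target": None, "leaves_module": False, "returns_zero": False}
    if not diffs:
        return result
    target = decode_redirect(mem, va)
    if target is not None:
        lo, hi = module_range
        body = read_mem(target, len(RET_ZERO_STUB)) or b""
        result.update(target=target, leaves_module=not (lo <= target < hi),
                      returns_zero=body == RET_ZERO_STUB)
    return result

# --- constructed sample data (not real rpcrt4.dll bytes or addresses) ---
MODULE = (0x7FFB12340000, 0x7FFB12440000)          # image range of the module
EXPORT_VA = MODULE[0] + 0x1000                     # address of the checked export
DISK = bytes.fromhex("48895c24084889742410574883ec2033")
TRAMPOLINE_VA = 0x1F0000                           # private allocation outside the image
PATCHED = b"\x48\xb8" + struct.pack("<Q", TRAMPOLINE_VA) + b"\xff\xe0" + DISK[12:]
FAKE_MEMORY = {TRAMPOLINE_VA: RET_ZERO_STUB}

def read_fake(addr, size):
    data = FAKE_MEMORY.get(addr)
    return data[:size] if data else None

if __name__ == "__main__":
    print(check_export(EXPORT_VA, DISK, DISK, read_fake, MODULE))
    print(check_export(EXPORT_VA, DISK, PATCHED, read_fake, MODULE))
```

Other software can also hook exported functions, so a modified prologue is a lead to triage rather than proof of this tool.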