# SharpAMSIGhosting

`SharpAMSIGhosting` is a C# port of the AMSI bypass technique originally developed and documented by Andrea Bocchetti in the article, ["Ghosting AMSI: Cutting RPC to Disarm AV"](https://medium.com/@andreabocchetti88/ghosting-amsi-cutting-rpc-to-disarm-av-04c26d67bb80). Full credit goes to Andrea Bocchetti for pioneering this method, which patches `NdrClientCall3` in `rpcrt4.dll`, redirecting execution to a trampoline to disable AMSI scanning. This implementation adapts the technique into a reflective C# assembly for use in .NET-based offensive security tools.

Additional resources and contributions by Andrea Bocchetti can be found on [Packet Storm Security](https://packetstormsecurity.com/files/author/7655/) and [Exploit-DB](https://www.exploit-db.com/?author=7413).


> **WARNING**: This tool is for **authorized security testing only**. Unauthorized use may violate laws and regulations. The author and contributors are not responsible for misuse. Always obtain explicit permission before testing any system.

## Features

- **AMSI Bypass**: Patches `NdrClientCall3` in `rpcrt4.dll` to disable AMSI scanning.
- **Memory Manipulation**: Uses `VirtualAlloc`, `VirtualProtect`, and `FlushInstructionCache` for runtime memory modifications.
- **Trampoline Hook**: Redirects function execution to a custom trampoline (`mov eax, 0; ret`).
- **Reflective Assembly**: Designed to run as a reflective assembly for in-memory execution.

## Installation

### Prerequisites

- **.NET Framework**: Version 4.7.2 or later.
- **Visual Studio or MSBuild**: For compiling the C# source code.
- **Git**: To clone the repository.
- **Windows**: Compatible with Windows 10/11.
- **Reflective Loader**: A tool like [`go-assembly-ldr`](https://github.com/heqnx/go-assembly-ldr) or Cobalt Strike to load the assembly reflectively.

### Steps

- Clone the repository:

```
PS C:\> git clone https://github.com/heqnx/SharpAMSIGhosting.git
PS C:\> cd SharpAMSIGhosting
```

- Compile the source code with Visual Studio by opening `SharpAMSIGhosting.sln`

- Alternatively, compile with MSBuild:

```
PS C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe SharpAMSIGhosting.csproj
```

### Running as a Reflective Assembly

The `SharpAMSIGhosting` code must be executed as a reflective assembly to function correctly. This typically involves:

1. Compiling the C# code into an executable or DLL.
2. Using a reflective loader (e.g., the PowerShell, MSBuild, or InstallUtil loaders from [`go-assembly-ldr`](https://github.com/heqnx/go-assembly-ldr), or `execute-assembly` in Cobalt Strike) to inject the assembly into memory.
3. Executing the `Main` or `Execute` method to perform the AMSI bypass.

## Notes

- **Reflective Execution**: The tool relies on reflective loading to avoid disk-based detection. Ensure your loader supports .NET assemblies.
- **System Requirements**: The target system must have `rpcrt4.dll`.
- **Detection Risk**: While the tool aims to evade AMSI, modern EDR solutions may detect memory manipulation or hooking behavior.
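The hook listed under Features is what the Detection Risk note refers to. As an added example that is not part of `SharpAMSIGhosting`, the following C# check reads the entry bytes of `rpcrt4!NdrClientCall3` in the calling process and reports either the inline stub or a jump out to a trampoline. The README does not state how the redirect is encoded, so the jump patterns are assumptions, and the stub bytes assume the x64 encoding of `mov eax, 0; ret` (`B8 00 00 00 00 C3`).

```csharp
using System;
using System.Runtime.InteropServices;

// Defender-side integrity check, added here; not part of SharpAMSIGhosting.
// Reads the first bytes of rpcrt4!NdrClientCall3 in this process and flags
// common inline-hook shapes. The jump patterns are assumptions: the README
// does not say how the redirect to the trampoline is encoded.
static class NdrClientCall3Check
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr GetModuleHandle(string name);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr module, string proc);

    // Returns true when the function entry looks patched; detail explains why.
    public static bool IsHooked(out string detail)
    {
        IntPtr rpcrt4 = GetModuleHandle("rpcrt4.dll");
        if (rpcrt4 == IntPtr.Zero) { detail = "rpcrt4.dll not loaded in this process"; return false; }
        IntPtr fn = GetProcAddress(rpcrt4, "NdrClientCall3");
        if (fn == IntPtr.Zero) { detail = "NdrClientCall3 export not found"; return false; }

        byte[] b = new byte[16];
        Marshal.Copy(fn, b, 0, b.Length);                 // code pages are readable
        detail = "entry bytes " + BitConverter.ToString(b, 0, 12);

        // Assumed x64 encoding of "mov eax, 0; ret" placed directly at the entry.
        if (b[0] == 0xB8 && b[1] == 0 && b[2] == 0 && b[3] == 0 && b[4] == 0 && b[5] == 0xC3)
        { detail = "inline 'mov eax,0; ret' stub; " + detail; return true; }
        if (b[0] == 0xE9)                                  // jmp rel32
        { detail = "jmp rel32 at entry (redirect to trampoline); " + detail; return true; }
        if (b[0] == 0xFF && b[1] == 0x25)                  // jmp [rip+disp32]
        { detail = "jmp [rip+disp32] at entry; " + detail; return true; }
        if (b[0] == 0x48 && b[1] == 0xB8 && b[10] == 0xFF && b[11] == 0xE0) // mov rax,imm64; jmp rax
        { detail = "mov rax,imm64; jmp rax at entry; " + detail; return true; }
        return false;
    }

    static int Main()
    {
        string detail;
        bool hooked = IsHooked(out detail);
        Console.WriteLine((hooked ? "[!] NdrClientCall3 HOOKED: " : "[+] NdrClientCall3 intact: ") + detail);
        return hooked ? 1 : 0;
    }
}
```

Run it inside the process you want to inspect (for example via `Add-Type` in the same PowerShell session), since the patch lives in that process's copy of `rpcrt4.dll`. A pattern match only catches the shapes listed; comparing the in-memory prologue against the same export in the on-disk `rpcrt4.dll` catches arbitrary byte changes.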

## Automated Releases

Check the GitHub Releases page for the latest release with attached binaries.

## License

This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for details.

## Disclaimer

`SharpAMSIGhosting` is provided "as is" without warranty. The author and contributors are not liable for any damages or legal consequences arising from its use. Use responsibly and only in authorized environments.