zeromemoryex / amsi-killer
Lifetime AMSI bypass
Hello! I've been testing your project.
I've been able to replace the specific PID target (e.g., powershell.exe) with:
tpid = GetCurrentProcessId();
so that I can use it in Nettitude's RunPE: https://github.com/nettitude/RunPE/
I've been trying to add command line arguments so that I can target a specific PID, a specific process name (e.g., powershell.exe) or, if no arguments are passed, just use its own ProcessID.
I'm having issues with GetPID function and passing in command line arguments. For RunPE, the program needs to use CommandLineToArgvW
Detailed Here: nettitude/RunPE#11
I've been trying to get GetPID to accept an argument as LPWSTR instead of LPCSTR, but I have been unsuccessful. Even trying to pass a PID directly doesn't seem to work.
Sample code below:
#include <windows.h>
#include <shellapi.h>   // CommandLineToArgvW
#include <atlconv.h>    // USES_CONVERSION / W2A (ATL string conversion macros)
#include <cstdio>
#include <string>

// GetPID is defined elsewhere in the project; the narrow-string signature is
// assumed from how it is called below (W2A yields a char*).
DWORD GetPID(LPCSTR procName);

int
wmain() {
    int nArgs = 0;
    LPWSTR* szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs);
    if (szArglist == NULL) {
        printf("CommandLineToArgvW failed. Exiting.");
        return -1;
    }
    BYTE pattern[] = { 0x48,'?','?', 0x74,'?',0x48,'?' ,'?' ,0x74,'?' ,0x48,'?' ,'?' ,'?' ,'?',0x74,0x33 };
    DWORD patternSize = sizeof(pattern);
    DWORD tpid = 0;
    // Each option needs a value in szArglist[2]; check nArgs before reading it.
    if (nArgs > 2 && wcscmp(L"-i", szArglist[1]) == 0) {
        // -i <pid>: std::stoi has a std::wstring overload, so a wide argument is fine
        tpid = std::stoi(szArglist[2]);
    }
    else if (nArgs > 2 && wcscmp(L"-n", szArglist[1]) == 0) {
        // -n <name>: GetPID takes a narrow string, so convert the wide argument
        USES_CONVERSION;
        tpid = GetPID(W2A(szArglist[2]));
    }
    else if (nArgs == 1) {
        // no arguments: fall back to our own process ID
        tpid = GetCurrentProcessId();
    }
    LocalFree(szArglist);   // CommandLineToArgvW allocates the array with LocalAlloc
    if (!tpid) {
        printf("Did not get a handle to the process. Exiting.");
        return -1;
    }
    printf("PID: %lu\n", tpid);   // DWORD is unsigned long, so %lu rather than %d
    // (excerpt ends here; the rest of the routine is unchanged from the project)
When I try to run amsi-killer there is no output and no help menu, and when I passed an exe as an argument there was still no output and no changes to the passed exe.
It would be really helpful if you could explain how to use it.
Thanks for sharing. Actually, I get this error compiling the code:
Build started...
1>------ Build started: Project: Amsi-Killer, Configuration: Release x64 ------
1>Source.cpp
1>C:\temp\Amsi-Killer\Amsi-Killer\Source.cpp(33,10): error C2664: 'int _stricmp(const char *,const char *)': cannot convert argument 1 from 'WCHAR [260]' to 'const char *'
1>C:\temp\Amsi-Killer\Amsi-Killer\Source.cpp(33,21): message : Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or parenthesized function-style cast
1>C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\ucrt\string.h(189,22): message : see declaration of '_stricmp'
1>C:\temp\Amsi-Killer\Amsi-Killer\Source.cpp(33,10): message : while trying to match the argument list '(WCHAR [260], LPCSTR)'
1>Done building project "Amsi-Killer.vcxproj" -- FAILED.
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========
Using Windows 10 version 21H2 (build 19044.2604)
Microsoft Visual Studio Community 2022
Version 17.5.0
VisualStudio.17.Release/17.5.0+33414.496
Microsoft .NET Framework
Version 4.8.09037
Installed Version: Community
Visual C++ 2022 00482-90000-00000-AA885
Microsoft Visual C++ 2022
ASP.NET and Web Tools 17.5.317.37931
ASP.NET and Web Tools
Azure App Service Tools v3.0.0 17.5.317.37931
Azure App Service Tools v3.0.0
C# Tools 4.5.0-6.23109.5+6a5a63bbc9f4449d9bd1e95a8f9624939c3ccdc3
C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
Cookiecutter 17.0.22336.2
Provides tools for finding, instantiating and customizing templates in cookiecutter format.
Microsoft JVM Debugger 1.0
Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines
Node.js Tools 1.5.50105.3 Commit Hash:882de61a7c99ae988d4c62029301292a3e0b1d56
Adds support for developing and debugging Node.js apps in Visual Studio
NuGet Package Manager 6.5.0
NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/
Python - Profiling support 17.0.22336.2
Profiling support for Python projects.
Python with Pylance 17.0.22336.2
Provides IntelliSense, projects, templates, debugging, interactive windows, and other support for Python developers.
Test Adapter for Boost.Test 1.0
Enables Visual Studio's testing tools with unit tests written for Boost.Test. The use terms and Third Party Notices are available in the extension installation directory.
Test Adapter for Google Test 1.0
Enables Visual Studio's testing tools with unit tests written for Google Test. The use terms and Third Party Notices are available in the extension installation directory.
TypeScript Tools 17.0.20105.2003
TypeScript Tools for Microsoft Visual Studio
Visual Basic Tools 4.5.0-6.23109.5+6a5a63bbc9f4449d9bd1e95a8f9624939c3ccdc3
Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
Visual F# Tools 17.5.0-beta.23053.5+794b7c259d9646a7eb685dad865aa27da7940a21
Microsoft Visual F# Tools
Visual Studio IntelliCode 2.2
AI-assisted development for Visual Studio.