Ha, just seen this. I'm getting too old now, need to just drink coke on a night out. Just taking a quick look at this now, what's happened, has the update broken the previous .NET 4.8 AMSI patch?
Quick way to look at what's happening, create an Assembly.Load sample in C# like you have, and run it in WinDBG. Add a breakpoint on clr!AmsiScan which is used within clr.dll to call out to AMSI. Then you can step through and see what is going on.
If we go Mimikatz patch style (finding a signature and patching), you can just patch out clr!AmsiScan, something like this for x64: gist.github.com/xpn/9453fa32…
Think this one looks good for x86 or ANY CPU, need to come up with something more robust... but my brain isn't working too well today ;) gist.github.com/xpn/5c6058cc…
This is the signature for Windows 10 18.09 Enterprise edition:
{ 0x48,0x8b,0x35,0x52,0x61,0x42,0x00}
It is a game after your instructions.
Awesome. The aim is to find a signature that doesn't change too often between versions. Or walking from AmsiScan and finding a more reliable check that can be patched, following ptrs from .data section etc... it's a fun game tho.
Offset from clr.dll base address to "mov rsi, cs:?g_csDownload@@3PEAXEA" on v1903 = 0x1805FC1A7.
So get the ImageBase address of clr.dll using NtQuerySystemInformation, add the offset and patch it.
Got the bypass in the way suggested by @Cneelis but as we have already seen yesterday it also depends on the version.
9:46 PM · Sep 9, 2019