Replying to @_RastaMouse @_xpn_
Yeah if he finally recovered from his hangover 😄
Ha, just seen this, I'm getting too old now, need to just drink coke on a night out 🤣. Just taking a quick look at this now, what's happened, has the update broken the previous .NET 4.8 AMSI patch?
Quick way to look at what's happening, create an Assembly.Load sample in C# like you have, and run it in WinDBG. Add a breakpoint on clr!AmsiScan which is used within clr.dll to call out to AMSI. Then you can step through and see what is going on.
If we go Mimikatz patch style (finding a signature and patching), you can just patch out clr!AmsiScan, something like this for x64: gist.github.com/xpn/9453fa32…
Think this one looks good for x86 or ANY CPU, need to come up with something more robust... but my brain isn't working too well today ;) gist.github.com/xpn/5c6058cc…
This is the sign for Windows 10 18.09 Enterprise edition { 0x48,0x8b,0x35,0x52,0x61,0x42,0x00} It is a game after your instructions 😁
Awesome 👍 The aim is to find a signature that doesn't change too often between versions. Or walking from AmsiScan and finding a more reliable check that can be patched, following ptrs from .data section etc... it's a fun game tho 😄
Offset from clr.dll base address to "mov rsi, cs:?g_csDownload@@3PEAXEA" on v1903 = 0x1805FC1A7. So get the ImageBase address of clr.dll using NtQuerySystemInformation, add the offset and patch it 😜
If I make no mistakes the v1809 offset is 0x1805fcf37
Yeah minus 0x18000000 (that's the default base address of IDA), so your offset is 0x5fcf37
Got the bypass in the way suggested by @Cneelis but as we have already seen yesterday it also depends on the version.

9:46 PM · Sep 9, 2019
Awesome, so cool to see 👍
Cool, nice to see an alternative approach 👍
I like the use of ProcessModuleCollection.