Two in one, patch lifetime powershell console, no more etw and amsi!

EvilBytecode/Lifetime-Amsi-EtwPatch

Lifetime-Amsi-EtwPatch

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface) protections.

INFO

The program modifies the PowerShell profile (Microsoft.PowerShell_profile.ps1) to apply two patches and then hides the profile file:

  1. AMSI Patch: Disables AMSI by patching the AmsiScanBuffer function with the bytes { 0x31, 0xC0, 0xC3 }.
  2. ETW Patch: Patches the EtwEventWrite function in ntdll.dll with { 0xC3 } to prevent event tracing.
  3. Sets the Hidden and System file attributes on Microsoft.PowerShell_profile.ps1.

Effect: Once applied, PowerShell sessions initiated afterward will have AMSI and ETW bypassed.
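As an added defensive example (not code from this repository), a Python check that inspects a PowerShell profile for the traits this README describes: references to the two patched exports, the quoted AmsiScanBuffer stub bytes, memory-protection calls, and the Hidden+System attribute combination. The indicator names, the verdict labels and the sample profile text are constructed for the example.

```python
import os
import re

# Win32 file attribute bits; the README says both are set on the profile.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Content indicators tied to the two patches the README names. The byte list
# is the AmsiScanBuffer stub { 0x31, 0xC0, 0xC3 } quoted in the README.
INDICATORS = {
    "amsi_export": re.compile(r"AmsiScanBuffer", re.I),
    "etw_export": re.compile(r"EtwEventWrite", re.I),
    "amsi_stub_bytes": re.compile(r"0x31\s*,\s*0xC0\s*,\s*0xC3", re.I),
    "memory_rw": re.compile(r"VirtualProtect|WriteProcessMemory|Marshal\.Copy", re.I),
    "module_resolve": re.compile(r"GetProcAddress|LoadLibrary", re.I),
}

def scan_profile_text(text):
    """Return the sorted indicator names present in a profile's contents."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def hidden_and_system(attributes):
    """True when both the Hidden and System bits are set on the file."""
    return (attributes & HIDDEN_SYSTEM) == HIDDEN_SYSTEM

def assess(text, attributes):
    """Verdict for one profile: (label, content hits, hidden+system flag)."""
    hits = scan_profile_text(text)
    flagged_attrs = hidden_and_system(attributes)
    patches_export = "amsi_export" in hits or "etw_export" in hits
    if patches_export and "memory_rw" in hits:
        return ("suspicious: profile patches AMSI/ETW exports in memory", hits, flagged_attrs)
    if flagged_attrs or hits:
        return ("review: unusual attributes or API references in profile", hits, flagged_attrs)
    return ("clean", hits, flagged_attrs)

def scan_profile_path(path):
    """Scan a real profile on disk; st_file_attributes is Windows-only (0 elsewhere)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return assess(text, getattr(os.stat(path), "st_file_attributes", 0))

# Constructed indicator text, not a working profile: it only carries the tokens a
# patched profile would contain, so the check can be exercised offline.
SAMPLE_PROFILE = ("# AmsiScanBuffer EtwEventWrite GetProcAddress LoadLibrary "
                  "VirtualProtect 0x31, 0xC0, 0xC3")
```

On a Windows host, `scan_profile_path` can be pointed at each PowerShell profile location (per-user and all-users, Windows PowerShell and PowerShell 7) to flag profiles that match.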

  • Made by codepulze aka evilbytecode.

Detections:

VirusTotal report: https://www.virustotal.com/gui/file/e1f4539b28df895d02f361143d04f025e36668a9373985ef27b324431f68a0f5