Patching AmsiOpenSession by forcing an error branching.

Gurpreet06/AMSI_Patcher

AMSI_Patcher

Thanks to @D1rkMtr for the technique of using the jne in amsi!AmsiOpenSession. I have used his AMSI patch code template and added other methods. This script skips entering amsi!AmsiOpenSession+0x4c via ret by writing a c3 (ret) byte directly at the beginning of amsi!AmsiOpenSession. As a result, we end up directly at amsi!AmsiCloseSession.

Methods Added

  • The script checks whether NtProtectVirtualMemory and NtAllocateVirtualMemory have been hooked by a security vendor's product.
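A defender-side check for the entry-byte patch described above, added here as an example; it is not code from the AMSI_Patcher repository and does not cover the hook check listed in this section. It reads the first bytes of amsi!AmsiOpenSession out of a target process and flags a ret at the entry, plus a few other well-known entry-byte patches. The verdict labels, the `read_remote_entry` helper and the assumption that amsi.dll maps at the same base in every process during one boot session are this example's own; the byte patterns are standard x86-64 encodings.

```python
"""Detect an in-memory patch at the entry of amsi!AmsiOpenSession.

Added example for this page, not code from the AMSI_Patcher repository.
The README describes writing a single 0xC3 (ret) byte at the start of
amsi!AmsiOpenSession; this script reads the entry bytes of that export
from a target process and classifies them.
"""
import ctypes
import sys

# Verdict strings are labels chosen for this example.
CLEAN = "clean"
RET_PATCH = "ret-at-entry"            # c3: the patch described in the README
RET_IMM_PATCH = "mov-eax-imm32-ret"   # b8 xx xx xx xx c3: well-known AmsiScanBuffer patch
XOR_RET_PATCH = "xor-eax-ret"         # 31 c0 c3 or 33 c0 c3
JMP_HOOK = "jmp-rel32-at-entry"       # e9 xx xx xx xx: inline hook, possibly a legitimate EDR hook


def classify_prologue(code: bytes) -> str:
    """Classify the first bytes of a function entry by byte pattern alone.

    No disassembly is done. An unmodified export never begins with ret,
    with a bare return-value load followed by ret, or (absent a security
    product's hook) with an unconditional jmp.
    """
    if len(code) < 6:
        raise ValueError("need at least 6 bytes from the function entry")
    if code[0] == 0xC3:
        return RET_PATCH
    if code[0] == 0xB8 and code[5] == 0xC3:
        return RET_IMM_PATCH
    if code[0] in (0x31, 0x33) and code[1] == 0xC0 and code[2] == 0xC3:
        return XOR_RET_PATCH
    if code[0] == 0xE9:
        return JMP_HOOK
    return CLEAN


def read_remote_entry(pid: int, func: str = "AmsiOpenSession", size: int = 16) -> bytes:
    """Read `size` bytes at amsi!<func> inside process `pid` (Windows only).

    Assumption: a system DLL such as amsi.dll maps at the same base in every
    process for the lifetime of a boot session, so resolving the export in
    this process yields the address to read in the target. The target must
    already have amsi.dll loaded (e.g. a powershell.exe host), otherwise the
    read fails because the page is not mapped there.
    """
    PROCESS_VM_READ = 0x0010
    PROCESS_QUERY_INFORMATION = 0x0400
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.LoadLibraryW.argtypes = (ctypes.c_wchar_p,)
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = (ctypes.c_void_p, ctypes.c_char_p)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32)
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = (ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t))
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)

    hmod = k32.LoadLibraryW("amsi.dll")
    if not hmod:
        raise ctypes.WinError(ctypes.get_last_error())
    addr = k32.GetProcAddress(hmod, func.encode("ascii"))
    if not addr:
        raise ctypes.WinError(ctypes.get_last_error())

    hproc = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, pid)
    if not hproc:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_string_buffer(size)
        nread = ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(hproc, addr, buf, size, ctypes.byref(nread)):
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        k32.CloseHandle(hproc)
    return buf.raw[:nread.value]


if __name__ == "__main__" and sys.platform == "win32":
    # Usage: python amsi_entry_check.py <pid>  (a process that has loaded amsi.dll)
    target = int(sys.argv[1])
    entry = read_remote_entry(target)
    print(f"pid {target}: amsi!AmsiOpenSession starts with {entry.hex()} -> {classify_prologue(entry)}")
```

Run it from a prompt with read access to the target process (administrator for processes of other users). A `clean` verdict only means the entry bytes are intact: a patch deeper in the function, such as the +0x4c jne mentioned above, is only caught by comparing the whole function body against the on-disk image of amsi.dll.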

Proof

[screenshot]