Skip to content

EvilBytecode/Lifetime-Amsi-EtwPatch

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
LICENSE
LICENSE
 
 
Patcher.go
Patcher.go
 
 
README.md
README.md
 
 

Repository files navigation

Lifetime-Amsi-EtwPatch

Telegram:

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface) protections.

INFO

The program modifies the PowerShell profile (Microsoft.PowerShell_profile.ps1) to apply two patches:

  1. AMSI Patch: Disables AMSI by modifying the AmsiScanBuffer function, { 0x31, 0xC0, 0xC3 }.
  2. ETW Patch: Modifies the EtwEventWrite function in ntdll.dll to prevent event tracing, { 0xC3 }.
  3. Sets File attributes to Hidden and System to : Microsoft.PowerShell_profile.ps1.

Effect: Once applied, PowerShell sessions initiated afterward will have AMSI and ETW bypassed.

  • Made by codepulze aka evilbytecode.

Detections:

image https://www.virustotal.com/gui/file/e1f4539b28df895d02f361143d04f025e36668a9373985ef27b324431f68a0f5

License

This project is licensed under the MIT License. See the LICENSE file for details.

About

Two in one, patch lifetime powershell console, no more etw and amsi!

Topics

pentesting etw fud red-teaming amsi amsi-bypass amsi-evasion etw-evasion amsi-patch etw-bypass

Resources

Readme

License

View license
Activity

Stars

98 stars

Watchers

2 watching

Forks

22 forks
Report repository

Releases 1

BUILT VERSION Latest
Jun 22, 2024

Packages

No packages published

Languages