Martin Fischer

Results 63 comments of Martin Fischer

Is this an issue where the `*` character causes PowerShell to malfunction once r77 is installed, or are you suggesting to hide registry value by name using wildcards (`*`)? I'm...

I can confirm that when r77 is installed, wildcard searches behave differently. When you look at ProcessMonitor, you will see that `RegOpenKey` is used when accessing a key directly. However,...

I assume you're talking about AMSI within your PowerShell process - or in general, not the AMSI bypass of the r77 startup routine? If so, then that's an interesting thought......

So, the new version **1.5.2** implements a systemwide AMSI bypass by hooking `AmsiScanBuffer` in every process, not just during the startup. Meaning, that any injected process will no longer communicate...

Yeah, the name of the pipe was simply wrong. Also, you only need to send the two bytes of `CONTROL_USER_UNNISTALL` without the other parameters, they will be ignored. Check out...

@NotCapengeR I have, too, realized, that Windows 24H2 broke RunPE, so I stumbled upon your suggestion. I tried it (with `VirtualProtectEx` before `WriteProcessMemory`), but without success, yet. I will do...

This is possibly due to AMSI. It basically means that PowerShell sends your binary to AV for analysis. Try googling "AMSI bypass". I've done an implementation in my other project...

Weird... Also tricky to debug it. Can you pinpoint what server is not working (RDP, HTTP or FTP)? A reproduction on Windows client OS would be preferable, as I...

I see where the error lies. I target .NET 4.0 in order to have the highest compatibility with PowerShell. However, since the .NET 4.0 developer package is no longer available,...

Thanks for your quick response Jonathan! For a comment, I think the end tag is not useful to the DOM. However, the code does not represent a comment: ```\r\nbar\r\n]]>``` Specifically,...