
Is this working?

Open jsdhasfedssad opened this issue 2 years ago • 4 comments

This does not seem to work for me. Alternatively, I am doing something wrong.

[screenshot: amsi1]

jsdhasfedssad avatar Mar 01 '23 14:03 jsdhasfedssad

My pattern is different than what was coded, so it is not working for me:

amsi!AmsiOpenSession:
00007ffd`a7df37e0 4885d2          test    rdx,rdx
00007ffd`a7df37e3 7447            je      amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
00007ffd`a7df37e5 4885c9          test    rcx,rcx
00007ffd`a7df37e8 7442            je      amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
00007ffd`a7df37ea 8139414d5349    cmp     dword ptr [rcx],49534D41h
00007ffd`a7df37f0 753a            jne     amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)
00007ffd`a7df37f2 4883790800      cmp     qword ptr [rcx+8],0
00007ffd`a7df37f7 7433            je      amsi!AmsiOpenSession+0x4c (00007ffd`a7df382c)

Updating the BYTE pattern[] to the following fixed the issue for me:

BYTE pattern[] = { 0x48, '?', '?', 0x74, '?', 0x48, '?', '?', 0x74, '?' };

xenoantic avatar Mar 01 '23 14:03 xenoantic
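As an added example (not code from the Amsi-Killer project or from either commenter), the wildcard match behind the pattern above, written from the defender's side: an integrity check that verifies captured AmsiOpenSession prologue bytes still have the expected instruction shape, so in-place patching of the function is flagged. The clean byte string is constructed from the WinDbg listing in the comment; the tampered copy and the `None` wildcard convention are assumptions of this example.

```python
from typing import Optional, Sequence

# Constructed sample: the instruction bytes from the WinDbg listing above
# (test rdx,rdx / je / test rcx,rcx / je / cmp dword ptr [rcx],'AMSI' / jne /
# cmp qword ptr [rcx+8],0 / je).
CLEAN_PROLOGUE = bytes.fromhex(
    "4885d2" "7447" "4885c9" "7442" "8139414d5349" "753a" "4883790800" "7433"
)

# Same pattern as in the comment, with None as the wildcard instead of '?'.
# Note: in the C version '?' is the byte 0x3F, so a literal 0x3F in the
# scanned bytes would be indistinguishable from the wildcard.
PATTERN: Sequence[Optional[int]] = (
    0x48, None, None, 0x74, None, 0x48, None, None, 0x74, None,
)


def find_pattern(blob: bytes, pattern: Sequence[Optional[int]]) -> int:
    """Return the offset of the first wildcard match of pattern in blob, or -1."""
    n = len(pattern)
    for off in range(len(blob) - n + 1):
        if all(p is None or blob[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


def prologue_intact(captured: bytes) -> bool:
    """True if the captured function bytes start with the expected prologue."""
    return find_pattern(captured, PATTERN) == 0


def tampered_copy() -> bytes:
    """Constructed sample: the first instruction overwritten with NOP bytes."""
    return b"\x90\x90\x90" + CLEAN_PROLOGUE[3:]


if __name__ == "__main__":
    print("clean prologue intact:", prologue_intact(CLEAN_PROLOGUE))
    print("tampered prologue intact:", prologue_intact(tampered_copy()))
```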

Hello @jsdhasfedssad , yes, it's working perfectly. The problem in your case is that there is another PowerShell program running in the background. Please go to the task manager, terminate any open PowerShell programs, and then try again. This will solve your issue.

ZeroMemoryEx avatar Mar 01 '23 16:03 ZeroMemoryEx

If the problem is solved, let me know so I can close the issue ticket @jsdhasfedssad.

ZeroMemoryEx avatar Mar 01 '23 16:03 ZeroMemoryEx

I've run this on 2 separate Windows machines and have the same issue. Your search pattern does not match the memory location in my amsi!AmsiOpenSession.

xenoantic avatar Mar 01 '23 17:03 xenoantic

Hello @xenoantic, please go to the task manager, terminate any open PowerShell programs, and then try again.

ZeroMemoryEx avatar Mar 01 '23 18:03 ZeroMemoryEx

It seems that I should add functionality to close any open PowerShell in the background or spawn a patched one!

ZeroMemoryEx avatar Mar 01 '23 18:03 ZeroMemoryEx

I do not have any other PowerShell sessions open except the one I'm attached to in WinDbg, which needs to be open in order to access AmsiOpenSession. It seems your code does not account for all versions: my 8139414d5349 cmp instruction is different than the one in your screenshots, and thus your pattern does not match mine. I've given you a solution above, implemented it, and have a working program:

[screenshot]

xenoantic avatar Mar 01 '23 18:03 xenoantic

@xenoantic thank you for mentioning it, can you tell me what Windows version you have?

ZeroMemoryEx avatar Mar 01 '23 20:03 ZeroMemoryEx

Problem solved.

ZeroMemoryEx avatar Mar 02 '23 10:03 ZeroMemoryEx

Closing other PowerShell sessions does not help. This is executed on Server 2019.

jsdhasfedssad avatar Mar 02 '23 15:03 jsdhasfedssad

Hello @jsdhasfedssad, the search pattern has been updated to work in all Windows versions, please try again with the updated version of the program.

ZeroMemoryEx avatar Mar 03 '23 13:03 ZeroMemoryEx

[screenshot]

ZeroMemoryEx avatar Mar 03 '23 17:03 ZeroMemoryEx

Tested on Windows Server 2022.

ZeroMemoryEx avatar Mar 03 '23 17:03 ZeroMemoryEx