An all-in-one BOF to patch, check and revert AMSI and ETW for x64 process. Wrote this to avoid redundant AMSI / ETW patch.
Currently, it only checks the first 10+ bytes of AmsiScanBuffer and EtwEventWrite, since most of public available patch bytes are doing on first few lines. If thats not enough, additional bytes / function to compare can be added easily to the source code.
If you are not using the AMSI/ETW patch from this BOF and want to revert, you could refresh the whole AMSI and NTDLL as an alternative.
If there is no amsi.dll in current process, this bof will not load it to the process.
Update on 18 Aug 2022
- Added a new version doing indirect syscalls for NtApi
Update on 30 Sep 2022
- Added callback unhook on syscall version
Load patchit.cna
Check if AMSI & ETW are patched:
beacon> patchit check
Patch both AMSI and ETW:
beacon> patchit all
Patch AMSI:
beacon> patchit amsi
Patch ETW:
beacon> patchit etw
Revert both AMSI and ETW:
beacon> patchit revertAll
Revert AMSI:
beacon> patchit revertAmsi
Revert ETW:
beacon> patchit revertEtw
Run patchit check when amsi.dll is not loaded:
make
- https://download.cobaltstrike.com/aggressor-script/index.html
- https://blog.xpnsec.com/hiding-your-dotnet-etw/
- https://rastamouse.me/memory-patching-amsi-bypass/
- https://github.com/Cobalt-Strike/unhook-bof (Big thanks to @s4ntiago_p on demonstrating how to do indirect syscalls in BOF)