

Add files via upload
RythmStick authored Jun 12, 2020
1 parent 110fd2d commit d87fb45
Showing 2 changed files with 109 additions and 71 deletions.
27 changes: 23 additions & 4 deletions AMSITrigger/Program.cs
Expand Up @@ -15,14 +15,20 @@ namespace AmsiTrigger

public static class Globals
{
public static int minSignatureLength = 6; // Playing with these can result in quicker execution time and less AMSIScanBuffer calls.
public static int maxSignatureLength = 2048; // It can also reduce the accuracy of trigger identification


public static int format = 1;
public static int max = 0;
public static Boolean help = false;
public static Boolean debug = false;
public static string inScript;
public static IntPtr amsiContext;
public static string inURL;
public static int lineNumber = 1;
public static int sampleIndex = 0;
public static int sampleIndex = 0;
public static int amsiCalls = 0;
}


Expand All @@ -43,7 +49,10 @@ static void Main(string[] args)
{

string infile = string.Empty;



var watch = System.Diagnostics.Stopwatch.StartNew();


if (!validParameters(args))
{
Expand All @@ -58,7 +67,16 @@ static void Main(string[] args)
Triggers.FindTriggers();

AmsiUninitialize(amsiContext);


watch.Stop();

if (debug)
{
Console.ForegroundColor = System.ConsoleColor.Gray;
Console.WriteLine($"\n\r\n\rAmsiScanBuffer Calls: {amsiCalls}");
Console.WriteLine($"Total Execution Time: {watch.Elapsed.TotalSeconds} s");
}

}


Expand All @@ -71,6 +89,7 @@ public static Boolean validParameters(string[] args)
{"i|inputfile=", "Powershell filename or", o => inScript = o},
{"u|url=", "URL eg. https://10.1.1.1/Invoke-NinjaCopy.ps1", o => inURL = o},
{"f|format=", "Output Format:"+"\n1 - Only show Triggers\n2 - Show Triggers with line numbers\n3 - Show Triggers inline with code\n4 - Show AMSI calls (xmas tree mode)", (int o) => format = o},
{"d|debug","Show debug info", o => debug = true},
{"h|?|help","Show Help", o => help = true},
};

Expand Down Expand Up @@ -133,7 +152,7 @@ public static void showHelp(OptionSet p)
Console.WriteLine(@" |___/ |___/ v2");
Console.WriteLine("@_RythmStick\n\n\n");


Console.WriteLine("Show triggers in Powershell file or URL.\nUsage:");
p.WriteOptionDescriptions(Console.Out);
}
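Review bot: The new debug summary in Main (the `if (debug)` block after `watch.Stop()`) sets `Console.ForegroundColor` to Gray and never restores it, so the terminal keeps that colour after the process exits; add `Console.ResetColor();` as the last statement before Main returns, outside the `if`, so the non-debug path is covered as well since other code in this tool also changes colours. The new `Globals` fields `debug` and `amsiCalls` carry no comment while the neighbouring `minSignatureLength`/`maxSignatureLength` do; I would put `// Incremented in scanBuffer (Triggers.cs) on every AmsiScanBuffer call; reported when -d/--debug is set` on `amsiCalls`. A point of style: the new field uses `Boolean` to match its neighbours, but the keyword `bool` is the conventional spelling, and `System.Diagnostics.Stopwatch.StartNew()` could be shortened with a `using System.Diagnostics;` directive. Main's body starts and ends outside the hunks shown here.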
153 changes: 86 additions & 67 deletions AMSITrigger/Triggers.cs
Expand Up @@ -26,15 +26,14 @@ private enum AMSI_RESULT

private static byte[] bigSample;
private static byte[] chunkSample;
private static int chunkSize = 1024;

private static int chunkSize = 4096;
private static int triggerStart = 0;
private static int triggerEnd;
private static int startIndex = 0;
public static void FindTriggers()
{
int triggerStart;
int triggerEnd;
AMSI_RESULT result;



if (!protectionEnabled(amsiContext))
{
return;
Expand All @@ -53,8 +52,6 @@ public static void FindTriggers()
client.Proxy = WebRequest.GetSystemWebProxy();
client.Proxy.Credentials = CredentialCache.DefaultCredentials;
bigSample = client.DownloadData(inURL);


}
catch (Exception e)
{
Expand All @@ -74,72 +71,95 @@ public static void FindTriggers()



while (sampleIndex < bigSample.Length)
while (startIndex + chunkSize < bigSample.Length)
{
if (sampleIndex + chunkSize > bigSample.Length)
{
chunkSize = bigSample.Length - sampleIndex;
}
chunkSample = new byte[chunkSize];
Array.Copy(bigSample, sampleIndex, chunkSample, 0, chunkSize);

sampleIndex += chunkSize;
result = scanBuffer(chunkSample, amsiContext);
Array.Copy(bigSample, startIndex, chunkSample, 0, chunkSize);
processChunk(chunkSample);
}


while (startIndex < bigSample.Length)
{
chunkSample = new byte[bigSample.Length - startIndex];
Array.Copy(bigSample, startIndex, chunkSample, 0, chunkSample.Length);
processChunk(chunkSample);
}
}



if (result != AMSI_RESULT.AMSI_RESULT_DETECTED) // Chunk is clean
{
showText(chunkSample, 0, chunkSize/2, false);
sampleIndex -= chunkSize/2;

}
else // This line contains trigger(s), scrutinize it to find individual triggers
{

triggerEnd = findTriggerEnd(chunkSample);

if (triggerEnd > 0)
{
private static void processChunk(byte[] chunkSample )
{
AMSI_RESULT result;

triggerStart=findTriggerStart(chunkSample, triggerEnd);
showText(chunkSample, 0, triggerStart, false);
showText(chunkSample, triggerStart, triggerEnd-triggerStart, true);
sampleIndex += triggerEnd - chunkSize;
}

}
result = scanBuffer(chunkSample, amsiContext);


if (result != AMSI_RESULT.AMSI_RESULT_DETECTED)
{
if (chunkSample.Length > maxSignatureLength)
{
showText(chunkSample, 0, chunkSize - maxSignatureLength, false);
startIndex += chunkSize - maxSignatureLength;
} else
{
showText(chunkSample, 0, chunkSample.Length, false);
startIndex+=chunkSample.Length;
}

return;
}
triggerEnd = findTriggerEnd(chunkSample) + 1;
triggerStart = findTriggerStart(chunkSample, triggerEnd);

showText(chunkSample, 0, triggerStart, false);
showText(chunkSample, triggerStart, triggerEnd-triggerStart, true);
startIndex += triggerEnd;
return;

}




private static int findTriggerEnd(byte[] smallSample)
private static int findTriggerEnd(byte[] smallSample)
{

AMSI_RESULT result;
byte[] tmpSample;
int lastBytes;

for (int sampleIndex = 2; sampleIndex < smallSample.Length; sampleIndex++)
for (int sampleIndex = 2; sampleIndex < smallSample.Length + minSignatureLength; sampleIndex += minSignatureLength)
{

if (sampleIndex> smallSample.Length) {
sampleIndex = smallSample.Length;
}
tmpSample = new byte[sampleIndex];
Array.Copy(chunkSample, 0, tmpSample, 0, sampleIndex);
string ssstring = Encoding.Default.GetString(tmpSample);
result = scanBuffer(tmpSample, amsiContext);




if (result == AMSI_RESULT.AMSI_RESULT_DETECTED)
{
return sampleIndex;

for (lastBytes = 0; lastBytes < minSignatureLength; lastBytes++)
{

tmpSample = new byte[sampleIndex - lastBytes];
Array.Copy(chunkSample, 0, tmpSample, 0, sampleIndex - lastBytes);
ssstring = Encoding.Default.GetString(tmpSample);
result = scanBuffer(tmpSample, amsiContext);
if (result != AMSI_RESULT.AMSI_RESULT_DETECTED)
{
return sampleIndex - lastBytes;
}
}
return sampleIndex - lastBytes;
}

}

return 0;
}

Expand All @@ -148,7 +168,6 @@ private static int findTriggerEnd(byte[] smallSample)




private static int findTriggerStart(byte[] smallSample,int triggerEnd)
{
AMSI_RESULT result;
Expand All @@ -164,25 +183,23 @@ private static int findTriggerStart(byte[] smallSample,int triggerEnd)

if (result == AMSI_RESULT.AMSI_RESULT_DETECTED)
{

return sampleIndex;
}

}

return 0;
}








private static void showText(byte[] output, int start, int length, Boolean highLight)
{

byte[] tmpSample = new byte[length];
Array.Copy(output, start, tmpSample, 0, length);


switch (format)
{

Expand All @@ -191,17 +208,14 @@ private static void showText(byte[] output, int start, int length, Boolean highL
if (highLight)
{
Console.ForegroundColor = System.ConsoleColor.Gray;
Console.WriteLine(Encoding.Default.GetString(tmpSample));
}
Console.WriteLine("[+] \"" + Encoding.Default.GetString(tmpSample) + "\"");
}
break;
case 2:
if (highLight)
{
byte[] tmp2Sample = new byte[sampleIndex + start + length - chunkSize];
Array.Copy(bigSample, 0, tmp2Sample, 0, sampleIndex - chunkSize + length + start);
lineNumber = returnsInSample(tmp2Sample) + 1;
Console.ForegroundColor = System.ConsoleColor.Gray;
Console.WriteLine("(" + lineNumber + ")\t\"" + Encoding.Default.GetString(tmpSample) + "\"");
Console.WriteLine("[" + lineNumber + "]\t\"" + Encoding.Default.GetString(tmpSample) + "\"");
}
break;

Expand All @@ -210,28 +224,31 @@ private static void showText(byte[] output, int start, int length, Boolean highL
{
Console.ForegroundColor = System.ConsoleColor.Red;
Console.Write(Encoding.Default.GetString(tmpSample));
}
}
else
{
Console.ForegroundColor = System.ConsoleColor.Gray;
Console.Write(Encoding.Default.GetString(tmpSample));
}
break;
}
break;

case 4:
Console.ForegroundColor = System.ConsoleColor.Gray;
Console.WriteLine(Encoding.Default.GetString(tmpSample));
break;

}

if (format == 2) { lineNumber += returnsInSample(tmpSample, length);}

}

private static int returnsInSample(byte[] sample)


private static int returnsInSample(byte[] sample,int numBytes)
{

return new Regex(@"\n").Matches(Encoding.Default.GetString(sample)).Count;
return new Regex(@"\n").Matches(Encoding.Default.GetString(sample).Substring(0,numBytes)).Count;



Expand All @@ -249,6 +266,8 @@ private static AMSI_RESULT scanBuffer(byte[] sample, IntPtr amsiContext)


returnValue = AmsiScanBuffer(amsiContext, sample, (uint)sample.Length, "Sample", IntPtr.Zero, out result);
amsiCalls++;

return result;
}

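Review bot: In the clean-chunk branch of the new `processChunk`, the amount displayed and consumed is derived from the static `chunkSize` (`showText(chunkSample, 0, chunkSize - maxSignatureLength, false)` and `startIndex += chunkSize - maxSignatureLength`) although the guard tests `chunkSample.Length`; the tail buffer built by the second `while` loop in FindTriggers is shorter than `chunkSize`, so with a smaller `maxSignatureLength` than the current 2048 (which the Program.cs comment invites tuning) a tail longer than `maxSignatureLength` would ask showText to copy more bytes than the buffer holds and its `Array.Copy` would throw. With the shipped constants `chunkSize - maxSignatureLength` equals `maxSignatureLength`, which any buffer passing the guard already exceeds, so the problem is latent rather than visible now. Use the buffer's own length in both places: `showText(chunkSample, 0, chunkSample.Length - maxSignatureLength, false);` and `startIndex += chunkSample.Length - maxSignatureLength;`. Separately, the new `returnsInSample(byte[] sample, int numBytes)` calls `.Substring(0, numBytes)` on the decoded string, but showText already hands it a buffer of exactly `length` bytes, so the substring is redundant, and if `Encoding.Default` resolves to a multi-byte encoding on the running platform the decoded string can be shorter than `numBytes` and the call throws; counting newlines over the whole decoded string, as the old one-parameter version did, is the safer form.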
