This repo contains information on patching AMSI and ETW using a single-byte patch for each. The idea was to limit detection of the patch itself, since only one byte changes.
AMSI performs a lot of validation checks before reaching the critical AMSI "check" code. You can simply toggle one of the `jz` instructions into a `jnz`, or vice versa.
The red arrow in the figure above shows where the critical code is located.
Example of checks that can be toggled to avoid calling the critical code: in this case we patch the `jnz` after the `cmp dword ptr [rbx], 49534d41h`.

The patch is simply: address of AmsiScanBuffer + 0x83 = 0x74 (x64).
Instead of patching `EtwEventWrite`, simply patch the syscall stub `NtTraceEvent`, which is called by a lot of functions. As shown in the figure below, `NtTraceEvent` is used by many functions within ntdll.dll.

The patch simply forces a return when the `NtTraceEvent` function is called: NtTraceEvent = 0xc3 (x64).
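The defensive counterpart, added here as an example and not part of this repo: compare a loaded module's code bytes with the on-disk image, attribute each differing byte to the nearest export, and classify the two patterns described above (a jz/jnz inversion inside a function, or a ret written over a function entry). The section bytes and export table below are constructed inline; on a real host they would come from the mapped module and its file on disk, which is assumed and not shown.

```python
from dataclasses import dataclass
from typing import Dict, List

# Single-byte opcodes involved in the two patches described above.
JZ_REL8, JNZ_REL8, RET = 0x74, 0x75, 0xC3

@dataclass
class Finding:
    offset: int      # offset inside the .text section
    symbol: str      # nearest exported function at or before the offset
    delta: int       # offset relative to that function
    original: int
    patched: int
    kind: str        # what the byte change looks like

def classify(original: int, patched: int, delta: int) -> str:
    """Name the patch pattern; anything else is reported as an unclassified change."""
    if {original, patched} == {JZ_REL8, JNZ_REL8}:
        return "conditional jump inverted (jz<->jnz)"
    if patched == RET and delta == 0:
        return "function entry replaced with ret"
    return "unclassified byte change"

def find_patches(on_disk: bytes, in_memory: bytes, exports: Dict[str, int]) -> List[Finding]:
    """Diff on-disk vs in-memory .text bytes; attribute each change to the nearest export at or before it."""
    if len(on_disk) != len(in_memory):
        raise ValueError("section sizes differ; compare the same mapped range")
    by_offset = sorted(exports.items(), key=lambda kv: kv[1])
    findings = []
    for off, (a, b) in enumerate(zip(on_disk, in_memory)):
        if a == b:
            continue
        symbol, base = "<unknown>", 0
        for name, start in by_offset:      # ascending, so the last export <= off wins
            if start <= off:
                symbol, base = name, start
        findings.append(Finding(off, symbol, off - base, a, b, classify(a, b, off - base)))
    return findings

# Constructed sample (not real module bytes): AmsiScanBuffer exported at 0x100 with the
# byte at +0x83 flipped jnz -> jz, and NtTraceEvent at 0x200 with its first byte set to ret.
SAMPLE_EXPORTS = {"AmsiScanBuffer": 0x100, "NtTraceEvent": 0x200}
SAMPLE_DISK = bytearray(0x300)
SAMPLE_DISK[0x100 + 0x83] = JNZ_REL8
SAMPLE_DISK[0x200] = 0x4C                # first byte of a typical x64 syscall stub (mov r10, rcx)
SAMPLE_MEM = bytearray(SAMPLE_DISK)
SAMPLE_MEM[0x100 + 0x83] = JZ_REL8
SAMPLE_MEM[0x200] = RET
def sample_findings() -> List[Finding]:
    return find_patches(bytes(SAMPLE_DISK), bytes(SAMPLE_MEM), SAMPLE_EXPORTS)
```

Comparing against the on-disk file only works for code bytes; sections that are legitimately written at runtime (IAT, data) need relocation-aware handling before the same diff is meaningful.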