This write up is based upon the work of Matt Graeber @Mattifestation https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9 Tools Used IDAhttps://www.hex-rays.com/products/ida/support/download_freeware/ Windbghttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools If we load up amsi.dll in IDA or equivalent tool and start looking at AmsiScanBuffer we can see that there is a check to see if the value which is pointed to via rbx equals 49534D41h (AMSI). IfContinue reading AMSI in the HEAP x32
My previous couple of posts have all been centred around VBA, AMSI and Macros. This isn’t going to be different!. This makes for the easiest AMSI and Windows Defender bypass. Whilst reading through MSDN, which incidentally makes great bedtime reading…., I read that it was possible to use ordinal numbers with VBA when declaring functionsContinue reading Ordinal Numbers and VBA can be fun – who knew!
This is really just a variation on a theme, however I thought I’d write a quick post none the less. As previously stated the traditional way to get to AMSI function addresses was through LoadLibrary and then GetProcAddress. Microsoft blacklisted some function names to make using GetProcAddress unavailable which is why my my colleague andContinue reading Are we nearly there yet? Walking Half the PEB with VBA
My previous post covers walking the PEB using VBA within a x32 version of Microsoft Office. Upon reflection, I realised that my previous post could be more detailed so I thought I’d address the x64 version and try and cover some of the bits I left out. For anyone who wants a little more backgroundContinue reading Walking the PEB with VBA x64
A few months back I wrote a post about some work my colleague and I did about patching AMSI with VBA. Whilst AMSI bypasses aren’t new, we put a little twist on it by dynamically calculating the address in memory which needed patching, at that point, I also hadn’t seen a working example in VBA.Continue reading Walking the PEB with VBA
By Richard Davy (@rd_pentest) & Gary Nield (@Monobehaviour) As most Pentesters know, Windows Defender is installed by default on Windows 10 and all new versions of Windows Server. During an engagement this can sometimes be frustrating, when wanting to obtain access to a remote machine, especially during a Phishing engagement. There are multiple AMSI bypassesContinue reading Dynamic Microsoft Office 365 AMSI In Memory Bypass Using VBA