✅ This repository has been updated to enhance functionality. The following improvements were added:
- Automatic elevation to Administrator (UAC prompt).
- Passive monitoring of
powershell.exeprocesses. - Automatic patching of
amsi.dllif detected loaded in memory. - Signature-based memory patching using known AMSI bypass patterns.
- Continuous scanning with deduplication of previously patched targets.
Monitor processes in the system and check if amsi.dll is loaded in the process powershell.exe. If it is detected that amsi.dll is loaded, call the second script (amsi.py) to apply the patch.
Main functions:
The use of these scripts is intended for educational purposes and security research. Misuse in environments without proper authorization may violate laws or regulations.
https://github.com/ZeroMemoryEx
https://github.com/S1lkys/SharpKiller
| 48:85D2 | test rdx, rdx |
| 74 3F | je amsi.7FFAE957C694 |
| 48:85C9 | test rcx, rcx |
| 74 3A | je amsi.7FFAE957C694 |
| 48:8379 08 00 | cmp qword ptr ds : [rcx + 8] , 0 |
| 74 33 | je amsi.7FFAE957C694 |
- the search pattern will be like this:
{ 0x48,'?','?', 0x74,'?',0x48,'?','?',0x74,'?',0x48,'?','?','?','?',0x74,0x33 }
Feel free to submit issues or pull requests to improve the functionality and error handling in these scripts.