A tool which bypasses AMSI (AntiMalware Scan Interface) and PowerShell CLM (Constrained Language Mode) and gives you a FullLanguage PowerShell reverse shell. Feel free to modiy and DM if you find some bugs :)
Usage:
First, Download the bypass.csproj file into the victim machine (Find writeable folder such as C:\Windows\Tasks or C:\Windows\Temp). After that just execute it with msbuild.exe.
Example: C:\windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe .\FullBypass.csproj
After that the code will do 2 things.
- Firstly code will bypass AMSI using memory hijacking method and will rewrite some instructions in AmsiScanBuffer fuction. With xor instruction the size argument will be 0 and AMSI cannot detect future scripts and command in powershell.
- Finally it will ask you your attacker IP and port to give you a powershell FullLanguage Mode reverse shell.
As you can see we catch powershell FullLanguageMode reverse shell.