Uses p/invoke to copy an encoded shellcode in memory, 100 bytes (chunks) at the time, rather than all at once
ProgramPatchAmsiEtw
also patches AmsiScanBuffer
and EtwEventWrite
Yes the code is shit, but meh so what - not like I have the whole day to write good pocs
Tested with Meterpreter staged rev HTTPS payload (encode_shellcode.cs
or py version is the code I used to encode the raw one)
ProgramPatchAmsiEtw.cs against SentinelOne (used Babel .net obfuscator - free version - twice on the resulting exe)
Program.cs against Defender