A Nim-based tool that patches PowerShell profiles to persistently disable AMSI and ETW protections for stealthy PowerShell sessions.
The patched profile loads a C# assembly into memory at the start of every PowerShell session that runs the profile, and that assembly patches AMSI and ETW inside the PowerShell process.
The tool bypasses two Windows security features, AMSI (the Antimalware Scan Interface, which hands script content to the installed antimalware engine before it runs) and ETW (Event Tracing for Windows, the provider PowerShell's operational logging, including script block logging, is built on), by persisting the bypass in a PowerShell profile so that attackers or red teamers can run scripts in those sessions without AMSI scanning or ETW-based logging. It is intended for security researchers, penetration testers and red team operators who need to evade endpoint detection during authorized assessments. Two caveats: the bypass only applies to sessions that actually load the patched profile (a session started with -NoProfile is not patched), and it does nothing about telemetry that does not flow through AMSI or the PowerShell ETW provider, such as EDR kernel callbacks, Sysmon or network monitoring.
Use this tool only on systems you own or have explicit written permission to test: it disables critical security controls and can facilitate malicious activity. Run the removal commands from an elevated (administrator) prompt to fully revert the changes. The tool is designed for educational and red team use and carries inherent risk if misused.
Compile the Nim program (a Nim compiler is needed to build from source) and run the resulting binary on the target to apply the patch
The program writes the patched Microsoft.PowerShell_profile.ps1 file automatically; the bypass takes effect in the next PowerShell session that loads that profile, not in sessions already running
No additional dependencies or installations are specified
To remove the AMSI and ETW patch, delete the patched PowerShell profile file with the PowerShell command below. Run it from a fresh session (for example one started with -NoProfile), since a session that already loaded the profile has already been patched, and note that it only covers the per-user Windows PowerShell 5.1 profile path.
$file = "$env:userprofile\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"; if (Test-Path $file) { Remove-Item $file -Force }
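The removal command above deletes exactly one file, the per-user Windows PowerShell profile. PowerShell evaluates four profile paths per host, and a defender cleaning up after an assessment (or an operator verifying the revert) wants to see all of them. The following audit and removal helper is an added example written for this page, not part of the tool: it walks every profile path the current host evaluates plus the fixed path the tool is documented to write, hashes each existing file, flags strings that commonly appear when a profile loads an assembly in memory and patches AMSI or ETW, and backs a file up before deleting it. The indicator list, the backup directory and the function names are assumptions for illustration, not the tool's own strings.

```powershell
# Added audit/removal helper; this is not the tool's code. It assumes a Windows host
# running Windows PowerShell 5.1 or PowerShell 7, and that the indicator strings below
# are reasonable markers for a profile that loads an assembly in memory (assumption).

# Every profile path this host evaluates at startup, plus the fixed per-user path the
# tool is documented to write. Under powershell.exe that fixed path normally equals
# $PROFILE.CurrentUserCurrentHost; under pwsh.exe, or when Documents is redirected
# (OneDrive), it does not, so it is listed explicitly.
function Get-ProfilePaths {
    @(
        $PROFILE.AllUsersAllHosts
        $PROFILE.AllUsersCurrentHost
        $PROFILE.CurrentUserAllHosts
        $PROFILE.CurrentUserCurrentHost
        "$env:USERPROFILE\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"
    ) | Select-Object -Unique
}

# Assumed indicators of in-memory assembly loading and AMSI/ETW patching, not the
# tool's exact strings. A hit is a reason to read the file, not proof on its own.
$Indicators = @(
    'Reflection.Assembly', 'FromBase64String', 'AmsiScanBuffer', 'amsi.dll',
    'EtwEventWrite', 'VirtualProtect', 'WriteProcessMemory', 'ntdll'
)

# One record per profile that exists: last write time, SHA-256 and matched indicators.
function Get-ProfileAudit {
    foreach ($p in Get-ProfilePaths) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        $text = Get-Content -LiteralPath $p -Raw
        $hits = $Indicators | Where-Object { $text -match [regex]::Escape($_) }
        [pscustomobject]@{
            Path          = $p
            LastWriteTime = (Get-Item -LiteralPath $p).LastWriteTime
            SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Indicators    = ($hits -join ', ')
        }
    }
}

# Back the file up before deleting it, so the patched profile survives as evidence.
# The AllUsers paths live under $PSHOME and need an elevated prompt to remove.
function Remove-PatchedProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$BackupDir = (Join-Path $env:TEMP 'profile-backup')   # assumed location
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir ("{0}.{1}.bak" -f (Split-Path $Path -Leaf), $stamp)
    if ($PSCmdlet.ShouldProcess($Path, "back up to $backup and delete")) {
        Copy-Item -LiteralPath $Path -Destination $backup -Force
        Remove-Item -LiteralPath $Path -Force
    }
}

# Usage: show every existing profile that matched an indicator, then remove those
# files. Drop -WhatIf to actually back up and delete.
$flagged = Get-ProfileAudit | Where-Object { $_.Indicators }
$flagged | Format-Table -AutoSize
$flagged | ForEach-Object { Remove-PatchedProfile -Path $_.Path -WhatIf }
```

Run it from a fresh `powershell.exe -NoProfile`, and again from `pwsh.exe -NoProfile` if PowerShell 7 is installed, because `$PROFILE` differs per host and `-NoProfile` guarantees the auditing session itself has not executed the patched profile. The two AllUsers entries sit under `$PSHOME` and can only be removed from an elevated prompt, which is the practical reason the removal should be run as administrator.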