AMSI
Anti Malware Scan Interface
AMSI is loaded into every PowerShell process and hands content to the installed AV provider (Windows Defender by default). Exposed API:
AmsiInitialize
AmsiOpenSession
AmsiScanString
AmsiScanBuffer
AmsiCloseSession
AmsiScanBuffer checks a buffer for malicious content. A result of 32768 (AMSI_RESULT_DETECTED) in the AMSI_RESULT out-parameter means the buffer was flagged as malicious; a result of 1 (AMSI_RESULT_NOT_DETECTED) means it is clean.
Tracing AMSI with Frida
Install Frida: install Python 3, then run pip install frida-tools.
Trace AMSI (open PowerShell, then run the following):
When a PowerShell command is run, the trace shows AmsiScanBuffer being called. On startup, frida-trace generates a handler script for each traced function; these handlers can be edited to change what is logged, for example to dump the buffer passed as an argument:
Bypass: Zero out AmsiContext
AmsiContext holds a pointer to a buffer that starts with the string "AMSI"; if this string is patched out, AMSI is disabled.
This can be done by using .NET reflection to obtain the pointer to AmsiContext and then writing zeros to the buffer:
Alternatively, the "AmsiInitialize" field can be set to null using the same reflection technique (the same AV-evasion adjustments as in the previous example apply here as well):
Bypass: Patch AMSI Instructions
AMSI and JScript
In JScript all commands are handled in a single AMSI session, whereas in PowerShell each command gets its own session. Win32 APIs cannot be called from JScript, so a different approach via the Registry is needed:
Alternatively, wscript.exe can be copied or renamed to AMSI.dll so that the real AMSI library fails to load:
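Added example (not from the original notes): detection logic for the DLL-hijack variant above, run over constructed Sysmon Event ID 7 (Image loaded) records. The field names are Sysmon's real Event 7 fields; the sample values are made up, and the trusted paths assume %SystemRoot% is C:\Windows.

```python
# Flag AMSI DLL hijacking in Sysmon Event ID 7 (Image loaded) records.
import ntpath

# Where amsi.dll legitimately lives (assumption: %SystemRoot% is C:\Windows).
TRUSTED_AMSI_PATHS = {
    r"c:\windows\system32\amsi.dll",
    r"c:\windows\syswow64\amsi.dll",
}

# Constructed sample events (not real telemetry); keys follow the Sysmon Event 7 schema.
SAMPLE_EVENTS = [
    {  # benign: PowerShell loading the real amsi.dll
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ImageLoaded": r"C:\Windows\System32\amsi.dll",
        "OriginalFileName": "amsi.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {  # wscript.exe copied next to the script and renamed to AMSI.dll
        "Image": r"C:\Windows\System32\wscript.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\AMSI.dll",
        "OriginalFileName": "wscript.exe",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {  # unsigned third-party file posing as amsi.dll
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ImageLoaded": r"C:\Temp\amsi.dll",
        "OriginalFileName": "",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
]


def check_amsi_load(event):
    """Return the reasons an image-load event looks like AMSI tampering ([] = benign)."""
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "amsi.dll":
        return []  # not an AMSI load at all, ignore
    reasons = []
    if loaded.lower() not in TRUSTED_AMSI_PATHS:
        reasons.append(f"amsi.dll loaded from untrusted path {loaded}")
    if event.get("OriginalFileName", "").lower() != "amsi.dll":
        reasons.append(f"OriginalFileName {event.get('OriginalFileName')!r} is not amsi.dll")
    if (event.get("Signed", "").lower() != "true"
            or event.get("SignatureStatus") != "Valid"
            or event.get("Signature") != "Microsoft Windows"):
        reasons.append("loaded amsi.dll is not validly signed by Microsoft Windows")
    return reasons


def find_suspicious_loads(events):  # (process image, reasons) for every flagged event
    return [(e["Image"], r) for e in events if (r := check_amsi_load(e))]
```

Sysmon only emits Event 7 when its configuration contains an ImageLoad rule, so the host must be configured to log DLL loads for the script hosts (powershell.exe, wscript.exe, cscript.exe) before this check sees anything.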