Introduction
AMSI (Antimalware Scan Interface) is a core Windows interface that protects users' data, workloads and applications against malware. It is also an integration layer: applications that developers write can call into it to have content scanned, and it works together with the antimalware product installed on the system.
AMSI is integrated into Windows 10 and later versions and is used by the following components:
- User Account Control (UAC)
- PowerShell
- Windows Script Host
- JavaScript and VBScript
- Office VBA macros
How AMSI Works
AMSI is a malware scanning API that applications can integrate to protect systems against malware. It exposes Win32 API and COM interfaces for developers. Detection is signature-based: the content handed to AMSI (a URL, a function, a script, a file, etc.) is checked against the signature database of the antimalware provider behind AMSI. Content that fails the check is blocked and its execution is prevented.

AmsiScanBuffer and AmsiScanString Functions
When PowerShell or cmd is opened, or a command is run in it, amsi.dll is loaded into the process's memory. When the user runs a command line or a file, the AmsiScanBuffer and AmsiScanString functions in amsi.dll are triggered and start analysing the code. As explained in the previous section, this check is signature-based: if a malicious signature in the database matches, the operation is blocked. If the PowerShell process is examined in detail, amsi.dll can be seen running inside it.

AMSI Bypass Methods
There are multiple methods to bypass AMSI. Although some of them are blocked by system administrators, AMSI alone can be insufficient when no additional security solution is in use.
Since strings such as "AmsiUtils" and "Invoke-Mimikatz" are among the known malicious signatures, the examples below use them. Under normal conditions, AMSI blocks these commands when you try to run them in PowerShell.

OK. Starting simple, how can we get past this?
PowerShell Downgrade
First, you can check your PowerShell version with the command "$PSVersionTable".

Microsoft no longer supports PowerShell 2.0, but the 2.0 engine is still installed by default. AMSI was introduced after that engine, so the old engine never loads amsi.dll: if you downgrade the session to PowerShell 2.0, the malicious command runs without being scanned.
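A defender-side check for this technique, added here as an example and not code from the original post: it walks constructed Windows PowerShell Event ID 400 (engine started) records and flags sessions whose engine version is 2.x or whose command line asked for `-Version 2`. The flat `Id=... key=value` line layout of the sample is an assumption for the example; real exports are EVTX/XML.

```python
import re

# Constructed sample: the "Details:" fields of Windows PowerShell Event ID 400
# (engine state changed to Available) flattened to one key=value line per event.
# Real exports are XML/EVTX; the flat layout is only for this example.
SAMPLE_EVENTS = """\
Id=400 HostName=ConsoleHost HostApplication=powershell.exe EngineVersion=5.1.19041.1
Id=400 HostName=ConsoleHost HostApplication=powershell.exe -Version 2 -NoProfile EngineVersion=2.0
Id=403 HostName=ConsoleHost HostApplication=powershell.exe -Version 2 EngineVersion=2.0
Id=400 HostName=Windows PowerShell ISE Host HostApplication=powershell_ise.exe EngineVersion=5.1.19041.1
Id=400 HostName=ConsoleHost HostApplication=powershell.exe -v 2 EngineVersion=2.0
"""

# key=value pairs; a value runs until the next " key=" so command lines that
# contain spaces (HostApplication) survive the split.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# -Version 2 / -v 2 / -Version 2.0 (powershell.exe accepts parameter prefixes)
_VER2_RE = re.compile(r"-v(?:ersion)?\s+2(?:\.0)?\b", re.I)


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(_KV_RE.findall(line))


def flag_downgrades(log_text):
    """Return (HostApplication, reasons) for every engine start that looks like
    a PowerShell 2.0 downgrade. Only Id=400 (engine started) is considered;
    403 is the matching engine-stopped record and would double-count."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("Id") != "400":
            continue
        reasons = []
        if ev.get("EngineVersion", "").startswith("2."):
            reasons.append("EngineVersion 2.x started")
        if _VER2_RE.search(ev.get("HostApplication", "")):
            reasons.append("-Version 2 requested on the command line")
        if reasons:
            hits.append((ev.get("HostApplication", ""), reasons))
    return hits


if __name__ == "__main__":
    for host_app, reasons in flag_downgrades(SAMPLE_EVENTS):
        print(f"{host_app!r}: {', '.join(reasons)}")
```

The alert only matters where the 2.0 engine is still present; on Windows 10 it is an optional feature that can be removed with `Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root`, which closes the downgrade path outright.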

Base64 Encoding
Another technique is one of Matt Graeber's older bypasses. It disables scanning for the current process by setting "AmsiInitFailed". Today this technique is signatured and no longer works as written, but it can still get past the scan when base64-encoded.

Word Parse
Another available method is to split the string to be used into parts. When it is split up, amsi.dll does not detect it and the command executes successfully.

If you want to do this through a program, it is simple: the AMSITrigger tool (https://github.com/RythmStick/AMSITrigger) will help you.
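Detection logic for the two evasions above (base64 encoding and word parsing), added here as an example and not code from the post or from the tools it links: it decodes an `-EncodedCommand` argument (base64 over UTF-16LE, the form PowerShell expects) and re-joins `'Ams'+'iUtils'`-style concatenations before matching, so the signature tokens the page names line up again. The signature list and the sample command line are constructed for the example.

```python
import base64
import re

# The two signature tokens this page uses as examples; a real AMSI provider
# carries far more, this list is only for the demonstration.
SIGNATURES = ("AmsiUtils", "Invoke-Mimikatz")

# -EncodedCommand and the prefixes powershell.exe accepts for it, followed by
# the base64 blob. "-ExecutionPolicy x" does not match: no whitespace after -E.
_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Two adjacent string literals joined with '+', e.g. 'Ams'+'iUtils' or "a"+'b'
_JOIN_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def decode_encoded_command(cmdline):
    """If cmdline carries -EncodedCommand, return the decoded script
    (PowerShell expects base64 of UTF-16LE text); otherwise return cmdline."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed blob: fall back to scanning the raw line


def join_string_literals(script):
    """Collapse 'a'+'b'+'c' into 'abc' until nothing changes, so split tokens
    line up with the signature text again."""
    prev = None
    while prev != script:
        prev = script
        script = _JOIN_RE.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", script)
    return script


def matched_signatures(cmdline):
    """Signatures found after decoding and de-splitting (case-insensitive)."""
    text = join_string_literals(decode_encoded_command(cmdline)).lower()
    return [s for s in SIGNATURES if s.lower() in text]


# Constructed sample: the split token from this page inside a harmless script,
# passed the way -EncodedCommand expects. Encoded here so the example runs offline.
SAMPLE_SCRIPT = "Write-Output ('Ams' + 'iUt' + 'ils')"
SAMPLE_CMDLINE = "powershell.exe -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

if __name__ == "__main__":
    print(matched_signatures(SAMPLE_CMDLINE))  # ['AmsiUtils']
```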
AMSI Init Failed
One way to disable or bypass AMSI is to trigger the "AMSI Init Failed" error. Its effect is that AMSI initialization fails for the process, so AMSI does not scan the code that follows.
This method works best if AMSI is initially enabled and has not already been detected and evaded by malware.
Note that the known form of this bypass is itself blocked by AMSI, so it may be necessary to use different hiding variants. There is no single clear example of this; it is up to your own imagination, and of course there are many different examples on the internet.

Memory Patching With Python
Memory patching is the process of changing a target memory region of a program at runtime. For AMSI bypass, memory patching is used to disable or neutralize AMSI. The general steps are:
- Finding the target process: determine the process in which AMSI is to be disabled. This is usually the application or process the malware is targeting.
- Finding the target memory address: determine the memory addresses of the AMSI-related functions, for example the address of AMSI's "AmsiScanBuffer" function.
- Injecting code: many target processes allow dynamic linking, and this mechanism can be used to inject code into the target process's memory.
- Memory patching: target the addresses of the AMSI-related functions in the target process's memory and apply patches there. These patches may replace AMSI functions with different functions or disable them altogether.
- AMSI disabled: once the patch is applied, the AMSI functions in the target process are disabled or neutralized, and the malware can avoid detection by AMSI.
Doing these steps manually can be tiring and complicated at times. For this reason, I wrote a Python code snippet and tested it on my own system. The desired result was achieved, and you can now run the command you want freely in the current process. You also don't need PowerShell admin rights for this.

You can access the Python script via https://github.com/nullx3d/AmsiBypassWithPython
Sources
- https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/
- https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
- https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9
- http://amsi.fail/
- https://www.hackingarticles.in/a-detailed-guide-on-amsi-bypass/
- https://www.trendmicro.com/en_us/research/22/l/detecting-windows-amsi-bypass-techniques.html
- https://hackmag.com/security/fck-amsi/
- https://rastamouse.me/memory-patching-amsi-bypass/