I have documented all of the AMSI patches that I have learned so far.
- https://pre.empt.dev/posts/maelstrom-etw-amsi/#Antimalware_Scan_Interface_(AMSI)
- https://rastamouse.me/memory-patching-amsi-bypass/
- Patching AMSI via Hardware Breakpoint and VEH: In-Process Patchless AMSI Bypass
- amsi!AmsiOpenSession patches:
  a. Skip entering amsi!AmsiOpenSession+0x4c via `jne`: if all instructions before the `jne` succeed, execution ends up directly at amsi!AmsiCloseSession.
     Video link: https://drive.google.com/file/d/1H0JheGNGzIyWZ62HNLmJ_oeAAUtDGIKd/view?usp=sharing
     Thanks to @D1rkMtr for showing the technique of using `jne` from amsi!AmsiOpenSession on GitHub. I have used his AMSI patch code template and added the other methods I have worked on so far.
  b. Skip entering amsi!AmsiOpenSession+0x4c (which opens a session within which multiple scan requests can be correlated) via `ret`, by writing `C3` directly at the beginning of amsi!AmsiOpenSession: execution ends up directly at amsi!AmsiCloseSession.
     Video link: https://drive.google.com/file/d/1_tpCfJ-aO1wzeEx3Id7b7bTJUyc5ExBw/view?usp=sharing
- amsi!AmsiScanBuffer patches:
  a. Skip the execution of the main instructions of amsi!AmsiScanBuffer via `ret`, by writing `C3` directly at the beginning of amsi!AmsiScanBuffer.
     Video link: https://drive.google.com/file/d/1PljZld1aXz89nCO3gQCjYpwSqbEbi4J_/view?usp=sharing
  b. Skip the branch that does the actual scanning in amsi!AmsiScanBuffer and return, by writing `\xB8\x57\x00\x07\x80\xC3` (`mov eax, 0x80070057; ret`) at the beginning of amsi!AmsiScanBuffer. The HRESULT returned is the error value E_INVALIDARG (source: https://pre.empt.dev/posts/maelstrom-etw-amsi/#Historic_AMSI_Bypasses).
     Thanks to @_RastaMouse_ for this blog.
  c. Skip the branch that does the actual scanning in amsi!AmsiScanBuffer and return, by writing `\xB8\x05\x00\x07\x80\xC3` (`mov eax, 0x80070005; ret`) at the beginning of amsi!AmsiScanBuffer. The HRESULT returned is the error value E_ACCESSDENIED (source: https://pre.empt.dev/posts/maelstrom-etw-amsi/#Historic_AMSI_Bypasses).
  d. Skip the branch that does the actual scanning in amsi!AmsiScanBuffer and return, by writing `\xB8\x06\x00\x07\x80\xC3` (`mov eax, 0x80070006; ret`) at the beginning of amsi!AmsiScanBuffer. The HRESULT returned is the error value E_HANDLE (source: https://pre.empt.dev/posts/maelstrom-etw-amsi/#Historic_AMSI_Bypasses).
  e. Skip the branch that does the actual scanning in amsi!AmsiScanBuffer and return, by writing `\xB8\x0E\x00\x07\x80\xC3` (`mov eax, 0x8007000E; ret`) at the beginning of amsi!AmsiScanBuffer. The HRESULT returned is the error value E_OUTOFMEMORY (source: https://pre.empt.dev/posts/maelstrom-etw-amsi/#Historic_AMSI_Bypasses).
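Every patch listed above changes the first bytes of an AMSI export in the process's copy of amsi.dll, which is exactly what a defender can look for. The following is an added example written for this page, not code from the author or from any of the linked projects: it takes a captured prologue of an AMSI export, compares it byte-for-byte against a trusted reference copy, and classifies the patch shapes listed above (a leading `ret`, and `mov eax, <HRESULT>; ret` with the four HRESULT values given). The reference bytes and every sample prologue are constructed for the demo and are not the real amsi.dll bytes; in a real check the reference would come from the on-disk amsi.dll and the live bytes from the target process.

```python
# Added example (not from the page or any linked project): a defender-side check
# that flags the in-memory AMSI patches listed on this page.

# HRESULT values that the page lists as 'mov eax, <hr>; ret' patch targets.
KNOWN_HRESULTS = {
    0x80070057: "E_INVALIDARG",
    0x80070005: "E_ACCESSDENIED",
    0x80070006: "E_HANDLE",
    0x8007000E: "E_OUTOFMEMORY",
}


def diff_offsets(in_memory: bytes, reference: bytes) -> list:
    """Offsets at which the live prologue differs from the reference copy.

    A length mismatch is reported as the offset where the shorter buffer ends.
    """
    n = min(len(in_memory), len(reference))
    offsets = [i for i in range(n) if in_memory[i] != reference[i]]
    if len(in_memory) != len(reference):
        offsets.append(n)
    return offsets


def classify_prologue(export: str, prologue: bytes) -> list:
    """Match the first bytes of an AMSI export against the patch shapes above."""
    findings = []
    # Patch shape 1: a bare 'ret' (C3) as the very first byte.
    if prologue[:1] == b"\xC3":
        findings.append(f"{export}: begins with ret (C3); function body never executes")
    # Patch shape 2: 'mov eax, imm32' (B8 xx xx xx xx) followed by 'ret' (C3).
    if len(prologue) >= 6 and prologue[0] == 0xB8 and prologue[5] == 0xC3:
        hr = int.from_bytes(prologue[1:5], "little")
        name = KNOWN_HRESULTS.get(hr, "unrecognised HRESULT")
        findings.append(f"{export}: 'mov eax, {hr:#010x}; ret' ({name}); scan short-circuited")
    return findings


def check_export(export: str, in_memory: bytes, reference: bytes) -> list:
    """Combine signature matching with a plain byte comparison.

    A byte difference that matches no known shape is still reported, so an
    unfamiliar patch (e.g. a single changed branch opcode) is not missed.
    """
    findings = classify_prologue(export, in_memory)
    changed = diff_offsets(in_memory, reference)
    if changed and not findings:
        findings.append(f"{export}: bytes differ from reference at offsets {changed}; unknown patch")
    return findings


# Constructed reference prologue (a generic x64 register-spill sequence), used only
# so the demo is self-contained. It is NOT the real amsi.dll prologue.
REFERENCE = bytes.fromhex("4c8bdc49895b0849896b10")

# Constructed sample captures: the clean reference and three patched variants
# built from the byte sequences listed on this page.
SAMPLES = {
    "clean": REFERENCE,
    "ret_stub": b"\xC3" + REFERENCE[1:],
    "e_invalidarg": bytes.fromhex("B857000780C3") + REFERENCE[6:],
    "e_accessdenied": bytes.fromhex("B805000780C3") + REFERENCE[6:],
    "single_byte_change": REFERENCE[:3] + b"\xEB" + REFERENCE[4:],
}


def run_samples() -> dict:
    """Run the check over every constructed sample; returns label -> findings."""
    return {label: check_export("AmsiScanBuffer", buf, REFERENCE)
            for label, buf in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, findings or ["no tampering detected"])
```

Two caveats a practitioner would want: the byte comparison only sees patches that rewrite code, so the hardware-breakpoint/VEH approach listed above and a patchless tool such as SharpBlock (listed further down) leave nothing for this check to find, and a reference taken from the same process's memory is useless, since the reference must come from the on-disk file or a known-clean process.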
- AMSI Bypass With a Null Character: https://standa-note.blogspot.com/2018/02/amsi-bypass-with-null-character.html
- Win10: AMSI Internals: AMSI Bypass: Patching Technique: https://www.cyberark.com/resources/threat-research-blog/amsi-bypass-patching-technique
- Hunting AMSI Memory Tampering: https://blog.f-secure.com/hunting-for-amsi-bypasses/
- BlackHat 2018: https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf
- Exploring PowerShell AMSI, Script Block Logging and PowerShell Logging – Suspicious Strings Evasion: https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
- Disable AMSI WLDP Dotnet: https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/
- BlackHat 2022: AMSI & Bypass: Review of Known AMSI Bypass Techniques and Introducing a New One: https://www.youtube.com/watch?v=8y8saWvzeLw
- Bypass AMSI in local process hooking NtCreateSection: https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/
- LifeTime AMSI bypass: patch the first byte and change it from `JE` to `JMP` so it returns directly: https://github.com/ZeroMemoryEx/Amsi-Killer
- Neutralising AMSI System-Wide as an Admin: https://www.pavel.gr/blog/neutralising-amsi-system-wide-as-an-admin
- An effort to track security vendors' use of Microsoft's Antimalware Scan Interface: https://github.com/subat0mik/whoamsi
- Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime: https://github.com/CCob/SharpBlock
- AMSI bypass PowerShell: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
- Disable AMSI & ETW via an obfuscated DLL: https://github.com/icyguider/LightsOut