Skip to content
/ AMSI-patches-learned-till-now Public

I have documented all of the AMSI patches that I learned till now

License

MIT license
68 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

reveng007/AMSI-patches-learned-till-now

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
compile.bat
compile.bat
 
 
patchAMSI.cpp
patchAMSI.cpp
 
 

Repository files navigation

AMSI-patches-learned-till-now

I have documented all of the AMSI patches that I learned till now

❗ My AMSI patch Learning till now. Doesn't belong to my Company's Asset!

DISCLAIMER: This code is not meant to be Evasive till now! Only a Conceptual Approach.

Links:

  1. https://pre.empt.dev/posts/maelstrom-etw-amsi/#Antimalware_Scan_Interface_(AMSI)
  2. https://rastamouse.me/memory-patching-amsi-bypass/

Still remaining to be Implemented:

  1. Patching AMSI via Hardware Breakpoint and VEH: In-Process Patchless AMSI Bypass

Image:

Capture

One of the Way of patching AMSI:

AMSI_patch

Concepts:

1. AmsiOpenSession: Opens a session within which multiple scan requests can be correlated.

a. To Skip Entering amsi!AmsiOpenSession+0x4c via jne, if all instructions succeed before the calling of jne
=> We would end up directly to amsi!AmsiCloseSession.

Video link: https://drive.google.com/file/d/1H0JheGNGzIyWZ62HNLmJ_oeAAUtDGIKd/view?usp=sharing

Thanks to @D1rkMtr for showing the technique of using jne from amsi!AmsiOpenSession Github. I have used his AMSI patch code template and added other methods I have worked on till now.

b. To Skip Entering amsi!AmsiOpenSession+0x4c (Opens a session within which multiple scan requests can be correlated) via ret, by directly pasting c3 at the beginning of the amsi!AmsiOpenSession
=> We would end up directly to amsi!AmsiCloseSession.

Video link: https://drive.google.com/file/d/1_tpCfJ-aO1wzeEx3Id7b7bTJUyc5ExBw/view?usp=sharing

2. AmsiScanBuffer: Scans a buffer-full of content for malware.

a. To Skip the execution of the main intructions of amsi!AmsiScanBuffer via ret, by directly pasting c3 at the beginning of the amsi!AmsiScanBuffer

Video link: https://drive.google.com/file/d/1PljZld1aXz89nCO3gQCjYpwSqbEbi4J_/view?usp=sharing

b. To Skip the branch that does the actual scanning in amsi!AmsiScanBuffer and returns, by directly pasting \\xB8\\x57\\x00\\x07\\x80\\xC3 ('mov eax, 0x80070057; ret') at the beginning of the amsi!AmsiScanBuffer

Here, the value (rather error Value) of HRESULT being 'E_INVALIDARG' (Source: https://pre.empt.dev/posts/maelstrom-etw-amsi/#Historic_AMSI_Bypasses)

Thanks to @_RastaMouse_ for this blog

c. To Skip the branch that does the actual scanning in amsi!AmsiScanBuffer and returns, by directly pasting \\xB8\\x05\\x00\\x07\\x80\\xC3 ('mov eax, 0x80070005; ret') at the beginning of the amsi!AmsiScanBuffer

Here, the value (rather error Value) of HRESULT being 'E_ACCESSDENIED' (Source: https://pre.empt.dev/posts/maelstrom-etw-amsi/#Historic_AMSI_Bypasses)

d. To Skip the branch that does the actual scanning in amsi!AmsiScanBuffer and returns, by directly pasting \\xB8\\x06\\x00\\x07\\x80\\xC3 ('mov eax, 0x80070006; ret') at the beginning of the amsi!AmsiScanBuffer

Here, the value (rather error Value) of HRESULT being 'E_HANDLE' (Source: https://pre.empt.dev/posts/maelstrom-etw-amsi/#Historic_AMSI_Bypasses)

e. To Skip the branch that does the actual scanning in amsi!AmsiScanBuffer and returns, by directly pasting \\xB8\\x0E\\x00\\x07\\x80\\xC3 ('mov eax, 0x8007000E; ret') at the beginning of the amsi!AmsiScanBuffer

Here, the value (rather error Value) of HRESULT being 'E_OUTOFMEMORY' (Source: https://pre.empt.dev/posts/maelstrom-etw-amsi/#Historic_AMSI_Bypasses)

Other important Blogs:

  1. AMSI Bypass With a Null Character: https://standa-note.blogspot.com/2018/02/amsi-bypass-with-null-character.html
  2. Win10: AMSI Internals: AMSI Bypass: Patching Technique: https://www.cyberark.com/resources/threat-research-blog/amsi-bypass-patching-technique
  3. Hunting AMSI Memory Tempering: https://blog.f-secure.com/hunting-for-amsi-bypasses/
  4. BlackHat 2018: https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf
  5. Exploring PowerShell AMSI, Script Block Logging and PowerShell Logging – Suspicious Strings Evasion: https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
  6. Disable AMSI WLDP Dotnet: https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/
  7. BlackHat 2022: AMSI & Bypass: Review of Known AMSI Bypass Techniques and Introducing a New One: https://www.youtube.com/watch?v=8y8saWvzeLw
  8. Bypass AMSI in local process hooking NtCreateSection: https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/
  9. LifeTime AMSI bypass: Patch the first byte and change it from JE to JMP so it returns directly... : https://github.com/ZeroMemoryEx/Amsi-Killer
  10. Neutralising AMSI System-Wide as an Admin: https://www.pavel.gr/blog/neutralising-amsi-system-wide-as-an-admin
  11. An effort to track security vendors' use of Microsoft's Antimalware Scan Interface: https://github.com/subat0mik/whoamsi
  12. Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime: https://github.com/CCob/SharpBlock
  13. AMS1 bypass Powershell: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
  14. Disable AMSI & ETW via an obfuscated DLL: https://github.com/icyguider/LightsOut

About

I have documented all of the AMSI patches that I learned till now

Resources

Readme

License

MIT license
Activity

Stars

68 stars

Watchers

5 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages