
amsi_bypass_in_2023: Introduction

Amsi Bypass on Windows 11 In 2023

Technical details can be found in the article: https://medium.com/@gustavshen/bypass-amsi-on-windows-11-75d231b2cac6

Attack_AmsiOpenSession.ps1

HRESULT AmsiOpenSession(
    [in]  HAMSICONTEXT amsiContext,
    [out] HAMSISESSION *amsiSession
);

This PowerShell script can be used to bypass AMSI by patching AmsiOpenSession. According to the disassembly, the function returns E_INVALIDARG if any of the following conditions is met:

  1. RCX (the amsiContext argument) is 0
  2. RDX (the amsiSession argument) is 0
  3. The 2nd QWORD of the HAMSICONTEXT structure is 0
  4. The 3rd QWORD of the HAMSICONTEXT structure is 0


This script patches AmsiOpenSession by setting RCX to 0, so every call takes the E_INVALIDARG exit path described above.


Patching AmsiOpenSession does not bypass AMSI for Assembly.Load().

Attack_AmsiScanBuffer.ps1

HRESULT AmsiScanBuffer(
    [in]           HAMSICONTEXT amsiContext,
    [in]           PVOID        buffer,
    [in]           ULONG        length,
    [in]           LPCWSTR      contentName,
    [in, optional] HAMSISESSION amsiSession,
    [out]          AMSI_RESULT  *result
);

This PowerShell script can be used to bypass AMSI by patching AmsiScanBuffer. The patch sets RAX to the error value E_INVALIDARG and returns immediately, so no buffer is ever scanned.


Patching AmsiScanBuffer does bypass AMSI for Assembly.Load().


one-liner-payload.md

This file contains one-liner payloads that can be pasted into the current PowerShell session to bypass AMSI immediately. Like the AmsiOpenSession patch, they do not bypass AMSI for Assembly.Load().

Details can be found in this file.
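Both scripts above leave a visible trace: the first bytes of an exported amsi.dll function in process memory no longer match the bytes of that function in the on-disk amsi.dll. The following defensive check, added here and not one of this project's scripts, reads the prologue of AmsiOpenSession and AmsiScanBuffer from the running PowerShell process and compares it with the same bytes in %SystemRoot%\System32\amsi.dll. It assumes 64-bit Windows PowerShell, a 16-byte comparison window, and a helper named ConvertTo-FileOffset that is defined here only for this example.

```powershell
# Added defensive check (not part of the amsi_bypass_in_2023 project): detect in-memory
# patches of amsi.dll exports by diffing them against the on-disk image.
# Assumptions: 64-bit Windows PowerShell; amsi.dll lives in %SystemRoot%\System32.
Add-Type -Namespace AmsiCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
$prologueLen = 16   # bytes compared per function (assumption); the patches above land in the first few
$diskImage   = [IO.File]::ReadAllBytes("$env:SystemRoot\System32\amsi.dll")

# Minimal PE walk over the on-disk file: locate the section table so an RVA maps to a file offset.
$ntHdr      = [BitConverter]::ToInt32($diskImage, 0x3C)         # e_lfanew -> "PE\0\0"
$sectionCnt = [BitConverter]::ToUInt16($diskImage, $ntHdr + 6)  # FileHeader.NumberOfSections
$optHdrSize = [BitConverter]::ToUInt16($diskImage, $ntHdr + 20) # FileHeader.SizeOfOptionalHeader
$sectTable  = $ntHdr + 24 + $optHdrSize                         # first IMAGE_SECTION_HEADER
function ConvertTo-FileOffset([int]$rva) {
    for ($i = 0; $i -lt $sectionCnt; $i++) {
        $s    = $sectTable + 40 * $i
        $size = [BitConverter]::ToInt32($diskImage, $s + 8)     # VirtualSize
        $va   = [BitConverter]::ToInt32($diskImage, $s + 12)    # VirtualAddress
        $raw  = [BitConverter]::ToInt32($diskImage, $s + 20)    # PointerToRawData
        if ($rva -ge $va -and $rva -lt ($va + $size)) { return $rva - $va + $raw }
    }
    throw "RVA 0x$($rva.ToString('X')) is outside every section"
}

$base = [AmsiCheck.Native]::GetModuleHandle('amsi.dll')
if ($base -eq [IntPtr]::Zero) { throw 'amsi.dll is not loaded in this process' }

foreach ($name in 'AmsiOpenSession', 'AmsiScanBuffer') {
    $addr = [AmsiCheck.Native]::GetProcAddress($base, $name)
    if ($addr -eq [IntPtr]::Zero) { throw "$name is not exported by the loaded amsi.dll" }
    # Live bytes from the mapped module in this process.
    $live = New-Object byte[] $prologueLen
    [Runtime.InteropServices.Marshal]::Copy($addr, $live, 0, $prologueLen)
    # Pristine bytes from disk: an export's RVA is identical in the file and in memory.
    $off  = ConvertTo-FileOffset ([int]($addr.ToInt64() - $base.ToInt64()))
    $disk = $diskImage[$off..($off + $prologueLen - 1)]
    $liveHex = ($live | ForEach-Object { $_.ToString('X2') }) -join ' '
    $diskHex = ($disk | ForEach-Object { $_.ToString('X2') }) -join ' '
    $status  = if ($liveHex -eq $diskHex) { 'OK' } else { 'PATCHED' }
    [pscustomobject]@{ Function = $name; Status = $status; Memory = $liveHex; Disk = $diskHex }
}
```

A PATCHED row for either export is the in-process symptom of the scripts described above; because only the first 16 bytes of each function are compared, a modification deeper in the function body would not be reported by this check.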
