AMSI.fail
Generate obfuscated PowerShell snippets that break or disable AMSI for the current process.
What is AMSI?
AMSI (Antimalware Scan Interface) is a Windows interface that allows applications and services to scan script content for malicious usage. If the content matches a signature known to the registered AMSI antimalware provider (Windows Defender by default), it is blocked.
Here is how PowerShell integrates with AMSI:
- When a PowerShell process is created, AMSI.DLL is loaded from disk into its address space.
- Within AMSI.DLL, there's a function known as AmsiScanBuffer(), used to scan a script's content.
- Any supplied content is first sent to AmsiScanBuffer() before any execution takes place.
- AmsiScanBuffer() hands the content to the registered anti-virus provider, which checks it against the signatures it has for that content.
- If the content is deemed malicious, it is blocked.
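The call sequence above, seen from the side of an application that consumes AMSI, as an added example that is not part of AMSI.fail: it initialises an AMSI context, opens a session, submits script text to AmsiScanBuffer() and reads back the verdict, which is the same path PowerShell's own host takes before executing a script. The P/Invoke signatures follow the documented amsi.dll exports; the function name Invoke-AmsiScan, the application name passed to AmsiInitialize and the sample script text are the author's own.

```powershell
# Added example (not part of AMSI.fail): scan a piece of script text through
# the AMSI consumer API exactly as a script host would.
$amsiNative = @'
using System;
using System.Runtime.InteropServices;
public static class AmsiNative {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);
    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);
    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                            string contentName, IntPtr amsiSession, out int result);
}
'@
Add-Type -TypeDefinition $amsiNative

function Invoke-AmsiScan {
    # Returns the raw AMSI_RESULT for $Content plus a boolean verdict.
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$ContentName = 'example.ps1'   # label the provider sees, not a real file
    )
    $ctx = [IntPtr]::Zero
    $session = [IntPtr]::Zero

    # AmsiInitialize binds this process to the registered provider (Defender by default).
    $hr = [AmsiNative]::AmsiInitialize('AmsiScanExample', [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        # A session lets the provider correlate several related scans.
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: 0x{0:X8}' -f $hr) }
        try {
            # Script text is handed over as UTF-16, which is how PowerShell's host passes it.
            $bytes  = [Text.Encoding]::Unicode.GetBytes($Content)
            $result = 0
            $hr = [AmsiNative]::AmsiScanBuffer($ctx, $bytes, [uint32]$bytes.Length,
                                               $ContentName, $session, [ref]$result)
            if ($hr -ne 0) { throw ('AmsiScanBuffer failed: 0x{0:X8}' -f $hr) }
            [pscustomobject]@{
                ContentName = $ContentName
                AmsiResult  = $result
                # AMSI_RESULT_DETECTED is 32768; any value at or above it is a detection
                # and the host is expected to refuse to run the content.
                Detected    = ($result -ge 32768)
            }
        } finally { [AmsiNative]::AmsiCloseSession($ctx, $session) }
    } finally { [AmsiNative]::AmsiUninitialize($ctx) }
}

# Constructed, benign sample: the provider returns a result below AMSI_RESULT_DETECTED.
Invoke-AmsiScan -Content 'Write-Output "hello from a benign script"'
```

Running it on benign text shows AmsiResult at 0 or 1 and Detected set to false; feeding the standard EICAR test string through the same function exercises the detected branch. The point of the example is the shape of the exchange: the host, not the provider, decides to call AmsiScanBuffer() and to honour its verdict, which is why anything that can alter the host process can also alter that decision.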
Since AMSI relies on being loaded within the process executing the script, techniques to break or patch specific functions within amsi.dll are well known.
Detection
All demonstrated techniques rely on tampering with the amsi.dll library inside the running process. Generic tamper-detection of the loaded amsi.dll is key to identifying these bypasses at runtime.
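One concrete form of that generic tamper check, as an added example that is not part of AMSI.fail: compare the first bytes of every named amsi.dll export as they sit in memory with the same bytes in the file on disk, so any in-process modification of the exported functions shows up as a mismatch without the check having to know what any particular bypass writes. It assumes 64-bit PowerShell on Windows 10 or later, where the code section of amsi.dll is not relocated; the function, parameter and property names (Get-PeExports, Test-AmsiIntegrity, PrologueLength) are the author's own.

```powershell
# Added example (not part of AMSI.fail): runtime integrity check of the amsi.dll
# image loaded into the current PowerShell process against the on-disk file.

function Get-PeExports {
    # Parse the export table of a PE image held in a byte array and return a
    # hashtable of export name -> @{ Rva; FileOffset }. Forwarders are skipped.
    param([byte[]]$Image)

    $pe = [BitConverter]::ToInt32($Image, 0x3C)                         # e_lfanew
    if ([BitConverter]::ToUInt32($Image, $pe) -ne 0x00004550) { throw 'Not a PE image' }
    $numSections   = [int][BitConverter]::ToUInt16($Image, $pe + 6)
    $optHeaderSize = [int][BitConverter]::ToUInt16($Image, $pe + 20)
    $optHeader     = $pe + 24
    $magic         = [BitConverter]::ToUInt16($Image, $optHeader)
    # Export data directory: +0x70 into a PE32+ optional header, +0x60 for PE32.
    $dirOffset  = if ($magic -eq 0x20B) { $optHeader + 0x70 } else { $optHeader + 0x60 }
    $exportRva  = [BitConverter]::ToInt32($Image, $dirOffset)
    $exportSize = [BitConverter]::ToInt32($Image, $dirOffset + 4)

    # Section table: 40-byte IMAGE_SECTION_HEADER entries right after the optional header.
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $s = $optHeader + $optHeaderSize + 40 * $i
        [pscustomobject]@{
            VirtualSize      = [BitConverter]::ToInt32($Image, $s + 8)
            VirtualAddress   = [BitConverter]::ToInt32($Image, $s + 12)
            SizeOfRawData    = [BitConverter]::ToInt32($Image, $s + 16)
            PointerToRawData = [BitConverter]::ToInt32($Image, $s + 20)
        }
    }
    function ConvertTo-FileOffset([int]$Rva) {
        # Translate an RVA to a file offset through the section that contains it.
        foreach ($sec in $sections) {
            $span = [Math]::Max($sec.VirtualSize, $sec.SizeOfRawData)
            if ($Rva -ge $sec.VirtualAddress -and $Rva -lt ($sec.VirtualAddress + $span)) {
                return $Rva - $sec.VirtualAddress + $sec.PointerToRawData
            }
        }
        throw ('RVA 0x{0:X} is not inside any section' -f $Rva)
    }

    $dir       = ConvertTo-FileOffset $exportRva
    $numNames  = [BitConverter]::ToInt32($Image, $dir + 24)
    $funcTable = ConvertTo-FileOffset ([BitConverter]::ToInt32($Image, $dir + 28))
    $nameTable = ConvertTo-FileOffset ([BitConverter]::ToInt32($Image, $dir + 32))
    $ordTable  = ConvertTo-FileOffset ([BitConverter]::ToInt32($Image, $dir + 36))

    $exports = @{}
    for ($i = 0; $i -lt $numNames; $i++) {
        $nameOff = ConvertTo-FileOffset ([BitConverter]::ToInt32($Image, $nameTable + 4 * $i))
        $end = $nameOff
        while ($Image[$end] -ne 0) { $end++ }
        $name    = [Text.Encoding]::ASCII.GetString($Image, $nameOff, $end - $nameOff)
        $ordinal = [int][BitConverter]::ToUInt16($Image, $ordTable + 2 * $i)
        $funcRva = [BitConverter]::ToInt32($Image, $funcTable + 4 * $ordinal)
        # A function RVA inside the export directory is a forwarder string, not code.
        if ($funcRva -ge $exportRva -and $funcRva -lt ($exportRva + $exportSize)) { continue }
        $exports[$name] = @{ Rva = $funcRva; FileOffset = (ConvertTo-FileOffset $funcRva) }
    }
    return $exports
}

function Test-AmsiIntegrity {
    # Compare the in-memory prologue of each amsi.dll export with the bytes on disk.
    param([int]$PrologueLength = 32)

    $module = [Diagnostics.Process]::GetCurrentProcess().Modules |
        Where-Object { $_.ModuleName -eq 'amsi.dll' } | Select-Object -First 1
    if (-not $module) {
        return [pscustomobject]@{ Loaded = $false; Tampered = $false; Mismatches = @() }
    }

    $disk    = [IO.File]::ReadAllBytes($module.FileName)
    $exports = Get-PeExports -Image $disk
    $mismatches = foreach ($name in ($exports.Keys | Sort-Object)) {
        $e        = $exports[$name]
        $expected = New-Object byte[] $PrologueLength
        [Array]::Copy($disk, $e.FileOffset, $expected, 0, $PrologueLength)
        $actual   = New-Object byte[] $PrologueLength
        # Code pages are readable, so a plain copy out of the live image is enough.
        [Runtime.InteropServices.Marshal]::Copy([IntPtr]::Add($module.BaseAddress, $e.Rva),
                                                $actual, 0, $PrologueLength)
        for ($i = 0; $i -lt $PrologueLength; $i++) {
            if ($expected[$i] -ne $actual[$i]) {
                [pscustomobject]@{
                    Export    = $name
                    ByteIndex = $i
                    OnDisk    = ($expected[0..7] | ForEach-Object { $_.ToString('X2') }) -join ' '
                    InMemory  = ($actual[0..7]   | ForEach-Object { $_.ToString('X2') }) -join ' '
                }
                break
            }
        }
    }
    [pscustomobject]@{ Loaded = $true; Tampered = [bool]$mismatches; Mismatches = @($mismatches) }
}

$report = Test-AmsiIntegrity
$report | Select-Object Loaded, Tampered
$report.Mismatches | Format-Table -AutoSize
```

Three caveats a practitioner should keep in mind. A byte comparison only sees changes written into the amsi.dll image, so it does not cover the entries in the credits list that work through debug registers or through reflection on PowerShell's managed state; those need a different check (debug-register inspection, or verifying the relevant managed fields). On 32-bit PowerShell the code section can contain relocated absolute addresses, so a mismatch there is not by itself proof of tampering. And a self-check running inside the very process an attacker controls is advisory at best: the same comparison belongs in a component that reads the target process's memory from outside, such as an EDR sensor, alongside the provider's own scan telemetry.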
Credits
Bypass Technique Authors
- ForceError — amsiContext/amsiSession corruption — S3cur3Th1sSh1t
- MattGRefl — amsiInitFailed reflection — Matt Graeber
- MattGReflLog — Delegate-based reflection (WMF5 logging bypass) — Matt Graeber
- MattGRef02 — amsiContext WriteInt32 overwrite — Matt Graeber
- RastaBuf — AmsiScanBuffer memory patch — Rasta Mouse
- FieldOffset — amsiContext Marshal::Copy — Matt Graeber
- ScanBufferPatchAlt — AmsiScanBuffer patch (no csc.exe) — Rasta Mouse + MDSec
- ReflectionFromAssembly — AppDomain assembly enumeration — MDSec (@am0nsec)
- BlankAmsiProviders — Null amsiContext + amsiSession — Context corruption variant
- HardwareBreakpoint — VEH + debug registers — @CCob, adapted by Rasta Mouse
Project
- Major credit to MartinIngesen for porting the original C# code into JS
- S3cur3Th1sSh1t's AMSI Bypass Collection
- MDSec — Exploring PowerShell AMSI and Logging Evasion