A technical demonstration developed as part of my learning in MalDev Academy, exploring AMSI evasion concepts on Windows. The project examines process injection and remote memory manipulation techniques used to alter AMSI behavior in PowerShell prior to execution, strictly for educational and research purposes.
This tool spawns a PowerShell process in a suspended state, loads the AMSI library into the target process, patches the AmsiScanBuffer function in remote process memory, and then resumes execution. The result is a PowerShell session with AMSI scanning disabled.
The implementation uses the following Windows API techniques:
- Process Creation with Suspension: PowerShell is created using `CreateProcessA` with the `CREATE_SUSPENDED` flag, so no script runs before the patch is in place
- Remote DLL Loading: `amsi.dll` is loaded into the target process via `CreateRemoteThread` with `LoadLibraryA` as the thread start routine (the suspended process has only `ntdll.dll` mapped, so the library has to be forced in before it can be patched)
- Memory Patching: The `AmsiScanBuffer` function is patched using `WriteProcessMemory` after adjusting memory protection with `VirtualProtectEx`
- Process Resumption: The main thread is resumed using `ResumeThread` after patching completes
The patch overwrites the first three bytes of `AmsiScanBuffer` (`31 C0 C3`) with the following x86-64 assembly:

```asm
xor eax, eax    ; Set the return value (HRESULT) to 0 = S_OK
ret             ; Return immediately, before any scanning logic runs
```

Every call therefore returns S_OK without scanning. The stub never writes the `AMSI_RESULT` out-parameter, so the caller keeps whatever value it initialised that variable to; PowerShell's AMSI wrapper pre-initialises it to `AMSI_RESULT_CLEAN`, which is why the content is treated as clean rather than producing an error.
Key functions:
- `PatchRemoteAMSI()`: Locates and patches the AMSI function in the remote process
- `EnumProcessModules()`: Finds the base address of `amsi.dll` in the target process
- `VirtualProtectEx()`: Modifies memory protection to allow writing to executable code
- `WriteProcessMemory()`: Writes the patch bytes to the remote process
- Windows 10/11 (x64)
- Microsoft Visual Studio 2022 or later
- Windows SDK
Using Visual Studio Developer Command Prompt:

```bat
cl.exe /O2 /GS- /Fe:final.exe final.c Psapi.lib /link /SUBSYSTEM:WINDOWS /ENTRY:WinMainCRTStartup
```

Compiler and linker options:
- `/O2`: Optimize for speed
- `/GS-`: Disable buffer security checks (stack cookies); the technique does not depend on this
- `Psapi.lib`: Provides `EnumProcessModules` and the other module-enumeration APIs
- `/SUBSYSTEM:WINDOWS`: Create a GUI application (no console window)
- `/ENTRY:WinMainCRTStartup`: Specify the entry point (the CRT start-up that calls `WinMain`)
Execute the compiled binary:

```bat
final.exe
```

A PowerShell window will open with AMSI bypassed. You can verify by running:

```powershell
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
```

This is the standard AMSI test string. With AMSI active, PowerShell refuses it with "This script contains malicious content and has been blocked by your antivirus software" (`ScriptContainedMaliciousContent`); with the patch in place it is simply echoed back.
This technique may be detected by:
- Behavioral Analysis: Process creation with `CREATE_SUSPENDED` followed by remote thread creation in the child (Sysmon Event ID 8 records the source and target process and, when the start address is a known export such as `LoadLibraryA`, the thread's start function)
- Memory Scanning: Modifications to `amsi.dll` in memory, in particular the first bytes of `AmsiScanBuffer` no longer matching the on-disk image
- API Monitoring: Calls to `VirtualProtectEx` and `WriteProcessMemory` targeting security-critical modules
- Signature Detection: Known patch patterns in AMSI functions
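The behavioral and signature checks above as an added example, not part of the project. The first check runs over Sysmon-style CreateRemoteThread (Event ID 8) records: a remote thread into `powershell.exe` whose start function resolves to `LoadLibraryA` is exactly the DLL-loading step of this tool, while the `csrss.exe` to `CtrlRoutine` record is the common benign case that a naive "any remote thread" rule would flag. The records are constructed, not real telemetry; the field names follow Sysmon's. The second check compares the head of `AmsiScanBuffer` (as read with `ReadProcessMemory`) against the stub on this page and the other widely used variant, `mov eax, 0x80070057 ; ret`, which returns E_INVALIDARG.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy the value of "Key=" from a space-separated "Key=Value" record into out.
   Returns 1 if the key is present; values are assumed not to contain spaces. */
static int field(const char *rec, const char *key, char *out, size_t cap)
{
    size_t klen = strlen(key);
    const char *p = rec;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {   /* whole key, not a suffix */
            const char *v = p + klen + 1;
            size_t n = strcspn(v, " ");
            if (n >= cap) return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Case-insensitive "ends with", for image paths. */
static int ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls) return 0;
    for (size_t i = 0; i < lx; i++) {
        char a = s[ls - lx + i], b = suffix[i];
        if (a >= 'A' && a <= 'Z') a += 32;
        if (b >= 'A' && b <= 'Z') b += 32;
        if (a != b) return 0;
    }
    return 1;
}

/* Sysmon Event 8: a remote thread into powershell.exe starting at LoadLibraryA. */
int is_remote_loadlibrary_into_powershell(const char *rec)
{
    char id[8], img[260], fn[64];
    return field(rec, "EventID", id, sizeof id) && strcmp(id, "8") == 0
        && field(rec, "TargetImage", img, sizeof img) && ends_with_ci(img, "\\powershell.exe")
        && field(rec, "StartFunction", fn, sizeof fn) && strcmp(fn, "LoadLibraryA") == 0;
}

/* Known stubs written over the start of AmsiScanBuffer. */
int matches_amsi_patch(const unsigned char *head, size_t n)
{
    static const unsigned char xor_ret[] = { 0x31, 0xC0, 0xC3 };                   /* xor eax,eax ; ret */
    static const unsigned char einval[]  = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; /* mov eax,0x80070057 ; ret */
    return (n >= sizeof xor_ret && memcmp(head, xor_ret, sizeof xor_ret) == 0)
        || (n >= sizeof einval  && memcmp(head, einval,  sizeof einval)  == 0);
}

/* Constructed sample records (not real telemetry). */
static const char *SAMPLE_EVENTS[] = {
    "EventID=1 ProcessId=5304 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentProcessId=4120 ParentImage=C:\\Tools\\final.exe",
    "EventID=8 SourceProcessId=4120 SourceImage=C:\\Tools\\final.exe TargetProcessId=5304 TargetImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe StartFunction=LoadLibraryA",
    "EventID=8 SourceProcessId=880 SourceImage=C:\\Windows\\System32\\csrss.exe TargetProcessId=5304 TargetImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe StartFunction=CtrlRoutine",
};

/* Print an alert for each matching record and return the number flagged. */
int count_flagged(const char **recs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_remote_loadlibrary_into_powershell(recs[i])) {
            printf("ALERT: %s\n", recs[i]);
            hits++;
        }
    return hits;
}

int main(void)
{
    unsigned char head[] = { 0x31, 0xC0, 0xC3, 0x90 };   /* as if read from the target */
    printf("flagged %d event(s); patch signature present: %s\n",
           count_flagged(SAMPLE_EVENTS, 3), matches_amsi_patch(head, sizeof head) ? "yes" : "no");
    return 0;
}
```

The event rule deliberately keys on `StartFunction` rather than on any remote thread: legitimate remote threads into PowerShell exist, but a remote `LoadLibraryA` from an unsigned parent is rare enough to page on. The byte signatures catch only known stubs; comparing the function prologue against the on-disk `amsi.dll` catches arbitrary patches and is the check a memory scanner would add on top.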
Organizations can defend against this technique by:
- Protected Process Light (PPL): Not a mitigation here. PPL is reserved for specially signed anti-malware and Windows components and cannot be enabled for PowerShell, so the injector keeps full access to the child it created
- Code Integrity: Use Windows Defender Application Control (WDAC) to enforce code integrity, which stops the unsigned injector from running in the first place
- EDR Solutions: Deploy endpoint detection and response tools that monitor process injection
- Logging: Enable process and thread creation logging (Sysmon Event IDs 1 and 8) and PowerShell Script Block Logging (Event ID 4104); script block logging does not go through `amsi.dll`, so the executed script is still recorded after this patch
- Behavioral Monitoring: Alert on suspended process creation followed by remote thread injection
This tool is provided for educational and authorized security research purposes only. Unauthorized use of this tool to bypass security controls on systems you do not own or have explicit permission to test is illegal and unethical.
Users are responsible for ensuring compliance with all applicable laws and regulations. The authors assume no liability for misuse of this software.
For security research purposes, it is recommended to:
- Use isolated virtual machines or dedicated test systems
- Add the research directory to the antivirus exclusions before compiling, otherwise Microsoft Defender is likely to quarantine the compiled binary. `Add-MpPreference` must be run from an elevated PowerShell:

```powershell
Add-MpPreference -ExclusionPath "C:\Path\To\Research"
```
- v1.0: Initial release with remote process injection and AMSI patching
This project is released for educational purposes. Use at your own risk and only on systems you are authorized to test.
