Antimalware Scan Interface (AMSI)

Primer

This is a C# implementation of a new AMSI patching technique, known as Ghosting AMSI, by Andrea Bocchetti. Alongside this addition, the tracker below has been updated to list some commonly known memory-patching bypass techniques for AMSI and ETW, grouped by the function and DLL each one targets and by whether the patch is applied on the consumer side (the process calling into AMSI/ETW) or the provider side (the registered AV/EDR scanning provider).

| Evasion Type | Target Function | Target DLL | Patch Type |
|---|---|---|---|
| AMSI | AmsiScanBuffer | amsi.dll | Consumer Patching |
| AMSI | AmsiScanString | amsi.dll | Consumer Patching |
| AMSI | NdrClientCall3 | rpcrt4.dll | Consumer Patching |
| AMSI | DllGetClassObject | MpOav.dll (differs between providers) | Provider Patching |
| ETW | EtwEventWrite | ntdll.dll | Consumer Patching |
| ETW | NtTraceEvent | ntdll.dll | Consumer Patching |
| ETW | EtwNotificationRegister | ntdll.dll | Consumer Patching |
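Every "Consumer Patching" row in the tracker amounts to the same thing from a defender's point of view: the first bytes of a well-known export are overwritten inside the process. A cheap integrity check is therefore to compare the in-memory prologue of each listed export with the same bytes in the module's on-disk image. The following C# program is an added example, not part of the Ghosting AMSI PoC; the `Targets` list is taken from the tracker rows above, and the helper names (`ConsumerPatchCheck`, `ExportMatchesDisk`, `RvaToFileOffset`) are this example's own. It assumes x64, where the prologues of these exports contain no relocations, so the file bytes and the mapped bytes are expected to be identical.

```csharp
// Added example (not the PoC's code): compare each tracked export's first bytes in
// memory with the on-disk copy of the module to spot in-process consumer patching.
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

static class ConsumerPatchCheck
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr LoadLibraryW(string lpFileName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint GetModuleFileNameW(IntPtr hModule, StringBuilder lpFilename, uint nSize);

    // Number of prologue bytes compared per export (assumption: x64, no relocations here).
    const int PrologueLength = 16;

    // (module, export) pairs taken from the tracker's "Consumer Patching" rows.
    public static readonly (string Module, string Export)[] Targets =
    {
        ("amsi.dll",   "AmsiScanBuffer"),
        ("amsi.dll",   "AmsiScanString"),
        ("rpcrt4.dll", "NdrClientCall3"),
        ("ntdll.dll",  "EtwEventWrite"),
        ("ntdll.dll",  "NtTraceEvent"),
        ("ntdll.dll",  "EtwNotificationRegister"),
    };

    // Translate an RVA into a file offset by walking the section table of the on-disk PE.
    static int RvaToFileOffset(byte[] pe, int rva)
    {
        int e_lfanew = BitConverter.ToInt32(pe, 0x3C);
        int numberOfSections = BitConverter.ToUInt16(pe, e_lfanew + 6);
        int sizeOfOptionalHeader = BitConverter.ToUInt16(pe, e_lfanew + 20);
        int sectionTable = e_lfanew + 24 + sizeOfOptionalHeader;
        for (int i = 0; i < numberOfSections; i++)
        {
            int s = sectionTable + i * 40;                 // IMAGE_SECTION_HEADER is 40 bytes
            int virtualAddress = BitConverter.ToInt32(pe, s + 12);
            int sizeOfRawData  = BitConverter.ToInt32(pe, s + 16);
            int pointerToRaw   = BitConverter.ToInt32(pe, s + 20);
            if (rva >= virtualAddress && rva < virtualAddress + sizeOfRawData)
                return pointerToRaw + (rva - virtualAddress);
        }
        throw new InvalidDataException("RVA is not inside any section");
    }

    // Returns true when the export's in-memory prologue matches the on-disk image.
    // 'detail' explains a mismatch or a lookup failure.
    public static bool ExportMatchesDisk(string module, string export, out string detail)
    {
        IntPtr hModule = LoadLibraryW(module);
        if (hModule == IntPtr.Zero) { detail = "module could not be loaded"; return false; }
        IntPtr fn = GetProcAddress(hModule, export);
        if (fn == IntPtr.Zero) { detail = "export not found"; return false; }

        var path = new StringBuilder(260);
        GetModuleFileNameW(hModule, path, (uint)path.Capacity);
        byte[] onDisk = File.ReadAllBytes(path.ToString());

        int rva = (int)(fn.ToInt64() - hModule.ToInt64());
        int offset = RvaToFileOffset(onDisk, rva);

        byte[] inMemory = new byte[PrologueLength];
        Marshal.Copy(fn, inMemory, 0, PrologueLength);

        for (int i = 0; i < PrologueLength; i++)
        {
            if (inMemory[i] != onDisk[offset + i])
            {
                detail = $"byte {i} differs: memory 0x{inMemory[i]:X2}, disk 0x{onDisk[offset + i]:X2}";
                return false;
            }
        }
        detail = "ok";
        return true;
    }

    static void Main()
    {
        foreach (var (module, export) in Targets)
        {
            bool clean = ExportMatchesDisk(module, export, out string detail);
            Console.WriteLine($"{module,-11} {export,-24} {(clean ? "unmodified" : "MODIFIED/ERROR")} ({detail})");
        }
    }
}
```

This inspects only the address space of the process running it, so it is a self-check or a building block for tooling that runs inside the process of interest, not a replacement for an EDR reading remote process memory. A mismatch is a signal rather than proof: legitimate hooking by a security product also rewrites these prologues, so the bytes that differ should be examined before an alert is raised, and the provider-side row (DllGetClassObject in the provider DLL) is not covered by this check at all.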

PoC | GTFO

GhostingAMSI.cs
