Antimalware Scan Interface (AMSI)
Primer
The tracker below includes some commonly known memory-patching bypass techniques for AMSI & ETW:
| Type | Target Function | Target DLL | Patch Type |
|------|-----------------|------------|------------|
| AMSI | AmsiScanBuffer | amsi.dll | Consumer Patching |
| AMSI | AmsiScanString | amsi.dll | Consumer Patching |
| AMSI | DllGetClassObject | MpOav.dll (differs between providers) | Provider Patching |
| ETW | EtwEventWrite | ntdll.dll | Consumer Patching |
| ETW | NtTraceEvent | ntdll.dll | Consumer Patching |
| ETW | EtwNotificationRegister | ntdll.dll | Consumer Patching |