| 1 | +# AMSI Bypass Tool |
| 2 | + |
| 3 | +## Overview |
| 4 | +The AMSI Bypass Tool is a Rust program designed to demonstrate bypassing the Windows Antimalware Scan Interface (AMSI) by using hardware breakpoints to intercept and manipulate the `AmsiScanBuffer` function. This tool is intended for educational and research purposes only, to understand AMSI's behavior and potential vulnerabilities in a controlled environment. |
| 5 | + |
| 6 | +## How It Works |
| 7 | + |
| 8 | +### Purpose |
| 9 | +AMSI is a Windows interface that allows applications (e.g., PowerShell, Windows Defender) to scan content for malicious code. The tool bypasses AMSI's scanning by intercepting calls to the `AmsiScanBuffer` function and forcing it to return a "clean" result (`AMSI_RESULT_CLEAN`), effectively preventing detection of malicious content. |
| 10 | + |
| 11 | +### Key Components |
| 12 | +1. **AMSI API Bindings**: |
| 13 | + - The program defines external bindings to AMSI functions (`AmsiInitialize`, `AmsiScanBuffer`, etc.) to interact with the AMSI library (`amsi.dll`). |
| 14 | + - These functions are used to initialize AMSI, open a session, and scan buffers. |
| 15 | + |
| 16 | +2. **NT API Bindings**: |
| 17 | + - Uses `NtGetContextThread` and `NtSetContextThread` to manipulate thread context for setting hardware breakpoints. |
| 18 | + |
| 19 | +3. **AmsiContext Struct**: |
| 20 | + - A Rust struct that encapsulates AMSI context and session management. |
| 21 | + - Provides methods to initialize AMSI, scan buffers, and clean up resources when dropped. |
| 22 | + |
| 23 | +4. **Hardware Breakpoints**: |
| 24 | + - The bypass uses hardware breakpoints to trap execution when `AmsiScanBuffer` is called. |
| 25 | + - Breakpoints are set on the address of `AmsiScanBuffer` using debug registers (`Dr0-Dr3`, `Dr7`). |
| 26 | + - When triggered, the exception handler manipulates the execution context to skip the scan and return a clean result. |
| 27 | + |
| 28 | +5. **Exception Handler**: |
| 29 | + - A vectored exception handler catches single-step exceptions (`EXCEPTION_SINGLE_STEP`) triggered by the hardware breakpoint. |
| 30 | + - It checks if the exception occurred at the `AmsiScanBuffer` address, then: |
| 31 | + - Sets the scan result to `AMSI_RESULT_CLEAN`. |
| 32 | + - Adjusts the instruction pointer (`Rip`) to the return address, skipping the scan. |
| 33 | + - Modifies the stack and registers to simulate a successful function call. |
| 34 | + - Clears the breakpoint to prevent further triggers. |
| 35 | + |
| 36 | +6. **Bypass Setup**: |
| 37 | + - The `setup_amsi_bypass` function: |
| 38 | + - Loads `amsi.dll` and retrieves the address of `AmsiScanBuffer`. |
| 39 | + - Registers the exception handler. |
| 40 | + - Sets a hardware breakpoint on `AmsiScanBuffer` using the current thread's context. |
| 41 | + |
| 42 | +7. **Test Function**: |
| 43 | + - The `test_amsi_bypass` function tests the bypass by scanning a known malicious string (EICAR test string) before and after setting up the bypass. |
| 44 | + - It prints whether AMSI detects the string as malicious and confirms if the bypass worked. |
| 45 | + |
| 46 | +8. **Error Handling**: |
| 47 | + - Uses the `thiserror` crate to define a custom `AmsiError` enum for robust error handling. |
| 48 | + - Covers errors like failed library loading, invalid string conversions, and AMSI initialization failures. |
| 49 | + |
| 50 | +### Workflow |
| 51 | +1. **Initialization**: |
| 52 | + - The program initializes an AMSI context with a test application name (`TestApp`). |
| 53 | + - It opens an AMSI session for scanning. |
| 54 | + |
| 55 | +2. **Pre-Bypass Test**: |
| 56 | + - Scans the EICAR test string to verify that AMSI detects it as malicious. |
| 57 | + |
| 58 | +3. **Bypass Setup**: |
| 59 | + - Loads `amsi.dll`, retrieves the `AmsiScanBuffer` address, and sets a hardware breakpoint. |
| 60 | + - Registers an exception handler to intercept `AmsiScanBuffer` calls. |
| 61 | + |
| 62 | +4. **Post-Bypass Test**: |
| 63 | + - Scans the same EICAR string again. |
| 64 | + - The exception handler intercepts the `AmsiScanBuffer` call, sets the result to `AMSI_RESULT_CLEAN`, and skips the scan. |
| 65 | + - The program confirms whether the bypass was successful. |
| 66 | + |
| 67 | +5. **Pause for Debugging**: |
| 68 | + - Includes a `pause` function to allow inspection of the process (e.g., using PE-SIEVE) for hooks or anomalies. |
| 69 | + |
| 70 | +## Usage |
| 71 | +1. **Prerequisites**: |
| 72 | + - Rust compiler (`cargo`). |
| 73 | + - Install dependencies: `winapi`, `widestring`, `thiserror`. |
| 74 | + |
| 75 | +2. **Build**: |
| 76 | + ```powershell |
| 77 | + cargo build --release |
| 78 | + ``` |
| 79 | + |
| 80 | +3. **Run**: |
| 81 | + ```powershell |
| 82 | + cargo run --release |
| 83 | + ``` |
| 84 | + - The program will: |
| 85 | + - Test AMSI scanning before and after the bypass. |
| 86 | + - Print results to confirm whether the bypass worked. |
| 87 | + - Pause for manual inspection (press Enter to continue). |
| 88 | + |
| 89 | + |
| 90 | +## Limitations |
| 91 | +- **Detection**: Some antivirus solutions may detect the use of hardware breakpoints or exception handlers. |
| 92 | +- **Scope**: Only bypasses `AmsiScanBuffer` calls within the process. |
| 93 | +- **Stability**: Manipulating thread contexts and debug registers can cause instability if not handled correctly. |
| 94 | + |
| 95 | +## License |
| 96 | +This project is licensed under the MIT License. See the `LICENSE` file for details. |
| 97 | + |
| 98 | + |
| 99 | +## Credits / Reference |
| 100 | + |
| 101 | +* https://www.cyberark.com/resources/threat-research-blog/amsi-bypass-redux |
| 102 | +* https://www.trendmicro.com/en_in/research/22/l/detecting-windows-amsi-bypass-techniques.html |
| 103 | + |
| 104 | +## Author |
| 105 | + |
| 106 | +[@5mukx](https://github.com/5mukx) |
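Review bot: the Limitations section under-states the scope of the bypass, and the exception-handler description contradicts the "Post-Bypass Test" it is meant to support. Debug registers `Dr0-Dr3`/`Dr7` are part of a thread's context, and `setup_amsi_bypass` installs the breakpoint only on "the current thread's context" via `NtSetContextThread`, so `AmsiScanBuffer` calls made from any other thread in the process are still scanned; "Only bypasses `AmsiScanBuffer` calls within the process" should read "within the thread that called `setup_amsi_bypass`", or the README should state that the breakpoint must be set on every thread of interest. The handler step "Clears the breakpoint to prevent further triggers" likewise means only the first intercepted call returns `AMSI_RESULT_CLEAN`; a second scan on the same thread would be detected again, which the single post-bypass EICAR scan in `test_amsi_bypass` does not exercise, so either the handler should re-arm `Dr7` after adjusting `Rip` and the stack, or the Limitations should say the bypass is one-shot and the test should scan twice to prove it. Two smaller accuracy points: Windows Defender is an AMSI provider (it receives the scan requests), not a calling application like PowerShell, so "e.g., PowerShell, Windows Defender" under Purpose should list only consumers; and "Install dependencies: `winapi`, `widestring`, `thiserror`" is not a manual step, since `cargo build` resolves them from `Cargo.toml`, so the Prerequisites item should just name the crates the project depends on.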