DebugAmsi is another way to bypass AMSI, this time through the Windows process debugging API.
How It Works
One day I discovered an interesting function, DebugActiveProcess, which lets our process become the debugger of another process. Full-fledged debugging is available as long as our process can open the target with OpenProcess() and the PROCESS_ALL_ACCESS mask; holding SeDebugPrivilege guarantees that regardless of the target's DACL, and for a process we spawned ourselves we already have it.
Once our process is the debugger, it receives a LOAD_DLL_DEBUG_EVENT every time a DLL is mapped into the debuggee's address space. At that point the image is already mapped but its DllMain has not run yet, and every thread of the debuggee stays suspended until we call ContinueDebugEvent, so whatever we write into the module is in place before the first call into it.
So we can start powershell.exe, become its debugger, catch the load of amsi.dll, and patch it at that very moment, before PowerShell ever calls AmsiScanBuffer. Two practical points: a process that still has a debugger attached is easy to spot (and is killed together with the debugger unless DebugSetProcessKillOnExit(FALSE) was set), so detach with DebugActiveProcessStop once the patch is written; and the bytes that end up in amsi.dll are the same as with any other in-memory AMSI patch, so only the delivery route is new, not the artifact a memory-integrity check would find.
What do you think? I'd be glad to hear your opinion, so leave a comment.