DebugAmsi is another way to bypass AMSI through the Windows process debugger mechanism.

How It Works

One day I’ve discovered an interesting function DebugActiveProcess which allows us to become a debugger for a process. Full-fledged debugging will be available if our process has the SeDebug privilege or the ability to call OpenProcess() with the PROCESS_ALL_ACCESS mask.

Once our process becomes a debugger, it can handle the LOAD_DLL_DEBUG_EVENT event, which is generated by the Windows system when any DLL is loaded into the process address space.

Thus, we can start powershell.exe, then become a debugger for it and intercept an attempt to load amsi.dll . And then patch it at the moment of loading.