Rust-for-Malware-Development

AMSI Bypass Tool

Overview

The AMSI Bypass Tool is a Rust program designed to demonstrate bypassing the Windows Antimalware Scan Interface (AMSI) by using hardware breakpoints to intercept and manipulate the AmsiScanBuffer function. This tool is intended for educational and research purposes only, to understand AMSI’s behavior and potential vulnerabilities in a controlled environment.

How It Works

Purpose

AMSI is a Windows interface that allows applications (e.g., PowerShell, Windows Defender) to scan content for malicious code. The tool bypasses AMSI’s scanning by intercepting calls to the AmsiScanBuffer function and forcing it to return a “clean” result (AMSI_RESULT_CLEAN), effectively preventing detection of malicious content.

Key Components

  1. AMSI API Bindings:
    • The program defines external bindings to AMSI functions (AmsiInitialize, AmsiScanBuffer, etc.) to interact with the AMSI library (amsi.dll).
    • These functions are used to initialize AMSI, open a session, and scan buffers.
  2. NT API Bindings:
    • Uses NtGetContextThread and NtSetContextThread to manipulate thread context for setting hardware breakpoints.
  3. AmsiContext Struct:
    • A Rust struct that encapsulates AMSI context and session management.
    • Provides methods to initialize AMSI, scan buffers, and clean up resources when dropped.
  4. Hardware Breakpoints:
    • The bypass uses hardware breakpoints to trap execution when AmsiScanBuffer is called.
    • Breakpoints are set on the address of AmsiScanBuffer using debug registers (Dr0-Dr3, Dr7).
    • When triggered, the exception handler manipulates the execution context to skip the scan and return a clean result.
  5. Exception Handler:
    • A vectored exception handler catches single-step exceptions (EXCEPTION_SINGLE_STEP) triggered by the hardware breakpoint.
    • It checks if the exception occurred at the AmsiScanBuffer address, then:
      • Sets the scan result to AMSI_RESULT_CLEAN.
      • Adjusts the instruction pointer (Rip) to the return address, skipping the scan.
      • Modifies the stack and registers to simulate a successful function call.
      • Clears the breakpoint to prevent further triggers.
  6. Bypass Setup:
    • The setup_amsi_bypass function:
      • Loads amsi.dll and retrieves the address of AmsiScanBuffer.
      • Registers the exception handler.
      • Sets a hardware breakpoint on AmsiScanBuffer using the current thread’s context.
  7. Test Function:
    • The test_amsi_bypass function tests the bypass by scanning the EICAR test string (a benign string that AMSI providers flag as malicious) before and after setting up the bypass.
    • It prints whether AMSI detects the string as malicious and confirms if the bypass worked.
  8. Error Handling:
    • Uses the thiserror crate to define a custom AmsiError enum for robust error handling.
    • Covers errors like failed library loading, invalid string conversions, and AMSI initialization failures.
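
A defender-side check for the mechanism described in items 4 and 5, added here as an example and not part of this project's code: because a hardware breakpoint modifies no bytes of amsi.dll, byte-level hook scanners will not see it, but the thread's debug registers will. Given a thread's debug registers (read on Windows with GetThreadContext or NtGetContextThread and CONTEXT_DEBUG_REGISTERS; that plumbing is not shown), this decodes DR7 and reports whether an armed execute breakpoint targets AmsiScanBuffer. The DebugRegs struct and the sample address are constructed for the example.

```rust
/// Snapshot of the x64 debug registers taken from a thread CONTEXT.
/// The caller fills this in; the Windows API calls are assumed, not shown.
#[derive(Debug, Clone, Copy)]
pub struct DebugRegs {
    pub dr0: u64,
    pub dr1: u64,
    pub dr2: u64,
    pub dr3: u64,
    pub dr7: u64,
}

/// One armed hardware breakpoint decoded from DR7.
#[derive(Debug, PartialEq, Eq)]
pub struct HwBreakpoint {
    pub slot: u8,      // 0..=3: which of DR0..DR3 holds the address
    pub address: u64,
    pub execute: bool, // RW field == 00 means break on instruction fetch
}

/// Decode DR7: slot i is armed if its local (bit 2i) or global (bit 2i+1)
/// enable bit is set; its RW field sits at bits 16+4i..=17+4i.
pub fn active_breakpoints(regs: &DebugRegs) -> Vec<HwBreakpoint> {
    let addrs = [regs.dr0, regs.dr1, regs.dr2, regs.dr3];
    let mut out = Vec::new();
    for slot in 0..4u8 {
        let enabled = (regs.dr7 & (0b11u64 << (2 * slot))) != 0;
        if !enabled {
            continue;
        }
        let rw = (regs.dr7 >> (16 + 4 * slot)) & 0b11;
        out.push(HwBreakpoint { slot, address: addrs[slot as usize], execute: rw == 0 });
    }
    out
}

/// True if any armed execute breakpoint lands within `window` bytes of the
/// start of the function at `func_addr` (e.g. the resolved AmsiScanBuffer).
/// A window rather than an exact match catches breakpoints placed a few
/// bytes past the entry point.
pub fn targets_function(regs: &DebugRegs, func_addr: u64, window: u64) -> bool {
    active_breakpoints(regs)
        .iter()
        .any(|bp| bp.execute && bp.address >= func_addr && bp.address < func_addr + window)
}

fn main() {
    // Constructed sample: DR0 holds a hypothetical AmsiScanBuffer address,
    // L0 (bit 0) is set, and RW0 is 00 (execute).
    let amsi_scan_buffer = 0x7ff8_1234_5670u64;
    let regs = DebugRegs { dr0: amsi_scan_buffer, dr1: 0, dr2: 0, dr3: 0, dr7: 0b01 };
    println!("execute breakpoint on AmsiScanBuffer: {}", targets_function(&regs, amsi_scan_buffer, 16));
}
```

Run the check against every thread of the process, not just the current one, since the breakpoint lives in per-thread context.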

Workflow

  1. Initialization:
    • The program initializes an AMSI context with a test application name (TestApp).
    • It opens an AMSI session for scanning.
  2. Pre-Bypass Test:
    • Scans the EICAR test string to verify that AMSI detects it as malicious.
  3. Bypass Setup:
    • Loads amsi.dll, retrieves the AmsiScanBuffer address, and sets a hardware breakpoint.
    • Registers an exception handler to intercept AmsiScanBuffer calls.
  4. Post-Bypass Test:
    • Scans the same EICAR string again.
    • The exception handler intercepts the AmsiScanBuffer call, sets the result to AMSI_RESULT_CLEAN, and skips the scan.
    • The program confirms whether the bypass was successful.
  5. Pause for Debugging:
    • Includes a pause function to allow inspection of the process (e.g., using PE-SIEVE) for hooks or anomalies.

Usage

  1. Prerequisites:
    • Rust compiler (cargo).
    • Install dependencies: winapi, widestring, thiserror.
  2. Build:
    cargo build --release
    
  3. Run:
    cargo run --release
    
    • The program will:
      • Test AMSI scanning before and after the bypass.
      • Print results to confirm whether the bypass worked.
      • Pause for manual inspection (press Enter to continue).

Limitations

License

This project is licensed under the MIT License. See the LICENSE file for details.

Credits / Reference

Author

@5mukx