Bypassing AMSI via COM Server Hijacking

itman · Aug 3, 2017

Microsoft’s Antimalware Scan Interface (AMSI) was introduced in Windows 10 as a standard interface that provides the ability for AV engines to apply signatures to buffers both in memory and on disk. This gives AV products the ability to “hook” right before script interpretation, meaning that any obfuscation or encryption has gone through their respective deobfuscation and decryption routines. If desired, you can read more on AMSI here and here. This post will highlight a way to bypass AMSI by hijacking the AMSI COM server, analyze how Microsoft fixed it in build #16232 and then how to bypass that fix.
Click to expand...

https://posts.specterops.io/bypassing-amsi-via-com-server-hijacking-b8a3354d1aff

guest · Aug 3, 2017

hehe; the eternal race between blackhats/pentesters and security developers

gorblimey · Aug 3, 2017

guest said: ↑

the eternal race between
Click to expand...

Ummmm... No. I forget the origin of the quote, too lazy to look it up: "Against stupidity the gods themselves contend in vain."

My coding is late last century. But even I know that strengthening one routine requires much more than just local variables. If the patched dll lives in the same global context as the original, it is just as weak as the original. M$ simply put a cover over the hole, and even forgot to paint it!

The only race I see here is to the bottom.

Log in or Sign up

Bypassing AMSI via COM Server Hijacking

itman Registered Member

guest Guest

gorblimey Registered Member

Log in or Sign up

Bypassing AMSI via COM Server Hijacking

itman Registered Member

guest Guest

gorblimey Registered Member

Useful Searches