Jonathan Peters (@cod3nym)'s Twitter Profile
Jonathan Peters

@cod3nym

Threat Researcher | Detection Engineer @nextronsystems

#Yara enthusiast | C# Developer

ID: 1695738489973735424

https://github.com/cod3nym

27-08-2023 10:02:36

298 Tweets

621 Followers

85 Following

Stumbled over this new AMSI bypass. It works by manipulating the COM RPC communication used by AMSI to talk to AV engines. By hooking NdrClientCall3 which handles the RPC calls we can intercept AMSI scan requests before they reach the AV engine. I wrote a simplified version that