AMSI Basics

Basics of Antimalware Scan Interface (AMSI)

Introduction

When a process starts, amsi.dll is loaded into it; the following series of events then occurs over the life of the process.

AMSI Life Cycle

  • AmsiInitialize is invoked from amsi.dll, which creates an amsiContext (this context is used in all subsequent API calls)

  • When a user enters a command and presses Enter, AmsiOpenSession is called; it accepts the amsiContext and a pointer called amsiSession

    • amsiSession is used throughout the analysis of that particular command

  • After the amsiSession has been created, AmsiScanBuffer is called with the arguments described below

AmsiScanBuffer

[Syntax]

HRESULT AmsiScanBuffer(
  [in]           HAMSICONTEXT amsiContext,
  [in]           PVOID        buffer,
  [in]           ULONG        length,
  [in]           LPCWSTR      contentName,
  [in, optional] HAMSISESSION amsiSession,
  [out]          AMSI_RESULT  *result
);

[Explanation]

  • amsiContext: the context returned from the AmsiInitialize function at the time of process creation.

  • buffer: the buffer from which to read the data to be scanned.

  • length: the length, in bytes, of the data to be read from buffer.

  • contentName: the filename, URL, unique script ID, or similar of the content being scanned.

  • amsiSession: the HAMSISESSION handle provided by the AmsiOpenSession function.

  • result: the result of the scan.

    • 1 = no malicious activity detected (AMSI_RESULT_NOT_DETECTED)

    • 32768 = the command is malicious (AMSI_RESULT_DETECTED, 0x8000)
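As an added example that is not part of these notes, the following Python script (ctypes on Windows; the application name, content name and function names are this example's own) walks the life cycle above from a host application's point of view and maps the AMSI_RESULT values beyond the two listed here, using Microsoft's published harmless test string as the content to scan.

```python
import ctypes
import sys

# AMSI_RESULT values from amsi.h; the notes above list 1 and 32768 (0x8000).
AMSI_RESULT_CLEAN = 0                        # known good, safe to cache
AMSI_RESULT_NOT_DETECTED = 1                 # nothing found this time
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000  # admin policy blocks the content
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4FFF
AMSI_RESULT_DETECTED = 0x8000                # 32768 and above: malware
# Microsoft's published, harmless AMSI test string; providers are expected to flag it.
AMSI_TEST_SAMPLE = "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"

def is_malware(result: int) -> bool:
    """Same rule as the AmsiResultIsMalware() macro in amsi.h."""
    return result >= AMSI_RESULT_DETECTED

def describe_result(result: int) -> str:
    """Turn a raw AMSI_RESULT into the verdict a host application acts on."""
    if result == AMSI_RESULT_CLEAN:
        return "clean"
    if result == AMSI_RESULT_NOT_DETECTED:
        return "not detected"
    if AMSI_RESULT_BLOCKED_BY_ADMIN_START <= result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END:
        return "blocked by administrator policy"
    return "detected" if is_malware(result) else "unknown provider-specific value"

def scan_with_amsi(content: str, app_name: str = "AmsiDemo", content_name: str = "demo.ps1") -> int:
    """Full life cycle: Initialize -> OpenSession -> ScanBuffer -> CloseSession -> Uninitialize."""
    if sys.platform != "win32":
        raise OSError("amsi.dll only exists on Windows")
    amsi = ctypes.WinDLL("amsi")
    p, u32 = ctypes.c_void_p, ctypes.c_uint32
    amsi.AmsiInitialize.argtypes = [ctypes.c_wchar_p, ctypes.POINTER(p)]
    amsi.AmsiOpenSession.argtypes = [p, ctypes.POINTER(p)]
    amsi.AmsiScanBuffer.argtypes = [p, ctypes.c_char_p, u32, ctypes.c_wchar_p, p, ctypes.POINTER(u32)]
    amsi.AmsiCloseSession.argtypes, amsi.AmsiUninitialize.argtypes = [p, p], [p]
    ctx, session, result = p(), p(), u32()
    if amsi.AmsiInitialize(app_name, ctypes.byref(ctx)) != 0:  # HRESULT S_OK is 0
        raise OSError("AmsiInitialize failed")
    try:
        if amsi.AmsiOpenSession(ctx, ctypes.byref(session)) != 0:
            raise OSError("AmsiOpenSession failed")
        data = content.encode("utf-16-le")  # hand AMSI the script text as UTF-16, as PowerShell does
        hr = amsi.AmsiScanBuffer(ctx, data, len(data), content_name, session, ctypes.byref(result))
        amsi.AmsiCloseSession(ctx, session)
        if hr != 0:
            raise OSError(f"AmsiScanBuffer failed: HRESULT {hr & 0xFFFFFFFF:#010x}")
    finally:
        amsi.AmsiUninitialize(ctx)
    return result.value
```

On a Windows host with an AMSI provider registered, `describe_result(scan_with_amsi(AMSI_TEST_SAMPLE))` should return "detected"; scanning ordinary text returns "not detected".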
