AMSI Basics

Basics of Antimalware Scan Interface (AMSI)

Introduction

When an AMSI-aware host process (for example powershell.exe, wscript.exe or an Office VBA host) starts, amsi.dll is loaded into it. The following series of events then occurs during the life of the process:
AMSI Life Cycle
  • The host process calls AmsiInitialize, which creates an amsiContext (an HAMSICONTEXT handle). That context is passed to every subsequent AMSI call made by the process.
  • When a user enters a command and presses Enter, the host calls AmsiOpenSession with the amsiContext and a pointer that receives an amsiSession (an HAMSISESSION handle).
    • The amsiSession is used throughout the analysis of that particular command, so the provider can correlate several scans that belong to the same logical input.
  • After the amsiSession has been created, AmsiScanBuffer is called with the arguments listed below.
  • When the command has been processed, AmsiCloseSession releases the session; AmsiUninitialize releases the amsiContext when the host no longer needs AMSI (normally at process exit).
AmsiScanBuffer
[Syntax]
HRESULT AmsiScanBuffer(
[in] HAMSICONTEXT amsiContext,
[in] PVOID buffer,
[in] ULONG length,
[in] LPCWSTR contentName,
[in, optional] HAMSISESSION amsiSession,
[out] AMSI_RESULT *result
);
[Explanation]
  • amsiContext: the context returned by AmsiInitialize when the process initialized AMSI.
  • buffer: the buffer from which to read the data to be scanned.
  • length: the length, in bytes, of the data to be read from buffer.
  • contentName: the filename, URL, unique script ID, or similar identifier of the content being scanned.
  • amsiSession: the HAMSISESSION handle provided by AmsiOpenSession (optional; pass NULL when the scan is not part of a session).
  • result: the result of the scan, an AMSI_RESULT value. The return value of the function itself is an HRESULT and only indicates whether the call succeeded; the verdict is in result.
    • 0 (AMSI_RESULT_CLEAN) = the content is known to be clean
    • 1 (AMSI_RESULT_NOT_DETECTED) = no malicious activity detected
    • 16384 to 20479 (AMSI_RESULT_BLOCKED_BY_ADMIN_START to AMSI_RESULT_BLOCKED_BY_ADMIN_END) = blocked by administrator policy
    • 32768 (AMSI_RESULT_DETECTED) = the content is malicious; any value of 32768 or higher is treated as malware, which is the check the AmsiResultIsMalware macro performs
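The lifecycle above, driven end to end from PowerShell, as an added example that is not part of the original page. It declares the amsi.dll exports via P/Invoke, calls AmsiInitialize, AmsiOpenSession, AmsiScanBuffer, AmsiCloseSession and AmsiUninitialize in order, and decodes the AMSI_RESULT it gets back. The app name AmsiDemo, the content names and the sample inputs are assumptions made for the demonstration; it needs a Windows host with amsi.dll and a registered provider such as Microsoft Defender. To see AMSI_RESULT_DETECTED, save Microsoft's published AMSI test string, `AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386`, to sample.txt next to the script rather than pasting it into the script body, because PowerShell submits the script text itself to AMSI and would block the script before the explicit scan runs.

```powershell
# Added example (not from the original page): walk the AMSI lifecycle by hand.
# Requires Windows with amsi.dll and a registered AMSI provider (e.g. Defender).

if (-not ('AmsiNative' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class AmsiNative
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll", ExactSpelling = true)]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll", ExactSpelling = true)]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

    [DllImport("amsi.dll", ExactSpelling = true)]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

    // HRESULT AmsiScanBuffer(HAMSICONTEXT, PVOID, ULONG, LPCWSTR, HAMSISESSION, AMSI_RESULT*)
    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                            string contentName, IntPtr amsiSession, out int result);
}
'@
}

function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)] [string] $Content,
        [string] $ContentName = 'AmsiDemo-script',  # plays the role of a script path or ID
        [string] $AppName     = 'AmsiDemo'          # assumed app name; providers log it
    )

    $ctx = [IntPtr]::Zero
    $session = [IntPtr]::Zero

    # 1. AmsiInitialize: one context per application, reused for every later call.
    $hr = [AmsiNative]::AmsiInitialize($AppName, [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        # 2. AmsiOpenSession: groups the scans that belong to one logical input.
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: 0x{0:X8}' -f $hr) }
        try {
            # 3. AmsiScanBuffer: PowerShell hands AMSI the script text as UTF-16LE bytes,
            #    so the example does the same. The HRESULT says whether the call worked;
            #    the verdict comes back in $result.
            $bytes  = [Text.Encoding]::Unicode.GetBytes($Content)
            $result = 0
            $hr = [AmsiNative]::AmsiScanBuffer($ctx, $bytes, [uint32]$bytes.Length,
                                               $ContentName, $session, [ref]$result)
            if ($hr -ne 0) { throw ('AmsiScanBuffer failed: 0x{0:X8}' -f $hr) }

            # Decode the AMSI_RESULT ranges; >= 32768 is what AmsiResultIsMalware checks.
            $verdict = switch ($result) {
                0 { 'AMSI_RESULT_CLEAN'; break }
                1 { 'AMSI_RESULT_NOT_DETECTED'; break }
                { $_ -ge 16384 -and $_ -le 20479 } { 'AMSI_RESULT_BLOCKED_BY_ADMIN'; break }
                { $_ -ge 32768 } { 'AMSI_RESULT_DETECTED'; break }
                default { 'provider-specific' }
            }
            [pscustomobject]@{
                ContentName = $ContentName
                Result      = $result
                Verdict     = $verdict
                IsMalware   = ($result -ge 32768)
            }
        } finally {
            # 4. AmsiCloseSession when the command has been processed.
            [AmsiNative]::AmsiCloseSession($ctx, $session)
        }
    } finally {
        # 5. AmsiUninitialize when the host is done with AMSI.
        [AmsiNative]::AmsiUninitialize($ctx)
    }
}

# Constructed inputs: a benign one-liner, then the contents of sample.txt if present.
Invoke-AmsiScan -Content 'Get-Date' -ContentName 'benign.ps1'
if (Test-Path -LiteralPath '.\sample.txt') {
    Invoke-AmsiScan -Content (Get-Content -Raw -LiteralPath '.\sample.txt') -ContentName 'sample.txt'
}
```

Because each call creates its own context and session, the scan shown here is independent of the one PowerShell itself performs on the script; the benign input should return AMSI_RESULT_NOT_DETECTED (or AMSI_RESULT_CLEAN), and the Defender-provided test string in sample.txt should return 32768 with IsMalware set. If real-time protection is disabled or no provider is registered, the calls still succeed but every buffer comes back as not detected, which is worth remembering when validating detections.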