Basics of Antimalware Scan Interface (AMSI)
When a process instantiates amsi.dll gets loaded into the process and following are the series of events which occurs during the life of process
AMSI Life Cycle
- amsi.dll invokes AmsiInitialize function which basically create amsiContext (AmsiContext will be used in all upcoming api calls)
- When a user enters a command and press enter, AmsiOpenSession will be called which accept the amsicontext and a pointer called amsiSession
- amsiSession will be used throughout the analysis of that particular command
- After creating the amsiSession, AmsiScanBuffer will be called with the arguments
[in] HAMSICONTEXT amsiContext,
[in] PVOID buffer,
[in] ULONG length,
[in] LPCWSTR contentName,
[in, optional] HAMSISESSION amsiSession,
[out] AMSI_RESULT *result
- amsiContext: this is the context which is returned from AmsiInitialize function at the time of process creation.
- Buffer: The buffer from which to read the data to be scanned.
- Length: The length, in bytes, of the data to be read from buffer.
- contentName: The filename, URL, unique script ID, or similar of the content being scanned
- amsiSession: The HAMSISESSION handle provided by amsiOpenSession function.
- Result: The result of the scan.
- 1 = means no malicious activity detected
- 32768 = means command is malicious