# Bypassing AMSI

#### AMSI Bypass

As discussed earlier, AmsiScanBuffer is the function that gets called as soon as a user enters a command in PowerShell.

**AmsiOpenSession**

\[Structure]

```csharp
HRESULT AmsiOpenSession(
  [in]  HAMSICONTEXT amsiContext,
  [out] HAMSISESSION *amsiSession
);
```

\[explanation]

* amsiContext: the context returned by the AmsiInitialize function at the time of process creation.
* amsiSession: a session created for each command; every time a new command is issued in PowerShell, the AmsiOpenSession function gets called.

**Bypass Theory**

`Stage 0` The key to bypassing AMSI is to somehow make the AmsiOpenSession function fail. To do so, we need to look at the undocumented amsiContext structure; using Frida we can easily get the memory address of this structure.

<figure><img src="/files/EQj8LgA01rfVzMibDfdp" alt=""><figcaption><p>Content of amsiOpenContext </p></figcaption></figure>

Upon navigating to the memory address in Windows Debugger, it was revealed that the first 4 bytes of the context contain the ASCII string `AMSI`, which is the same across different processes.

`Stage 1`

Now we know that the AmsiContext structure has `AMSI` in its first four bytes. Using this information, we will step through the `AmsiOpenSession` function in Windows Debugger.

<figure><img src="/files/npql1zeoV0L8YBTSzhKQ" alt=""><figcaption><p>Disassembled AmsiOpenSession</p></figcaption></figure>

It can be seen that the RCX register is being compared with `49534D41`, which is nothing other than `AMSI` in ASCII, and the next instruction is a conditional jump (`jump if fail`) that makes the function return with an error.

`Stage 2`

In order to make the function fail, we simply need to clear the content of the RCX register just before it is compared.

We will place a breakpoint on the AmsiOpenSession function and enter any command to trigger the breakpoint.

<figure><img src="/files/wsnU17qL4lKExmN5eV51" alt=""><figcaption><p>Breakpoint reached</p></figcaption></figure>

Now we zero out the value of the RCX register in order to fail the `if` condition.

<figure><img src="/files/Tz2OBe5cZaCKkYN4k6nN" alt=""><figcaption><p>Removing the content of RCX</p></figcaption></figure>

This will effectively kill AMSI in the PowerShell process, as can be seen below.

<figure><img src="/files/eULcX8tcyHk8hFqe4zFr" alt=""><figcaption><p>AMSI Bypassed</p></figcaption></figure>

That was the approach to bypassing AMSI using Windows Debugger.
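As an added example, not code from these notes or from amsi.dll, here is a small C model of the check the disassembly shows: the dword at the context pointer is compared with `0x49534D41`, a mismatch makes the function return an error, and a defender-side integrity check confirms the header still reads `AMSI`. The struct layout beyond the signature, the function names and the `E_INVALIDARG` return value are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature the notes found in the first 4 bytes of amsiContext ("AMSI", little-endian). */
#define AMSI_CONTEXT_SIGNATURE 0x49534D41u
/* Standard Windows HRESULT values; that AmsiOpenSession returns E_INVALIDARG is an assumption. */
#define HR_S_OK         0x00000000L
#define HR_E_INVALIDARG 0x80070057L

/* Stand-in for the undocumented context: only the signature header is modelled (assumption). */
typedef struct { uint32_t signature; } amsi_context_t;
typedef struct { uint32_t id; } amsi_session_t;

/* Decode the compared constant byte by byte, lowest byte first, as it sits in memory. */
void signature_as_ascii(uint32_t sig, char out[5]) {
    for (int i = 0; i < 4; i++)
        out[i] = (char)((sig >> (8 * i)) & 0xFF);
    out[4] = '\0';
}

/* Model of the check in the disassembly: the dword at the context pointer (RCX) is compared
 * with 0x49534D41 and the function returns an error when it does not match. */
long model_AmsiOpenSession(const amsi_context_t *ctx, amsi_session_t *session) {
    if (ctx == NULL || session == NULL || ctx->signature != AMSI_CONTEXT_SIGNATURE)
        return HR_E_INVALIDARG;
    session->id = 1;
    return HR_S_OK;
}

/* Defender-side integrity check: a host can confirm the header still reads "AMSI";
 * a zeroed or altered header means the context was tampered with and scans will not run. */
bool amsi_context_intact(const amsi_context_t *ctx) {
    return ctx != NULL && ctx->signature == AMSI_CONTEXT_SIGNATURE;
}

int main(void) {
    amsi_context_t ctx = { .signature = AMSI_CONTEXT_SIGNATURE };
    amsi_session_t session;
    char ascii[5];
    signature_as_ascii(AMSI_CONTEXT_SIGNATURE, ascii);
    printf("0x%08X decodes to \"%s\"\n", AMSI_CONTEXT_SIGNATURE, ascii);
    printf("intact header -> 0x%08lX, intact=%d\n",
           model_AmsiOpenSession(&ctx, &session), amsi_context_intact(&ctx));
    ctx.signature = 0; /* the tampering the notes perform in the debugger, modelled on the header */
    printf("zeroed header -> 0x%08lX, intact=%d\n",
           model_AmsiOpenSession(&ctx, &session), amsi_context_intact(&ctx));
    return 0;
}
```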

