Antivirus Evasion: Tearing AMSI Down With 3 Bytes Only
This post aims to showcase one of the many possible techniques for bypassing antivirus solutions through in-memory patching of AMSI instructions.
https://github.com/jfmaes/AmsiHooker
Simple EICAR test sample, but you know what to do with it lmao. First hooks AMSI, pushes EICAR through, then disables the hook and does it again.
https://github.com/ZeroMemoryEx/Amsi-Killer
https://github.com/D1rkMtr/AmsiScanBuffer
Digging deeper into AmsiScanBuffer internals, and identifying 7 possible AMSI patches by forcing a conditional jump to a branch that sets the return value of AmsiScanBuffer to E_INVALIDARG and makes AmsiScanBuffer fail.