Q&A Using Reflection for AMSI Bypass

SecurityNightmares

Jan 9, 2020
Converting an already available AMSI bypass to a fully in-memory AMSI bypass
Using Reflection for AMSI Bypass - Intruder (redteam.cafe)

Already Existing Bypass and the Issue

I was reading about AMSI bypasses and found the bypass documented by Contextis at AMSI Bypass | Context Information Security. Everything is good here with the bypass except for one problem: it uses Add-Type. Whenever you use Add-Type, the code gets written to a temporary file and csc.exe is then used to compile a binary, which stays on disk. This is a problem when you want to stay stealthy and don't want to write any artifacts to disk.

[Screenshot] PowerShell writing to disk: once PowerShell writes the script to disk, csc.exe compiles it.

[Screenshot] csc.exe compiling the script.

Solution: Reflection

Matt Graeber, in his post on exploit-monday.com, goes into great detail on how to use reflection to access the Win32 API. Please refer to that blog post to understand how reflection works.

Modified Script

After switching to reflection, here is the modified script to bypass AMSI.

The script can also be downloaded from this gist: AMSI BYPASS REFECTION

The advantage of using reflection is that there is no temporary file and no call to csc.exe, which allows the script to stay fully in memory.

[Screenshot] No temporary files from PowerShell and no csc.exe compilation.
This means the bypass is fully in memory, which is the end result. :)

Credits

Matt: https://twitter.com/mattifestation
Paul: https://twitter.com/am0nsec

Edit: I removed the code from the quote as it triggers some AVs.
 
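Since the modified script itself was removed from the post, the following is an added example, not the author's script and not the redteam.cafe or Contextis code, showing the mechanism the post relies on: resolving and calling a Win32 export purely through reflection, with no Add-Type and therefore no csc.exe and no temp file. It adapts the Get-ProcAddress / Get-DelegateType pattern from Matt Graeber's post, calls the harmless kernel32!GetCurrentProcessId to prove the resolved pointer is real, and for comparison includes the Add-Type route from the first section (the one that writes C# to %TEMP% and spawns csc.exe). It assumes Windows PowerShell 5.1 on .NET Framework (System.dll in the GAC, AppDomain.DefineDynamicAssembly available); the function names, the Demo.Native type and the [UInt32] delegate signature are this example's own choices. It does not patch AMSI.

```powershell
# Added example (not from the original post): reflection-based Win32 calls
# with no Add-Type, so no csc.exe process and no temp files.
# Assumes Windows PowerShell 5.1 on .NET Framework.

function Get-ProcAddress {
    param(
        [Parameter(Mandatory)][string]$Module,
        [Parameter(Mandatory)][string]$Procedure
    )
    # System.dll is already loaded in every PowerShell process and carries
    # P/Invoke wrappers for GetModuleHandle/GetProcAddress. Borrowing them via
    # reflection avoids declaring our own DllImport, which is what Add-Type
    # would otherwise hand to csc.exe.
    $systemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -and
                       [System.IO.Path]::GetFileName($_.Location) -eq 'System.dll' } |
        Select-Object -First 1
    $unsafe = $systemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
    $getModuleHandle = $unsafe.GetMethod('GetModuleHandle')
    # Select the (HandleRef, string) overload explicitly: recent .NET Framework
    # builds expose more than one GetProcAddress and a bare GetMethod() throws
    # AmbiguousMatchException.
    $getProcAddress = $unsafe.GetMethod('GetProcAddress',
        [Type[]]@([System.Runtime.InteropServices.HandleRef], [string]))

    $hModule = $getModuleHandle.Invoke($null, @($Module))
    if ($hModule -eq [IntPtr]::Zero) { throw "Module '$Module' is not loaded in this process" }
    $handleRef = New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), $hModule)
    $address = $getProcAddress.Invoke($null,
        @([System.Runtime.InteropServices.HandleRef]$handleRef, $Procedure))
    if ($address -eq [IntPtr]::Zero) { throw "Export '$Procedure' not found in '$Module'" }
    return $address
}

function Get-DelegateType {
    param(
        [Type[]]$Parameters = (New-Object Type[](0)),
        [Type]$ReturnType = [void]
    )
    # Emit a throwaway delegate type into a run-only dynamic assembly. Nothing
    # is saved, so there is no binary on disk and no compiler involved.
    $asmName = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
    $asmBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($asmName,
        [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
    $modBuilder = $asmBuilder.DefineDynamicModule('InMemoryModule', $false)
    $typeBuilder = $modBuilder.DefineType('MyDelegateType',
        'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $ctor = $typeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public',
        [System.Reflection.CallingConventions]::Standard, $Parameters)
    $ctor.SetImplementationFlags('Runtime, Managed')
    $invoke = $typeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
        $ReturnType, $Parameters)
    $invoke.SetImplementationFlags('Runtime, Managed')
    return $typeBuilder.CreateType()
}

function Invoke-ReflectedNativeCall {
    # kernel32!GetCurrentProcessId takes no arguments and returns a DWORD, so
    # comparing its result with $PID proves the resolved pointer is correct.
    $address = Get-ProcAddress -Module 'kernel32.dll' -Procedure 'GetCurrentProcessId'
    $delegateType = Get-DelegateType -ReturnType ([UInt32])
    $getCurrentProcessId = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(
        $address, $delegateType)
    $nativePid = $getCurrentProcessId.Invoke()
    [PSCustomObject]@{
        Address        = ('0x{0:X}' -f $address.ToInt64())
        NativePid      = $nativePid
        PowerShellPid  = $PID
        PointerIsValid = ($nativePid -eq $PID)
    }
}

function Invoke-AddTypeNativeCall {
    # The route the original bypass took: the same call declared via Add-Type.
    # PowerShell writes the C# source to %TEMP% and launches csc.exe to compile
    # it, which is exactly the on-disk artifact and child process the post
    # wants to avoid. Kept here only for comparison.
    Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern uint GetCurrentProcessId();
'@
    [Demo.Native]::GetCurrentProcessId()
}

Invoke-ReflectedNativeCall | Format-List
```

Running the script prints the resolved address of GetCurrentProcessId and PointerIsValid = True; running Invoke-AddTypeNativeCall in a second session while watching %TEMP% and process creation shows the .cs/.cmdline files and the csc.exe child process that the reflection path never produces. For defenders, that is the practical difference: the Add-Type route trips process-creation telemetry (csc.exe spawned by powershell.exe), while the reflection route leaves no such event, so detection of this class of script has to rely on script-block logging, AMSI itself, or in-memory inspection rather than on compiler artifacts.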