🔍 Bypasses AMSI by remotely patching the AmsiScanBuffer function in target processes.

AMSI-PeParse-Patch.exe powershell.exe # by process name
AMSI-PeParse-Patch.exe 1234 # by PID (in PowerShell, $pid gives the current process's PID)
🎯 Target Process
- Opens a handle to the remote process with PROCESS_ALL_ACCESS
🔎 Find amsi.dll
- Lists loaded modules with EnumProcessModules
- Locates amsi.dll in the target process
🧠 Memory Analysis
- Explicit individual ReadProcessMemory() calls:
  - Reads the DOS header from the module base address
  - Reads the NT headers from base + e_lfanew
  - Stores the RVAs of the import/export directories
  - Creates a Pe structure with pointers to the remote memory structures
🔍 Locate Function
- Reads the export tables remotely
- Searches for the "AmsiScanBuffer" string
- Translates it to the actual memory address
💉 Patch Memory
- Changes protection with VirtualProtectEx
- Writes the patch B8 00 00 00 00 C3 (mov eax, 0; ret)
- AmsiScanBuffer now returns "clean" for ANY content

- 🧩 Works on x86 and x64 processes
- 🪄 No process restart needed
- 🏭 Common target: powershell.exe
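The same export-table walk, turned around into a defender-side integrity check; this is an added example and not code from this project. Given the bytes of a mapped PE image (what an EDR or a memory-dump triage script would read out of a process), it parses the DOS header, the NT headers and the export directory, resolves AmsiScanBuffer, and reports whether its first bytes have been replaced with the `B8 00 00 00 00 C3` stub. The image it runs on is a constructed stand-in, not the real amsi.dll; `build_image`, `find_export` and `check_amsi_scan_buffer` are names chosen here, and the prologue bytes of the synthetic exports are placeholders.

```python
"""Integrity check for AmsiScanBuffer in a mapped amsi.dll image.

Added defender-side example (not part of this project). Works on a bytes
object holding the image as mapped in memory, so RVAs are offsets into it.
"""
import struct

# Known tamper stub from the tool description: mov eax, 0 ; ret
PATCH_SIGNATURE = bytes.fromhex("B800000000C3")


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("ascii")


def export_directory(image):
    """Return (rva, size) of the export data directory from the NT headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + IMAGE_FILE_HEADER
    magic = _u16(image, opt)
    # DataDirectory[0] (export) sits at +0x60 for PE32 and +0x70 for PE32+
    dir_off = opt + (0x70 if magic == 0x20B else 0x60)
    return _u32(image, dir_off), _u32(image, dir_off + 4)


def find_export(image, name):
    """Resolve an exported function name to its RVA, or None if not exported."""
    exp_rva, _ = export_directory(image)
    num_names = _u32(image, exp_rva + 24)       # IMAGE_EXPORT_DIRECTORY.NumberOfNames
    addr_funcs = _u32(image, exp_rva + 28)      # AddressOfFunctions
    addr_names = _u32(image, exp_rva + 32)      # AddressOfNames
    addr_ords = _u32(image, exp_rva + 36)       # AddressOfNameOrdinals
    for i in range(num_names):
        if _cstr(image, _u32(image, addr_names + 4 * i)) == name:
            ordinal = _u16(image, addr_ords + 2 * i)
            return _u32(image, addr_funcs + 4 * ordinal)
    return None


def check_amsi_scan_buffer(image):
    """Report whether AmsiScanBuffer's entry bytes match the known patch stub."""
    rva = find_export(image, "AmsiScanBuffer")
    if rva is None:
        return {"rva": None, "patched": False, "prologue": ""}
    prologue = bytes(image[rva:rva + len(PATCH_SIGNATURE)])
    return {"rva": rva, "patched": prologue == PATCH_SIGNATURE, "prologue": prologue.hex()}


def build_image(patched):
    """Constructed PE32+ image with two exports; NOT a real amsi.dll."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 0, 0, 0, 0, 240, 0x2022)  # file header
    struct.pack_into("<H", img, 0x98, 0x20B)                       # PE32+ magic
    struct.pack_into("<II", img, 0x98 + 0x70, 0x200, 0x100)        # export directory entry
    # IMAGE_EXPORT_DIRECTORY: Name, Base, #funcs, #names, funcs, names, ordinals
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0,
                     0x330, 1, 2, 2, 0x300, 0x310, 0x320)
    struct.pack_into("<II", img, 0x300, 0x400, 0x500)              # AddressOfFunctions
    struct.pack_into("<II", img, 0x310, 0x340, 0x350)              # AddressOfNames
    struct.pack_into("<HH", img, 0x320, 0, 1)                      # AddressOfNameOrdinals
    img[0x330:0x339] = b"amsi.dll\x00"
    img[0x340:0x34F] = b"AmsiInitialize\x00"
    img[0x350:0x35F] = b"AmsiScanBuffer\x00"
    img[0x400:0x405] = bytes.fromhex("48895C2408")                 # placeholder prologue
    body = PATCH_SIGNATURE if patched else bytes.fromhex("48895C240848896C2410")
    img[0x500:0x500 + len(body)] = body
    return bytes(img)


if __name__ == "__main__":
    for state in (False, True):
        print("patched" if state else "clean  ", check_amsi_scan_buffer(build_image(state)))
```

Against a real process you would feed `check_amsi_scan_buffer` the bytes read from the amsi.dll module base, and alert on `patched == True`; comparing the prologue against a hash of the on-disk amsi.dll's export catches variants that use a different stub.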
Copyright © 2025 EvilBytecode. All rights reserved.
