EByte-AMSI-ProxyInjector: A New Tool Exposes a Critical Bypass Technique

EByte-AMSI-ProxyInjector

A lightweight tool that injects a custom assembly proxy into a target process to silently bypass AMSI scanning by redirecting AmsiScanBuffer calls. It suspends the target’s threads, patches the function to always return AMSI_RESULT_CLEAN without altering original bytes directly, ensuring stealthy AMSI bypass.

Features

• Thread-safe implementation with proper thread suspension/resumption
• Verbose debugging mode for detailed operation analysis
• Minimal dependencies – uses only core Windows APIs

How It works

The tool employs a function redirection approach instead of direct byte patching:

1. Targeting: Accepts a process ID (PID) as input to target a specific process

2. Thread Management:

   • Suspends all threads in the target process to prevent race conditions
   • Uses NtSuspendThread and NtResumeThread for atomic operations

3. AMSI Detection:

   • Locates amsi.dll in the target process
   • Calculates the offset of AmsiScanBuffer from the module base
   • Maps this offset to find the function in the target process

4. Redirection Implementation:

   • Allocates memory in the target process for a proxy function
   • Writes a minimal assembly function that preserves register state but always returns 0 (clean)
   • Creates a jump instruction at the start of the original AmsiScanBuffer function
   • Redirects execution to the clean proxy function

5. Cleanup:

   • Resumes all previously suspended threads
   • Properly closes all handles to prevent resource leaks

Technical Details

• NtAllocateVirtualMemory: Allocates memory for the proxy function
• NtProtectVirtualMemory: Changes memory protection to allow writing/execution
• NtWriteVirtualMemory: Writes the proxy function and jump instruction

1. Preserves register state by saving registers to the stack
2. Sets EAX to 0 (representing AMSI_RESULT_CLEAN)
3. Restores register state
4. Returns to the caller

Download & Use