EByte-AMSI-ProxyInjector: A New Tool Exposes a Critical Bypass Technique

by ddos · August 26, 2025

EByte-AMSI-ProxyInjector

A lightweight tool that injects a custom assembly proxy into a target process to silently bypass AMSI scanning by redirecting AmsiScanBuffer calls. It suspends the target’s threads, patches the function to always return AMSI_RESULT_CLEAN without altering original bytes directly, ensuring stealthy AMSI bypass.

Features

Thread-safe implementation with proper thread suspension/resumption
Verbose debugging mode for detailed operation analysis
Minimal dependencies – uses only core Windows APIs

How It works

The tool employs a function redirection approach instead of direct byte patching:

Targeting: Accepts a process ID (PID) as input to target a specific process
Thread Management:
- Suspends all threads in the target process to prevent race conditions
- Uses NtSuspendThread and NtResumeThread for atomic operations
AMSI Detection:
- Locates amsi.dll in the target process
- Calculates the offset of AmsiScanBuffer from the module base
- Maps this offset to find the function in the target process
Redirection Implementation:
- Allocates memory in the target process for a proxy function
- Writes a minimal assembly function that preserves register state but always returns 0 (clean)
- Creates a jump instruction at the start of the original AmsiScanBuffer function
- Redirects execution to the clean proxy function
Cleanup:
- Resumes all previously suspended threads
- Properly closes all handles to prevent resource leaks