EByte-AMSI-ProxyInjector: A New Tool Exposes a Critical Bypass Technique

EByte-AMSI-ProxyInjector

A lightweight tool that injects a small assembly proxy into a target process and redirects that process's AmsiScanBuffer calls to it, so every AMSI scan silently reports clean. It suspends the target's threads and overwrites the entry of AmsiScanBuffer with a jump to the proxy, which always returns AMSI_RESULT_CLEAN, rather than patching the function's body in place with a hard-coded result.


Features

  • Thread-safe implementation with proper thread suspension/resumption
  • Verbose debugging mode for detailed operation analysis
  • Minimal dependencies – uses only core Windows APIs

How It Works

The tool redirects the function to a proxy instead of patching its body in place with a hard-coded return value:

  1. Targeting: Accepts a process ID (PID) as input to target a specific process

  2. Thread Management:

    • Suspends every thread in the target process so that no thread can be executing inside AmsiScanBuffer while its entry bytes are rewritten
    • Uses NtSuspendThread and NtResumeThread for the suspend/resume pair
  3. AMSI Detection:

    • Locates the base address of amsi.dll in the target process (the target must already have loaded it; a process that has not yet touched AMSI has nothing to patch)
    • Calculates the offset of AmsiScanBuffer from the module base; the offset is identical in every process that mapped the same amsi.dll image
    • Adds that offset to the remote module base to find the function in the target process
  4. Redirection Implementation:

    • Allocates memory in the target process for a proxy function
    • Writes a minimal assembly function that preserves register state but always returns 0 (S_OK as the HRESULT, with the verdict AMSI_RESULT_CLEAN)
    • Overwrites the first bytes of the original AmsiScanBuffer with a jump instruction
    • The jump sends every caller to the clean proxy, so the body of AmsiScanBuffer is never reached
  5. Cleanup:

    • Resumes all previously suspended threads
    • Properly closes all handles to prevent resource leaks

Technical Details

Memory Manipulation

The tool uses the following NT API calls for memory operations:

  • NtAllocateVirtualMemory: Allocates memory for the proxy function
  • NtProtectVirtualMemory: Changes memory protection to allow writing/execution
  • NtWriteVirtualMemory: Writes the proxy function and jump instruction

Proxy Function Implementation

The proxy function is a small assembly routine that:

  1. Preserves register state by saving registers to the stack
  2. Sets EAX to 0, which is both S_OK as the HRESULT return value and the numeric value of AMSI_RESULT_CLEAN
  3. Restores register state
  4. Returns to the caller

Note that AmsiScanBuffer reports its verdict through the AMSI_RESULT *result out-parameter rather than through the return value; a proxy that returns 0 without writing that parameter leaves the caller with whatever value the variable held before the call.
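The check a defender would want against the redirection described above, as an added example that is not from the tool or the article: a jump planted at the entry of AmsiScanBuffer has one of a few fixed encodings, so the first bytes of the function can be classified in-process. The in-place "return a verdict" patterns are included as well, since the page contrasts the tool with direct byte patching. The sample prologue, the sample addresses and the names classify_entry and check_live_amsi are constructed for this example, not claims about any particular amsi.dll build.

```c
#include <stdint.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#endif

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_RIP_INDIRECT,
                 HOOK_MOV_RAX_JMP, HOOK_IMMEDIATE_RET };

/* Classifies the first n bytes at a function entry. Patterns covered:
 *   E9 rel32              jmp rel32 (target within +/-2 GiB)
 *   FF 25 disp32          jmp qword ptr [rip+disp32] (absolute, 14-byte form)
 *   48 B8 imm64 FF E0     mov rax, imm64 ; jmp rax
 *   B8 imm32 C3           mov eax, imm32 ; ret  (in-place verdict patch)
 *   31 C0 C3 / 33 C0 C3   xor eax, eax ; ret */
enum hook_kind classify_entry(const uint8_t *p, size_t n) {
    if (n >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_RIP_INDIRECT;
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    if (n >= 6 && p[0] == 0xB8 && p[5] == 0xC3) return HOOK_IMMEDIATE_RET;
    if (n >= 3 && (p[0] == 0x31 || p[0] == 0x33) && p[1] == 0xC0 && p[2] == 0xC3)
        return HOOK_IMMEDIATE_RET;
    return HOOK_NONE;
}

/* Constructed samples. The "clean" bytes are an ordinary x64 prologue
 * (mov r11,rsp ; mov [r11+8],rbx ; mov [r11+16],rbp ; push rdi ; push r14),
 * not a copy of any specific amsi.dll build. */
const uint8_t sample_clean[] = { 0x4C,0x8B,0xDC, 0x49,0x89,0x5B,0x08,
                                 0x49,0x89,0x6B,0x10, 0x57, 0x41,0x56 };
/* jmp [rip+0] to a made-up proxy address 0x0000020000001000 */
const uint8_t sample_abs_jmp[] = { 0xFF,0x25,0,0,0,0,
                                   0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00 };
/* mov eax, 0x80070057 (E_INVALIDARG) ; ret */
const uint8_t sample_verdict_patch[] = { 0xB8,0x57,0x00,0x07,0x80, 0xC3 };

#ifdef _WIN32
/* Live check: classify the entry of the AmsiScanBuffer mapped in this process. */
enum hook_kind check_live_amsi(void) {
    HMODULE m = LoadLibraryA("amsi.dll");
    const uint8_t *fn = m ? (const uint8_t *)GetProcAddress(m, "AmsiScanBuffer") : NULL;
    return fn ? classify_entry(fn, 16) : HOOK_NONE;
}
#endif
```

classify_entry only sees the current process; to audit another process, read its first 16 bytes at the rebased address with ReadProcessMemory and feed them to the same function. It also only sees the function entry, so a patch placed deeper in the body slips past it; the stronger check is to compare the whole in-memory function against the bytes of the amsi.dll image on disk.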
