Ghosting-AMSI: AMSI Bypass via RPC Hijack (NdrClientCall3)

Summary

Ghosting-AMSI presents an advanced technique to bypass AMSI detection by exploiting COM-level mechanics. It achieves this by hijacking the NdrClientCall3 function within the RPC runtime, intercepting AMSI scan requests before they reach the antivirus engine. This method provides a stealthy bypass without modifying AMSI.dll, making it highly effective against various detection mechanisms.

Repository Info

Updated on December 5, 2025

Introduction

Ghosting-AMSI is a sophisticated tool designed to bypass AMSI (Antimalware Scan Interface) detection by leveraging an innovative RPC Hijack technique, specifically targeting the NdrClientCall3 function. This method operates at a deeper layer than traditional bypasses, exploiting the COM-level mechanics AMSI uses to delegate scan requests to antivirus providers through RPC.

By hooking into NdrClientCall3, a low-level function within the RPC runtime responsible for marshaling parameters, Ghosting-AMSI intercepts AMSI scan requests before they are serialized and sent to the AV engine. This allows for manipulation of payloads, tricking AMSI into believing clean data is being scanned, thereby bypassing detection without modifying AMSI.dll itself.

Installation

To get started with Ghosting-AMSI, you typically need to clone the repository and navigate to its directory. As it's a PowerShell-based solution, you can then import and execute the script.

git clone https://github.com/andreisss/Ghosting-AMSI.git
cd Ghosting-AMSI

Examples

While specific usage examples might vary based on the implementation within the script, the general approach involves executing the PowerShell script to enable the AMSI bypass. You would then run your desired payload, which should now evade AMSI detection.

# Example of importing and potentially executing the bypass script
# (Specific function calls may vary based on the script's design)
Import-Module .\Ghosting-AMSI.ps1
# ... then execute your malicious payload ...

Why Use It

Ghosting-AMSI offers significant advantages over conventional AMSI bypass techniques:

  • Deeper Layer Bypass: It operates at the RPC runtime level, one layer deeper than methods that patch AmsiScanBuffer or set internal flags, making it more resilient.
  • No AMSI.dll Modification: The technique does not touch AMSI.dll, which helps evade both signature-based and behavior-based detection engines that look for modifications to the AMSI library.
  • Stealthy Operation: By intercepting arguments and manipulating payloads before they reach the AV, it ensures that AMSI perceives clean data, leading to a stealthier bypass.
  • Leverages RPC Mechanics: It exploits the fundamental communication mechanism between AMSI and AV providers, making it a robust and difficult-to-detect method.

Links

For more detailed information, source code, and updates, please visit the official GitHub repository: