Ghosting-AMSI: AMSI Bypass via RPC Hijack (NdrClientCall3)
This repository profile is provided by osrepos.com, an open source repository discovery platform.
Summary
Ghosting-AMSI presents an advanced technique to bypass AMSI detection by exploiting COM-level mechanics. It achieves this by hijacking the NdrClientCall3 function within the RPC runtime, intercepting AMSI scan requests before they reach the antivirus engine. This method provides a stealthy bypass without modifying AMSI.dll, making it highly effective against various detection mechanisms.
Introduction
Ghosting-AMSI is a sophisticated tool designed to bypass AMSI (Antimalware Scan Interface) detection by leveraging an innovative RPC Hijack technique, specifically targeting the NdrClientCall3 function. This method operates at a deeper layer than traditional bypasses, exploiting the COM-level mechanics AMSI uses to delegate scan requests to antivirus providers through RPC.
By hooking into NdrClientCall3, a low-level function within the RPC runtime responsible for marshaling parameters, Ghosting-AMSI intercepts AMSI scan requests before they are serialized and sent to the AV engine. This allows for manipulation of payloads, tricking AMSI into believing clean data is being scanned, thereby bypassing detection without modifying AMSI.dll itself.
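Because the hook described above lives in the RPC runtime (rpcrt4.dll) rather than in AMSI.dll, a defender's integrity check has to cover rpcrt4!NdrClientCall3 itself, not just the AMSI library. The Python below is an added example and not code from the Ghosting-AMSI project: it recognises common inline trampoline stubs at a function prologue, diffs the in-memory bytes against a reference copy, and resolves a jmp rel32 target to see whether it leaves the module image. The byte strings are constructed samples rather than the real NdrClientCall3 prologue, and every function name is an assumption.

```python
import struct
from typing import Optional

# Constructed sample bytes, NOT the real prologue of rpcrt4!NdrClientCall3.
# A live check would read the first ~16 bytes of the exported symbol from the
# running process and the same bytes from the on-disk rpcrt4.dll as reference.
CLEAN_PROLOGUE = bytes.fromhex("48895c2408488974241057" "4883ec20" "488bf2")
# The same constructed prologue with a 5-byte "jmp rel32" stub written over it.
HOOKED_PROLOGUE = b"\xe9" + struct.pack("<i", 0x1000) + CLEAN_PROLOGUE[5:]


def detect_inline_hook(prologue: bytes) -> Optional[str]:
    """Name the trampoline stub found at the start of `prologue`, or None."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        return "jmp rel32"
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        return "jmp [rip+rel32]"
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return "push imm32; ret"
    return None


def jmp_rel32_target(prologue: bytes, function_address: int) -> int:
    """Absolute destination of an E9 stub located at `function_address`."""
    return function_address + 5 + struct.unpack("<i", prologue[1:5])[0]


def diff_offsets(live: bytes, reference: bytes) -> list:
    """Byte offsets where the in-memory prologue deviates from the reference."""
    return [i for i, (a, b) in enumerate(zip(live, reference)) if a != b]


def check_ndr_client_call3(live: bytes, reference: bytes, address: int,
                           image_base: int, image_size: int) -> dict:
    """Combine stub recognition and reference diff; flag jumps that leave the image."""
    stub = detect_inline_hook(live)
    changed = diff_offsets(live, reference)
    outside = False
    if stub == "jmp rel32":
        target = jmp_rel32_target(live, address)
        outside = not (image_base <= target < image_base + image_size)
    return {"hooked": stub is not None or bool(changed),
            "stub": stub, "changed_offsets": changed, "jumps_outside_image": outside}
```

On a real host the reference bytes must come from the on-disk rpcrt4.dll after relocation, and a hook placed elsewhere (for example in an import table) would not show up at the prologue, so this check complements rather than replaces a full text-section comparison.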
Installation
To get started with Ghosting-AMSI, you typically need to clone the repository and navigate to its directory. As it's a PowerShell-based solution, you can then import and execute the script.
git clone https://github.com/andreisss/Ghosting-AMSI.git
cd Ghosting-AMSI
Examples
While specific usage examples might vary based on the implementation within the script, the general approach involves executing the PowerShell script to enable the AMSI bypass. You would then run your desired payload, which should now evade AMSI detection.
# Example of importing and potentially executing the bypass script
# (Specific function calls may vary based on the script's design)
Import-Module .\Ghosting-AMSI.ps1
# ... then execute your malicious payload ...
Why Use It
Ghosting-AMSI offers significant advantages over conventional AMSI bypass techniques:
- Deeper Layer Bypass: It operates at the RPC runtime level, one layer deeper than methods that patch AmsiScanBuffer or set internal flags, making it more resilient.
- No AMSI.dll Modification: The technique does not touch AMSI.dll, which helps evade both signature-based and behavior-based detection engines that look for modifications to the AMSI library.
- Stealthy Operation: By intercepting arguments and manipulating payloads before they reach the AV, it ensures that AMSI perceives clean data, leading to a stealthier bypass.
- Leverages RPC Mechanics: It exploits the fundamental communication mechanism between AMSI and AV providers, making it a robust and difficult-to-detect method.
Links
For more detailed information, source code, and updates, please visit the official GitHub repository:
- GitHub Repository: https://github.com/andreisss/Ghosting-AMSI