{"name":"Ghosting-AMSI: AMSI Bypass via RPC Hijack (NdrClientCall3)","description":"Ghosting-AMSI demonstrates an AMSI bypass that hooks NdrClientCall3 in the RPC runtime (rpcrt4.dll) and intercepts AMSI scan requests on their way from the in-process antimalware provider to the out-of-process antivirus engine. The buffer can be altered before it is marshaled, so the engine scans benign data while AMSI.dll itself is never modified.","github":"https://github.com/andreisss/Ghosting-AMSI","url":"https://osrepos.com/repo/andreisss-ghosting-amsi","source":"osrepos.com","sourceDescription":"This repository profile is provided by osrepos.com, an open source repository discovery platform.","repositoryProfile":"https://osrepos.com/repo/andreisss-ghosting-amsi","generatedFor":"open source discovery and AI-assisted research","markdown":"https://osrepos.com/repo/andreisss-ghosting-amsi.md","json":"https://osrepos.com/repo/andreisss-ghosting-amsi.json","topics":["PowerShell","Security","AMSI Bypass","Red Teaming","RPC Hijack","Windows Security","Antivirus Evasion"],"keywords":["PowerShell","Security","AMSI Bypass","Red Teaming","RPC Hijack","Windows Security","Antivirus Evasion"],"stars":null,"summary":"Ghosting-AMSI demonstrates an AMSI bypass that hooks NdrClientCall3 in the RPC runtime (rpcrt4.dll) and intercepts AMSI scan requests on their way from the in-process antimalware provider to the out-of-process antivirus engine. The buffer can be altered before it is marshaled, so the engine scans benign data while AMSI.dll itself is never modified.","content":"## Introduction\n\nGhosting-AMSI is a PowerShell tool that bypasses AMSI (Antimalware Scan Interface) detection through an RPC hijack: instead of patching `AMSI.dll`, it hooks the `NdrClientCall3` function in the RPC runtime (`rpcrt4.dll`). 
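
An added example, not taken from the Ghosting-AMSI repository, that shows what this hook looks like from the defender's side: the PowerShell check below reads the first bytes of `rpcrt4!NdrClientCall3` in the current process and compares them with the same bytes in the DLL on disk, resolving the export from the file's own export table so that a tampered in-memory export table cannot mislead it. The function names (`Test-ExportPrologue` and its helpers) are mine, and it assumes a 64-bit PowerShell host on 64-bit Windows.

```powershell
# Added example (not part of Ghosting-AMSI): compare the entry point of
# rpcrt4!NdrClientCall3 as it sits in this process with the on-disk DLL.
# Assumes a 64-bit PowerShell host on 64-bit Windows. The export RVA is
# taken from the file's export table, not from GetProcAddress.

function Get-PeSections {
    param([byte[]]$Img)
    # Section table of the on-disk image: needed to turn RVAs into file offsets.
    $pe  = [BitConverter]::ToInt32($Img, 0x3C)          # e_lfanew
    $n   = [BitConverter]::ToUInt16($Img, $pe + 6)      # NumberOfSections
    $opt = [BitConverter]::ToUInt16($Img, $pe + 20)     # SizeOfOptionalHeader
    $tbl = $pe + 24 + $opt
    0..($n - 1) | ForEach-Object {
        $s = $tbl + ($_ * 40)
        [pscustomobject]@{
            Va  = [BitConverter]::ToUInt32($Img, $s + 12)   # VirtualAddress
            Raw = [BitConverter]::ToUInt32($Img, $s + 16)   # SizeOfRawData
            Ptr = [BitConverter]::ToUInt32($Img, $s + 20)   # PointerToRawData
        }
    }
}

function ConvertTo-FileOffset {
    param([object[]]$Sections, [uint32]$Rva)
    foreach ($s in $Sections) {
        if ($Rva -ge $s.Va -and $Rva -lt ($s.Va + $s.Raw)) { return [int]($s.Ptr + ($Rva - $s.Va)) }
    }
    throw ('RVA 0x{0:X} is not backed by any section' -f $Rva)
}

function Get-ExportRva {
    param([byte[]]$Img, [object[]]$Sections, [string]$Name)
    # Walk IMAGE_EXPORT_DIRECTORY of the on-disk file and return the RVA of $Name.
    $pe     = [BitConverter]::ToInt32($Img, 0x3C)
    $magic  = [BitConverter]::ToUInt16($Img, $pe + 24)
    $dd     = if ($magic -eq 0x20B) { 112 } else { 96 }   # DataDirectory offset: PE32+ vs PE32
    $expRva = [BitConverter]::ToUInt32($Img, $pe + 24 + $dd)
    $exp    = ConvertTo-FileOffset $Sections $expRva
    $count  = [BitConverter]::ToUInt32($Img, $exp + 24)   # NumberOfNames
    $funcs  = ConvertTo-FileOffset $Sections ([BitConverter]::ToUInt32($Img, $exp + 28))
    $names  = ConvertTo-FileOffset $Sections ([BitConverter]::ToUInt32($Img, $exp + 32))
    $ords   = ConvertTo-FileOffset $Sections ([BitConverter]::ToUInt32($Img, $exp + 36))
    for ($i = 0; $i -lt $count; $i++) {
        $p = ConvertTo-FileOffset $Sections ([BitConverter]::ToUInt32($Img, $names + 4 * $i))
        $e = $p; while ($Img[$e] -ne 0) { $e++ }
        if ([Text.Encoding]::ASCII.GetString($Img, $p, $e - $p) -ceq $Name) {
            $ord = [BitConverter]::ToUInt16($Img, $ords + 2 * $i)
            return [BitConverter]::ToUInt32($Img, $funcs + 4 * $ord)
        }
    }
    throw ('export {0} not found' -f $Name)
}

function Test-ExportPrologue {
    param([string]$Module = 'rpcrt4.dll', [string]$Export = 'NdrClientCall3', [int]$Length = 16)
    $mod = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq $Module } | Select-Object -First 1
    if (-not $mod) { throw ('{0} is not loaded in this process' -f $Module) }
    $img  = [IO.File]::ReadAllBytes($mod.FileName)
    $secs = @(Get-PeSections $img)
    $rva  = Get-ExportRva $img $secs $Export
    $off  = ConvertTo-FileOffset $secs $rva

    # Live bytes at module base + RVA, and the same bytes from the file on disk.
    $live = New-Object byte[] $Length
    [Runtime.InteropServices.Marshal]::Copy([IntPtr]($mod.BaseAddress.ToInt64() + $rva), $live, 0, $Length)
    $disk = $img[$off..($off + $Length - 1)]

    $mismatch = $false
    for ($i = 0; $i -lt $Length; $i++) { if ($live[$i] -ne $disk[$i]) { $mismatch = $true; break } }
    # Typical redirect prologues: E9 rel32 (jmp), FF 25 (jmp [rip+disp32]), 48 B8 .. FF E0 (mov rax,imm64; jmp rax)
    $redirect = ($live[0] -eq 0xE9) -or ($live[0] -eq 0xFF -and $live[1] -eq 0x25) -or ($live[0] -eq 0x48 -and $live[1] -eq 0xB8)
    [pscustomobject]@{
        Export       = '{0}!{1}' -f $Module, $Export
        Address      = '0x{0:X}' -f ($mod.BaseAddress.ToInt64() + $rva)
        InMemory     = ($live | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        OnDisk       = ($disk | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Mismatch     = $mismatch
        LooksLikeJmp = $redirect
    }
}

Test-ExportPrologue
```

Run it in the same PowerShell session before and after loading a bypass of this kind; the hook is per process, so a clean result from a different process says nothing about the scanned one. A mismatch is a triage signal rather than proof: Windows hotpatching and user-mode EDR hooks also rewrite prologues of system DLL exports, so compare the bytes shown against what is expected on that build.
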
This method operates one layer below the usual bypasses. AMSI hands each scan request to the registered antimalware provider, a COM object loaded into the scanning process, and the provider forwards the request over RPC to the antivirus engine, which runs in a separate process.\n\n`NdrClientCall3` is the `rpcrt4.dll` routine that marshals the parameters of such an RPC call. By hooking it, Ghosting-AMSI sees the AMSI scan request before it is serialized and sent to the engine and can swap the buffer for harmless content, so the engine returns a clean verdict while `AMSI.dll` and the provider run untouched. Two consequences follow: nothing in `AMSI.dll` is patched, and the bypass only covers providers that forward scans out of the scanned process over RPC; a provider that scans in-process never calls `NdrClientCall3`.\n\n## Installation\n\nClone the repository and change into its directory. The project is a PowerShell script, so it is loaded into a session and run directly.\n\n```powershell\ngit clone https://github.com/andreisss/Ghosting-AMSI.git\ncd Ghosting-AMSI\n```\n\n## Examples\n\nThis profile does not document the script's entry point, so the snippet below only shows the general flow; the file name and the function that installs the hook are placeholders to check against the repository README.\n\n```powershell\n# Load the bypass script into the current session (dot-sourcing keeps its\n# functions available; the file name depends on the repository)\n. .\\Ghosting-AMSI.ps1\n# Call whatever function the script exposes to install the hook, then run the payload\n```\n\nThe sequence is the same whatever the entry point is called: load the script, enable the hook, 
then run the payload that AMSI would otherwise flag.\n\n## Why Use It\n\nCompared with the common AMSI bypasses, the technique has these properties:\n\n*   **Deeper layer**: it works in the RPC runtime, below the `AmsiScanBuffer` patches and internal-flag tricks that most detections look for, on the path every scan must take to reach an out-of-process engine.\n*   **No AMSI.dll modification**: `AMSI.dll` is left intact, so checks that compare the loaded AMSI image with the file on disk, or that watch `AmsiScanBuffer` for patches, see nothing unusual.\n*   **The engine sees clean data**: the buffer is replaced before it is marshaled, so the antivirus engine scans harmless content and returns a clean verdict, which AMSI relays as it normally would.\n*   **Limits to keep in mind**: the hook is an in-process patch of `rpcrt4.dll`, so the same kind of integrity check that catches `AmsiScanBuffer` patches catches it once pointed at `NdrClientCall3`; it only affects providers that forward scans over RPC from the scanned process; and, like any in-process hook, it has to be installed again in every new PowerShell session.\n\n## Links\n\nFor more detailed information, source code, and updates, please visit the official GitHub repository:\n\n*   **GitHub Repository**: [https://github.com/andreisss/Ghosting-AMSI](https://github.com/andreisss/Ghosting-AMSI)","metrics":{"detailViews":0,"githubClicks":4},"dates":{"published":null,"modified":"2025-12-05T08:00:36.000Z"}}