AMSI buffer normalization #24164

@random-npc-glitch

Description

Summary of the new feature / enhancement

I have noticed that AMSI scan buffers can contain escape characters and that aliases are not resolved to the base cmdlet name. Both of these are problematic for signature writers and seem best addressed from within the PowerShell code base itself.

Examples:

   logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
   powershell -c get-pro`cess
   powershell -c get-pro''cess
   powershell -c g`et-pro""cess
   powershell -c p`s
   powershell -c gp`s
   powershell -c "(('67 65 74 2D 70 72 6F 60 63 65 73' -split ' ' |ForEach-Object {[char][byte]\"0x$_\"}) -join '')+[char]0x73  | iex"
   logman stop AMSITrace -ets

Then run Get-AmsiEvent on the AMSITrace.etl output file
(https://gist.github.com/mgraeber-rc/1eb42d3ec9c2f677e70bb14c3b7b5c9c)

Content         : get-pro`cess
Content         : gp`s

(same for pwsh.exe)

pwsh -c gp`s

AppName         : PowerShell_C:\Program Files\PowerShell\7\pwsh.exe_7.4.4
Content         : gp`s

Vendor-specific signature languages working on the content buffers cannot know arbitrary aliases, implement full syntax parsers, or keep up with new language features.

Once a script is fully parsed and held as an AST, is there any framework to reconstruct the normalized source from that? Seems that could strip alias and escape-char complexities.

Proposed technical implementation details (optional)

No response
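As an added illustration (not code from the issue or from the PowerShell project), the following script shows what the AST already holds: the parser strips backtick and empty-quote splices from bare-word command names, and `Get-Command` resolves alias chains, so a normalizer for signature writers can be built from the public parser API. The function name `ConvertTo-NormalizedScript` is hypothetical; it rewrites only command-name elements and assumes it runs inside a PowerShell session where the usual aliases are defined.

```powershell
# Added example: normalize command names in a script using the PowerShell AST.
# Not part of the issue or of PowerShell itself; ConvertTo-NormalizedScript is a made-up name.
using namespace System.Management.Automation.Language

function ConvertTo-NormalizedScript {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count) { throw "Parse errors: $($errors.Message -join '; ')" }

    # First element of every CommandAst is the command name. The parser has
    # already removed ` escapes and '' / "" splices, so .Value is the clean name.
    $cmdNames = $ast.FindAll({ param($n) $n -is [CommandAst] }, $true) |
        ForEach-Object { $_.CommandElements[0] } |
        Where-Object { $_ -is [StringConstantExpressionAst] }

    $sb = [System.Text.StringBuilder]::new($ScriptText)
    # Rewrite from the end of the text so earlier offsets remain valid.
    foreach ($name in ($cmdNames | Sort-Object { $_.Extent.StartOffset } -Descending)) {
        $resolved = $name.Value
        $cmd = Get-Command -Name $resolved -ErrorAction SilentlyContinue
        # Follow alias chains (e.g. gps -> Get-Process) to the underlying command.
        while ($cmd -and $cmd.CommandType -eq 'Alias' -and $cmd.ResolvedCommand) {
            $cmd = $cmd.ResolvedCommand
        }
        if ($cmd) { $resolved = $cmd.Name }
        $start = $name.Extent.StartOffset
        $len   = $name.Extent.EndOffset - $start
        [void]$sb.Remove($start, $len).Insert($start, $resolved)
    }
    $sb.ToString()
}

# Constructed inputs, taken from the examples in the issue above.
'get-pro`cess', "get-pro''cess", 'g`et-pro""cess', 'p`s', 'gp`s' |
    ForEach-Object { '{0,-16} -> {1}' -f $_, (ConvertTo-NormalizedScript $_) }
```

Only bare-word command names are rewritten; a command name built at runtime (such as the `-join ... | iex` example) still reaches AMSI only when the reconstructed string is finally invoked, which is the gap the issue's last example is pointing at.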

Metadata

Labels

- Issue-Enhancement: the issue is more of a feature request than a bug
- Needs-Triage: the issue is new and needs to be triaged by a work group
- Resolution-By Design: the reported behavior is by design
- WG-Reviewed: a Working Group has reviewed this and made a recommendation
- WG-Security: security related areas such as JEA