Skip to content
A C/C++ implementation of Microsoft's Antimalware Scan Interface
Branch: master
Clone or download
Latest commit 31ff8e5 Mar 30, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Add an example of how to use the Antimalware Scan Interface Mar 30, 2018
README.md
amsi.h Add an example of how to use the Antimalware Scan Interface Mar 30, 2018
amsi.lib Add an example of how to use the Antimalware Scan Interface Mar 30, 2018
amsiscanner.cpp Add an example of how to use the Antimalware Scan Interface Mar 30, 2018
amsiscanner.exe Add amsiscanner.exe Mar 30, 2018

README.md

AMSI Scanner

A C/C++ implementation of Microsoft's Antimalware Scan Interface.

Requirements

Before you compile, there are a couple of things needed, such as the amsi.h header file, and amsi.lib. This repository includes all that, but in case you are curious where they can be found, go ahead and download the Windows 10 SDK:

https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk

And then you will be able to find the header file in this location:

C:\Program Files (x86)\Windows Kits\10\Include\10.0.16299.0\um\amsi.h

The amsi.lib file is shipped in two versions, x64 and x86:

  • C:\Program Files (x86)\Windows Kits\10\Lib\10.0.16299.0\um\x86\amsi.lib
  • C:\Program Files (x86)\Windows Kits\10\Lib\10.0.16299.0\um\x64\amsi.lib

Compile

To compile, download Visual Studio (I used VS 2013, because Metasploit uses this version to compile Meterpreter):

https://www.visualstudio.com/downloads/

Go ahead and open the Developer Command Prompt, and then do this to compile:

cl.exe /MT /EHa amsiscanner.cpp

And then you will have a amsiscanner.exe.

Usage

To use this tool, simply provide the file name you wish you scan like this:

amsiscanner.exe C:\Users\bob\Desktop\example.exe

If you don't provide a file name, then amsiscanner.exe will scan an EICAR string (a special string value that is used to test AV engines, but completely harmless).

Demonstration

C:\Users\sinn3r\Desktop>amsiscanner.exe C:\Users\sinn3r\Desktop\AMSI_Detectables\Win32.VBS.APT34Dropper
Sample size: 9141 bytes
Malware detected: C:\Users\sinn3r\Desktop\AMSI_Detectables\Win32.VBS.APT34Dropper
Risk level = 32768 (File is considered malware)
You can’t perform that action at this time.