This simple AMSI provider attempts to log every buffer that is passed to its 'scan' method. It can be used to see what systems do and don't pass into AMSI, and what the scanned content looks like.
The basic bones of the project were cloned from the Microsoft AMSI Provider tutorial; I added the ETW parts.
The project requires at least Windows 8.1; testing has only been done on Windows 10.
- Load the Visual Studio solution.
- Build the project.
- To register the provider (it writes to HKLM, so this needs admin rights), open an elevated command prompt, go to the output directory and type
regsvr32 AmsiProvider.dll
- To unregister it again, from an elevated command prompt in the output directory type
regsvr32 /u AmsiProvider.dll
This provider emits ETW events under the provider GUID 00604c86-2d25-46d6-b814-cd149bfdf0b3.
These events contain any ASCII-printable data that was passed into the provider to scan.
There are a number of ways to read these events:
The simplest way is to use my other project, ETWTracer. Once built, run the following from an elevated command prompt:
etwTracer.exe "00604c86-2d25-46d6-b814-cd149bfdf0b3"
Any data passed to the provider will be written to the screen.
Events logged by the provider can also be captured with standard ETW tools such as xperf. Traces are written in ETL format, so they can be viewed and processed by the Windows Performance Toolkit (WPT) as well as by utilities such as tracerpt.exe or xperf.exe.
- From an elevated command prompt, type
xperf.exe -start mySession -f myFile.etl -on 00604c86-2d25-46d6-b814-cd149bfdf0b3
to begin capturing events from the provider.
- Once finished, run
xperf.exe -stop mySession
to stop capturing. Then view myFile.etl graphically in WPA, or generate a text version with
tracerpt myFile.etl
To test, install the provider using regsvr32, start the ETW logging, then launch powershell and type some commands. Each command's script text should show up as an event.
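The whole register / capture / exercise / inspect loop above can be scripted. The script below is an added example, not part of the original project: it uses logman and tracerpt (both ship with Windows) in place of xperf, sends a random marker string through a fresh powershell.exe so its script text is handed to AMSI, and then greps the converted trace for the marker. The session name, output paths and marker are arbitrary choices made for this example.

```powershell
# Added example (not part of the original project): drive one capture/test cycle
# for the logging provider with logman + tracerpt. Run from an elevated PowerShell.
# Assumes AmsiProvider.dll has already been registered with regsvr32.
$ProviderGuid = '{00604c86-2d25-46d6-b814-cd149bfdf0b3}'
$Session      = 'AmsiProbe'                        # arbitrary session name
$EtlPath      = Join-Path $PWD 'amsiprobe.etl'      # arbitrary output path
$Marker       = 'AMSIPROBE_' + (Get-Random -Maximum 99999)   # constructed test text

# logman -ets and tracerpt on a live session both need admin rights.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell.' }

# Don't waste a capture if the provider isn't registered with AMSI.
$amsiKey = "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\$ProviderGuid"
if (-not (Test-Path $amsiKey)) {
    throw "Provider not registered under $amsiKey; run 'regsvr32 AmsiProvider.dll' first."
}

# Start a real-time ETW session that listens only to our provider GUID.
logman.exe stop $Session -ets 2>$null | Out-Null      # clear any leftover session
logman.exe create trace $Session -p $ProviderGuid -o $EtlPath -ets | Out-Null

# Run the marker through a fresh PowerShell so the script text is passed to AMSI.
Start-Process -FilePath 'powershell.exe' `
    -ArgumentList '-NoProfile', '-Command', "Write-Output '$Marker'" `
    -Wait -WindowStyle Hidden

logman.exe stop $Session -ets | Out-Null

# Convert the ETL to XML and look for the marker in the captured payloads.
$xmlPath = [IO.Path]::ChangeExtension($EtlPath, '.xml')
tracerpt.exe $EtlPath -o $xmlPath -of XML -y | Out-Null
$hit = Select-String -Path $xmlPath -Pattern ([regex]::Escape($Marker)) -Quiet
if ($hit) {
    "Marker $Marker was passed to the provider. Full trace: $xmlPath"
} else {
    "Marker $Marker not seen. Either a provider ahead of us in the queue returned " +
    "a 'clean' verdict first (see the note on provider ordering), or the payload " +
    "was not stored as plain text in the ETL; inspect $xmlPath by hand."
}
```

If the marker is missing, check the provider ordering problem described in the next section before assuming the provider is broken: a single earlier provider that declares the buffer known-good is enough to keep the logging provider from ever seeing it.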
Sometimes Windows Defender or another product that is ahead of us in the 'queue' will mark a buffer as known good (AMSI_RESULT_CLEAN rather than AMSI_RESULT_NOT_DETECTED), at which point AMSI stops asking the remaining providers and ours never receives the script. To deal with this:
- Delete or rename every key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers
that isn't our {00604c86-2d25-46d6-b814-cd149bfdf0b3}. WARNING: this essentially disables all real AMSI scanning on the machine, so only do this on a test machine! Note that a process only reads the provider list when it initialises AMSI, so restart powershell after changing the keys.
- Find a way to put our provider ahead of any other. TBD how to do this, but it should be possible fairly easily.
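The rename trick from the first bullet is easy to get wrong by hand and easy to forget to undo. The script below is an added example, not part of the original project: it renames every other provider key with a DISABLED- prefix (a non-GUID name that AMSI will not load as a CLSID), records the friendly name of each CLSID it parked, and puts everything back when run with -Restore. The prefix is an arbitrary choice for this example. Same warning as above: while the keys are renamed, nothing but the logging provider is scanning, so use a test machine.

```powershell
# Added example (not part of the original project): park every AMSI provider
# registration except ours so scan requests reach the logging provider, then
# restore them with -Restore. TEST MACHINES ONLY: while the keys are renamed,
# no real AMSI scanning happens. Run from an elevated PowerShell.
param([switch]$Restore)

$Ours      = '{00604c86-2d25-46d6-b814-cd149bfdf0b3}'
$Providers = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$Prefix    = 'DISABLED-'   # arbitrary; any name that is not a GUID will do

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell.' }

if ($Restore) {
    # Strip the prefix so AMSI enumerates the original CLSIDs again.
    Get-ChildItem $Providers | Where-Object { $_.PSChildName -like "$Prefix*" } | ForEach-Object {
        $orig = $_.PSChildName.Substring($Prefix.Length)
        Rename-Item -Path $_.PSPath -NewName $orig
        "restored  $orig"
    }
    return
}

if (-not (Test-Path (Join-Path $Providers $Ours))) {
    Write-Warning "$Ours is not registered; run 'regsvr32 AmsiProvider.dll' first or nothing will scan at all."
}

$others = Get-ChildItem $Providers |
    Where-Object { $_.PSChildName -ne $Ours -and $_.PSChildName -notlike "$Prefix*" }

foreach ($k in $others) {
    # Look up the CLSID's friendly name so the console output shows what was parked.
    $clsid = $k.PSChildName
    $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
    Rename-Item -Path $k.PSPath -NewName "$Prefix$clsid"
    "disabled  $clsid  $name"
}
"Done. Restart powershell before testing; run this script with -Restore to undo."
```

Run it once with no arguments before a test session and once with -Restore afterwards. Because AMSI builds its provider list when a process first initialises it, any powershell already open keeps the old list until it is restarted.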