A PART OF ANTI-VIRUS 2 - Learn Windows Antimalware Scan Interface (AMSI) with Public Sample Code - (Web Edition)

This page has been machine-translated from the original page.

In this article, I am publishing the content of A PART OF ANTI-VIRUS 2 - AMSI Edition -, which was distributed for free at Tech Book Fest 19.

The PDF version is still available for download from the Tech Book Fest online market page at the link above.

All content in this book is based on information from official documentation and other websites, or from publicly available books and source code. When discussing technical details, I include references in footnotes whenever possible. Also, all opinions in this book are my own and do not represent any company or organization I belong to.

Table of Contents

About This Book

Thank you very much for picking up this book. I am Kashiwaba (@kash1064).

I am mainly interested in reverse engineering and forensics, and these days I spend most of my time reading source code and technical books for various applications while raising children.

In my day job, I am a technical support engineer at a security product vendor, and I have performed troubleshooting and debugging for anti-malware products for Windows and Linux at two security product vendors so far.


In this book, following my previous publication “A part of Anti-Virus - Learn Windows AntiVirus and Minifilter Drivers with Sample Code”1, I explain the overview and mechanism of AMSI (Windows Antimalware Scan Interface) based on the AmsiStream and AmsiProvider sample code published in the official Windows classic samples repository2.


As described in detail in Chapter 1, AMSI is a mechanism introduced in Windows 10 to address dynamic script-based malware that cannot be detected by traditional disk file scanning.

AMSI is integrated with many Windows components such as PowerShell and Office VBA, and works together with anti-malware products installed on the system to protect users and systems.3


In this way, AMSI is used as a very important protection feature for detecting specific threats. However, perhaps because its mechanism is hard to understand, it seems to be unfamiliar to most users and administrators.

In practice, many security features provided by operating systems and anti-malware products, including AMSI, come at a cost to usability. So it is true that operational issues can occur because of limitations or false positives.


However, when a problem occurs, if a system administrator does not sufficiently understand the importance of each security feature, a feature may be disabled without adequate risk assessment. This can allow compromise by threats that could have been prevented. For that reason, I believe it is important for a wide range of users to understand why major security features are necessary.

Therefore, this book introduces the overview and advantages of AMSI, and explains its mechanism through publicly available sample code, with the goal of helping more users understand AMSI.

About the Contents of This Book

To deepen readers’ understanding of AMSI functions and benefits, this book explains the following in each chapter.

  • Chapter 1: Explains an overview of AMSI and its benefits.
  • Chapter 2: Uses the AmsiStream sample code to explain the client interface for requesting AMSI scans from an application.
  • Chapter 3: Uses the AmsiProvider sample code to explain how an AMSI provider processes scan requests received from applications.
  • Chapter 4: Customizes the AmsiProvider sample code to create an AMSI provider that blocks execution of specific content.
  • Chapter 5: Explains how real applications use AMSI based on publicly available PowerShell source code.

This book does not cover attack methods known as AMSI Bypass, which execute malicious code by evading AMSI protection.

Acknowledgments

I received tremendous support from members of the CTF team 0nePadding while writing this book.

I would like to express my deep gratitude to Mr. Itsuo Hirokawa and @salty_byte, members of 0nePadding, for helping with proofreading.