This is really just a variation on a theme, however I thought I’d write a quick post none the less. As previously stated the traditional way to get to AMSI function addresses was through LoadLibrary and then GetProcAddress.

Microsoft blacklisted some function names to make using GetProcAddress unavailable which is why my my colleague and I wrote a bypass to dynamically calculate the addresses of the functions we want using neighbouring functions.

My previous post was doing a full on PEB walk to calculate these addresses which means that we didn’t have to rely on either of the above functions.

To cut the size of our code down, we can also do a hybrid of both of these methods which uses LoadLibrary to get the base address of amsi.dll in memory and then continues with the PEB walk.

I’ve put a module which contains the code in Git under hybrid.bas

https://github.com/rmdavy/AmsiPEBWalkVBAx64

Leave a Reply

Your email address will not be published. Required fields are marked *