I’ve written a few posts recently which are all about AMSI and VBA, and have hopefully shown that bypassing it is pretty trivial and can be done in a number of different ways. I just wanted to document one more combination of techniques that can be used to get the addresses of AmsiScanString and AmsiScanBuffer without the use of LoadLibrary and GetProcAddress.
We can use EnumProcessModules to retrieve a handle for each module in a specified process.
We can then use GetModuleBaseName on each handle to establish whether the module is amsi.dll, which is the one we’re on the hunt for.
Code is on my Git.