AMSI in the HEAP x32
This write-up is based upon the work of Matt Graeber (@Mattifestation): https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9

Tools used:
IDA: https://www.hex-rays.com/products/ida/support/download_freeware/
WinDbg: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

If we load amsi.dll in IDA or an equivalent tool and look at AmsiScanBuffer, we can see a check that tests whether the value pointed to by rbx equals 49534D41h (the ASCII bytes "AMSI"). If