«Forbidden» words
AMSI detects possibly malicious code by searching the submitted text for strings it does not like, so there are some forbidden words. AMSI itself is only an interface: the text that a script host such as PowerShell (or Windows Script Host etc.) is about to run is handed to the registered antimalware provider, normally Microsoft Defender, which matches it against its signatures. If one of these words is entered, AMSI kicks in with the error/warning message

This script contains malicious content and has been blocked by your antivirus software.

One such forbidden word is amsiutils. Another verboten string is AmsiScanBuffer, because this is the function in amsi.dll that actually hands the buffer to the scanner, and a malware author might have the idea to use GetProcAddress with "AmsiScanBuffer" and then replace the first three bytes of this function with 0x31, 0xff and 0x90 (xor edi, edi; nop) so that AmsiScanBuffer does nothing useful anymore.
If the string is assembled at runtime, for example by concatenation, the scanner does not see it as «malicious»: AMSI is handed the script text as written, not the value it evaluates to, and 'ams' + 'iutils' contains no forbidden substring:

PS> 'amsiutils'
…
This script contains malicious content and has been blocked by your antivirus software.
PS> 'ams' + 'iutils'
amsiutils

Note that the set of forbidden strings is whatever the provider's current signatures contain, so a string that is blocked on one machine may pass on another with older or newer definitions, and well-known obfuscation patterns have themselves been added as signatures over time.
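As an added example, not part of the original text and not AMSI's or Defender's own code, here is a small Python model of what the provider behind AmsiScanBuffer does with the text PowerShell hands it: a case-insensitive substring match against a signature list, here just the two strings named above. It also shows one normalization a scanner can apply, folding 'a' + 'b' literals before matching, as an illustration of why the concatenation trick is fragile; this is an assumption about what a scanner could do, not a description of how Microsoft Defender actually works. The sample lines are constructed; the AMSI_RESULT values are the real ones from amsi.h.

```python
import re

# AMSI_RESULT values as defined in amsi.h (what a provider returns).
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_DETECTED = 32768

# Toy signature list: only the two strings the text names.  A real provider
# ships thousands of patterns; two are enough to show the mechanism.
SIGNATURES = ("amsiutils", "AmsiScanBuffer")


def scan_buffer(content: str) -> int:
    """Stand-in for the provider behind AmsiScanBuffer: case-insensitive
    substring match over exactly the text that was submitted, with no
    evaluation of the script at all."""
    lowered = content.lower()
    for sig in SIGNATURES:
        if sig.lower() in lowered:
            return AMSI_RESULT_DETECTED
    return AMSI_RESULT_NOT_DETECTED


# A single-quoted PowerShell literal: no escapes except a doubled quote.
_LITERAL = r"'((?:[^']|'')*)'"
# Two such literals joined with '+', e.g.  'ams' + 'iutils'
_CONCAT = re.compile(_LITERAL + r"\s*\+\s*" + _LITERAL)


def fold_literals(content: str) -> str:
    """Hypothetical scanner-side normalization: constant-fold adjacent
    single-quoted literals joined with '+', repeating until nothing changes,
    so  'ams' + 'iut' + 'ils'  becomes  'amsiutils'."""
    previous = None
    while previous != content:
        previous = content
        content = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", content)
    return content


def scan_script(content: str, normalize: bool = False) -> int:
    """Scan the text as submitted (what the transcript above shows), or
    after folding literals first (what a slightly smarter provider could do)."""
    return scan_buffer(fold_literals(content) if normalize else content)


# Constructed sample inputs mirroring the transcript above (not real logs).
SAMPLES = [
    "'amsiutils'",
    "'ams' + 'iutils'",
    "'ams' + 'iut' + 'ils'",
    "Write-Host 'hello'",
]

if __name__ == "__main__":
    names = {AMSI_RESULT_DETECTED: "DETECTED", AMSI_RESULT_NOT_DETECTED: "NOT_DETECTED"}
    for line in SAMPLES:
        raw = names[scan_script(line)]
        folded = names[scan_script(line, normalize=True)]
        print(f"{line:28} as submitted: {raw:13} after folding: {folded}")
```

Run as a script it prints one row per sample: the bare literal is detected either way, the two concatenated forms pass the as-submitted scan and are caught once the literals are folded, and the harmless line passes both. Other ways of building the string at runtime (-join, [char] casts, format strings) would each need their own normalization, which is why providers tend to add signatures for the popular patterns rather than try to evaluate the script.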