https://github.com/netbiosX/AMSI-Provider
A fake AMSI Provider which can be used for persistence.
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/netbiosX/AMSI-Provider
- Owner: netbiosX
- License: other
- Created: 2021-05-15T16:18:47.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2021-05-16T16:56:15.000Z (over 4 years ago)
- Last Synced: 2024-11-05T10:16:04.613Z (about 1 year ago)
- Language: C++
- Homepage:
- Size: 8.14 MB
- Stars: 139
- Watchers: 5
- Forks: 15
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - netbiosX/AMSI-Provider - A fake AMSI Provider which can be used for persistence. (C++)
README
# AMSI-Provider
A fake AMSI Provider which can be used to gain persistence on a host: when a specific text string is passed to AMSI for scanning, the provider executes a payload. By default calc.exe will open.
# Usage
The AMSI Provider can be registered with the system by executing the following command from an elevated command prompt:
`regsvr32 AmsiProvider.dll`
Executing the following from a PowerShell console will open calc.exe:
`"pentestlab"`

# Credits
Originally this technique was discovered by [b4rtik](https://twitter.com/b4rtik), and more details can be found in the [article](https://b4rtik.github.io/posts/antimalware-scan-interface-provider-for-persistence/) on his blog. The code sample of the AMSI provider is courtesy of [Microsoft](https://docs.microsoft.com/en-us/samples/microsoft/windows-classic-samples/iantimalwareprovider-sample/), and the modifications of the code are credited to [b4rtik](https://twitter.com/b4rtik). Since the original code shared was missing some required headers and some functions were not defined, I decided to put all of them in a single repository for easy usage.