PowerShell / PowerShell

PowerShell for every system!
https://microsoft.com/PowerShell
MIT License

AMSI buffer normalization #24164

Closed random-npc-glitch closed 2 days ago

random-npc-glitch commented 4 weeks ago

Summary of the new feature / enhancement

I have noticed that AMSI scan buffers can contain escape characters and that aliases are not resolved to the base cmdlet name. Both of these are problematic for signature writers and seem best addressed from within the PowerShell code base itself.

Examples:

   logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
   powershell -c get-pro`cess
   powershell -c get-pro''cess
   powershell -c g`et-pro""cess
   powershell -c p`s
   powershell -c gp`s
   powershell -c "(('67 65 74 2D 70 72 6F 60 63 65 73' -split ' ' |ForEach-Object {[char][byte]\"0x$_\"}) -join '')+[char]0x73  | iex"
   logman stop AMSITrace -ets

Then run Get-AmsiEvent on the AMSITrace.etl output file (https://gist.github.com/mgraeber-rc/1eb42d3ec9c2f677e70bb14c3b7b5c9c)

Content         : get-pro`cess
Content         : gp`s

(same for pwsh.exe)
pwsh -c gp`s
AppName         : PowerShell_C:\Program Files\PowerShell\7\pwsh.exe_7.4.4
Content         : gp`s

Vendor-specific signature languages working on the content buffers cannot know arbitrary aliases, implement full syntax parsers, or keep up with new language features.

Once a script is fully parsed and held as an AST, is there any framework to reconstruct the normalized source from that? Seems that could strip alias and escape char complexities.

Proposed technical implementation details (optional)

No response
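The normalization asked for above, as an added example that is not code from the issue author or from the PowerShell repository: it runs the public AST API over a script fragment, takes each constant command name from the AST (which already carries the unescaped value, so the backtick and quote-insertion variants collapse), follows the alias chain with Get-Command, and splices the canonical name back into the text. It assumes Windows PowerShell 5.1 or pwsh 7 and the alias table of the current session (so `ps` resolves only where that alias exists, which is not the case in pwsh on Linux); the function name and the sample strings are the example's own. It does not change what AMSI itself receives, which is still the raw buffer.

```powershell
# Example code, not from the issue or the PowerShell project.
using namespace System.Management.Automation.Language

function Get-NormalizedCommandText {
    <#
      Parse script text and rewrite every constant command name to its
      unescaped, alias-resolved, canonically cased form. Arguments and
      string contents are left verbatim: anything only decoded at run time
      (the hex-to-string-then-iex pattern) is invisible to a static pass.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $ScriptText
    )
    process {
        $tokens = $null
        $errors = $null
        $ast = [Parser]::ParseInput($ScriptText, [ref] $tokens, [ref] $errors)
        if ($errors.Count -gt 0) {
            throw "Parse error at line $($errors[0].Extent.StartLineNumber): $($errors[0].Message)"
        }

        # Every CommandAst, including those nested inside script blocks.
        # Splice from the highest offset downwards so earlier offsets stay valid.
        $commands = $ast.FindAll({ param($node) $node -is [CommandAst] }, $true) |
            Sort-Object -Property { $_.Extent.StartOffset } -Descending

        $text = $ScriptText
        foreach ($cmd in $commands) {
            # GetCommandName() returns the unescaped token value
            # ("get-pro`cess" -> "get-process"); it is $null when the name is
            # not a constant (e.g. & $var), which is left untouched.
            $name = $cmd.GetCommandName()
            if (-not $name) { continue }

            # Follow the alias chain to the command that would actually run.
            # Wildcard characters in the name are escaped so Get-Command
            # matches the literal name only.
            $resolved = $name
            $info = @(Get-Command -Name ([WildcardPattern]::Escape($name)) -ErrorAction SilentlyContinue)[0]
            while ($info -and $info.CommandType -eq 'Alias' -and $info.ResolvedCommand) {
                $info = $info.ResolvedCommand
            }
            if ($info) { $resolved = $info.Name }

            # Replace only the command-name element's extent in the source text.
            $nameElem = $cmd.CommandElements[0]
            $start = $nameElem.Extent.StartOffset
            $end   = $nameElem.Extent.EndOffset
            $text  = $text.Substring(0, $start) + $resolved + $text.Substring($end)
        }
        $text
    }
}

# Constructed samples: the escape/quote/alias variants from the issue, plus the
# runtime-decoded one, whose hex payload a static pass cannot see into.
$hexSample = @'
(('67 65 74 2D 70 72 6F 60 63 65 73' -split ' ' | ForEach-Object {[char][byte]"0x$_"}) -join '')+[char]0x73 | iex
'@
$samples = @('get-pro`cess', "get-pro''cess", 'g`et-pro""cess', 'gp`s', $hexSample)
foreach ($s in $samples) {
    '{0}  ->  {1}' -f $s, (Get-NormalizedCommandText -ScriptText $s)
}
```

The first four samples come back as the single string `Get-Process`, which is the form a signature can match on; the fifth keeps its encoded payload and only has its visible commands rewritten (`iex` becomes `Invoke-Expression`), which is the limit of any normalization done before execution and the reason the decoded second-stage buffer still matters to a scanner.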

rhubarb-geek-nz commented 4 weeks ago

Quis custodiet ipsos custodes?

Should you also expand variable values, wildcards and symbolic links?

Let me know when AMSI integration is optional like script signature validation, SSL certificate validation and passwords over cleartext HTTP.

SydneyhSmith commented 3 days ago

The purpose of AMSI is to pass in the original buffer, if you need this you can use AST parsing...thanks!

microsoft-github-policy-service[bot] commented 2 days ago

This issue has been marked as by-design and has not had any activity for 1 day. It has been closed for housekeeping purposes.
