Closed random-npc-glitch closed 2 days ago
Quis custodiet ipsos custodes?
Should you also expand variable values, wildcards and symbolic links?
Let me know when AMSI integration is optional like script signature validation, SSL certificate validation and passwords over clear-text HTTP.
The purpose of AMSI is to pass in the original buffer; if you need this, you can use AST parsing... thanks!
This issue has been marked as by-design and has not had any activity for 1 day. It has been closed for housekeeping purposes.
Summary of the new feature / enhancement
I have noticed that AMSI scan buffers can contain escape characters and that aliases are not resolved to the base cmdlet name. Both of these are problematic for signature writers and seem best addressed from within the PowerShell code base itself.
Examples:
Then run Get-AmsiEvent on the AMSITrace.etl output file (https://gist.github.com/mgraeber-rc/1eb42d3ec9c2f677e70bb14c3b7b5c9c)
Vendor-specific signature languages working on the content buffers cannot know arbitrary aliases, implement full syntax parsers, or keep up with new language features.
Once a script is fully parsed and held as an AST, is there any framework to reconstruct the normalized source from it? It seems that could strip alias and escape-character complexities.
Proposed technical implementation details (optional)
No response
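As an added illustration of the AST approach suggested in the thread (this is example code, not part of the issue or of the PowerShell project), the function below parses a script with the engine's own parser, resolves each bare-word command name through the alias table, and rewrites the source text in place. The parser already strips backtick escapes from bare words, so `i`e`x` comes back as `iex` before the alias lookup. The function name and the sample input are constructed for this example; it handles only command-name aliases and escapes, not variable expansion, wildcards or symbolic links, which the thread raises as separate questions.

```powershell
# Example (not from the issue): normalize command names in a script via the AST.
# Assumes a PowerShell host, so System.Management.Automation is loaded.
function ConvertTo-NormalizedScript {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count) { throw "Parse errors: $($errors -join '; ')" }

    # Command names are the first element of each CommandAst. Only bare words
    # are rewritten: quoted names (& "x y") would change meaning if unquoted.
    $names = $ast.FindAll({ param($n)
            $n -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.CommandElements[0] } |
        Where-Object {
            $_ -is [System.Management.Automation.Language.StringConstantExpressionAst] -and
            $_.StringConstantType -eq 'BareWord' }

    # Rewrite from the end of the text so earlier offsets stay valid.
    $sb = [System.Text.StringBuilder]::new($ScriptText)
    foreach ($name in ($names | Sort-Object { $_.Extent.StartOffset } -Descending)) {
        $text = $name.Value   # parser has already removed backtick escapes
        # Exact alias lookup (no wildcard expansion, so '?' and '%' resolve too).
        $alias = $ExecutionContext.InvokeCommand.GetCommand($text, 'Alias')
        if ($alias) { $text = $alias.Definition }
        $start = $name.Extent.StartOffset
        $null = $sb.Remove($start, $name.Extent.EndOffset - $start).Insert($start, $text)
    }
    $sb.ToString()
}

# Constructed sample: escaped alias for Invoke-Expression plus two more aliases.
ConvertTo-NormalizedScript -ScriptText 'i`e`x (gc .\notes.txt); gps | % { $_.Name }'
# -> Invoke-Expression (Get-Content .\notes.txt); Get-Process | ForEach-Object { $_.Name }
```

The normalized text is what a content signature would ideally see; comparing it with the raw buffer shows exactly which alias and escape variations a buffer-level rule has to absorb.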