cobbr / PSAmsi

PSAmsi is a tool for auditing and defeating AMSI signatures.
GNU General Public License v3.0

No recursive lookup #7

Closed S3cur3Th1sSh1t closed 5 years ago

S3cur3Th1sSh1t commented 5 years ago

Hi,

I think this is more a feature request than an issue. I tried to find the relevant AMSI signature for my own script https://github.com/SecureThisShit/WinPwn, which gets flagged by AMSI because of loaded scripts and not by the script content itself.

By starting a scan with the script on a server and PSAMSIClient the script is not flagged.

```
Start-PSAmsiServer -Port 80 -ScriptPath /root/WinPwn/WinPwn.ps1
ScriptName ScriptIsFlagged
---------- ---------------
WinPwn.ps1           False
```

It would be nice if all scripts loaded by the scanned script itself are also checked for signatures.

cobbr commented 5 years ago

@SecureThisShit I don't have any plans to implement something like that in the near future. For now, it's a requirement to check scripts one at a time. I believe you can do something like this: `Start-PSAmsiServer -Port 80 -ScriptPath (gci /root/WinPwn/*.ps1)`

S3cur3Th1sSh1t commented 5 years ago

@cobbr Okay, scanning many scripts in a folder would be a good option as well. But I keep getting errors that the ScriptPath parameter can't handle the gci output:

```
Start-PSAmsiServer -Port 80 -ScriptPath (gci /test/*.ps1)
Start-PSAmsiServer : Cannot process argument transformation on parameter 'ScriptPath'. Cannot convert value to type System.String.
At line:1 char:41
```

But the `$gci /path/to/scripts -Recurse -Include *.ps1 | Start-PSAmsiServer -Port 80` (without dollar) of your wiki works well. That already helps me, thank you :-)