AMSI is a new mechanism introduced by Microsoft to combat the growing amount of malware written in PowerShell and other scripting languages. AMSI allows any application (such as powershell.exe) to send scan requests to it, and any antimalware product can register its own provider to receive those requests. This lets the antimalware product, for example, examine PowerShell code right before it executes, after all deobfuscation has already taken place.
There is no documentation online on how third-party creators of antimalware products can register their own AMSI provider to receive scan requests from applications. We took the liberty of working out how the new AMSI mechanism in Windows 10 works. Having understood how the mechanism is designed, we took a deeper look at how AMSI initializes itself, loads the registered providers, and dispatches scan requests from applications.
In this talk, we will present the internals of AMSI and publicly disclose, for the first time, how to implement and register a provider. We will also present a number of ways to bypass AMSI, one of which is brand new and is possible because of the design of the AMSI scan dispatcher.
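To make the two halves of the mechanism concrete (providers registering, applications sending scan requests), here is an added PowerShell example that is not part of the talk or its materials. It first lists the providers registered on the host by reading the registry location AMSI uses on Windows 10 (assumed here from Microsoft's documentation, not from the abstract) and resolving each CLSID to its in-process DLL, which is the check a defender runs to confirm that only expected providers are present; it then submits a constructed, benign string through the documented amsi.dll client API so the reader can see the AMSI_RESULT a provider returns. The namespace `AmsiDemo`, the function names and the sample content are hypothetical.

```powershell
# Added example: enumerate registered AMSI providers and submit a scan request
# the way an application would. Assumes Windows 10 or later with amsi.dll.

# --- 1. Which providers are registered? ---
# AMSI loads the provider CLSIDs listed under this key (documented Win10 location).
$providerKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

function Get-AmsiProvider {
    Get-ChildItem $providerKey -ErrorAction Stop | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid = $clsid
            Name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            Dll   = $server.'(default)'   # an unexpected path here is worth investigating
        }
    }
}

# --- 2. Send a scan request through the amsi.dll client API ---
Add-Type -Namespace AmsiDemo -Name Native -MemberDefinition @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr context);
[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr context);
[DllImport("amsi.dll")]
public static extern int AmsiOpenSession(IntPtr context, out IntPtr session);
[DllImport("amsi.dll")]
public static extern void AmsiCloseSession(IntPtr context, IntPtr session);
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanString(IntPtr context, string content, string contentName, IntPtr session, out uint result);
'@

function Invoke-AmsiScan {
    param([Parameter(Mandatory)][string]$Content, [string]$ContentName = 'AmsiDemo')
    $ctx  = [IntPtr]::Zero
    $sess = [IntPtr]::Zero
    $hr = [AmsiDemo.Native]::AmsiInitialize('AmsiDemo', [ref]$ctx)
    if ($hr -ne 0) { throw ("AmsiInitialize failed: 0x{0:X8}" -f $hr) }
    try {
        $hr = [AmsiDemo.Native]::AmsiOpenSession($ctx, [ref]$sess)
        if ($hr -ne 0) { throw ("AmsiOpenSession failed: 0x{0:X8}" -f $hr) }
        [uint32]$result = 0
        $hr = [AmsiDemo.Native]::AmsiScanString($ctx, $Content, $ContentName, $sess, [ref]$result)
        if ($hr -ne 0) { throw ("AmsiScanString failed: 0x{0:X8}" -f $hr) }
        # AMSI_RESULT: 0 = CLEAN, 1 = NOT_DETECTED, 0x4000..0x4FFF = BLOCKED_BY_ADMIN,
        # >= 0x8000 = DETECTED (this is the threshold AmsiResultIsMalware applies).
        $verdict = switch ($result) {
            0 { 'CLEAN' }
            1 { 'NOT_DETECTED' }
            { $_ -ge 0x4000 -and $_ -le 0x4FFF } { 'BLOCKED_BY_ADMIN' }
            { $_ -ge 0x8000 } { 'DETECTED' }
            default { 'UNKNOWN' }
        }
        [pscustomobject]@{ Result = $result; IsMalware = ($result -ge 0x8000); Verdict = $verdict }
    } finally {
        if ($sess -ne [IntPtr]::Zero) { [AmsiDemo.Native]::AmsiCloseSession($ctx, $sess) }
        [AmsiDemo.Native]::AmsiUninitialize($ctx)
    }
}

# Usage: list providers, then scan a constructed benign sample.
Get-AmsiProvider | Format-Table -AutoSize
Invoke-AmsiScan -Content 'Write-Host "hello"'
```

The session handle matters for the second part: providers correlate the chunks of one script through it, so a scanner that opens a fresh session per buffer loses that correlation. The provider side itself (the COM interface a scanner implements and how it is registered) is what the talk discloses and is deliberately not reproduced here.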