Documenting the Undocumented: The Rise and Fall of AMSI

Presented at Black Hat Asia 2018, March 23, 2018, 11:45 a.m. (60 minutes)

AMSI (the Antimalware Scan Interface) is a new mechanism introduced by Microsoft to combat the growing amount of malware written in PowerShell and other scripting languages. AMSI allows any application (such as powershell.exe) to submit scan requests, and any antimalware product can register its own provider to receive those requests. This allows the antimalware product to, for example, examine PowerShell code right before it executes, after all deobfuscation has already taken place.

There is no documentation online on how third-party creators of antimalware products can register their own AMSI provider to receive scan requests from apps. We took the liberty of understanding how the new AMSI mechanism in Windows 10 works. After having understood how the mechanism is designed, I took a deeper look at how AMSI initializes itself, loads the registered providers, and dispatches scan requests from apps.
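Because providers are registered rather than hard-wired, a defender can inventory which ones a host will load. The following script is an added example and not part of the talk or enSilo's tooling; it assumes providers are listed by COM CLSID under HKLM\SOFTWARE\Microsoft\AMSI\Providers and that each CLSID's DLL path is in its InprocServer32 key.

```powershell
# Added example (not from the talk): list the AMSI providers registered on
# this host, resolve each CLSID to its DLL, and report whether the DLL
# exists and who signed it. An unexpected or unsigned provider is worth a
# closer look, since every registered provider sees every scan request.
function Get-AmsiProvider {
    [CmdletBinding()]
    param()

    # Assumption: provider CLSIDs are registered as subkeys here.
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providersKey)) {
        Write-Warning "No AMSI provider key found at $providersKey"
        return
    }

    foreach ($sub in Get-ChildItem -Path $providersKey) {
        $clsid  = $sub.PSChildName
        $comKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $inproc = Join-Path $comKey 'InprocServer32'

        # The COM registration's default values hold the friendly name and DLL path.
        $name = (Get-ItemProperty -Path $comKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }

        $signer = $null
        $exists = [bool]($dllPath -and (Test-Path $dllPath))
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            $signer = '{0} ({1})' -f $sig.SignerCertificate.Subject, $sig.Status
        }

        [PSCustomObject]@{
            CLSID  = $clsid
            Name   = $name
            Dll    = $dllPath
            Exists = $exists
            Signer = $signer
        }
    }
}

Get-AmsiProvider | Format-Table -AutoSize
```

Run it from an elevated or standard PowerShell session on Windows 10; a provider whose DLL is missing, unsigned, or outside the antimalware product's install directory is the kind of entry to investigate.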

In this talk, we will present the internals of AMSI and publicly disclose, for the first time, how to implement and register a provider. I will also present a number of ways to bypass AMSI, one of which is brand new and is possible because of the design of the AMSI scan dispatcher.

Presenters:

  • Tal Liberman - Security Research Team Leader, enSilo
    Tal Liberman has a strong interest in cyber-security, mainly focusing on OS internals, reverse engineering and low-level development. As a cyber-security research team lead at enSilo, Tal's team is responsible for integrating OS research and malware analysis findings into enSilo's core platform. In particular, Tal is keen on "documenting the undocumented" in the Windows OS, including CFG and other mitigation technologies, Windows service mechanisms and code injection techniques. Tal holds a B.Sc. in Computer Science from the University of Haifa, Israel.