Introduction to AMSI

Celia Catalán


Hello everyone! Today we are going to dive into the world of AMSI. You have probably heard of it, but do you really know how it works? Don't worry: we are here to explain everything you need to know in a simple and friendly way.

Imagine that you are writing code and want it to run on your computer. Interpreted languages, instead of compiling the code into machine code before running it, use a special translator called an interpreter. The interpreter is responsible for translating and executing the instructions line by line, as it encounters them.

With interpreted languages, the instructions do not have to live in a file on your hard drive: you also have the option of passing them directly to the interpreter. This means the content never needs to touch the disk.

Now, let's talk about something important: the difference between malware on disk and malware in RAM. For an antivirus, scanning the hard drive is relatively simple. Many antivirus products read the disk as the user browses through folders, which lets them scan efficiently. If they detect a signature associated with malware, a notification appears and the malicious file is quarantined. However, detecting malware that has already been injected into RAM is much more complex, for two reasons:
  • RAM changes constantly, which makes it very complex to analyze.
  • Once a process is already in RAM, its instructions are being executed; if it is malware, it may already have carried out its malicious actions, migrated to another process, deleted its main trace, and so on.

Now that we have that out of the way, let me introduce today's protagonist: AMSI (the Antimalware Scan Interface). AMSI was born in response to the difficulty of analyzing RAM and the need to examine executions before they occur. Microsoft developed it in the form of an API, so that security solutions can call the functions it implements.

What does this mean in simpler terms? Basically, it provides a way to capture commands at runtime, such as those from PowerShell, JScript, VB/VBA and .NET. Once captured, they are sent to the antivirus so that it can analyze them before they execute. If the antivirus determines that the command is malicious, AMSI notifies the application and its execution is prevented.

Although not every AV/EDR uses AMSI as a protection measure, more and more of them include it, so it is essential to understand how it works. Now that we know why AMSI exists and what its purpose is, it is time to understand exactly what its normal operating flow looks like.

The difference between a program and a process is that a program is a set of instructions for a specific task, while a process is those same instructions plus the memory regions reserved for variables and other needs.

In Windows, DLLs (Dynamic Link Libraries) are used to extend the functionality of a program. When a program is loaded into RAM as a process and loads a DLL, the DLL's functions are mapped directly into the process's virtual address space. For example, when PowerShell is executed, DLLs such as ntdll, kernel32 and AMSI (amsi.dll) become part of the process memory.

Let's take an example: a PowerShell process from which we will launch commands, on a computer where Windows Defender is installed and active. Let's walk through the communication flow as far as AMSI is concerned.

We know that AMSI is a dynamic library loaded into processes such as PowerShell, designed to act as an intermediary between the process itself and the AV/EDR.

When a command is entered, PowerShell uses the AMSI API functions to pass the content of the command to the Windows Defender process. Windows Defender analyzes it and replies with a verdict on whether what is about to be executed is malicious or not.

Communication between the process that uses AMSI and Windows Defender is done over RPC. RPC is a Windows mechanism for communication between processes (which may even be on different computers). Basically, it is a standard implementation of client-server communication between processes over a network.

In short, AMSI as such is not a security measure (it is not the component that decides whether something is malware); it is a standard by which processes such as PowerShell send data to the AV/EDR (via RPC), so that the AV/EDR can determine whether executing a command would harm the computer. Depending on what the security product returns, PowerShell executes the command or not.
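To make the flow above concrete, here is an added example (not code from the original post or from Zerolynx) that does from PowerShell exactly what an AMSI-integrated application does: it first confirms that amsi.dll is mapped into the current process, then calls the documented amsi.dll exports (AmsiInitialize, AmsiOpenSession, AmsiScanString, AmsiCloseSession, AmsiUninitialize) to hand a piece of content to the registered provider and interpret the AMSI_RESULT it returns. It assumes Windows 10 or Windows Server 2016 or later with an AMSI provider such as Microsoft Defender enabled; the function names Test-AmsiLoaded and Invoke-AmsiScan and the application name 'AmsiDemo' are this example's own choices.

```powershell
# Added example: drive the AMSI API from PowerShell to observe the flow described
# in the post. Requires an AMSI provider (e.g. Microsoft Defender) to be enabled.

# 1. Confirm amsi.dll is mapped into this PowerShell process: the scan interface
#    lives inside the process itself, as the DLL paragraph explains.
function Test-AmsiLoaded {
    $module = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' }
    if ($module) {
        "amsi.dll loaded from $($module.FileName) at base 0x$($module.BaseAddress.ToInt64().ToString('X'))"
    } else {
        "amsi.dll is not loaded in process $PID"
    }
}

# 2. P/Invoke declarations for the amsi.dll exports an application calls.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class AmsiNative
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);

    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr amsiContext, string content,
        string contentName, IntPtr session, out int result);
}
"@

# 3. Submit content to the registered provider and interpret the AMSI_RESULT.
#    The provider (Defender) does the actual analysis; AMSI only carries the data
#    there and the verdict back.
function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$ContentName = 'amsi-demo'   # label shown to the provider, e.g. a script path
    )
    $ctx = [IntPtr]::Zero; $session = [IntPtr]::Zero; $result = 0
    $hr = [AmsiNative]::AmsiInitialize('AmsiDemo', [ref]$ctx)   # 'AmsiDemo' is an arbitrary app name
    if ($hr -ne 0) { throw "AmsiInitialize failed: HRESULT 0x$($hr.ToString('X8'))" }
    try {
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw "AmsiOpenSession failed: HRESULT 0x$($hr.ToString('X8'))" }
        $hr = [AmsiNative]::AmsiScanString($ctx, $Content, $ContentName, $session, [ref]$result)
        if ($hr -ne 0) { throw "AmsiScanString failed: HRESULT 0x$($hr.ToString('X8'))" }
    } finally {
        if ($session -ne [IntPtr]::Zero) { [AmsiNative]::AmsiCloseSession($ctx, $session) }
        if ($ctx -ne [IntPtr]::Zero) { [AmsiNative]::AmsiUninitialize($ctx) }
    }
    # AMSI_RESULT values from amsi.h: 0 = CLEAN, 1 = NOT_DETECTED,
    # 0x4000..0x4FFF = blocked by administrator policy, >= 0x8000 = DETECTED.
    # The AmsiResultIsMalware() macro is simply "result >= 0x8000".
    $verdict = switch ($result) {
        0 { 'AMSI_RESULT_CLEAN' }
        1 { 'AMSI_RESULT_NOT_DETECTED' }
        { $_ -ge 0x4000 -and $_ -le 0x4FFF } { 'AMSI_RESULT_BLOCKED_BY_ADMIN' }
        { $_ -ge 0x8000 } { 'AMSI_RESULT_DETECTED' }
        default { "unknown ($_)" }
    }
    [pscustomobject]@{
        ContentName = $ContentName
        RawResult   = $result
        Verdict     = $verdict
        IsMalware   = ($result -ge 0x8000)
    }
}

# Usage: a benign command should come back NOT_DETECTED. To see DETECTED, save the
# EICAR test string to a file and pass it with -Content (Get-Content .\eicar.txt -Raw).
Test-AmsiLoaded
Invoke-AmsiScan -Content 'Get-Date'
```

Two things worth noticing when you run it. First, the script itself goes through the same path before a single line of it executes: PowerShell submits the script content to AMSI, Defender returns a verdict, and only then does the interpreter run it, which is why the post stresses that AMSI examines executions before they occur. Second, the content being scanned is kept out of the script on purpose and read from a file instead, so the demonstration shows the provider's verdict on the sample rather than on the demo script.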

And that's enough for today! We will continue with AMSI in future installments, leaving the RPCs between your neurons so that they don't flood.

Juan Gabriel Ruiz, Senior Security Analyst at Zerolynx and Justo Martín, Security Analyst at Zerolynx.
