Ghosting AMSI: Cutting RPC to disarm AV
Summary: AMSI talks to the antivirus provider through auto-generated stubs that use NdrClientCall3 to make the RPC call. Hijacking these stubs gives full control over what AMSI scans.
2025-04-26 09:48:01 Author: www.reddit.com (view original) Views: 9

AMSI’s backend communication with AV providers is likely implemented via auto-generated stubs (from IDL), which call into NdrClientCall3 to perform the actual RPC.

By hijacking this stub, we gain full control over what AMSI thinks it’s scanning.
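To make the hijack concrete, here is a portable model of the call chain the post describes: a stub that marshals the scan request through a variadic NdrClientCall3-style import, a hook that replaces the buffer before it reaches the provider, and the integrity check a defender would run on the import slot. This is an added example, not code from the post or from AMSI/rpcrt4: the provider logic, the signature string, the argument layout behind the variadic call and the names `model_NdrClientCall3`, `amsi_scan_stub`, `hooked_NdrClientCall3` and `import_slot_is_intact` are all assumptions made for the model. The parameter order (proxy info, procedure number, return-value pointer, then the marshalled arguments) mirrors the real NdrClientCall3 prototype, but the real argument layout is dictated by the MIDL format strings, not hard-coded as here.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result the (modelled) AV provider returns for a scan request. */
typedef enum { SCAN_CLEAN = 0, SCAN_DETECTED = 1 } scan_result_t;

/* Constructed signature: the model provider flags any buffer containing it. */
static const char SIGNATURE[] = "Invoke-Mimikatz";

/* Model of the AV provider on the far side of the RPC. It only ever sees the
 * bytes the client stub marshalled, which is exactly why hijacking the stub
 * controls what gets scanned. */
static scan_result_t provider_scan(const uint8_t *buf, uint32_t len) {
    size_t sig_len = sizeof(SIGNATURE) - 1;
    if (len < sig_len) return SCAN_CLEAN;
    for (uint32_t i = 0; i + sig_len <= len; i++)
        if (memcmp(buf + i, SIGNATURE, sig_len) == 0) return SCAN_DETECTED;
    return SCAN_CLEAN;
}

/* Model of rpcrt4!NdrClientCall3: variadic like the real one, with the same
 * leading parameters. ASSUMED layout of the trailing args for this model:
 * (const uint8_t *buffer, uint32_t length). */
static long model_NdrClientCall3(void *proxy_info, unsigned long proc_num,
                                 void *ret_value, ...) {
    va_list ap;
    va_start(ap, ret_value);
    const uint8_t *buf = va_arg(ap, const uint8_t *);
    uint32_t len = va_arg(ap, uint32_t);
    va_end(ap);
    (void)proxy_info; (void)proc_num;
    *(scan_result_t *)ret_value = provider_scan(buf, len);
    return 0; /* RPC_S_OK */
}

/* The import slot the stub calls through: models amsi.dll's IAT entry for
 * rpcrt4!NdrClientCall3. Overwriting this slot is the hijack. */
typedef long (*client_call_fn)(void *, unsigned long, void *, ...);
static client_call_fn g_import_NdrClientCall3 = model_NdrClientCall3;

/* Model of the IDL-generated client stub AMSI calls for a scan request. */
static scan_result_t amsi_scan_stub(const uint8_t *content, uint32_t len) {
    scan_result_t result = SCAN_CLEAN;
    g_import_NdrClientCall3(NULL, 3UL, &result, content, len);
    return result;
}

/* Attacker-side hook. Varargs cannot be forwarded blindly, so the hook must
 * know the layout the IDL produced, pull the arguments out and rebuild the
 * call with a benign buffer in place of the real content. */
static long hooked_NdrClientCall3(void *proxy_info, unsigned long proc_num,
                                  void *ret_value, ...) {
    static const uint8_t benign[] = "Write-Host 'hello'";
    va_list ap;
    va_start(ap, ret_value);
    (void)va_arg(ap, const uint8_t *); /* real content, discarded */
    (void)va_arg(ap, uint32_t);
    va_end(ap);
    return model_NdrClientCall3(proxy_info, proc_num, ret_value,
                                benign, (uint32_t)(sizeof(benign) - 1));
}

static void install_hook(void) { g_import_NdrClientCall3 = hooked_NdrClientCall3; }
static void remove_hook(void)  { g_import_NdrClientCall3 = model_NdrClientCall3; }

/* Defender-side check: the import slot must still resolve to the genuine
 * export. On Windows the analogue is comparing amsi.dll's IAT entry against
 * the address GetProcAddress(rpcrt4, "NdrClientCall3") returns. */
static int import_slot_is_intact(void) {
    return g_import_NdrClientCall3 == model_NdrClientCall3;
}

int main(void) {
    const uint8_t sample[] = "IEX Invoke-Mimikatz";
    uint32_t n = (uint32_t)(sizeof(sample) - 1);
    printf("unhooked: %d, slot intact: %d\n", amsi_scan_stub(sample, n), import_slot_is_intact());
    install_hook();
    printf("hooked:   %d, slot intact: %d\n", amsi_scan_stub(sample, n), import_slot_is_intact());
    remove_hook();
    return 0;
}
```

The two things worth taking away from the model are that the hook must reconstruct the call from the IDL-defined argument layout because a variadic callee cannot simply be re-invoked with the caller's varargs, and that a cheap detection is to verify the import slot (and, separately, the first bytes of the real export) rather than trusting AmsiScanBuffer's return value.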


Source: https://www.reddit.com/r/ReverseEngineering/comments/1k89b01/ghosting_amsi_cutting_rpc_to_disarm_av/