Ghosting AMSI: Cutting RPC to disarm AV
The article describes a technique for bypassing AMSI via RPC hijacking: the NdrClientCall3 function is hooked to intercept and modify AV scan requests so that malicious code is not detected. 2025-4-26 09:51:2 Author: www.reddit.com (view original) Views: 22


🛡 AMSI Bypass via RPC Hijack (NdrClientCall3)

This technique exploits the COM-level mechanics AMSI uses when delegating scan requests to antivirus (AV) providers through RPC. By hooking into the NdrClientCall3 function—used internally by the RPC runtime to marshal and dispatch function calls—we intercept AMSI scan requests before they're serialized and sent to the AV engine.
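A defender-side check for the mechanism the post describes, added here as an example and not code from the post or its author: an inline hook on NdrClientCall3 has to overwrite the function's first bytes, so a process can compare the live prologue in rpcrt4.dll against the on-disk image and classify the trampoline. It assumes x64 Windows, that the disk copy of rpcrt4.dll is the clean reference, and the enum and function names are my own; the byte patterns in the test are constructed samples.

```c
/* Added example, not the post's code: integrity check for rpcrt4!NdrClientCall3.
 * Compare the live prologue with the on-disk image and name the patch, if any.
 * Assumes x64 Windows and a clean disk copy; Windows-only code is under _WIN32. */
#include <stdint.h>
#include <string.h>
#define PROLOGUE_LEN 16
enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_RIP_IND,
                 HOOK_MOV_RAX_JMP, HOOK_PUSH_RET, HOOK_UNKNOWN_PATCH };

/* Compare n live bytes with the clean copy; classify any patch by its stub shape. */
enum hook_kind classify_prologue(const uint8_t *live, const uint8_t *clean, size_t n) {
    if (memcmp(live, clean, n) == 0) return HOOK_NONE;
    if (n >= 5 && live[0] == 0xE9) return HOOK_JMP_REL32;                       /* jmp rel32 */
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) return HOOK_JMP_RIP_IND;  /* jmp [rip+disp32] */
    if (n >= 12 && live[0] == 0x48 && live[1] == 0xB8 && live[10] == 0xFF && live[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;                                                /* mov rax,imm64; jmp rax */
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3) return HOOK_PUSH_RET;     /* push imm32; ret */
    return HOOK_UNKNOWN_PATCH;              /* modified, but not a stub shape we recognise */
}

#ifdef _WIN32
#include <windows.h>
#include <stdio.h>
/* Map an RVA to its offset in the raw, unmapped file using the section table. */
static const uint8_t *rva_to_raw(const uint8_t *file, DWORD rva) {
    const IMAGE_NT_HEADERS *nt = (const IMAGE_NT_HEADERS *)(file + ((const IMAGE_DOS_HEADER *)file)->e_lfanew);
    const IMAGE_SECTION_HEADER *s = IMAGE_FIRST_SECTION(nt);
    for (WORD i = 0; i < nt->FileHeader.NumberOfSections; i++, s++)
        if (rva >= s->VirtualAddress && rva < s->VirtualAddress + s->Misc.VirtualSize)
            return file + s->PointerToRawData + (rva - s->VirtualAddress);
    return NULL;
}
/* Classification for NdrClientCall3 in the current process, or -1 on error. */
int check_ndrclientcall3(void) {
    HMODULE m = GetModuleHandleA("rpcrt4.dll");
    const uint8_t *live = m ? (const uint8_t *)GetProcAddress(m, "NdrClientCall3") : NULL;
    char path[MAX_PATH];
    if (!live || !GetModuleFileNameA(m, path, MAX_PATH)) return -1;
    HANDLE f = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (f == INVALID_HANDLE_VALUE) return -1;
    HANDLE map = CreateFileMappingA(f, NULL, PAGE_READONLY, 0, 0, NULL);
    const uint8_t *file = map ? (const uint8_t *)MapViewOfFile(map, FILE_MAP_READ, 0, 0, 0) : NULL;
    const uint8_t *clean = file ? rva_to_raw(file, (DWORD)(live - (const uint8_t *)m)) : NULL;
    int k = clean ? (int)classify_prologue(live, clean, PROLOGUE_LEN) : -1;
    if (file) UnmapViewOfFile(file);
    if (map) CloseHandle(map);
    CloseHandle(f);
    return k;   /* a hit can also be a legitimate security product's hook: attribute the target */
}
int main(void) { printf("NdrClientCall3 prologue class: %d\n", check_ndrclientcall3()); return 0; }
#endif
```

A non-zero result only says the prologue differs from disk; endpoint products legitimately hook the same runtime, so the trampoline target must be attributed to a module before the hit is treated as tampering.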


Source: https://www.reddit.com/r/blackhat/comments/1k89cjk/ghosting_amsi_cutting_rpc_to_disarm_av/