Getting Rastamouse’s AmsiScanBufferBypass to Work Again

When I need to bypass AMSI, I tend to use RastaMouse‘s AmsiScanBufferBypass. Rastamouse has a few blog posts that cover how it works. The basics of it is this: Load amsi.dll, then patch the AmsiScanBuffer() function so that it always returns AMSI_RESULT_CLEAN. This allows for your nasty payloads to execute without AMSI ruining your day.…