Debugging AMSI with Frida

Overview

Frida is a dynamic instrumentation toolkit that enables developers, security researchers, and hackers to perform various types of debugging, reverse engineering, and analysis of software and mobile applications.

Frida provides a simple yet powerful scripting interface for hooking into the runtime of an application and manipulating its behavior, as well as monitoring and modifying its data on the fly. It can be used for a variety of purposes, such as dynamic analysis of malware, debugging and testing of mobile applications, and debugging of native code.

Debugging AMSI with Frida

First, create the script that hooks the AMSI scanning function:

// HRESULT AmsiScanBuffer(HAMSICONTEXT amsiContext, PVOID buffer, ULONG length,
//                        LPCWSTR contentName, HAMSISESSION amsiSession, AMSI_RESULT *result)
Interceptor.attach(Process.getModuleByName("amsi.dll").getExportByName("AmsiScanBuffer"), {
    onEnter: function(args) {
        this.buffer = args[1];
        this.size = args[2].toInt32();                 // length argument is in bytes
        // PowerShell hands AMSI the script text as UTF-16; readUtf16String takes a character count
        this.text = this.buffer.readUtf16String(Math.floor(this.size / 2));
        this.contentName = args[3].isNull() ? "" : args[3].readUtf16String();
        this.amsiSession = args[4];
        this.result = args[5];                         // AMSI_RESULT* (32-bit enum)
        console.log("[*] AmsiScanBuffer()" +
            "\n | [AMSI] Buffer size: " + this.size +
            "\n | [AMSI] Content name: " + this.contentName +
            "\n | Text: " + this.text +
            "\n | [AMSI] Session: " + this.amsiSession);
    },
    onLeave: function(retval) {
        console.log("[*] AmsiScanBuffer() Exit" +
            "\n | [AMSI] HRESULT: " + retval +
            "\n | [AMSI] Result: " + this.result.readU32() + "\n\n");
    }
});

This script intercepts calls to the AmsiScanBuffer export of amsi.dll, logging the buffer handed to AMSI on entry and the AMSI_RESULT written by the provider on exit.
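The raw AMSI_RESULT integer the hook prints is easier to read as a verdict. The following is an added example, not code from the original page: it decodes the result using the documented AMSI_RESULT ranges from amsi.h and installs the hook only when running inside Frida, so the decoding helpers (my own names: amsiResultName, amsiResultIsMalware, formatScanEvent) can also be exercised outside the target process.

```javascript
// AMSI_RESULT values as documented in amsi.h.
const AMSI_RESULT_CLEAN = 0;
const AMSI_RESULT_NOT_DETECTED = 1;
const AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000;
const AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4fff;
const AMSI_RESULT_DETECTED = 0x8000;

// Map a raw result to a verdict: 0 clean, 1..0x3FFF allowed (higher is more
// suspicious but still runs), 0x4000..0x4FFF blocked by admin policy, >= 0x8000 detected.
function amsiResultName(code) {
  if (code === AMSI_RESULT_CLEAN) return "CLEAN";
  if (code >= AMSI_RESULT_DETECTED) return "DETECTED";
  if (code >= AMSI_RESULT_BLOCKED_BY_ADMIN_START &&
      code <= AMSI_RESULT_BLOCKED_BY_ADMIN_END) return "BLOCKED_BY_ADMIN";
  return "NOT_DETECTED";
}

// Same check the AmsiResultIsMalware() macro applies: anything >= DETECTED is blocked.
function amsiResultIsMalware(code) {
  return code >= AMSI_RESULT_DETECTED;
}

// Build the log line from what onEnter captured (byteLength is the ULONG length
// argument, i.e. bytes of UTF-16 text). Kept pure so it is testable without Frida.
function formatScanEvent(contentName, byteLength, text, code) {
  return "[AMSI] " + contentName + " (" + Math.floor(byteLength / 2) + " chars): " +
    amsiResultName(code) + " (0x" + code.toString(16) + ")" +
    (amsiResultIsMalware(code) ? " -> content will be blocked" : "") +
    "\n | " + text;
}

// Only install the hook when running inside Frida.
if (typeof Interceptor !== "undefined") {
  const amsiScanBuffer = Process.getModuleByName("amsi.dll").getExportByName("AmsiScanBuffer");
  Interceptor.attach(amsiScanBuffer, {
    onEnter(args) {
      this.byteLength = args[2].toInt32();
      this.text = args[1].readUtf16String(Math.floor(this.byteLength / 2));
      this.contentName = args[3].isNull() ? "<none>" : args[3].readUtf16String();
      this.result = args[5];
    },
    onLeave(retval) {
      if (retval.toInt32() !== 0) {            // failed HRESULT: result pointer is not meaningful
        console.log("[AMSI] scan of " + this.contentName + " failed, HRESULT " + retval);
        return;
      }
      console.log(formatScanEvent(this.contentName, this.byteLength, this.text, this.result.readU32()));
    }
  });
}
```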

Executing frida

To run frida, attach it to the running PowerShell process and load the script:

frida -p {process id of powershell} -l C:\Users\User\Downloads\frida_amsi.js
