├── jscript.csv
├── vba_com.csv
├── README.md
└── vba_win32.csv

/jscript.csv:
--------------------------------------------------------------------------------
Checksum,DispID,Name
0990B883,_01000001
95A147AA,_60020007,DynamicInvoke

Checksum,Name
A106A319,Exec
4B510922,ExecMethod
31A2C1AB,ExecMethodAsync
F8754B66,Execute
571B1ED8,Run
11EB8C32,
AD8E8027,
FEAB3DB5,

--------------------------------------------------------------------------------
/vba_com.csv:
--------------------------------------------------------------------------------
Checksum,Name
76EDA244,change
586846AE,copyfile
71D1F73B,create
9A2F5EE4,createshortcut
5870C14F,exec
499C82D1,execmethod
17B828BC,execmethodasync
05245003,execquery
351133BE,execute
AA457483,movefile
AD52403E,put
C905475B,regwrite
50B71BEE,run
8CD32F79,terminate
0990B883,
22590A90,
3AE61276,
4F20C01F,
75792F23,
79F96CD0,
9514510C,
B40B0DF6,
C62F6218,
CE4738BB,
F015CC68,

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# AMSI-Bypass

Lists of AMSI triggers (VBA, JScript / VBScript)

__Reference__ : [MISC 104 - AMSI: Fonctionnement et Contournements](https://boutique.ed-diamond.com/en-kiosque/1399-misc-104.html) (AMSI: how it works and how it is bypassed)

In VBA, JScript and VBScript, AMSI logs the executed instructions into a circular buffer and keeps a list of functions considered suspicious (the triggers). Calling one of these blacklisted functions causes the contents of the circular buffer to be submitted to the registered AMSI providers for scanning.

This repository contains the trigger lists as CRC32 checksums, as they are defined in VBE7.DLL, jscript.dll and vbscript.dll. The lists are in CSV format, with the checksum and the function name recovered for it. Rows with an empty name are checksums that have not yet been matched to a name.

__Note__: The logged form of a name (case and encoding) differs between VBA, JScript and VBScript, and also with the type of trigger (Win32 API, COM method, native method). The same function name therefore yields a different CRC32 checksum depending on where it is logged, and a checksum must be recomputed with the rule of the list it belongs to.

## VBA

| Type | Details | File |
| ---- | ------- | ---- |
| Win32 API | `UTF-8` and case preserved | [vba_win32.csv](vba_win32.csv) |
| COM methods | `UTF-16LE` and lowercase | [vba_com.csv](vba_com.csv) |

## JScript / VBScript

Both engines use the same blacklist.
Checksums are computed on either a DispID or a regular COM method name.

| Type | Details |
| ---- | ------- |
| DispID | `UTF-16LE`, prefixed with `_` |
| Names | `UTF-16LE` and case preserved |

List in [jscript.csv](jscript.csv). The file holds two tables: the DispID triggers (`Checksum,DispID,Name`) followed by the name triggers (`Checksum,Name`).

Checksum `0990B883` appears both in jscript.csv (DispID `_01000001`) and among the unresolved rows of vba_com.csv. Since lowercasing does not change `_01000001`, the VBA COM entry is likely the same DispID string logged as `UTF-16LE`; this is an observation from the lists, not something confirmed from the DLLs.

--------------------------------------------------------------------------------
/vba_win32.csv:
--------------------------------------------------------------------------------
Checksum,Name
869D4E2C,CallWindowProcA
7249FB7D,CallWindowProcW
0199DC99,CopyFileA
F54D69C8,CopyFileW
553B5C78,CreateFileA
B41B926C,CreateFileMappingA
40CF273D,CreateFileMappingW
A1EFE929,CreateFileW
A851D916,CreateProcessA
12736A0D,CreateProcessAsUserA
E6A7DF5C,CreateProcessAsUserW
81E21333,CreateProcessInternalA
7536A662,CreateProcessInternalW
5C856C47,CreateProcessW
92AC8308,CreateProcessWithLogonW
FF808C10,CreateRemoteThread
3CC5726B,CreateRemoteThreadEx
906A06B0,CreateThread
4471EE50,CreateTimerQueueTimer
0AC8FB92,DeviceIoControl
0AF4965C,DialogBoxIndirectParamA
FE20230D,DialogBoxIndirectParamW
E45313B0,DispCallFunc
235D9A6D,EnumCalendarInfoA
D7892F3C,EnumCalendarInfoW
1B449DD0,EnumDateFormatsA
EF902881,EnumDateFormatsW
5F30F19F,EnumDesktopsA
ABE444CE,EnumDesktopsW
1A54E213,EnumDesktopWindows
8BBDCC80,EnumerateLoadedModules
3B58CDDC,EnumerateLoadedModulesEx
A853EDE8,EnumerateLoadedModulesExW
05D378E3,EnumLanguageGroupLocalesA
F107CDB2,EnumLanguageGroupLocalesW
ABBC3EBB,EnumPropsExA
5F688BEA,EnumPropsExW
ACD0F7A3,EnumPwrSchemes
5F0B249B,EnumResourceTypesA
0E5BD0D0,EnumResourceTypesExA
FA8F6581,EnumResourceTypesExW
ABDF91CA,EnumResourceTypesW
CA5263FE,EnumSystemCodePagesA
3E86D6AF,EnumSystemCodePagesW
305DBEF4,EnumSystemLanguageGroupsA
C4890BA5,EnumSystemLanguageGroupsW
E2BFB9CE,EnumSystemLocalesA
166B0C9F,EnumSystemLocalesW
AF5AA374,EnumThreadWindows
76243B4B,EnumTimeFormatsA
82F08E1A,EnumTimeFormatsW
6F68BDB7,EnumUILanguagesA
9BBC08E6,EnumUILanguagesW
435A600B,EnumWindows
A6C6DCED,EnumWindowStationsA
521269BC,EnumWindowStationsW
C97C1FFF,GetProcAddress
B0D32AEE,GrayStringA
44079FBF,GrayStringW
3FC1BD8D,LoadLibraryA
9B102E2D,LoadLibraryExA
6FC49B7C,LoadLibraryExW
CB1508DC,LoadLibraryW
A89B382F,MapViewOfFile
A81778D9,MapViewOfFileEx
DE9FF0D1,MoveFileA
2A4B4580,MoveFileW
BC7CA6BD,NotifyIpInterfaceChange
F96D24A1,NotifyTeredoPortChange
F435466C,NotifyUnicastIpAddressChange
0E064A10,QueueUserAPC
8DE030C1,RegCreateKeyA
54D56398,RegCreateKeyExA
A001D6C9,RegCreateKeyExW
79348590,RegCreateKeyW
E6D4E36C,RegSetKeyValueA
1200563D,RegSetKeyValueW
36C0B928,RegSetValueA
4F0DAB99,RegSetValueExA
BBD91EC8,RegSetValueExW
C2140C79,RegSetValueW
3872BEB9,ResumeThread
1C0CD35C,RtlMoveMemory
8171B112,SendMessageCallbackA
75A50443,SendMessageCallbackW
5688CBD8,SetThreadContext
FE876E09,SetWindowLongA
0A53DB58,SetWindowLongW
8A0AEEE7,SetWindowsHookExA
7EDE5BB6,SetWindowsHookExW
AA66F348,SetWinEventHook
86E01598,SHCreateThread
A312EE96,SHCreateThreadWithHandle
EB7C1488,ShellExecuteA
1FA8A1D9,ShellExecuteW
48FEA11E,WinExec
4F58972E,WriteProcessMemory
05ED08A5,
437A4F2D,
66783659,
B7AEFA7C,
--------------------------------------------------------------------------------
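The README gives one encoding rule per list (UTF-8 case preserved for VBA Win32 names, UTF-16LE lowercase for VBA COM methods, UTF-16LE for JScript/VBScript names and `_`-prefixed DispIDs) but no way to recompute or extend the lists. The script below is an added example, not code from this repository or from the MISC article. It assumes the checksums are the standard CRC-32 (zlib / IEEE 802.3, i.e. `binascii.crc32`) applied to the bytes the README describes; `verify_known()` tests that assumption against the named rows before any unresolved row is brute-forced, and `resolve_unknown()` tries candidate names against the rows with an empty name. The candidate list and the embedded sample rows are constructed for the example (the sample rows are copied from vba_com.csv; the candidates are guesses and none of them is claimed to be a trigger).

```python
"""Recompute and resolve the CRC32 trigger checksums listed in this repository.

Added example; not code from the repository or the MISC article. Assumptions:
  1. the checksums are the standard CRC-32 (binascii.crc32);
  2. the logged form of a name is exactly what the README tables state.
Run verify_known() on the named rows first: if it returns anything, one of the
two assumptions is wrong for that list and brute-forcing is pointless.
"""
import binascii

# Logged form of a name per trigger type, transcribed from the README tables.
RULES = {
    "vba_win32": lambda name: name.encode("utf-8"),             # case preserved
    "vba_com": lambda name: name.lower().encode("utf-16-le"),   # lowercased
    "jscript": lambda name: name.encode("utf-16-le"),           # case preserved
    # DispID triggers: "_" followed by the DispID as shown in jscript.csv
    "jscript_dispid": lambda d: (d if d.startswith("_") else "_" + d).encode("utf-16-le"),
}


def crc32_hex(data: bytes) -> str:
    """Standard CRC-32 as the 8-digit uppercase hex used in the CSV files."""
    return f"{binascii.crc32(data) & 0xFFFFFFFF:08X}"


def dispid_string(dispid: int) -> str:
    """Format a numeric DispID the way jscript.csv shows it: 0x60020007 -> '_60020007'."""
    return f"_{dispid & 0xFFFFFFFF:08X}"


def checksum(name: str, rule: str) -> str:
    """Checksum of a name as it would be logged for the given trigger type."""
    return crc32_hex(RULES[rule](name))


def load_table(text: str) -> dict:
    """Parse one of the CSV files into {checksum: name}.

    Handles the two-table layout of jscript.csv: header rows are skipped, the
    first field is the checksum and the last non-empty field is the name (a
    DispID-only row keeps the DispID as its name). An empty name = unresolved.
    """
    table = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not fields[0] or fields[0] == "Checksum":
            continue                      # blank line or header row
        names = [f for f in fields[1:] if f]
        table[fields[0]] = names[-1] if names else ""
    return table


def verify_known(table: dict, rule: str) -> list:
    """Recompute every named row; returns the (checksum, name) pairs that do not
    match, i.e. evidence that the CRC variant or encoding rule is wrong."""
    return [(c, n) for c, n in table.items() if n and checksum(n, rule) != c]


def resolve_unknown(table: dict, candidates, rule: str) -> dict:
    """Try candidate names against the unresolved rows; returns {checksum: name}."""
    unresolved = {c for c, n in table.items() if not n}
    hits = {}
    for cand in candidates:
        c = checksum(cand, rule)
        if c in unresolved:
            hits[c] = cand
    return hits


# Sample rows copied from vba_com.csv (two named, two unresolved).
VBA_COM_SAMPLE = """Checksum,Name
5870C14F,exec
50B71BEE,run
0990B883,
22590A90,
"""

# Constructed guesses for the unresolved rows: common scripting-host / WMI /
# ADODB method names plus the DispID string jscript.csv maps to 0990B883.
CANDIDATES = ["shellexecute", "savetofile", "opentextfile", "writeline",
              "spawninstance_", "regread", "_01000001"]

if __name__ == "__main__":
    table = load_table(VBA_COM_SAMPLE)
    bad = verify_known(table, "vba_com")
    if bad:
        print("named rows do not recompute, check the CRC/encoding assumption:", bad)
    else:
        print("named rows recompute correctly")
        print("resolved:", resolve_unknown(table, CANDIDATES, "vba_com"))
```

To extend a list, replace `VBA_COM_SAMPLE` with the full CSV and `CANDIDATES` with a larger dictionary (for example every method name exported by the type libraries of the COM objects reachable from VBA), keeping the rule that matches the list. Because the VBA COM rule lowercases before hashing, candidates for that list need not be case-correct; for the JScript/VBScript and Win32 lists they do.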