This is a C# console tool that searches for running PowerShell instances and patches the AMSI (Anti-Malware Scan Interface) in memory to bypass script scanning.
This tool is for educational purposes only. Unauthorized use of code like this to bypass security controls may violate laws or organizational policies. Use responsibly and only in environments you own or have permission to test.
- Scans all running processes for `powershell.exe` and `pwsh.exe`
- Locates and patches the `AmsiOpenSession` function in memory
- Loops every 500 ms to reapply the patch to new instances
- Logs actions to the console for debugging
- .NET Framework 4.8
- Windows OS
- Enumerates all system processes.
- Identifies processes with the name `powershell.exe` or `pwsh.exe`.
- Reads memory near `AmsiOpenSession` from `amsi.dll` in the target process.
- Searches for a specific byte pattern.
- Overwrites the memory to redirect execution and disable AMSI.
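
The steps above leave a trace defenders can hunt for: overwriting memory in another process requires a handle with `PROCESS_VM_WRITE` and `PROCESS_VM_OPERATION`, and this tool requests one for every PowerShell host it finds. The following detection sketch is an added example, not part of this project; it assumes Sysmon Event ID 10 (ProcessAccess) field names, and the records, paths and the `min_targets` threshold are constructed for illustration.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Access rights a process needs before it can patch another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
TARGETS = {"powershell.exe", "pwsh.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed records using Sysmon Event ID 10 field names; every value is made up.
_ROWS = [
    (r"C:\Users\lab\tool.exe", 4000, PS, 1234, "0x1F0FFF"),
    (r"C:\Users\lab\tool.exe", 4000, PS, 5678, "0x1F0FFF"),
    (r"C:\Users\lab\tool.exe", 4000, r"C:\Windows\notepad.exe", 900, "0x1F0FFF"),
    (r"C:\Windows\System32\svchost.exe", 700, PS, 1234, "0x1000"),
    (r"C:\Tools\dbg.exe", 4100, r"C:\Program Files\PowerShell\7\pwsh.exe", 6000, "0x1F0FFF"),
]
FIELDS = ("SourceImage", "SourceProcessId", "TargetImage", "TargetProcessId", "GrantedAccess")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in _ROWS]


def write_access_to_powershell(event):
    """True if the granted handle allows memory writes into a PowerShell host."""
    granted = int(event["GrantedAccess"], 16)
    target = basename(event["TargetImage"]).lower()
    return target in TARGETS and (granted & WRITE_MASK) == WRITE_MASK


def suspicious_sources(events, min_targets=2):
    """Flag source processes holding write-capable handles to several PowerShell PIDs."""
    touched = defaultdict(set)
    for ev in events:
        if write_access_to_powershell(ev):
            key = (ev["SourceImage"], ev["SourceProcessId"])
            touched[key].add(ev["TargetProcessId"])
    return {src: sorted(pids) for src, pids in touched.items()
            if len(pids) >= min_targets}


if __name__ == "__main__":
    for (image, pid), targets in suspicious_sources(SAMPLE_EVENTS).items():
        print(f"{image} (PID {pid}) opened write handles to PowerShell PIDs {targets}")
```

Debuggers and some endpoint agents open similar handles, so in practice the result is filtered against an allowlist of known source images before alerting.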
- Compile with Visual Studio targeting `.NET Framework 4.8`
- Run the tool as Administrator
- Keep the tool running to patch new PowerShell sessions automatically
```
AMSI patched successfully in PID 1234
Sleeping 500 ms...
```

This code is provided without any warranty or guarantee. Use at your own risk. Only deploy or test this tool in environments where you have explicit permission.
- Microsoft AMSI Documentation
- Research from security blogs and public malware analysis