A command-line tool that generates obfuscated AMSI (Antimalware Scan Interface) bypass payloads for authorized security testing and research.
Educational and research purposes only. Misuse may violate laws and regulations.
- 🎲 Randomized Payload Generation - Each execution produces unique, heavily obfuscated payloads
- 🔄 Multiple Bypass Techniques - Implements 6 different AMSI bypass methods with random selection
- 🛡️ Advanced Obfuscation - Multi-layer obfuscation pipeline including:
  - Variable name randomization
  - Sensitive string encoding
  - Integer obfuscation
  - Junk code insertion
  - Case randomization
  - Expression wrapping
- 🧪 Automated Testing - Test payloads until a working bypass is found
- 💉 PowerShell Injection - Automatically inject successful bypasses into new PowerShell sessions
- 📁 File Output - Save generated payloads to files
- .NET 6.0 SDK or later

**Build (with verification):**

On Windows:

```
build.bat
```

On Linux/macOS:

```
chmod +x build.sh
./build.sh
```

The executable will be located in:

```
bin/Release/net6.0/<platform>/publish/AMSIBypass.exe
```
Generate and display a single payload:

```
AMSIBypass.exe
```

Save payload to file:

```
AMSIBypass.exe -f bypass.ps1
AMSIBypass.exe --file output.txt
```

Test payloads until bypass found:

```
AMSIBypass.exe -b
AMSIBypass.exe --bypass 10   # Max 10 attempts
```

Test and inject into PowerShell:

```
AMSIBypass.exe -b -i
AMSIBypass.exe --bypass 20 --inject
```

Show help:

```
AMSIBypass.exe -h
AMSIBypass.exe --help
```

| Option | Alias | Description |
|---|---|---|
| (none) | | Generate a single obfuscated AMSI bypass payload |
| `-f <path>` | `--file` | Save payload to specified file |
| `-b [n]` | `--bypass` | Test payloads until bypass found (max n attempts, default 5) |
| `-i` | `--inject` | Use with `-b` to inject bypassed payload into new PowerShell window |
| `-h` | `--help` | Show help message |
```
# Generate one payload and copy manually
AMSIBypass.exe

# Save to file for later use
AMSIBypass.exe -f amsi_bypass.ps1

# Find working bypass (display only)
AMSIBypass.exe -b

# Find working bypass and inject into PowerShell
AMSIBypass.exe -b -i

# Test up to 50 times until bypass found
AMSIBypass.exe -b 50

# Run saved payload
powershell.exe -ExecutionPolicy Bypass -File amsi_bypass.ps1
```

This tool implements multiple AMSI bypass techniques, randomly selecting one per payload generation:
- ForceError - Corrupts `amsiContext` and `amsiSession` to force errors
- MattGRefl - Sets the `amsiInitFailed` reflection flag to disable AMSI
- MattGReflLog - Delegate-based reflection to bypass WMF5 logging
- MattGRef02 - Overwrites `amsiContext` using `Marshal.WriteInt32`
- RastaBuf - Memory-patches the `AmsiScanBuffer` function
- BlankAmsiProviders - Nullifies the `amsiContext` and `amsiSession` pointers
Each payload undergoes a comprehensive obfuscation pipeline:
- Variable Renaming - Randomizes all variable names (4-14 characters)
- Sensitive String Obfuscation - Encodes strings like "AmsiUtils", "amsiInitFailed", "AmsiScanBuffer"
- Integer Obfuscation - Replaces integers with arithmetic expressions
- Junk Insertion - Adds benign statements and comments
- Case Randomization - Randomly varies PowerShell keyword casing
- Expression Wrapping - Wraps code in script blocks or `Invoke-Expression`
This multi-layer approach ensures every payload is unique and evades signature-based detection.
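A detection-side counterpart to the pipeline above, added here as an example and not part of AMSIBypass: a small Python heuristic that flags three of the listed obfuscation markers in a PowerShell script (scrambled keyword casing, sensitive names rebuilt from string fragments, and integer arithmetic standing in for constants). The keyword list, the scoring and both sample scripts are constructed for illustration.

```python
import re

# Keywords PowerShell reads case-insensitively; scrambled casing is the
# "case randomization" layer described above (list is an assumption).
KEYWORDS = {"invoke-expression", "iex", "function", "while", "return", "param", "if"}
# Names the pipeline encodes; seeing one reassembled from fragments is a signal.
SENSITIVE = ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsicontext", "amsisession")

_STR = r"(?:'[^']*'|\"[^\"]*\")"
_CONCAT = re.compile(_STR + r"(?:\s*\+\s*" + _STR + r")+")   # 'a'+'b'+'c'
_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")
_ARITH = re.compile(r"\(\s*\d+(?:\s*[-+*]\s*\d+)+\s*\)")      # (98765 - 98761)
_TOKEN = re.compile(r"[A-Za-z][A-Za-z-]*")

def _normal_case(token: str) -> bool:
    """True if every hyphen-separated part is lower, UPPER or Capitalized."""
    return all(p in (p.lower(), p.upper(), p.capitalize()) for p in token.split("-"))

def mixed_case_keywords(script: str) -> list:
    """Keywords with scrambled casing, e.g. 'iNvOkE-eXpReSsIoN'."""
    return [t for t in _TOKEN.findall(script)
            if t.lower() in KEYWORDS and not _normal_case(t)]

def split_sensitive_strings(script: str) -> list:
    """Sensitive names that only appear once adjacent string literals are joined."""
    found = []
    for m in _CONCAT.finditer(script):
        joined = "".join(a or b for a, b in _LITERAL.findall(m.group(0)))
        found += [s for s in SENSITIVE if s in joined.lower()]
    return found

def arithmetic_integers(script: str) -> list:
    """Parenthesised integer arithmetic standing in for a plain constant."""
    return _ARITH.findall(script)

def score(script: str) -> dict:
    """Count each indicator; 'total' is a crude triage score, not a verdict."""
    r = {"mixed_case_keywords": len(mixed_case_keywords(script)),
         "split_sensitive_strings": len(split_sensitive_strings(script)),
         "arithmetic_integers": len(arithmetic_integers(script))}
    r["total"] = sum(r.values())
    return r

# Constructed samples (not real payloads): one ordinary script, one showing the markers.
BENIGN = "Get-ChildItem -Path C:\\Temp | ForEach-Object { Write-Output $_.Name }\n$retries = 4\n"
SUSPICIOUS = ("$a = ('Am'+'si'+'Ut'+'ils')\n$b = ('amsiInit'+'Failed')\n"
              "$n = (98765 - 98761)\niNvOkE-eXpReSsIoN $blk\n")

if __name__ == "__main__":
    print(score(BENIGN), score(SUSPICIOUS))
```

Each function is intentionally narrow; the value for a defender is in running them over script-block logs and tuning the threshold on `total` against known-good scripts.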
- Language: C# (.NET 6.0)
- Build Type: Self-contained single-file executable
- Target Platforms: Windows x64, Linux x64, macOS x64/ARM64
- Compression: Enabled (single-file compression)
- Trimming: Disabled (preserves all reflection capabilities)
This tool builds upon groundbreaking research by security researchers who discovered and documented AMSI bypass techniques. Massive credit to:
| Technique | Description | Author(s) |
|---|---|---|
| ForceError | amsiContext/amsiSession corruption | S3cur3Th1sSh1t |
| MattGRefl | amsiInitFailed reflection | Matt Graeber |
| MattGReflLog | Delegate-based reflection (WMF5 logging bypass) | Matt Graeber |
| MattGRef02 | amsiContext WriteInt32 overwrite | Matt Graeber |
| RastaBuf | AmsiScanBuffer memory patch | Rasta Mouse |
| FieldOffset | amsiContext Marshal::Copy | Matt Graeber |
| ScanBufferPatchAlt | AmsiScanBuffer patch (no csc.exe) | Rasta Mouse + MDSec |
| ReflectionFromAssembly | AppDomain assembly enumeration | MDSec (@am0nsec) |
| BlankAmsiProviders | Null amsiContext + amsiSession | Context corruption variant |
| HardwareBreakpoint | VEH + debug registers | @CCob, adapted by Rasta Mouse |
- AMSI.fail Website - The original web-based AMSI bypass generator
- Matt Graeber's Research - Foundational AMSI bypass research
- Rasta Mouse's Blog - Red team techniques and AMSI research
- MDSec Research - Advanced security research
This tool is intended for:
- ✅ Authorized penetration testing
- ✅ Security research in controlled environments
- ✅ Educational purposes
- ✅ Red team exercises with proper authorization
You are responsible for:
- Obtaining proper authorization before testing
- Complying with all applicable laws and regulations
- Using this tool ethically and legally
Unauthorized use of this tool may violate computer fraud and abuse laws. The authors and contributors are not responsible for misuse or damage caused by this tool.
Contributions are welcome! If you've discovered new AMSI bypass techniques or improvements to the obfuscation pipeline, please open an issue or pull request.
This project is provided for educational and research purposes. Use responsibly and ethically.
Special thanks to the information security community for continuous research into Windows security mechanisms and for sharing knowledge that helps improve defensive capabilities.
Stay ethical. Stay legal. Happy hacking! 🔒