Skip to content

netbiosX/AMSI-Provider

Repository files navigation

AMSI-Provider

A fake AMSI Provider which can be used to gain persistence on a host when a specific text is triggered. By default calc.exe will open.

Usage

The AMSI Provider can be registered with the system by executing the following command from an elevated command prompt:

regsvr32 AmsiProvider.dll

Executing the following from a PowerShell console will open calc.exe:

"pentestlab"

image

Credits

Originally this technique was discovered by b4rtik and more details can be found in the article on his blog. The code sample of the AMSI provider is courtesy of Microsoft and the modifications of the code to b4artik. Since the original code shared was missing some required headers and some functions were not defined I decided to put all of them in a single repository for easy usage.

About

A fake AMSI Provider which can be used for persistence.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published