Didier Stevens

Thursday 13 June 2019

New Tool: amsiscan.py

Filed under: Malware,My Software — Didier Stevens @ 0:00

amsiscan.py is a Python script that uses Windows 10’s AmsiScanBuffer function to scan input for malware.

It reads one or more files or stdin.

The AmsiScanBuffer function returns 5 possible values when it is called for a scan:

AMSI_RESULT_CLEAN
AMSI_RESULT_NOT_DETECTED
AMSI_RESULT_BLOCKED_BY_ADMIN_START
AMSI_RESULT_BLOCKED_BY_ADMIN_END
AMSI_RESULT_DETECTED

Example:

amsiscan_V0_0_1.zip (https)
MD5: 47E50599E0CFAF1D27416E68394289A0
SHA256: 044E41D7F31D8333CB5295FD6E430933CA67F9AC37CD400D38189C96AE48544D

2 Comments »

  1. hi, amsiscanbuffer covers all the component detection? vba, powershell script, vbsscript, etc? thxx!!

    Comment by malwargsecurity — Wednesday 19 June 2019 @ 18:43

  2. Depends on your AV.

    Comment by Didier Stevens — Saturday 22 June 2019 @ 8:56


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.