AMSITrigger: The Hunt for Malicious Strings
![AMSITrigger](https://b3442631.smushcdn.com/3442631/wp-content/uploads/2021/01/Screenshot-2021-01-24-165229-1320x500.jpg?lossy=1&strip=1&webp=1)
AMSITrigger
AMSITrigger will identify all of the malicious strings in a powershell file, by repeatedly making calls to AMSI using AMSIScanBuffer, line by line. On receiving an AMSI_RESULT_DETECTED response code, the line will then be scrutinised to identify the individual triggers.
In order to speed up the scanning process, AMSITrigger breaks a file up into smaller chunks. Being able to ignore whole chunks, reduces calls to AMSIScanBuffer but presents a few problems that can result in false-negatives ie. A clean result where you expected a trigger.
The first problem is where the signature length exceeds the chunk size. To cater for this I’ve included a ChunkSize parameter, which should be increased if you’re getting an unexpected result.
The second problem is where a signature spans 2 consecutive chunks, which is more likely when you use smaller chunk sizes. To cater for this, I’ve added a maxSignatureLength parameter. This will assume that the final maxSignatureLength bytes in a chunk could be the start of a truncated signature, and will prepend the next chunk with those bytes.
Use![AMSITrigger](https://b3442631.smushcdn.com/3442631/wp-content/uploads/2021/01/Screenshot-2021-01-24-165229.jpg?lossy=1&strip=1&webp=1)
Download
Copyright (C) 2020 RythmStick