In this section I will try to understand how AMSI works internally, and I will also try to implement my own AMSI.

What Is The Purpose Of AMSI?

  1. Lets applications and services integrate with antimalware products (AVs/EDRs)
  2. Scans files, memory buffers, and streams

Windows Components That Integrate With AMSI

How Does AMSI Work?

  1. The user runs an application
  2. amsi.dll is loaded into the process's memory
  3. The AmsiScanBuffer and AmsiScanString functions in amsi.dll are called with the content to be scanned
  4. If a malicious signature is detected, execution is terminated

AMSI Enumerators

AMSI_ATTRIBUTE

First we have the AMSI_ATTRIBUTE enum, which lists the attributes a provider can request from the host through IAmsiStream::GetAttribute:

//"RemoAmsi.h" - same values as AMSI_ATTRIBUTE in the Windows SDK header amsi.h
typedef enum AMSI_ATTRIBUTE {
	AMSI_ATTRIBUTE_APP_NAME = 0,               // LPWSTR: name/version/GUID of the calling application
	AMSI_ATTRIBUTE_CONTENT_NAME = 1,           // LPWSTR: filename, URL or script identifier of the content
	AMSI_ATTRIBUTE_CONTENT_SIZE = 2,           // ULONGLONG: size of the content in bytes
	AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,        // PVOID: address of the content when it is fully in memory
	AMSI_ATTRIBUTE_SESSION = 4,                // PVOID: session that groups related scan requests
	AMSI_ATTRIBUTE_REDIRECT_CHAIN_SIZE = 5,    // redirect chain (internal use)
	AMSI_ATTRIBUTE_REDIRECT_CHAIN_ADDRESS = 6, // redirect chain (internal use)
	AMSI_ATTRIBUTE_ALL_SIZE = 7,               // internal use
	AMSI_ATTRIBUTE_ALL_ADDRESS = 8,            // internal use
	AMSI_ATTRIBUTE_QUIET = 9                   // BOOL: provider should not show UI for this scan
} AMSI_ATTRIBUTE;
  1. AMSI_ATTRIBUTE_APP_NAME: returns the name, version, or GUID string of the calling application; its data type is LPWSTR
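To see how the attribute contract works end to end (host hands the provider a stream, provider asks GetAttribute for the app name, content size and content address, then scans), here is a portable mock I added for this section. It is not code from amsi.dll, the Windows SDK or any real provider: MockStream, mock_get_attribute, mock_get_string_attribute, mock_scan and mock_sample_stream are my own hypothetical names, the HRESULT/ULONG stand-ins only exist so the mock compiles without Windows headers, and the sample scripts and the "EXAMPLE-TEST-MARKER" string are constructed for the example. The enum values, the AMSI_RESULT thresholds and the size-query-then-fetch pattern do match the real interface.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Enum values as declared in the Windows SDK amsi.h. */
typedef enum AMSI_ATTRIBUTE {
    AMSI_ATTRIBUTE_APP_NAME = 0, AMSI_ATTRIBUTE_CONTENT_NAME = 1,
    AMSI_ATTRIBUTE_CONTENT_SIZE = 2, AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,
    AMSI_ATTRIBUTE_SESSION = 4, AMSI_ATTRIBUTE_REDIRECT_CHAIN_SIZE = 5,
    AMSI_ATTRIBUTE_REDIRECT_CHAIN_ADDRESS = 6, AMSI_ATTRIBUTE_ALL_SIZE = 7,
    AMSI_ATTRIBUTE_ALL_ADDRESS = 8, AMSI_ATTRIBUTE_QUIET = 9
} AMSI_ATTRIBUTE;

/* Subset of AMSI_RESULT with the real threshold values. */
typedef enum AMSI_RESULT {
    AMSI_RESULT_CLEAN = 0, AMSI_RESULT_NOT_DETECTED = 1, AMSI_RESULT_DETECTED = 32768
} AMSI_RESULT;

/* Portable stand-ins for the Windows types and error codes this mock needs. */
typedef long HRESULT;
typedef unsigned long ULONG;
#define S_OK                    ((HRESULT)0L)
#define E_INVALIDARG            ((HRESULT)0x80070057L)
#define E_NOT_SUFFICIENT_BUFFER ((HRESULT)0x8007007AL)

/* Hypothetical stand-in for the object a host exposes behind IAmsiStream. */
typedef struct MockStream {
    const wchar_t *appName;          /* AMSI_ATTRIBUTE_APP_NAME: LPWSTR */
    const wchar_t *contentName;      /* AMSI_ATTRIBUTE_CONTENT_NAME: LPWSTR */
    const unsigned char *content;    /* AMSI_ATTRIBUTE_CONTENT_ADDRESS: pointer */
    unsigned long long contentSize;  /* AMSI_ATTRIBUTE_CONTENT_SIZE: ULONGLONG */
} MockStream;

/* Copies len bytes into the caller's buffer, or reports the size it would need. */
static HRESULT copy_attr(const void *src, ULONG len, ULONG dataSize,
                         unsigned char *data, ULONG *retData) {
    if (!retData) return E_INVALIDARG;
    *retData = len;
    if (!data || dataSize < len) return E_NOT_SUFFICIENT_BUFFER;
    memcpy(data, src, len);
    return S_OK;
}

/* Mock of IAmsiStream::GetAttribute(attribute, dataSize, data, retData). */
HRESULT mock_get_attribute(const MockStream *s, AMSI_ATTRIBUTE attr,
                           ULONG dataSize, unsigned char *data, ULONG *retData) {
    switch (attr) {
    case AMSI_ATTRIBUTE_APP_NAME:
        return copy_attr(s->appName, (ULONG)((wcslen(s->appName) + 1) * sizeof(wchar_t)),
                         dataSize, data, retData);
    case AMSI_ATTRIBUTE_CONTENT_NAME:
        return copy_attr(s->contentName, (ULONG)((wcslen(s->contentName) + 1) * sizeof(wchar_t)),
                         dataSize, data, retData);
    case AMSI_ATTRIBUTE_CONTENT_SIZE:
        return copy_attr(&s->contentSize, sizeof s->contentSize, dataSize, data, retData);
    case AMSI_ATTRIBUTE_CONTENT_ADDRESS:   /* the attribute value is the pointer itself */
        return copy_attr(&s->content, sizeof s->content, dataSize, data, retData);
    default:
        return E_INVALIDARG;               /* session / redirect chain / ALL_* not modelled */
    }
}

/* Provider-side helper for LPWSTR attributes: query the size first (expect
   E_NOT_SUFFICIENT_BUFFER), allocate, then fetch. Caller frees the result. */
wchar_t *mock_get_string_attribute(const MockStream *s, AMSI_ATTRIBUTE attr) {
    ULONG need = 0, got = 0;
    if (mock_get_attribute(s, attr, 0, NULL, &need) != E_NOT_SUFFICIENT_BUFFER || need == 0)
        return NULL;
    wchar_t *buf = malloc(need);
    if (!buf) return NULL;
    if (mock_get_attribute(s, attr, need, (unsigned char *)buf, &got) != S_OK || got != need) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Constructed marker used only by this example; it is not a real detection signature. */
static const unsigned char kTestMarker[] = "EXAMPLE-TEST-MARKER";

/* Provider-side scan: fetch CONTENT_SIZE and CONTENT_ADDRESS through the attribute
   interface, then look for the constructed marker in that buffer. */
AMSI_RESULT mock_scan(const MockStream *s) {
    unsigned long long size = 0;
    const unsigned char *addr = NULL;
    ULONG got = 0;
    if (mock_get_attribute(s, AMSI_ATTRIBUTE_CONTENT_SIZE, sizeof size,
                           (unsigned char *)&size, &got) != S_OK || got != sizeof size)
        return AMSI_RESULT_NOT_DETECTED;   /* no verdict possible without the size */
    if (mock_get_attribute(s, AMSI_ATTRIBUTE_CONTENT_ADDRESS, sizeof addr,
                           (unsigned char *)&addr, &got) != S_OK || got != sizeof addr || !addr)
        return AMSI_RESULT_NOT_DETECTED;   /* content not in memory: a real provider would stream it */
    size_t mlen = sizeof kTestMarker - 1;
    for (unsigned long long i = 0; i + mlen <= size; i++)
        if (memcmp(addr + i, kTestMarker, mlen) == 0) return AMSI_RESULT_DETECTED;
    return AMSI_RESULT_CLEAN;
}

/* Constructed sample streams (not real scripts); the second one embeds the marker. */
MockStream mock_sample_stream(int with_marker) {
    static const unsigned char clean[]   = "Write-Host 'hello'";
    static const unsigned char flagged[] = "Write-Host 'hello'; # EXAMPLE-TEST-MARKER";
    MockStream s;
    s.appName = L"PowerShell_example_host_1.0";       /* constructed APP_NAME */
    s.contentName = L"C:\\constructed\\sample.ps1";   /* constructed CONTENT_NAME */
    s.content = with_marker ? flagged : clean;
    s.contentSize = with_marker ? sizeof flagged - 1 : sizeof clean - 1;
    return s;
}

int main(void) {
    MockStream s = mock_sample_stream(1);
    wchar_t *app = mock_get_string_attribute(&s, AMSI_ATTRIBUTE_APP_NAME);
    printf("app=%ls result=%d\n", app ? app : L"?", (int)mock_scan(&s));
    free(app);
    return 0;
}
```

The two-call pattern in mock_get_string_attribute is the part worth copying when writing a real provider: LPWSTR attributes have no fixed size, so the provider must ask for the size first and check that the second call filled exactly that many bytes, while fixed-size attributes (CONTENT_SIZE, CONTENT_ADDRESS) are fetched in one call with sizeof and the returned byte count validated.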