Thanks to @D1rkMtr for the technique of using the `jne` from `amsi!AmsiOpenSession`. I have used his AMSI patch code template and added other methods. This script skips entering `amsi!AmsiOpenSession+0x4c` via `ret` by directly pasting `c3` at the beginning of `amsi!AmsiOpenSession`. As a result, we end up directly at `amsi!AmsiCloseSession`.

- The script checks whether `NtProtectVirtualMemory` and `NtAllocateVirtualMemory` are hooked by any security vendor or not.