Skip to content
/ amsi-rs Public

Custom AMSI (Antimalware Scan Interface) provider implemented in Rust. It enables advanced monitoring and logging of script execution and content scanning on Windows systems.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

radkum/amsi-rs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.cargo
.cargo
 
 
macros
macros
 
 
ramsi-cli
ramsi-cli
 
 
ramsi-com
ramsi-com
 
 
shared
shared
 
 
xtask
xtask
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE_MIT
LICENSE_MIT
 
 
Readme.md
Readme.md
 
 
rustfmt.toml
rustfmt.toml
 
 

Repository files navigation

Ramsi (Rust AMSI Provider)

Ramsi is a custom AMSI (Antimalware Scan Interface) provider implemented in Rust. It enables advanced monitoring and logging of script execution and content scanning on Windows systems.

Commercial Use & Contact

This project is a demo version. For commercial licensing, partnership opportunities, or access to the full version (including pattern matching, PowerShell deobfuscation, and script blocking features), please contact: [email protected]

Features

  • AMSI provider DLL written in Rust (ramsi-com)
  • CLI tool for registration, unregistration, and tracing events (ramsi-cli)
  • Inter-process communication via named pipes
  • Dumps scanned content and metadata to C:\ramsi
  • Debug logging via OutputDebugString (viewable with DbgView)
  • Easy build and distribution via xtask

Requirements

  • Rust 1.88 or newer (nightly recommended)
  • Windows OS

Build Instructions

To build the project and prepare distributable binaries:

cargo xtask dist

This will produce ramsi_com.dll and ramsi-cli.exe in the dist directory.

Installation

Run ramsi-cli.exe to register ramsi_com.dll and intercept events:

ramsi-cli.exe -r ramsi_com.dll

Use built-in windows tool:

regsvr32 ramsi_com.dll

Usage

> ramsi-cli.exe -h
Usage: ramsi-cli [OPTION]
Options:
  -r, --register       Register the COM component
  -u, --unregister     Unregister the COM component
  -a, --all            Register the COM component and trace AMSI events
  -t, --trace          Trace AMSI events

Example:

>ramsi-cli.exe -a ramsi_com.dll
[2025-10-21T14:23:29Z TRACE ramsi_cli] Main start
Pid: 13924, AppName: PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1, ContentName: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\PSReadline.psd1
...

Output

Ramsi logs events and dumps content to C:\ramsi:

  • {pid}_{session}_{requestNumber}_{contentName}.dmp — raw scanned content
  • AmsiMessage by \\.\pipe\ramsi
  • Debug messages via OutputDebugString

Uninstallation

Unregister the AMSI provider with ramsi-cli.exe:

ramsi-cli.exe -u ramsi_com.dll

With regsvr32

regsvr32 /u dist\ramsi_com.dll

Note: If PowerShell or another process is using the DLL, you may need to close those processes before replacing or deleting the DLL.

Project Structure

  • ramsi-com/ — AMSI provider DLL
  • ramsi-cli/ — CLI tool for provider management and tracing
  • shared/ — Shared types and constants
  • macros/ — Logging and error macros
  • xtask/ — Custom build and distribution tasks

License

Licensed under MIT. See LICENSE-MIT for details.

About

Custom AMSI (Antimalware Scan Interface) provider implemented in Rust. It enables advanced monitoring and logging of script execution and content scanning on Windows systems.

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages