AMSI_VEH
PowerShell AMSI bypass using a Vectored Exception Handler (VEH). This method does not involve patching assembly instructions, hooking functions, or modifying the import address table (IAT).
For this method to work, the VEH DLL must first be loaded into the PowerShell process. This can be done either by DLL injection or by DLL hijacking.
This method works by setting a hardware breakpoint on the AmsiScanBuffer function in all threads of the PowerShell process, and then installing a VEH to handle that breakpoint when it fires.
When a thread calls AmsiScanBuffer, the VEH makes the thread return from the function without doing anything and sets the function result to AMSI_RESULT_CLEAN. All of this happens inside the VEH, without changing any machine code and without any modification to the PE.
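Because nothing in the code or the PE is modified, the artifact left for a defender is in the thread contexts: an enabled execute breakpoint whose address lies inside AmsiScanBuffer. The following is an added detection example, not part of the AMSI_VEH project; it decodes DR7 over constructed thread snapshots. The struct, function names, addresses and thread IDs are assumptions made for illustration; on Windows the register values would come from GetThreadContext with CONTEXT_DEBUG_REGISTERS.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One thread's debug registers (hypothetical struct for this example). */
typedef struct {
    uint32_t tid;
    uint64_t dr[4];   /* Dr0..Dr3: breakpoint addresses */
    uint64_t dr7;     /* Dr7: enable bits plus type/length fields */
} thread_dbg_t;

/* Returns the slot (0-3) holding an enabled execute breakpoint inside
   [start, start+len), or -1 if the thread has none. */
int find_exec_bp(const thread_dbg_t *t, uint64_t start, uint64_t len)
{
    for (int i = 0; i < 4; i++) {
        unsigned enabled = (unsigned)(t->dr7 >> (2 * i)) & 0x3;      /* Li | Gi */
        unsigned rw      = (unsigned)(t->dr7 >> (16 + 4 * i)) & 0x3; /* 00 = execute */
        if (enabled && rw == 0 && t->dr[i] >= start && t->dr[i] - start < len)
            return i;
    }
    return -1;
}

/* Reports and counts threads with an execute breakpoint in the range. */
size_t count_flagged(const thread_dbg_t *ts, size_t n, uint64_t start, uint64_t len)
{
    size_t hits = 0;
    for (size_t k = 0; k < n; k++) {
        int slot = find_exec_bp(&ts[k], start, len);
        if (slot < 0) continue;
        printf("tid %u: execute breakpoint in Dr%d at 0x%llx\n",
               (unsigned)ts[k].tid, slot, (unsigned long long)ts[k].dr[slot]);
        hits++;
    }
    return hits;
}

/* Constructed sample data: the address, length and thread IDs are made up. */
#define SAMPLE_FUNC_START 0x7ffb12340000ULL  /* placeholder for AmsiScanBuffer */
#define SAMPLE_FUNC_LEN   0x100ULL
static const thread_dbg_t SAMPLE[] = {
    { 1001, { 0, 0, 0, 0 }, 0x0 },                            /* clean thread */
    { 1002, { SAMPLE_FUNC_START, 0, 0, 0 }, 0x1 },            /* L0 set, execute */
    { 1003, { 0, SAMPLE_FUNC_START, 0, 0 }, 0x0 },            /* address set, not enabled */
    { 1004, { 0, 0, SAMPLE_FUNC_START + 8, 0 }, 0x01000010 }, /* L2 set, write type */
};

int main(void) { return count_flagged(SAMPLE, 4, SAMPLE_FUNC_START, SAMPLE_FUNC_LEN) == 1 ? 0 : 1; }
```

Since the breakpoint is set per thread, the check has to cover every thread of the process, including threads created after the first scan.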
