MostShittyAV - Usage Comparison
Two Ways to Use MostShittyAV
MostShittyAV offers two different components that can be used independently:
AMSI Provider DLL (New - System Integration)
File: MostShittyAVWrapper.dll
What it does:
- Integrates with Windows AMSI (Anti-Malware Scan Interface)
- Automatically scans content in AMSI-aware applications
- Works system-wide once registered
Use Cases:
- Automatic scanning in PowerShell
- Integration with Windows Defender
- System-wide malware detection
- Real-time protection
Requirements:
- Administrator privileges for registration
- Must be registered via regsvr32 or scripts
- Affects system-wide behavior
Installation:
# As Administrator
.\scripts\build_and_register.ps1 -BuildAndRegister
Testing:
# Start a new PowerShell window - provider auto-loads
Write-Host "MALWARE" # Will be scanned by AMSI
Emergency Deregistration:
# If something goes wrong - run CMD.exe as Administrator
scripts\emergency_unregister.cmd
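To confirm what registration or the emergency deregistration actually left behind, the following added example (not part of the MostShittyAV scripts) lists every AMSI provider registered on the machine and the DLL behind it. It assumes the standard AMSI layout, where provider CLSIDs are subkeys of HKLM\SOFTWARE\Microsoft\AMSI\Providers and the DLL path is the default value of the CLSID's InprocServer32 key; the function name Get-AmsiProviderRegistration is hypothetical.

```powershell
# Added example (read-only): enumerate registered AMSI providers.
# Assumes the standard AMSI registry layout; function name is hypothetical.
function Get-AmsiProviderRegistration {
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -LiteralPath $providersKey)) { return }

    foreach ($entry in Get-ChildItem -LiteralPath $providersKey) {
        $clsid  = $entry.PSChildName   # each subkey name is a provider CLSID
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"

        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            # The default value of InprocServer32 is the DLL path; it may be
            # quoted or contain environment variables.
            $raw = (Get-Item -LiteralPath $inproc).GetValue('')
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            }
        }

        $exists    = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
        $signature = if ($exists) {
            (Get-AuthenticodeSignature -LiteralPath $dll).Status
        } else { 'n/a' }

        [pscustomobject]@{
            Clsid     = $clsid
            DllPath   = $dll      # $null means a dangling Providers entry
            DllExists = $exists
            Signature = $signature
        }
    }
}

$providers = @(Get-AmsiProviderRegistration)
$providers | Format-Table -AutoSize

# The DLL name comes from this page; any hit means it is still registered.
$lab = @($providers | Where-Object { $_.DllPath -like '*MostShittyAVWrapper.dll' })
if ($lab.Count -gt 0) {
    Write-Warning "MostShittyAVWrapper.dll is still registered as an AMSI provider."
} else {
    Write-Output "No AMSI provider entry points at MostShittyAVWrapper.dll."
}
```

Running it before registration, after registration and after scripts\emergency_unregister.cmd gives three states to compare.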
Standalone Scanner EXE (Original - No Installation)
File: nim_antimalware_sim.exe (release: MostShittyAVScanner.exe)
What it does:
- Command-line file scanner
- Scans files on-demand
- Works completely independently
Use Cases:
- Quick file scanning
- Batch file scanning
- Testing/research
- Portable scanning tool
Requirements:
- No installation needed
- No admin privileges required
- Works immediately
Usage:
# Scan a single file
.\src\nim_antimalware_sim.exe suspicious.exe
# Scan multiple files
.\src\nim_antimalware_sim.exe file1.ps1 file2.bat file3.dll
# Scan test files
.\src\nim_antimalware_sim.exe tests\02_signature\malware.ps1 tests\02_signature\trojan_sample.txt
Feature Comparison
| Feature | AMSI Provider DLL | Standalone Scanner EXE |
|---|---|---|
| Installation Required | Yes (registration) | No |
| Admin Privileges | Required | Not required |
| System Integration | Yes (AMSI) | No |
| Automatic Scanning | Yes | No |
| On-Demand Scanning | No | Yes |
| Portable | No | Yes |
| Affects PowerShell | Yes | No |
| Works Without Restart | No (needs new process) | Yes (immediate) |
| Can Scan Multiple Files | N/A (automatic) | Yes |
| Learning/Testing | See AMSI internals | Simple scanner logic |
Which One Should You Use?
Use the AMSI Provider DLL if you want to:
- Learn how AMSI providers work
- Test system-wide integration
- Automatically scan PowerShell commands
- Integrate with Windows security
- Study AMSI internals with Process Monitor
Best for: Security researchers, AMSI learning, system integration testing
Use the Standalone Scanner EXE if you want to:
- Quickly scan files
- Test the scanner logic without system changes
- Avoid requiring admin privileges
- Have a portable scanning tool
- Batch process files
Best for: Quick file scanning, testing scanner logic, casual use
Can I Use Both?
Yes! They work completely independently:
- Standalone Scanner can be used anytime without affecting the system
- AMSI Provider runs automatically when registered, affecting AMSI-aware apps
- Both use the same scanner logic from nim_antimalware_sim.nim
Examples
Example 1: Testing Scanner Logic (Use Standalone EXE)
# No installation needed
.\src\nim_antimalware_sim.exe tests\02_signature\malware.ps1
Output:
[2025-11-09 01:30:00] AMSI: Starting scan for file: tests\02_signature\malware.ps1
[2025-11-09 01:30:00] AMSI: Threat detected - Signature found
Result: MALICIOUS
Example 2: Testing AMSI Integration (Use DLL)
# Register (as Admin)
.\scripts\build_and_register.ps1 -BuildAndRegister
# Open NEW PowerShell window
# Type commands - they're automatically scanned
Write-Host "This is safe" # No detection
$malware = "MALWARE" # May trigger detection
Example 3: Scanning Multiple Files (Use Standalone EXE)
# Scan entire test directory
Get-ChildItem tests -Recurse -File | ForEach-Object {
.\src\nim_antimalware_sim.exe $_.FullName
}
Example 4: Research AMSI Provider Loading (Use DLL + Process Monitor)
# Register provider
.\scripts\build_and_register.ps1 -BuildAndRegister
# Start Process Monitor with filters
# Launch new PowerShell
# Watch DLL load events in Process Monitor
# See TEST_REGISTERED_PROVIDER.md for detailed steps
Technical Details
Both Components Share:
- Same scanner engine (nim_antimalware_sim.nim)
- Same signature detection
- Same heuristics
- Same threat analysis logic
Differences:
| Aspect | AMSI Provider DLL | Standalone Scanner |
|---|---|---|
| Entry Point | DllRegisterServer, DllGetClassObject | main() |
| Invocation | Called by AMSI automatically | Called by user manually |
| Context | Runs in host process (PowerShell, etc.) | Runs in own process |
| Input | AMSI scan requests | Command-line file paths |
| Output | HRESULT codes | Console logs + exit code |
Summary
TLDR:
- Want system integration? → Use MostShittyAVWrapper.dll (AMSI Provider)
- Want quick file scanning? → Use nim_antimalware_sim.exe (Standalone)
- Learning AMSI? → Use the DLL + Process Monitor
- Testing scanner logic? → Use the EXE (faster iteration)
- Not sure? → Start with the EXE (no installation)
- Something went wrong? → Run scripts\emergency_unregister.cmd as Admin
Both are included in the release package - choose what fits your needs!
AMSI Raccoon Lab