Prerequisites

# Install Nim via winget
winget install nim-lang.Nim

Installation

# Clone the repository
git clone https://github.com/yourusername/MostShittyAV.git
cd MostShittyAV

# Allow script execution (if needed)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

# Generate test files
powershell -ExecutionPolicy Bypass -File tests\scripts\create_test_files.ps1
powershell -ExecutionPolicy Bypass -File tests\scripts\create_bypass_files.ps1

Build the Scanner

You have multiple options:

# Option 1: Build and run standalone scanner
nim c -r src\nim_antimalware_sim.nim tests\01_clean\clean.txt

# Option 2: Use the quick build script
.\scripts\quick_build.ps1

# Option 3: Use the Makefile
make build

Two Modes of Operation

Standalone Scanner (Basic - Command Line)

No installation needed. Scan files directly from the command line:

.\src\nim_antimalware_sim.exe suspicious.exe

AMSI Provider DLL (Advanced - System Integration)

Registers as a Windows AMSI provider and automatically scans content in PowerShell:

# As Administrator
.\scripts\build_and_register.ps1 -BuildAndRegister

# Open NEW PowerShell window - provider auto-loads
Write-Host "MALWARE"  # Will be scanned by AMSI

Warning: The AMSI Provider affects system-wide behavior. Use scripts\emergency_unregister.cmd if anything goes wrong.


Your First Challenge

Start with Challenge #01: String Splitting - the easiest bypass:

  1. Try scanning a file containing the word “malware”:
     nim c -r src\nim_antimalware_sim.nim tests\02_signature\malware.ps1

     Result: MALICIOUS (blocked)

  2. Now try the bypass version:
     nim c -r src\nim_antimalware_sim.nim tests\02_signature\malware_bypass.ps1

     Result: BENIGN (passed!)

  3. Read Challenge #01 and try writing your own bypass.

Scanning Examples

# Scan single file
.\src\nim_antimalware_sim.exe suspicious.exe

# Scan multiple files
.\src\nim_antimalware_sim.exe tests\02_signature\*.ps1

# Scan all test categories
make test_all

Example Output

[2025-11-08 21:33:26] AMSI: Starting scan for file: infected.txt
[2025-11-08 21:33:26] AMSI: Reading file content...
[2025-11-08 21:33:26] AMSI: File successfully read (41 bytes)
[2025-11-08 21:33:26] AMSI: Checking for known malware signatures...
[2025-11-08 21:33:26] AMSI: Threat detected - Signature found in infected.txt
--------------------------------------------
Result for infected.txt: MALICIOUS
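The following Python script is an added example (not the project's Nim scanner) that reproduces the scan pipeline shown in the log above and in Challenge #01: read the file, check it against a signature list, emit log lines in the same format, and return a verdict. It also shows the defender's side of the string-splitting challenge: a normalization pass that re-joins literal concatenations such as "mal" + "ware" before matching, so the split sample is caught. The signature list, the sample files and the concatenation heuristic are all constructed for this example and are not taken from the project.

```python
import re
from datetime import datetime
from typing import List, Tuple

# Constructed signature list for this example; the project's real list is not shown on the page.
SIGNATURES = ("malware", "invoke-mimikatz", "evil")

# Matches two adjacent PowerShell string literals joined with '+', e.g. "mal" + "ware" or 'mal'+'ware'.
# Assumed heuristic for this example; it only handles plain literal-to-literal concatenation.
_CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")

# Constructed sample inputs standing in for the test files named on the page.
SAMPLES = {
    "malware.ps1": b'Write-Host "malware"\n',
    "malware_bypass.ps1": b'Write-Host ("mal" + "ware")\n',
    "clean.txt": b"Just a harmless note.\n",
}


def normalize(text: str) -> str:
    """Collapse literal concatenations until none remain, then case-fold.

    Repeating the substitution handles chains of three or more pieces:
    "ma" + "lw" + "are" becomes "malw" + "are" and then "malware".
    """
    prev, cur = None, text
    while prev != cur:
        prev = cur
        cur = _CONCAT.sub(lambda m: f'"{m.group(2)}{m.group(4)}"', cur)
    return cur.lower()


def scan(name: str, content: bytes, normalize_content: bool = True) -> Tuple[str, List[str]]:
    """Scan one file's bytes and return (verdict, log_lines).

    With normalize_content=False the check is a plain case-insensitive substring
    match, which is what the string-splitting challenge defeats.
    """
    log: List[str] = []

    def emit(msg: str) -> None:
        # Same line layout as the scanner's example output on the page.
        log.append(f"[{datetime.now():%Y-%m-%d %H:%M:%S}] AMSI: {msg}")

    emit(f"Starting scan for file: {name}")
    emit("Reading file content...")
    emit(f"File successfully read ({len(content)} bytes)")
    text = content.decode("utf-8", errors="replace")
    text = normalize(text) if normalize_content else text.lower()
    emit("Checking for known malware signatures...")
    for sig in SIGNATURES:
        if sig in text:
            emit(f"Threat detected - Signature found in {name}")
            return "MALICIOUS", log
    emit("No signatures matched")
    return "BENIGN", log


def report(name: str, content: bytes, normalize_content: bool = True) -> str:
    """Run a scan and return the full text block as the page's example output prints it."""
    verdict, log = scan(name, content, normalize_content)
    return "\n".join(log + ["-" * 44, f"Result for {name}: {verdict}"])


if __name__ == "__main__":
    for filename, data in SAMPLES.items():
        print(report(filename, data, normalize_content=False))
        print()
    # The split sample only trips the scanner once concatenations are re-joined.
    print(report("malware_bypass.ps1", SAMPLES["malware_bypass.ps1"], normalize_content=True))
```

Running the script prints one log block per constructed sample in naive mode, where malware_bypass.ps1 passes as BENIGN, followed by the same file scanned with normalization, where it is reported as MALICIOUS.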

If you’re new to AV evasion, follow this progression:

Week 1: Fundamentals

  1. #01 String Splitting - Learn basic string fragmentation
  2. #04 String Reversal - Understand directionality
  3. #07 Hex Encoding - Data representation
  4. #14 Download Cradle - Design flaw exploitation

Week 2: Encoding & Structure

  1. #15 Base64 Encoding - Beat ratio analysis
  2. #20 Size Padding - Size threshold abuse
  3. #22 Uncommon Extensions - Extension limits
  4. #23 No Extension - Parser tricks

Week 3: Advanced Evasion

  1. #02 XOR Encoding - Crypto fundamentals
  2. #12 Unicode Homoglyph - Unicode attacks
  3. #28 NTFS ADS - Filesystem tricks
  4. #30 Polyglot File - Multi-format abuse

Week 4: AMSI & Runtime

  1. #31 AMSI Init Failed - .NET internals
  2. #32 Memory Patch - Low-level patching
  3. #43 ETW Patching - Full stealth

Emergency Recovery

If the AMSI provider causes issues:

REM Run CMD.exe as Administrator
scripts\emergency_unregister.cmd

Manual cleanup:

reg delete "HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2E5D8A62-77F9-4F7B-A90B-1C8F6E9D4C3A}" /f
reg delete "HKLM\SOFTWARE\Classes\CLSID\{2E5D8A62-77F9-4F7B-A90B-1C8F6E9D4C3A}" /f

Next Steps