AMSI Raccoon Lab

All Solutions

Complete solutions with working code, explanations, and verification steps for all 43 challenges.

Signature Detection Bypass Solutions

# Challenge Difficulty Technique
01 String Splitting Easy Runtime concatenation
02 XOR Encoding Easy Bitwise XOR transformation
03 Charcode Construction Easy ASCII integer arrays
04 String Reversal Easy Reversed string flip
05 Environment Variable Abuse Medium OS env var fragments
06 ROT13 / Caesar Cipher Easy Substitution cipher
07 Hex Encoding Easy Hex string decode
08 Format String Replace Easy Delimiter insertion/removal
09 Type Conversion Medium StringBuilder + int array
10 UTF-16LE Null Interleaving Medium Unicode null byte encoding
11 Null Byte Insertion Medium Manual null bytes
12 Unicode Homoglyph Hard Cyrillic lookalikes
13 Zero-Width Characters Hard Invisible Unicode
14 Download Cradle Easy Design flaw exploit

Non-Printable Ratio Bypass Solutions

# Challenge Difficulty Technique
15 Base64 Encoding Easy 100% printable output
16 Ratio Padding Easy Printable byte dilution
17 Sub-64 Size Gate Medium Minimum size exploit
18 Encrypted Payload Medium AES + Base64 combo
19 Archive Container Easy No-unpack bypass

Small Executable Bypass Solutions

# Challenge Difficulty Technique
20 Size Padding Easy Comment padding
21 Extension Avoidance Easy Non-suspicious ext

Extension Heuristic Bypass Solutions

# Challenge Difficulty Technique
22 Uncommon Extensions Easy Unlisted exec extensions
23 No Extension Easy Extensionless files
24 Double Extension Easy Hidden ext trick
25 RTLO Unicode Hard Visual filename spoofing
26 Fullwidth Dot Hard Unicode dot bypass
27 Trailing Dots/Spaces Medium NTFS normalization
28 NTFS ADS Hard Alternate Data Streams
29 PE Stub Hard No PE analysis
30 Polyglot File Hard Multi-format files

AMSI Bypass Solutions

# Challenge Difficulty Technique
31 AMSI Init Failed Medium .NET Reflection flag
32 Memory Patch Hard AmsiScanBuffer overwrite
33 PowerShell Downgrade Easy PSv2 (pre-AMSI)
34 Base64 Encoded Command Easy -EncodedCommand param
35 COM Server Hijacking Hard HKCU COM override
36 Obfuscated Reflection Hard Dynamic string construction
37 CLM Escape Hard MSBuild/InstallUtil escape
38 Context Corruption Medium Null amsiContext
39 Chunked Execution Medium Buffer fragmentation
40 Fileless Assembly Hard In-memory .NET load
41 DLL Path Hijacking Hard Fake amsi.dll
42 WMI Event Subscription Hard Cross-process execution
43 ETW Patching Hard Telemetry blinding