A fake AMSI Provider which can be used to gain persistence on a host when a specific text is triggered. By default calc.exe will open.

The AMSI Provider can be registered with the system by executing the following command from an elevated command prompt:

regsvr32 AmsiProvider.dll

Executing the following from a PowerShell console will open calc.exe:

"pentestlab"

Originally this technique was discovered by b4rtik and more details can be found in the article on his blog. The code sample of the AMSI provider is courtesy of Microsoft and the modifications of the code to b4artik. Since the original code shared was missing some required headers and some functions were not defined I decided to put all of them in a single repository for easy usage.