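/// <summary>
        /// Loads a certificate from the certificate store or from a file, as selected by the arguments.
        /// </summary>
        /// <param name="arguments">Certificate source; a store subject is tried first, otherwise a file path.</param>
        /// <returns>The loaded certificate; an exception is thrown when no certificate could be loaded.</returns>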
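        public static X509Certificate2 LoadCertificate(CertificateArguments arguments)
        {
            X509Certificate2 returnX509 = null;

            try
            {
                // Nothing is looked up unless the arguments pass their own validation.
                if (arguments.Validate())
                {
                    // A configured store subject takes precedence over a file path.
                    if (!String.IsNullOrEmpty(arguments.CertificateStoreSubject))
                    {
                        returnX509 = FindCertificateInX509Store(arguments);
                    }
                    else if (!String.IsNullOrEmpty(arguments.CertificateFilePath))
                    {
                        returnX509 = FindCertificateInFilePath(arguments);
                    }
                }

                // Covers failed validation, no source configured, and a lookup that returned null.
                if (returnX509 == null)
                {
                    // NOTE(review): arguments.ToString() lands in the exception message and, through the
                    // catch below, in the security trace. CertificateArguments also carries
                    // CertificatePassword; confirm that its ToString() does not emit the password.
                    //
                    // InvalidOperationException replaces the bare System.Exception so callers can filter
                    // on it; existing `catch (Exception)` handlers still match.
                    throw new InvalidOperationException(String.Format("Failed to load certificate with arguments {0} ", arguments.ToString()));
                }
            }
            catch (Exception ex)
            {
                // Trace every failure (including the one raised above), then rethrow with the stack intact.
                Tracing.ErrorSecurity("Failed to load certificate. {0}", ex.ToString());
                throw;
            }

            return(returnX509);
        }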
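        /// <summary>
        /// Loads an X509Certificate2 from the file named by the arguments.
        /// </summary>
        /// <param name="arguments">Supplies the certificate file path and the password used to open it.</param>
        /// <returns>The certificate, or null when loading failed (the failure is traced, not thrown).</returns>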
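        private static X509Certificate2 FindCertificateInFilePath(CertificateArguments arguments)
        {
            X509Certificate2 returnX509 = null;

            try
            {
                // NOTE(review): X509KeyStorageFlags.Exportable marks the imported private key as
                // exportable, so any code that later holds this certificate object can extract the key.
                // Confirm that a caller really needs to export it; if not, dropping the flag is the
                // least-privilege choice.
                returnX509 = new X509Certificate2(arguments.CertificateFilePath,
                                                  arguments.CertificatePassword,
                                                  X509KeyStorageFlags.Exportable);
            }
            catch (Exception ex)
            {
                // Best effort by design: the failure is traced and reported as null, and
                // LoadCertificate turns a null result into an exception.
                // Format string and argument are passed separately, as the other
                // Tracing.ErrorSecurity call sites do, so braces in the exception text cannot be
                // misread as placeholders should the tracer format its first argument.
                Tracing.ErrorSecurity("Failed to obtain certificate. {0}", ex.ToString());
            }

            return(returnX509);
        }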
        /// <summary>
        /// This is available only on Windows 10 / Windows Server 2016 and up.
        /// It does not scan and returns a "no malware found" indication on earlier systems.
        /// </summary>
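        public static bool IsMalware(string ConsumerAppName, byte[] input, string contentName)
        {
            // Scans the buffer through AMSI and reports whether the verdict counts as malware.
            //
            // NOTE(review): this method fails open. false means "nothing detected" but also
            // "no scan took place" (AMSI missing, an AMSI call failed, an exception occurred).
            // Callers that gate uploads on this result cannot tell the two apart; the failures are
            // only visible in the trace.
            IntPtr amsiContext    = IntPtr.Zero;
            IntPtr session        = IntPtr.Zero;
            var    result         = AMSI_RESULT.AMSI_RESULT_NOT_DETECTED;
            var    contextCreated = false;
            var    sessionOpened  = false;
            int    returnValue;

            // Nothing to scan; also avoids dereferencing a null buffer after AMSI handles were acquired.
            if (input == null || input.Length == 0)
            {
                return(false);
            }

            try
            {
                // Each AMSI call returns an HRESULT; a negative value is a failure. Stop at the first
                // failure instead of passing an invalid context or session to the next call.
                returnValue = AmsiInitialize(ConsumerAppName, out amsiContext);
                if (returnValue < 0)
                {
                    Tracing.ErrorSecurity("{0}: scanning \"{1}\" for malware: {2}", ConsumerAppName, contentName, String.Format("AmsiInitialize failed, HRESULT 0x{0:X8}", returnValue));
                    return(false);
                }
                contextCreated = true;

                returnValue = AmsiOpenSession(amsiContext, out session);
                if (returnValue < 0)
                {
                    Tracing.ErrorSecurity("{0}: scanning \"{1}\" for malware: {2}", ConsumerAppName, contentName, String.Format("AmsiOpenSession failed, HRESULT 0x{0:X8}", returnValue));
                    return(false);
                }
                sessionOpened = true;

                returnValue = AmsiScanBuffer(amsiContext, input, (ulong)input.LongLength, contentName, session, out result);
                if (returnValue < 0)
                {
                    // The verdict of a failed scan is meaningless; do not let it decide the outcome.
                    result = AMSI_RESULT.AMSI_RESULT_NOT_DETECTED;
                    Tracing.ErrorSecurity("{0}: scanning \"{1}\" for malware: {2}", ConsumerAppName, contentName, String.Format("AmsiScanBuffer failed, HRESULT 0x{0:X8}", returnValue));
                }
            }
            catch (DllNotFoundException dex)
            {
                Tracing.ErrorCore("AMSI malware detection: {0}", dex.ToString());

                /* for PEN test, when we do not have a real AMSI detector,
                 * then we just detect the eicar file by hand
                 * KEEP THIS SEPARATED so TFS and local developer computers don't choke on this very file!! */
                // NOTE(review): on a system without AMSI this is the only check, so every payload
                // other than the test file is reported as clean.
                // Only the first 255 bytes are inspected, decoded as ASCII.
                var head = System.Text.Encoding.ASCII.GetString(input, 0, Math.Min(input.Length, 255));
                if (head.Contains(@"X5O!P%@AP[4\PZX54(P^)7CC)7}$EI" + @"CAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"))
                {
                    return(true);
                }
            }
            catch (Exception ex)
            {
                /* [dlatikay 20190316] MEA-2019-00154 for diagnostics */
                Tracing.ErrorSecurity("{0}: scanning \"{1}\" for malware: {2}", ConsumerAppName, contentName, ex.ToString());
            }
            finally
            {
                // Release whatever was acquired, on every exit path including exceptions.
                if (sessionOpened)
                {
                    AmsiCloseSession(amsiContext, session);
                }
                if (contextCreated)
                {
                    AmsiUninitialize(amsiContext);
                }
            }

            // AMSI_RESULT is an ordered scale, not a bit mask: the native AmsiResultIsMalware check
            // is "result >= AMSI_RESULT_DETECTED". HasFlag would miss verdicts above the detected
            // threshold that do not have that particular bit set.
            // Assumes the project's AMSI_RESULT enum mirrors the native values - TODO confirm.
            return(result >= AMSI_RESULT.AMSI_RESULT_DETECTED);
        }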