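/// <summary>
/// Submits the first <paramref name="length"/> bytes of <paramref name="buffer"/> to AMSI
/// through <c>AMSIMethods.AmsiScanBuffer</c> and converts the outcome into a <c>ScanResult</c>.
/// </summary>
/// <param name="buffer">Bytes to scan. Must not be null.</param>
/// <param name="length">Number of bytes handed to the native call. Must not exceed the buffer size.</param>
/// <param name="contentName">Name passed to AMSI and recorded in the scan context.</param>
/// <returns>
/// The result built from the AMSI result number on success, or from a <c>Win32Exception</c>
/// wrapping the returned status on failure.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="buffer"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="length"/> is larger than the buffer.</exception>
public ScanResult ScanBuffer(byte[] buffer, uint length, string contentName)
{
    if (buffer == null)
    {
        throw new ArgumentNullException(nameof(buffer));
    }

    // The native call is given `length` separately from the array, so a value larger than the
    // managed array would let it read past the end of the buffer. Reject it before the P/Invoke.
    if (length > buffer.LongLength)
    {
        throw new ArgumentOutOfRangeException(
            nameof(length),
            length,
            "length must not exceed the size of buffer.");
    }

    // NOTE(review): the recorded size and hash cover the whole array, while only the first
    // `length` bytes are scanned. When length < buffer.Length the result is attributed to a hash
    // of bytes that were not all inspected — confirm this is intended.
    // NOTE(review): GetMD5Hash is defined elsewhere; MD5 is not collision-resistant, so this is
    // presumably a content fingerprint only — confirm that no consumer treats it as proof of identity.
    var scanContext = new ScanContext(
        client,
        sessionHandle,
        contentName,
        ContentType.ByteArray,
        FileType.Unknown,
        buffer.LongLength,
        client.Configuration.SkipContentHashing ? null : buffer.GetMD5Hash());

    using (var resultBuilder = new ResultBuilder(scanContext))
    {
        var result = AMSIMethods.AmsiScanBuffer(
            client.ContextHandle,
            buffer,
            length,
            contentName,
            sessionHandle,
            out var resultNumber);

        ScanResult scanResult = null;

        // NOTE(review): Win32Exception(int) interprets its argument as a Win32 error code; if
        // `result` is an HRESULT the exception message may not describe the real failure — confirm.
        result.CheckResult(
            success: _ => scanResult = resultBuilder.ToResult(resultNumber),
            failure: _ => scanResult = resultBuilder.ToResult(new Win32Exception(result)));

        return scanResult;
    }
}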
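/// <summary>
/// Submits <paramref name="content"/> to AMSI through <c>AMSIMethods.AmsiScanString</c> and
/// converts the outcome into a <c>ScanResult</c>.
/// </summary>
/// <param name="content">Text to scan. Must not be null.</param>
/// <param name="contentName">Name passed to AMSI and recorded in the scan context.</param>
/// <returns>
/// The result built from the AMSI result number on success, or from a <c>Win32Exception</c>
/// wrapping the returned status on failure.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="content"/> is null.</exception>
public ScanResult ScanString(string content, string contentName)
{
    if (content == null)
    {
        throw new ArgumentNullException(nameof(content));
    }

    // Multiply in 64-bit arithmetic: `content.Length * 4` in int wraps to a negative size for
    // strings longer than int.MaxValue / 4 characters.
    // NOTE(review): .NET strings hold 2-byte UTF-16 code units; confirm what the factor 4 is
    // meant to represent for the size recorded in ScanContext.
    long recordedSize = content.Length * 4L;

    // NOTE(review): GetMD5Hash is defined elsewhere; MD5 is not collision-resistant, so this is
    // presumably a content fingerprint only — confirm that no consumer treats it as proof of identity.
    var scanContext = new ScanContext(
        client,
        sessionHandle,
        contentName,
        ContentType.String,
        FileType.Unknown,
        recordedSize,
        client.Configuration.SkipContentHashing ? null : content.GetMD5Hash());

    using (var resultBuilder = new ResultBuilder(scanContext))
    {
        var result = AMSIMethods.AmsiScanString(
            client.ContextHandle,
            content,
            contentName,
            sessionHandle,
            out var resultNumber);

        ScanResult scanResult = null;

        // NOTE(review): Win32Exception(int) interprets its argument as a Win32 error code; if
        // `result` is an HRESULT the exception message may not describe the real failure — confirm.
        result.CheckResult(
            success: _ => scanResult = resultBuilder.ToResult(resultNumber),
            failure: _ => scanResult = resultBuilder.ToResult(new Win32Exception(result)));

        return scanResult;
    }
}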
/// <summary>
/// Opens an AMSI session on the context owned by <paramref name="client"/>.
/// </summary>
/// <param name="client">Client whose <c>ContextHandle</c> the session is opened against.</param>
internal AMSISession(AMSIClient client)
{
    this.client = client;

    // CheckResult is given the native function name; it presumably reports a failed status
    // under that name — its implementation is outside this view.
    AMSIMethods
        .AmsiOpenSession(client.ContextHandle, out sessionHandle)
        .CheckResult(nameof(AMSIMethods.AmsiOpenSession));

    // The session handle is told which context it belongs to before it is validated;
    // presumably the context is needed later to close the session — confirm in the handle type.
    sessionHandle.Context = client.ContextHandle;
    sessionHandle.CheckHandle();
}
/// <summary>
/// Stores the configuration and initializes AMSI for the current process, registering under a
/// name built from the app-domain friendly name and the process ID.
/// </summary>
/// <param name="configuration">Settings for this client; also supplies the detection engine.</param>
AMSIClient(AMSIClientConfiguration configuration)
{
    Configuration = configuration;
    DetectionEngine = configuration.DetectionEngine;

    using (var currentProcess = Process.GetCurrentProcess())
    {
        // Record the process ID and the application name on the instance before the native call,
        // so both are set even if initialization fails afterwards.
        var processId = ProcessID = currentProcess.Id;
        var applicationName = Name = $"{AppDomain.CurrentDomain.FriendlyName} ({processId})";

        var initStatus = AMSIMethods.AmsiInitialize(applicationName, out ContextHandle);
        initStatus.CheckResult(nameof(AMSIMethods.AmsiInitialize));

        // A successful status is not trusted on its own: the returned handle is validated as well.
        ContextHandle.CheckHandle();
    }
}
/// <summary>
/// Reports whether AMSI can be used, as determined by <c>AMSIMethods.IsDllImportPossible()</c>.
/// </summary>
/// <returns>The value returned by <c>AMSIMethods.IsDllImportPossible()</c>.</returns>
/// <remarks>
/// Callers that skip scanning when this returns false should record the content as
/// "not scanned" rather than as clean.
/// </remarks>
public static bool IsAvailable()
{
    return AMSIMethods.IsDllImportPossible();
}