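        /// <summary>
        /// Scans <paramref name="bytearray"/> through AMSI and reports whether the registered
        /// provider flagged it as malicious.
        /// </summary>
        /// <param name="bytearray">
        /// Raw content to scan. Must not be null. An empty buffer is reported as clean without
        /// consulting AMSI at all — callers that treat "clean" as a security decision should be
        /// aware no provider ever saw it.
        /// </param>
        /// <param name="contentName">
        /// Name handed to the provider alongside the buffer (for example a file name); must not be blank.
        /// </param>
        /// <returns>
        /// <c>true</c> when <see cref="HasVirus"/> interprets the provider's result as malicious;
        /// otherwise <c>false</c>.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="bytearray"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="contentName"/> is null, empty or whitespace.</exception>
        /// <exception cref="ApplicationException">
        /// Opening the AMSI session or the scan itself failed (raised by <see cref="OpenSession"/> and <see cref="Scan"/>).
        /// </exception>
        public bool HasMalware(byte[] bytearray, string contentName)
        {
            if (bytearray == null)
            {
                // ArgumentNullException derives from ArgumentException, so existing catch blocks still match.
                throw new ArgumentNullException(nameof(bytearray), $"Argument '{nameof(bytearray)}' may not be null.");
            }

            if (string.IsNullOrWhiteSpace(contentName))
            {
                throw new ArgumentException($"Argument '{nameof(contentName)}' may not be empty.", nameof(contentName));
            }

            // Nothing to scan: short-circuit to "clean" without opening a session.
            if (bytearray.Length == 0)
            {
                return false;
            }

            var session = IntPtr.Zero;

            try
            {
                // A dedicated session per call; it is released in the finally block below.
                session = OpenSession();

                var scanResult = Scan(bytearray, contentName, session);

                return HasVirus(scanResult);
            }
            finally
            {
                // OpenSession throws instead of returning a handle on failure, so the
                // guard only skips the close when the session was never opened.
                if (session != IntPtr.Zero)
                {
                    AmsiNativeMethods.AmsiCloseSession(_context, session);
                }
            }
        }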
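        /// <summary>
        /// Initialises AMSI for this process via <c>AmsiInitialize</c> and stores the resulting
        /// context handle in <c>_context</c>.
        /// </summary>
        /// <param name="applicationName">
        /// Application name passed to <c>AmsiInitialize</c>. When null or blank a freshly generated
        /// GUID string is used instead. NOTE(review): a random GUID presumably surfaces in the
        /// provider's own logging, which makes scans hard to attribute to a product — prefer a
        /// stable name where possible.
        /// </param>
        /// <exception cref="ApplicationException"><c>AmsiInitialize</c> returned a non-zero result.</exception>
        public AmsiContext(string applicationName = null)
        {
            var effectiveName = string.IsNullOrWhiteSpace(applicationName)
                ? Guid.NewGuid().ToString()
                : applicationName;

            var nativeCallResult = AmsiNativeMethods.AmsiInitialize(effectiveName, out _context);

            if (nativeCallResult != 0)
            {
                // The message used to say "Failed to open an AMSI Session", which points at the
                // wrong native call; this constructor only initialises the context.
                throw new ApplicationException(
                          $"Failed to initialize AMSI.  AmsiInitialize returned {nativeCallResult}.");
            }
        }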
 /// <summary>
 /// Tears down the AMSI context held in <c>_context</c>, if one was ever initialised.
 /// Never throws: any failure during teardown is swallowed so disposal stays safe.
 /// </summary>
 /// <remarks>
 /// NOTE(review): <c>_context</c> is not reset to <see cref="IntPtr.Zero"/> after the call,
 /// so running this twice would hand the same handle to <c>AmsiUninitialize</c> again —
 /// confirm the dispose path guarantees a single invocation.
 /// </remarks>
 private void ReleaseUnmanagedResources()
 {
     if (_context == IntPtr.Zero)
     {
         return;
     }

     try
     {
         AmsiNativeMethods.AmsiUninitialize(_context);
     }
     catch
     {
         // Swallowed on purpose: teardown must not throw.
     }
 }
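        /// <summary>
        /// Probes whether a working AMSI provider is present by scanning <c>EicarTestString</c>
        /// and checking that the provider reports it as malicious.
        /// </summary>
        /// <returns>
        /// <c>true</c> only when the scan succeeded and <see cref="HasVirus"/> flags the test string.
        /// A provider that does not detect the EICAR string therefore reads as "unavailable" even
        /// though AMSI itself may be functional.
        /// </returns>
        /// <remarks>
        /// Best effort: every failure (session could not be opened, native call threw, provider error)
        /// yields <c>false</c> rather than an exception. The session opened for the probe is now
        /// closed again; previously it was passed inline to <c>AmsiScanString</c> and never released.
        /// </remarks>
        public bool IsAvailable()
        {
            var session = IntPtr.Zero;

            try
            {
                session = OpenSession();

                int scanResult;
                var nativeCallResult =
                    AmsiNativeMethods.AmsiScanString(_context, EicarTestString, "EICAR", session, out scanResult);

                return nativeCallResult == 0 && HasVirus(scanResult);
            }
            catch (Exception)
            {
                // Availability probe: any failure means "not available", never a thrown exception.
                return false;
            }
            finally
            {
                // Mirrors the cleanup in HasMalware so the probe no longer leaks a session.
                if (session != IntPtr.Zero)
                {
                    AmsiNativeMethods.AmsiCloseSession(_context, session);
                }
            }
        }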
        /// <summary>
        /// Opens a new AMSI session on <c>_context</c>.
        /// </summary>
        /// <returns>The session handle produced by <c>AmsiOpenSession</c>; any failure throws instead.</returns>
        /// <exception cref="ApplicationException">
        /// The native call itself threw (the original is attached as the inner exception) or it
        /// returned a non-zero result code.
        /// </exception>
        private IntPtr OpenSession()
        {
            IntPtr handle;
            int    status;

            try
            {
                status = AmsiNativeMethods.AmsiOpenSession(_context, out handle);
            }
            catch (Exception ex)
            {
                // Wrap so callers see a single exception type for "AMSI unusable".
                throw new ApplicationException(
                          $"Failed to open an AMSI Session: {ex.Message}. See the inner exception for details.", ex);
            }

            if (status == 0)
            {
                return handle;
            }

            throw new ApplicationException(
                      $"Failed to open an AMSI Session.  The OpenSession call returned {status}.");
        }
        /// <summary>
        /// Hands <paramref name="bytearray"/> to <c>AmsiScanBuffer</c> inside <paramref name="session"/>
        /// and returns the raw result value for <see cref="HasVirus"/> to interpret.
        /// </summary>
        /// <param name="bytearray">Buffer to scan. Must be non-null; <see cref="HasMalware"/> validates this before calling.</param>
        /// <param name="contentName">Name passed to the provider alongside the buffer.</param>
        /// <param name="session">Session handle obtained from <see cref="OpenSession"/>.</param>
        /// <returns>The result value <c>AmsiScanBuffer</c> reported for the buffer.</returns>
        /// <exception cref="ApplicationException">
        /// The native call threw (attached as the inner exception) or returned a non-zero result code.
        /// </exception>
        private int Scan(byte[] bytearray, string contentName, IntPtr session)
        {
            // Length is a non-negative int, so the widening conversion to uint cannot overflow.
            var bufferLength = Convert.ToUInt32(bytearray.Length);
            int verdict;
            int status;

            try
            {
                status = AmsiNativeMethods.AmsiScanBuffer(_context, bytearray, bufferLength, contentName, session, out verdict);
            }
            catch (Exception ex)
            {
                throw new ApplicationException(
                          $"An unexpected error occurred calling AmsiScanBuffer: {ex.Message}. See the inner exception for more details.", ex);
            }

            if (status == 0)
            {
                return verdict;
            }

            throw new ApplicationException(
                      $"Failed to scan {contentName}. The call to AmsiScanBuffer returned {status}.");
        }