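/// <summary>
/// Scans <paramref name="sample"/> through AMSI and returns the provider verdict.
/// </summary>
/// <param name="sample">Raw bytes to scan.</param>
/// <param name="amsiContext">Context handle obtained from AmsiInitialize.</param>
/// <returns>The AMSI_RESULT written by the registered provider.</returns>
/// <exception cref="ArgumentNullException"><paramref name="sample"/> is null.</exception>
/// <exception cref="InvalidOperationException">AmsiScanBuffer returned a failing HRESULT.</exception>
/// <remarks>
/// No session is opened (the AmsiOpenSession/AmsiCloseSession calls were commented out), so every
/// call is scanned in isolation and providers cannot correlate it with other buffers.
/// </remarks>
public static AMSI_RESULT scanBuffer(byte[] sample, IntPtr amsiContext)
{
    if (sample == null)
    {
        throw new ArgumentNullException(nameof(sample));
    }

    AMSI_RESULT result = 0;
    int returnValue = AmsiScanBuffer(amsiContext, sample, (uint)sample.Length, "Sample", IntPtr.Zero, out result);

    // A failing HRESULT (FAILED(hr): negative value) means the scan never ran. Returning `result`
    // in that case would fail open, because the out value is then unspecified and 0 reads as CLEAN.
    if (returnValue < 0)
    {
        throw new InvalidOperationException($"AmsiScanBuffer failed with HRESULT 0x{returnValue:X8}");
    }

    return result;
}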
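/// <summary>
/// Runs one complete AMSI round trip: initialize, open a session, scan the EICAR test string,
/// close the session, uninitialize.
/// </summary>
/// <exception cref="InvalidOperationException">
/// AmsiInitialize, AmsiOpenSession or AmsiScanString returned a failing HRESULT.
/// </exception>
/// <remarks>
/// Each HRESULT is checked so that a failed AmsiInitialize/AmsiOpenSession does not lead to calls on
/// an invalid handle, and cleanup runs even when a later step throws. The scan verdict itself is
/// not surfaced by this method (it never was); it only demonstrates the call sequence.
/// </remarks>
private static void CallAntimalwareScanInterface()
{
    IntPtr amsiContext;
    //appName is the name of the application consuming the Amsi.dll. Here my project name is VirusScanAPI.
    int returnValue = AmsiInitialize("VirusScanAPI", out amsiContext);
    if (returnValue < 0)
    {
        // FAILED(hr): no context was created, so there is nothing to uninitialize.
        throw new InvalidOperationException($"AmsiInitialize failed with HRESULT 0x{returnValue:X8}");
    }

    try
    {
        IntPtr session;
        returnValue = AmsiOpenSession(amsiContext, out session);
        if (returnValue < 0)
        {
            throw new InvalidOperationException($"AmsiOpenSession failed with HRESULT 0x{returnValue:X8}");
        }

        try
        {
            AMSI_RESULT result = 0;
            returnValue = AmsiScanString(amsiContext, @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", "EICAR", session, out result); //I've used EICAR test string.
            if (returnValue < 0)
            {
                // Without this check a failed scan is indistinguishable from a clean one.
                throw new InvalidOperationException($"AmsiScanString failed with HRESULT 0x{returnValue:X8}");
            }
        }
        finally
        {
            AmsiCloseSession(amsiContext, session);
        }
    }
    finally
    {
        AmsiUninitialize(amsiContext);
    }
}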
/// <summary>
/// Derives the safe/unsafe flag from an AMSI verdict.
/// </summary>
/// <param name="res">Verdict returned by an AMSI scan call.</param>
/// <remarks>
/// CLEAN and NOT_DETECTED mark the result safe; the BLOCKED_BY_ADMIN range and anything at or above
/// DETECTED mark it unsafe. Verdicts between those bands leave <c>IsSafe</c> untouched, i.e. at the
/// property's default (presumably <c>false</c> — the property declaration is not in this excerpt).
/// </remarks>
public AmsiMalwareScanningResult(AMSI_RESULT res)
{
    bool notFlagged = res == AMSI_RESULT.AMSI_RESULT_NOT_DETECTED
                   || res == AMSI_RESULT.AMSI_RESULT_CLEAN;
    bool adminBlocked = res >= AMSI_RESULT.AMSI_RESULT_BLOCKED_BY_ADMIN_START
                     && res <= AMSI_RESULT.AMSI_RESULT_BLOCKED_BY_ADMIN_END;
    bool detected = res >= AMSI_RESULT.AMSI_RESULT_DETECTED;

    if (notFlagged)
    {
        this.IsSafe = true;
    }

    if (adminBlocked || detected)
    {
        this.IsSafe = false;
    }
}
/// <summary>
/// Probes whether an AMSI provider is actively answering scans by submitting a fixed probe string
/// that the tool expects a real-time-protection provider to flag.
/// </summary>
/// <param name="amsiContext">Context handle obtained from AmsiInitialize.</param>
/// <returns>
/// <c>false</c> when the probe comes back NOT_DETECTED (treated as "no provider reacted");
/// <c>true</c> for every other verdict, including CLEAN.
/// </returns>
private static Boolean protectionEnabled(IntPtr amsiContext)
{
    byte[] probe = Encoding.UTF8.GetBytes("AMSIScanBuffer");
    AMSI_RESULT verdict = Triggers.scanBuffer(probe, amsiContext);

    // Only NOT_DETECTED is interpreted as "protection off"; any other value counts as enabled.
    if (verdict != AMSI_RESULT.AMSI_RESULT_NOT_DETECTED)
    {
        return true;
    }

    Console.WriteLine("[+] Check Real Time protection is enabled");
    return false;
}
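/// <summary>
/// Scans <paramref name="sample"/> through AMSI (optionally dumping it first) and returns the verdict.
/// </summary>
/// <param name="sample">Raw bytes to scan.</param>
/// <param name="amsiContext">Context handle obtained from AmsiInitialize.</param>
/// <returns>The AMSI_RESULT written by the registered provider.</returns>
/// <exception cref="ArgumentNullException"><paramref name="sample"/> is null.</exception>
/// <exception cref="InvalidOperationException">AmsiScanBuffer returned a failing HRESULT.</exception>
/// <remarks>
/// Increments the module-level <c>amsiCalls</c> counter once per attempted scan; when the
/// module-level <c>format</c> is 4 the sample is echoed via <c>showText</c> before scanning.
/// No session is used, so each buffer is scanned in isolation.
/// </remarks>
private static AMSI_RESULT scanBuffer(byte[] sample, IntPtr amsiContext)
{
    if (sample == null)
    {
        throw new ArgumentNullException(nameof(sample));
    }

    AMSI_RESULT result = 0;
    if (format == 4)
    {
        showText(sample, 0, sample.Length, false);
    }

    int returnValue = AmsiScanBuffer(amsiContext, sample, (uint)sample.Length, "Sample", IntPtr.Zero, out result);
    amsiCalls++; // counts attempts, so it is bumped before the HRESULT check

    // FAILED(hr): the scan did not run and `result` is unspecified; surfacing it as a verdict
    // would fail open (0 reads as CLEAN).
    if (returnValue < 0)
    {
        throw new InvalidOperationException($"AmsiScanBuffer failed with HRESULT 0x{returnValue:X8}");
    }

    return result;
}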
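/// <summary>
/// Scans <paramref name="PluginContents"/> through AMSI inside a short-lived context and session.
/// </summary>
/// <param name="PluginName">Application name passed to AmsiInitialize; also used as the content name.</param>
/// <param name="PluginContents">Text to scan.</param>
/// <returns>
/// The HRESULT of the first AMSI call that failed, or the HRESULT of AmsiScanString when every
/// call succeeded (0 on success).
/// </returns>
/// <remarks>
/// NOTE(review): the AMSI_RESULT verdict is discarded, as in the original; callers learn whether the
/// scan ran, not whether the content was flagged. Returning it would require an interface change.
/// Init/open failures now return early instead of continuing with an invalid handle, and cleanup
/// runs in <c>finally</c> blocks.
/// </remarks>
private static int CallAntimalwareScanInterface(string PluginName, string PluginContents)
{
    //AMSI_RESULT_CLEAN = 0,
    //AMSI_RESULT_NOT_DETECTED = 1,
    //AMSI_RESULT_MALWARE_DETECTED = 32768
    IntPtr amsiContext;
    int returnValue = AMSI.AmsiInitialize(PluginName, out amsiContext);
    if (returnValue < 0)
    {
        // FAILED(hr): no context exists, so there is nothing to uninitialize.
        return returnValue;
    }

    try
    {
        IntPtr session;
        returnValue = AMSI.AmsiOpenSession(amsiContext, out session);
        if (returnValue < 0)
        {
            return returnValue;
        }

        try
        {
            AMSI_RESULT result = 0;
            returnValue = AMSI.AmsiScanString(amsiContext, PluginContents, PluginName, session, out result);
        }
        finally
        {
            AMSI.AmsiCloseSession(amsiContext, session);
        }
    }
    finally
    {
        AMSI.AmsiUninitialize(amsiContext);
    }

    return returnValue;
}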
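/// <summary>
/// Entry point: initializes AMSI, opens a session, runs <c>Scan</c>, prints the verdict and
/// waits for a key press before exiting.
/// </summary>
/// <param name="args">Unused.</param>
/// <remarks>
/// The HRESULTs of AmsiInitialize and AmsiOpenSession are checked so a failed setup is reported
/// instead of scanning with an invalid handle; session/context cleanup runs in <c>finally</c>.
/// </remarks>
static void Main(string[] args)
{
    IntPtr amsiContext;
    int returnValue = NativeMethods.AmsiInitialize("Win10AMSIScanner", out amsiContext);
    if (returnValue < 0)
    {
        // FAILED(hr): no context was created, nothing to clean up.
        Console.WriteLine("AmsiInitialize failed: 0x{0:X8}", returnValue);
    }
    else
    {
        try
        {
            IntPtr session;
            returnValue = NativeMethods.AmsiOpenSession(amsiContext, out session);
            if (returnValue < 0)
            {
                Console.WriteLine("AmsiOpenSession failed: 0x{0:X8}", returnValue);
            }
            else
            {
                try
                {
                    AMSI_RESULT result = 0;
                    Scan(amsiContext, session, ref result);
                    Console.WriteLine(result);
                }
                finally
                {
                    NativeMethods.AmsiCloseSession(amsiContext, session);
                }
            }
        }
        finally
        {
            NativeMethods.AmsiUninitialize(amsiContext);
        }
    }

    Console.ReadLine();
}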
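/// <summary>
/// Feeds the EICAR test string to AMSI in fixed-size chunks under a single session (so the provider
/// can correlate the pieces) and reports the strongest verdict seen.
/// </summary>
/// <param name="amsiContext">Context handle obtained from AmsiInitialize.</param>
/// <param name="session">Session handle obtained from AmsiOpenSession; shared by all chunks.</param>
/// <param name="result">
/// Updated to the highest AMSI_RESULT returned for any chunk, starting from the value passed in.
/// AMSI orders verdicts numerically (CLEAN/NOT_DETECTED below the BLOCKED_BY_ADMIN range, which is
/// below DETECTED), so the maximum is the most severe one. Previously only the last chunk's verdict
/// survived.
/// </param>
/// <exception cref="InvalidOperationException">AmsiScanBuffer returned a failing HRESULT for a chunk.</exception>
private static void Scan(IntPtr amsiContext, IntPtr session, ref AMSI_RESULT result)
{
    const int bufferLength = 10;
    byte[] payload = Encoding.UTF8.GetBytes(@"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");

    using (var fs = new MemoryStream(payload))
    {
        var content = new byte[bufferLength];
        int read;
        // Read() reports how many bytes were actually delivered; the final chunk may be shorter,
        // and only that many bytes are handed to AMSI.
        while ((read = fs.Read(content, 0, bufferLength)) > 0)
        {
            AMSI_RESULT chunkResult;
            int hr = NativeMethods.AmsiScanBuffer(amsiContext, content, (uint)read, "eicar-test-file", session, out chunkResult);
            if (hr < 0)
            {
                // FAILED(hr): the chunk was not scanned; do not let an unspecified out value pass as a verdict.
                throw new InvalidOperationException($"AmsiScanBuffer failed with HRESULT 0x{hr:X8}");
            }

            if (chunkResult > result)
            {
                result = chunkResult;
            }
        }
    }
}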
// P/Invoke for amsi.dll AmsiScanBuffer. Returns an HRESULT; `result` is only meaningful when the
// call succeeds, so callers should check the return value before trusting the verdict.
// `session` may be IntPtr.Zero when no cross-call correlation is wanted. The marshaller pins
// `buffer` for the duration of the call.
// NOTE(review): the [DllImport] attribute is not visible in this excerpt — assumed to precede this line.
private static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length, string contentName, IntPtr session, out AMSI_RESULT result);
// NOTE(review): AmsiResultIsMalware is implemented in the amsi.h header (a comparison against
// AMSI_RESULT_DETECTED), not exported by amsi.dll, so this P/Invoke is expected to fail at first
// call with EntryPointNotFoundException. A managed equivalent, `r >= AMSI_RESULT.AMSI_RESULT_DETECTED`,
// needs no native call at all.
public static extern bool AmsiResultIsMalware(AMSI_RESULT result);
/// <summary>
/// Managed counterpart of the amsi.h <c>AmsiResultIsMalware</c> helper.
/// </summary>
/// <param name="r">AMSI verdict.</param>
/// <returns>
/// <c>true</c> when <paramref name="r"/> is at or above AMSI_RESULT_DETECTED, the band AMSI reserves
/// for detections. The BLOCKED_BY_ADMIN range sits below DETECTED and is therefore not reported as
/// malware by this helper.
/// </returns>
public static bool AmsiResultIsMalware(AMSI_RESULT r)
{
    return AMSI_RESULT.AMSI_RESULT_DETECTED <= r;
}
// P/Invoke for amsi.dll AmsiScanString. Returns an HRESULT; `result` is only meaningful on success.
// Both strings are marshalled as LPWSTR to match the native LPCWSTR parameters.
// NOTE(review): `result` is declared `ref` rather than `out`, so the caller must initialise it
// before the call; the native side treats it as an output parameter either way.
// NOTE(review): the [DllImport] attribute is not visible in this excerpt — assumed to precede this line.
internal static extern int AmsiScanString(
    System.IntPtr amsiContext,
    [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)] string @string,
    [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)] string contentName,
    System.IntPtr amsiSession,
    ref AMSI_RESULT result);
// NOTE(review): AmsiResultIsMalware is implemented in the amsi.h header (a comparison against
// AMSI_RESULT_DETECTED), not exported by amsi.dll, so this P/Invoke is expected to fail at first
// call with EntryPointNotFoundException. A managed equivalent, `result >= AMSI_RESULT.AMSI_RESULT_DETECTED`,
// needs no native call at all.
private static extern bool AmsiResultIsMalware(AMSI_RESULT result);
// P/Invoke for amsi.dll AmsiScanString using typed handle wrappers (HAMSICONTEXT/HAMSISESSION/HRESULT
// are declared elsewhere in the project). `contentName` and `amsiSession` are optional on the native
// side; `result` is only meaningful when the returned HRESULT indicates success.
// NOTE(review): the [DllImport] attribute is not visible in this excerpt — assumed to precede this line.
public static extern HRESULT AmsiScanString(
    HAMSICONTEXT amsiContext,
    [MarshalAs(UnmanagedType.LPWStr)] string str,
    [Optional, MarshalAs(UnmanagedType.LPWStr)] string contentName,
    [In, Optional] HAMSISESSION amsiSession,
    out AMSI_RESULT result);
// P/Invoke for amsi.dll AmsiScanBuffer with a raw pointer for the buffer: the caller is responsible
// for keeping the memory behind `buffer` valid and pinned for the duration of the call and for
// passing a `length` that does not exceed it. `result` is only meaningful when the returned HRESULT
// indicates success.
// NOTE(review): the [DllImport] attribute is not visible in this excerpt — assumed to precede this line.
public static extern HRESULT AmsiScanBuffer(
    [In] HAMSICONTEXT amsiContext,
    [In] IntPtr buffer,
    uint length,
    [Optional, MarshalAs(UnmanagedType.LPWStr)] string contentName,
    [In, Optional] HAMSISESSION amsiSession,
    out AMSI_RESULT result);
private static ScanResult Convert(this AMSI_RESULT result) => result switch {
// P/Invoke for amsi.dll AmsiScanString. Returns an HRESULT; `result` is only meaningful on success,
// so callers should check the return value before acting on the verdict. `session` may be
// IntPtr.Zero when no cross-call correlation is wanted.
// NOTE(review): the [DllImport] attribute is not visible in this excerpt — assumed to precede this line.
public static extern int AmsiScanString(
    IntPtr amsiContext,
    [InAttribute()][MarshalAsAttribute(UnmanagedType.LPWStr)] string @string,
    [InAttribute()][MarshalAsAttribute(UnmanagedType.LPWStr)] string contentName,
    IntPtr session,
    out AMSI_RESULT result);
// P/Invoke for amsi.dll AmsiScanBuffer. Returns an HRESULT; `result` is only meaningful on success.
// NOTE(review): the native `length` parameter is a Windows ULONG, which is 32 bits; declaring it as
// C# `ulong` passes 64 bits. On x64 the extra bits may go unnoticed, but in a 32-bit process the
// stack layout of the remaining arguments is shifted. `uint length` matches the native signature
// (the other AmsiScanBuffer declarations on this page use `uint`).
// NOTE(review): the [DllImport] attribute is not visible in this excerpt — assumed to precede this line.
public static extern int AmsiScanBuffer(
    IntPtr amsiContext,
    [In][MarshalAs(UnmanagedType.LPArray)] byte[] buffer,
    ulong length,
    [In()][MarshalAs(UnmanagedType.LPWStr)] string contentName,
    IntPtr session,
    out AMSI_RESULT result);
// P/Invoke for amsi.dll AmsiNotifyOperation: reports an operation (described by `buffer`/`length`)
// to the registered provider rather than scanning content for execution. As with the scan calls,
// the caller must keep `buffer` valid for the call, `length` must not exceed it, and `result` is only
// meaningful when the returned HRESULT indicates success. No session parameter exists for this API.
// NOTE(review): the [DllImport] attribute is not visible in this excerpt — assumed to precede this line.
public static extern HRESULT AmsiNotifyOperation(
    [In] HAMSICONTEXT amsiContext,
    [In] IntPtr buffer,
    [In] uint length,
    [Optional, MarshalAs(UnmanagedType.LPWStr)] string contentName,
    out AMSI_RESULT result);