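        /// <summary>
        /// Scans <paramref name="sample"/> through AMSI (no session) and returns the provider's verdict.
        /// </summary>
        /// <param name="sample">Raw bytes to scan.</param>
        /// <param name="amsiContext">Context handle obtained from AmsiInitialize.</param>
        /// <returns>The AMSI_RESULT the provider wrote for this sample.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="sample"/> is null.</exception>
        /// <exception cref="InvalidOperationException">AmsiScanBuffer returned a failure HRESULT.</exception>
        public static AMSI_RESULT scanBuffer(byte[] sample, IntPtr amsiContext)
        {
            if (sample == null)
            {
                throw new ArgumentNullException("sample");
            }

            AMSI_RESULT result = 0;

            // No session is passed (IntPtr.Zero); an AmsiOpenSession/AmsiCloseSession pair around the
            // call is where one would be added if several scans should be correlated.
            int returnValue = AmsiScanBuffer(amsiContext, sample, (uint)sample.Length, "Sample", IntPtr.Zero, out result);

            // A failed call can leave `result` at the 0 it was initialized to, which is
            // AMSI_RESULT_CLEAN. Surface the failure rather than reporting the sample as clean.
            if (returnValue < 0)
            {
                throw new InvalidOperationException("AmsiScanBuffer failed with HRESULT 0x" + returnValue.ToString("X8"));
            }

            return result;
        }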
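        /// <summary>
        /// Initializes AMSI, opens a session, scans the EICAR test string and tears everything down
        /// again. The verdict is left in the local <c>result</c>; this routine only exercises the API.
        /// </summary>
        /// <exception cref="InvalidOperationException">One of the AMSI calls returned a failure HRESULT.</exception>
        private static void CallAntimalwareScanInterface()
        {
            IntPtr      amsiContext;
            AMSI_RESULT result = 0;

            //appName is the name of the application consuming the Amsi.dll. Here my project name is VirusScanAPI.
            int returnValue = AmsiInitialize("VirusScanAPI", out amsiContext);
            if (returnValue < 0)
            {
                throw new InvalidOperationException("AmsiInitialize failed with HRESULT 0x" + returnValue.ToString("X8"));
            }

            try
            {
                IntPtr session;
                returnValue = AmsiOpenSession(amsiContext, out session);
                if (returnValue < 0)
                {
                    throw new InvalidOperationException("AmsiOpenSession failed with HRESULT 0x" + returnValue.ToString("X8"));
                }

                try
                {
                    //I've used EICAR test string.
                    returnValue = AmsiScanString(amsiContext, @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", "EICAR", session, out result);
                    if (returnValue < 0)
                    {
                        throw new InvalidOperationException("AmsiScanString failed with HRESULT 0x" + returnValue.ToString("X8"));
                    }
                }
                finally
                {
                    // Release the session even if the scan failed; the context must outlive it.
                    AmsiCloseSession(amsiContext, session);
                }
            }
            finally
            {
                AmsiUninitialize(amsiContext);
            }
        }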
        /// <summary>
        /// Maps an AMSI verdict onto <c>IsSafe</c>: CLEAN and NOT_DETECTED set it to true, the
        /// blocked-by-admin range and anything at or above DETECTED set it to false, and any other
        /// value leaves the flag at whatever it already held.
        /// </summary>
        /// <param name="res">Verdict returned by an AMSI scan.</param>
        public AmsiMalwareScanningResult(AMSI_RESULT res)
        {
            bool verdictIsClean = res == AMSI_RESULT.AMSI_RESULT_CLEAN
                               || res == AMSI_RESULT.AMSI_RESULT_NOT_DETECTED;

            bool blockedByAdmin = res >= AMSI_RESULT.AMSI_RESULT_BLOCKED_BY_ADMIN_START
                               && res <= AMSI_RESULT.AMSI_RESULT_BLOCKED_BY_ADMIN_END;
            bool detected       = res >= AMSI_RESULT.AMSI_RESULT_DETECTED;

            if (verdictIsClean)
            {
                this.IsSafe = true;
            }

            if (blockedByAdmin || detected)
            {
                this.IsSafe = false;
            }
        }
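        /// <summary>
        /// Self-check: scans a probe sample that is expected to be flagged and reports whether AMSI
        /// actually produced a detection for it.
        /// </summary>
        /// <param name="amsiContext">Context handle obtained from AmsiInitialize.</param>
        /// <returns>
        /// false when the probe came back as NOT_DETECTED or CLEAN (scanning is not effective);
        /// true for any other verdict.
        /// </returns>
        private static Boolean protectionEnabled(IntPtr amsiContext)
        {
            byte[]      sample = Encoding.UTF8.GetBytes("AMSIScanBuffer");
            AMSI_RESULT result = Triggers.scanBuffer(sample, amsiContext);

            // Both NOT_DETECTED and CLEAN mean the probe was not flagged. CLEAN (0) is also what a
            // helper that pre-initializes its out parameter hands back when the scan call itself
            // fails, so it must not be taken as evidence that protection is enabled.
            if (result == AMSI_RESULT.AMSI_RESULT_NOT_DETECTED || result == AMSI_RESULT.AMSI_RESULT_CLEAN)
            {
                Console.WriteLine("[+] Check Real Time protection is enabled");
                return false;
            }

            return true;
        }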
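        /// <summary>
        /// Scans <paramref name="sample"/> through AMSI without a session, optionally dumping the
        /// bytes first, and counts the call in <c>amsiCalls</c>.
        /// </summary>
        /// <param name="sample">Raw bytes to scan.</param>
        /// <param name="amsiContext">Context handle obtained from AmsiInitialize.</param>
        /// <returns>The AMSI_RESULT the provider wrote for this sample.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="sample"/> is null.</exception>
        /// <exception cref="InvalidOperationException">AmsiScanBuffer returned a failure HRESULT.</exception>
        private static AMSI_RESULT scanBuffer(byte[] sample, IntPtr amsiContext)
        {
            if (sample == null)
            {
                throw new ArgumentNullException("sample");
            }

            AMSI_RESULT result = 0;

            // format == 4 looks like a "show the raw sample" display mode — inferred from the call; confirm against showText.
            if (format == 4)
            {
                showText(sample, 0, sample.Length, false);
            }

            // No session (IntPtr.Zero): every call is scanned on its own.
            int returnValue = AmsiScanBuffer(amsiContext, sample, (uint)sample.Length, "Sample", IntPtr.Zero, out result);
            amsiCalls++;

            // A failed call can leave `result` at its 0 initial value (AMSI_RESULT_CLEAN);
            // fail loudly instead of reporting the sample as clean.
            if (returnValue < 0)
            {
                throw new InvalidOperationException("AmsiScanBuffer failed with HRESULT 0x" + returnValue.ToString("X8"));
            }

            return result;
        }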
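        /// <summary>
        /// Scans <paramref name="PluginContents"/> with AMSI inside a dedicated context and session.
        /// </summary>
        /// <param name="PluginName">Used both as the AMSI appName and as the content name given to the provider.</param>
        /// <param name="PluginContents">The text to scan.</param>
        /// <returns>
        /// The provider's verdict as an <c>int</c> in AMSI_RESULT terms (see the value list below),
        /// not the HRESULT of the call.
        /// </returns>
        /// <exception cref="InvalidOperationException">One of the AMSI calls returned a failure HRESULT.</exception>
        private static int CallAntimalwareScanInterface(string PluginName, string PluginContents)
        {
            IntPtr      amsiContext;
            AMSI_RESULT result = 0;

            //AMSI_RESULT_CLEAN = 0,
            //AMSI_RESULT_NOT_DETECTED = 1,
            //AMSI_RESULT_MALWARE_DETECTED = 32768
            int returnValue = AMSI.AmsiInitialize(PluginName, out amsiContext);
            if (returnValue < 0)
            {
                throw new InvalidOperationException("AmsiInitialize failed with HRESULT 0x" + returnValue.ToString("X8"));
            }

            try
            {
                IntPtr session;
                returnValue = AMSI.AmsiOpenSession(amsiContext, out session);
                if (returnValue < 0)
                {
                    throw new InvalidOperationException("AmsiOpenSession failed with HRESULT 0x" + returnValue.ToString("X8"));
                }

                try
                {
                    returnValue = AMSI.AmsiScanString(amsiContext, PluginContents, PluginName, session, out result);
                    if (returnValue < 0)
                    {
                        throw new InvalidOperationException("AmsiScanString failed with HRESULT 0x" + returnValue.ToString("X8"));
                    }
                }
                finally
                {
                    // Release the session even when the scan threw; the context must outlive it.
                    AMSI.AmsiCloseSession(amsiContext, session);
                }
            }
            finally
            {
                AMSI.AmsiUninitialize(amsiContext);
            }

            // Return the verdict, not the HRESULT of AmsiScanString: S_OK (0) would otherwise be
            // indistinguishable from AMSI_RESULT_CLEAN whatever the provider actually found.
            return (int)result;
        }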
文件: Program.cs 项目: genafox/DotNet
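        /// <summary>
        /// Entry point: initializes AMSI, opens a session, runs <c>Scan</c>, prints the verdict and
        /// releases the session and context even if the scan throws.
        /// </summary>
        /// <param name="args">Unused.</param>
        static void Main(string[] args)
        {
            IntPtr      amsiContext;
            AMSI_RESULT result = 0;

            int returnValue = NativeMethods.AmsiInitialize("Win10AMSIScanner", out amsiContext);
            if (returnValue < 0)
            {
                Console.WriteLine("AmsiInitialize failed with HRESULT 0x" + returnValue.ToString("X8"));
            }
            else
            {
                try
                {
                    IntPtr session;
                    returnValue = NativeMethods.AmsiOpenSession(amsiContext, out session);
                    if (returnValue < 0)
                    {
                        Console.WriteLine("AmsiOpenSession failed with HRESULT 0x" + returnValue.ToString("X8"));
                    }
                    else
                    {
                        try
                        {
                            Scan(amsiContext, session, ref result);

                            Console.WriteLine(result);
                        }
                        finally
                        {
                            NativeMethods.AmsiCloseSession(amsiContext, session);
                        }
                    }
                }
                finally
                {
                    NativeMethods.AmsiUninitialize(amsiContext);
                }
            }

            Console.ReadLine();
        }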
文件: Program.cs 项目: genafox/DotNet
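        /// <summary>
        /// Feeds the EICAR test string to AMSI in fixed-size chunks within one session and reports
        /// the most severe verdict seen across all chunks.
        /// </summary>
        /// <param name="amsiContext">Context handle obtained from AmsiInitialize.</param>
        /// <param name="session">Session handle obtained from AmsiOpenSession; shared by every chunk.</param>
        /// <param name="result">
        /// Raised to the highest AMSI_RESULT returned for any chunk; left unchanged if no chunk
        /// scored higher than the value passed in.
        /// </param>
        /// <exception cref="InvalidOperationException">AmsiScanBuffer returned a failure HRESULT for a chunk.</exception>
        private static void Scan(IntPtr amsiContext, IntPtr session, ref AMSI_RESULT result)
        {
            const int bufferLength = 10;

            using (var fs = new MemoryStream(Encoding.UTF8.GetBytes(@"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")))
            {
                var content = new byte[bufferLength];
                int read;

                // Read() may return fewer bytes than requested; trust its return value instead of a
                // precomputed count so a short read never scans stale bytes from a previous chunk.
                while ((read = fs.Read(content, 0, bufferLength)) > 0)
                {
                    AMSI_RESULT chunkResult;
                    int hr = NativeMethods.AmsiScanBuffer(amsiContext, content, (uint)read, "eicar-test-file", session, out chunkResult);
                    if (hr < 0)
                    {
                        throw new InvalidOperationException("AmsiScanBuffer failed with HRESULT 0x" + hr.ToString("X8"));
                    }

                    // Each chunk gets its own verdict. Keep the highest one (higher AMSI_RESULT values
                    // are treated as more severe, e.g. ">= AMSI_RESULT_DETECTED") so an earlier
                    // detection is not overwritten by a later clean chunk. Note that 10-byte chunks
                    // split the test signature; whether any chunk is flagged depends on the provider
                    // correlating within the session.
                    if (chunkResult > result)
                    {
                        result = chunkResult;
                    }
                }
            }
        }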
 // P/Invoke into amsi.dll (attribute not shown here). Returns an HRESULT: check for a
 // negative value before trusting `result`, since a failed call need not write the out
 // parameter and a pre-zeroed variable would then read as AMSI_RESULT_CLEAN.
 // `length` must not exceed buffer.Length; `session` may be IntPtr.Zero for an uncorrelated scan.
 private static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length, string contentName, IntPtr session, out AMSI_RESULT result);
 // NOTE(review): AmsiResultIsMalware is supplied by amsi.h as a header-level helper
 // (result >= AMSI_RESULT_DETECTED) rather than as an export of amsi.dll, so a P/Invoke
 // to it is expected to fail with EntryPointNotFoundException on first call — verify
 // against the DLL's export table. The managed expression-bodied AmsiResultIsMalware
 // shown elsewhere on this page does the same comparison without a native call.
 public static extern bool AmsiResultIsMalware(AMSI_RESULT result);
 /// <summary>
 /// Managed equivalent of the amsi.h AmsiResultIsMalware check: any verdict at or above
 /// AMSI_RESULT_DETECTED counts as malware.
 /// </summary>
 /// <param name="r">Verdict returned by an AMSI scan.</param>
 /// <returns>true when <paramref name="r"/> is AMSI_RESULT_DETECTED or higher.</returns>
 public static bool AmsiResultIsMalware(AMSI_RESULT r)
 {
     AMSI_RESULT detectionThreshold = AMSI_RESULT.AMSI_RESULT_DETECTED;
     return r >= detectionThreshold;
 }
 // P/Invoke into amsi.dll (attribute not shown here). Both strings are marshaled as LPWStr
 // to match the native LPCWSTR parameters. `result` is declared `ref` rather than `out`,
 // so callers must initialize it; a failed HRESULT need not overwrite it, so check the
 // return value before reading the verdict. amsiSession may be IntPtr.Zero for an
 // uncorrelated scan.
 internal static extern int AmsiScanString(
     System.IntPtr amsiContext, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)] string @string,
     [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)] string contentName, System.IntPtr amsiSession, ref AMSI_RESULT result);
 // NOTE(review): AmsiResultIsMalware is a header-level helper in amsi.h
 // (result >= AMSI_RESULT_DETECTED), not an export of amsi.dll, so this P/Invoke is
 // expected to throw EntryPointNotFoundException when first called — verify against the
 // DLL's export table and prefer a managed comparison.
 private static extern bool AmsiResultIsMalware(AMSI_RESULT result);
 // P/Invoke into amsi.dll (attribute not shown here) using typed handle wrappers.
 // `str` and `contentName` are marshaled as LPWStr; contentName and amsiSession are
 // optional — a default HAMSISESSION scans without correlating to other calls.
 // The verdict in `result` is only meaningful when the returned HRESULT succeeded.
 public static extern HRESULT AmsiScanString(HAMSICONTEXT amsiContext, [MarshalAs(UnmanagedType.LPWStr)] string str,
                                             [Optional, MarshalAs(UnmanagedType.LPWStr)] string contentName, [In, Optional] HAMSISESSION amsiSession, out AMSI_RESULT result);
 // P/Invoke into amsi.dll (attribute not shown here) using typed handle wrappers.
 // `buffer` is a raw pointer: the caller must supply unmanaged or pinned memory holding at
 // least `length` bytes and keep it alive for the duration of the call. contentName and
 // amsiSession are optional. Check the returned HRESULT before trusting `result`.
 public static extern HRESULT AmsiScanBuffer([In] HAMSICONTEXT amsiContext, [In] IntPtr buffer, uint length,
                                             [Optional, MarshalAs(UnmanagedType.LPWStr)] string contentName, [In, Optional] HAMSISESSION amsiSession, out AMSI_RESULT result);
 private static ScanResult Convert(this AMSI_RESULT result) => result switch
 {
 // P/Invoke into amsi.dll (attribute not shown here). Both strings are marshaled as LPWStr
 // to match the native LPCWSTR parameters. Returns an HRESULT: check for a negative value
 // before reading `result`, which a failed call need not write. `session` may be
 // IntPtr.Zero for an uncorrelated scan.
 public static extern int AmsiScanString(IntPtr amsiContext, [InAttribute()][MarshalAsAttribute(UnmanagedType.LPWStr)] string @string, [InAttribute()][MarshalAsAttribute(UnmanagedType.LPWStr)] string contentName, IntPtr session, out AMSI_RESULT result);
 // NOTE(review): the native `length` parameter is a 32-bit ULONG, but this declaration
 // marshals it as a 64-bit `ulong`. On x64 the wider argument may happen to work because
 // only the low 32 bits are read; on x86 the stack layout is likely wrong. Declaring it as
 // `uint length` (as the other AmsiScanBuffer declarations on this page do) matches the
 // native signature. `length` must never exceed buffer.Length, and the returned HRESULT
 // must be checked before `result` is trusted.
 public static extern int AmsiScanBuffer(IntPtr amsiContext, [In][MarshalAs(UnmanagedType.LPArray)] byte[] buffer, ulong length, [In()][MarshalAs(UnmanagedType.LPWStr)] string contentName, IntPtr session, out AMSI_RESULT result);
 // P/Invoke into amsi.dll (attribute not shown here). Unlike the scan calls this takes no
 // session handle. `buffer` is a raw pointer: the caller must supply unmanaged or pinned
 // memory of at least `length` bytes and keep it alive for the duration of the call.
 // `result` is only meaningful when the returned HRESULT succeeded.
 public static extern HRESULT AmsiNotifyOperation([In] HAMSICONTEXT amsiContext, [In] IntPtr buffer, [In] uint length,
                                                  [Optional, MarshalAs(UnmanagedType.LPWStr)] string contentName, out AMSI_RESULT result);