Question

AMSI具有用于扫描字节数组的功能AmsiScanBuffer。但是在那种情况下，必须将整个内容读到内存中，这对于大文件而言可能是不可能的。 AmsiScanBuffer函数具有参数amsiSession，该参数旨在用于多个扫描请求的关联。据我了解，它应该按块读取一个文件，并为具有相同会话和上下文的那些块调用AmsiScanBuffer。但事实并非如此：

public enum AMSI_RESULT
{
    AMSI_RESULT_CLEAN = 0,
    AMSI_RESULT_NOT_DETECTED = 1,
    AMSI_RESULT_DETECTED = 32768
}

public static class NativeMethods
{
    [DllImport("Amsi.dll", EntryPoint = "AmsiInitialize", CallingConvention = CallingConvention.StdCall)]
    public static extern int AmsiInitialize([MarshalAs(UnmanagedType.LPWStr)]string appName, out IntPtr amsiContext);

    [DllImport("Amsi.dll", EntryPoint = "AmsiUninitialize", CallingConvention = CallingConvention.StdCall)]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("Amsi.dll", EntryPoint = "AmsiOpenSession", CallingConvention = CallingConvention.StdCall)]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);

    [DllImport("Amsi.dll", EntryPoint = "AmsiCloseSession", CallingConvention = CallingConvention.StdCall)]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);

    [DllImport("Amsi.dll", EntryPoint = "AmsiScanString", CallingConvention = CallingConvention.StdCall)]
    public static extern int AmsiScanString(IntPtr amsiContext, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string @string, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string contentName, IntPtr session, out AMSI_RESULT result);
    [DllImport("Amsi.dll", EntryPoint = "AmsiScanBuffer", CallingConvention = CallingConvention.StdCall)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, [In] [MarshalAs(UnmanagedType.LPArray)] byte[] buffer, uint length, [In()] [MarshalAs(UnmanagedType.LPWStr)] string contentName, IntPtr session, out AMSI_RESULT result);
}

class Program
{
    static void Main(string[] args)
    {
        IntPtr amsiContext;
        IntPtr session;
        AMSI_RESULT result = 0;
        int returnValue;

        returnValue = NativeMethods.AmsiInitialize("Win10AMSIScanner", out amsiContext);
        returnValue = NativeMethods.AmsiOpenSession(amsiContext, out session);

        Scan(amsiContext, session, ref result);

        Console.WriteLine(result);

        NativeMethods.AmsiCloseSession(amsiContext, session);
        NativeMethods.AmsiUninitialize(amsiContext);

        Console.ReadLine();
    }

    private static void Scan(IntPtr amsiContext, IntPtr session, ref AMSI_RESULT result)
    {
        const int bufferLength = 10;
        using (var fs = new MemoryStream(Encoding.UTF8.GetBytes(@"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")))
        {
            long alreadyRead = 0;
            fs.Seek(0, SeekOrigin.Begin);

            long toReadCount = alreadyRead + bufferLength <= fs.Length ? bufferLength : fs.Length - alreadyRead;
            while (toReadCount > 0)
            {
                var content = new byte[toReadCount];
                fs.Read(content, 0, (int)toReadCount);

                NativeMethods.AmsiScanBuffer(amsiContext, content, (uint)toReadCount, "eicar-test-file", session, out result);

                alreadyRead += toReadCount;
                toReadCount = alreadyRead + bufferLength <= fs.Length ? bufferLength : fs.Length - alreadyRead;
            }
        }
    }
}

您对为什么它不起作用有任何想法，或者对如何实现目标有任何建议吗？

Answer 1

因为您没有指定遇到的错误或不起作用的原因，所以我无济于事。

我可以说的是，我已经可以在C ++中使用AMSI扫描文件。因此，是的，它正在工作。它甚至可以扫描成ZIP文件（取决于病毒扫描程序）。

很多事情可能会失败。例如：您需要在Windows Defender安全中心中启用实时保护（如果使用Windows Defender）。否则，调用AmsiScanBuffer将返回错误代码0x80070015，其中显示“设备未就绪”。其他病毒扫描程序也可能具有这种选项。

您的代码缺少对返回值的检查。根据目前的信息，AmsiInitialize可能会失败。

AMSI：按块对大型文件执行恶意软件扫描

1 个答案: