AMSI具有用于扫描字节数组的功能AmsiScanBuffer。但在这种情况下,必须将整体内容读入内存,这对于大文件来说可能是不可能的。AmsiScanBuffer函数具有参数amsiSession,旨在用于关联多个扫描请求。据我了解,按块读取一个文件并为具有相同会话和上下文的这些块调用AmsiScanBuffer应该有效。但它没有:
public enum AMSI_RESULT
{
AMSI_RESULT_CLEAN = 0,
AMSI_RESULT_NOT_DETECTED = 1,
AMSI_RESULT_DETECTED = 32768
}
public static class NativeMethods
{
[DllImport("Amsi.dll", EntryPoint = "AmsiInitialize", CallingConvention = CallingConvention.StdCall)]
public static extern int AmsiInitialize([MarshalAs(UnmanagedType.LPWStr)]string appName, out IntPtr amsiContext);
[DllImport("Amsi.dll", EntryPoint = "AmsiUninitialize", CallingConvention = CallingConvention.StdCall)]
public static extern void AmsiUninitialize(IntPtr amsiContext);
[DllImport("Amsi.dll", EntryPoint = "AmsiOpenSession", CallingConvention = CallingConvention.StdCall)]
public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);
[DllImport("Amsi.dll", EntryPoint = "AmsiCloseSession", CallingConvention = CallingConvention.StdCall)]
public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);
[DllImport("Amsi.dll", EntryPoint = "AmsiScanString", CallingConvention = CallingConvention.StdCall)]
public static extern int AmsiScanString(IntPtr amsiContext, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string @string, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string contentName, IntPtr session, out AMSI_RESULT result);
[DllImport("Amsi.dll", EntryPoint = "AmsiScanBuffer", CallingConvention = CallingConvention.StdCall)]
public static extern int AmsiScanBuffer(IntPtr amsiContext, [In] [MarshalAs(UnmanagedType.LPArray)] byte[] buffer, uint length, [In()] [MarshalAs(UnmanagedType.LPWStr)] string contentName, IntPtr session, out AMSI_RESULT result);
}
class Program
{
static void Main(string[] args)
{
IntPtr amsiContext;
IntPtr session;
AMSI_RESULT result = 0;
int returnValue;
returnValue = NativeMethods.AmsiInitialize("Win10AMSIScanner", out amsiContext);
returnValue = NativeMethods.AmsiOpenSession(amsiContext, out session);
Scan(amsiContext, session, ref result);
Console.WriteLine(result);
NativeMethods.AmsiCloseSession(amsiContext, session);
NativeMethods.AmsiUninitialize(amsiContext);
Console.ReadLine();
}
private static void Scan(IntPtr amsiContext, IntPtr session, ref AMSI_RESULT result)
{
const int bufferLength = 10;
using (var fs = new MemoryStream(Encoding.UTF8.GetBytes(@"X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")))
{
long alreadyRead = 0;
fs.Seek(0, SeekOrigin.Begin);
long toReadCount = alreadyRead + bufferLength <= fs.Length ? bufferLength : fs.Length - alreadyRead;
while (toReadCount > 0)
{
var content = new byte[toReadCount];
fs.Read(content, 0, (int)toReadCount);
NativeMethods.AmsiScanBuffer(amsiContext, content, (uint)toReadCount, "eicar-test-file", session, out result);
alreadyRead += toReadCount;
toReadCount = alreadyRead + bufferLength <= fs.Length ? bufferLength : fs.Length - alreadyRead;
}
}
}
}
您是否有任何想法为什么它不起作用或有关如何实现目标的任何建议?
因为您没有指定您遇到的错误或不起作用的错误,所以我帮不上什么忙。
我可以说的是,我有一个在 C++ 中使用 AMSI 扫描文件的工作实现。所以,是的,它正在工作。它甚至可以扫描成ZIP文件(取决于病毒扫描程序(。
有很多事情可能会失败。例如:您需要在 Windows Defender 安全中心启用实时保护(如果您使用 Windows Defender(。否则,调用 AmsiScanBuffer 将返回错误代码0x80070015"设备未就绪"。 其他病毒扫描程序也可能具有这种选项。
代码缺少对返回值的检查。从目前的信息来看,AmsiInitialize 可能会失败。