Expose Windows AMSI interface through common interface to BSIPA plugins

IPA.Loader/AntiMalware/AntiMalwareEngine.cs

@@ -0,0 +1,25 @@
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace IPA.AntiMalware
+{
+    public static class AntiMalwareEngine
+    {
+        public static IAntiMalware Engine { get; } = InitializeEngine();
+
+        private static IAntiMalware InitializeEngine()
+        {
+            IAntiMalware? engine = null;
+#if !NET35
+            engine = WindowsAntiMalware.TryInitialize();
+#endif
+            engine ??= new NoopAntiMalware();
+
+            return engine;
+        }
+    }
+}

IPA.Loader/AntiMalware/IAntiMalware.cs

@@ -0,0 +1,11 @@
+#nullable enable
+using System.IO;
+
+namespace IPA.AntiMalware
+{
+    public interface IAntiMalware
+    {
+        ScanResult ScanFile(FileInfo file);
+        ScanResult ScanData(byte[] data, string? contentName = null);
+    }
+}

IPA.Loader/AntiMalware/NoopAntiMalware.cs

@@ -0,0 +1,15 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace IPA.AntiMalware
+{
+    internal class NoopAntiMalware : IAntiMalware
+    {
+        public ScanResult ScanData(byte[] data, string contentName = null) => ScanResult.NotDetected;
+        public ScanResult ScanFile(FileInfo file) => ScanResult.NotDetected;
+    }
+}

IPA.Loader/AntiMalware/ScanResult.cs

@@ -0,0 +1,11 @@
+
+namespace IPA.AntiMalware
+{
+    public enum ScanResult
+    {
+        KnownSafe,
+        NotDetected,
+        Detected,
+        BlockedByPolicy
+    }
+}

IPA.Loader/AntiMalware/WinAPI/Constants.cs → IPA.Loader/AntiMalware/_HideInNet3/WinAPI/Constants.cs

@@ -9,6 +9,7 @@ namespace IPA.AntiMalware.WinAPI
 {
     internal static class AmsiConstants
     {
-        public static const string AppName = "BSIPA/" + Config.SelfConfig.IPAVersion;
+        public const string AppName = "BSIPA/" + Config.SelfConfig.IPAVersion;
+        public static readonly Guid CAntimalwareGuid = new("fdb00e52-a214-4aa1-8fba-4357bb0072ec");
     }
 }

IPA.Loader/AntiMalware/_HideInNet3/WindowsAntiMalware.cs

@@ -0,0 +1,64 @@
+#nullable enable
+using IPA.AntiMalware.WinAPI;
+using IPA.Logging;
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace IPA.AntiMalware
+{
+    internal class WindowsAntiMalware : IAntiMalware
+    {
+        internal static WindowsAntiMalware? TryInitialize()
+        {
+            try
+            {
+                return new();
+            }
+            catch (Exception e)
+            {
+                Logger.AntiMalware.Warn("Could not initialize antimalware engine:");
+                Logger.AntiMalware.Warn(e);
+                return null;
+            }
+        }
+
+        private readonly IAntimalware amInterface;
+
+        private WindowsAntiMalware()
+        {
+            var amType = Type.GetTypeFromCLSID(AmsiConstants.CAntimalwareGuid, true);
+            amInterface = (IAntimalware)Activator.CreateInstance(amType);
+        }
+
+        private static ScanResult ScanResultFromAmsiResult(AmsiResult result)
+            => result switch
+            {
+                AmsiResult.Clean => ScanResult.KnownSafe,
+                AmsiResult.NotDetected => ScanResult.NotDetected,
+                AmsiResult.Detected => ScanResult.Detected,
+                var a when a is >= AmsiResult.BlockedByAdminStart and <= AmsiResult.BlockedByAdminEnd => ScanResult.BlockedByPolicy,
+                _ => ScanResult.NotDetected,
+            };
+
+        public ScanResult ScanFile(FileInfo file)
+        {
+            using var stream = new AmsiFileStream(file, IntPtr.Zero);
+            amInterface.Scan(stream, out var result, out var provider);
+            Logger.AntiMalware.Debug($"Scanned file '{file}' with {provider.DisplayName()}, and got '{result}'");
+            return ScanResultFromAmsiResult(result);
+        }
+
+        public ScanResult ScanData(byte[] data, string? contentName = null)
+        {
+            contentName ??= $"unknown_data_{Guid.NewGuid()}";
+            using var stream = new AmsiMemoryStream(contentName, data, IntPtr.Zero);
+            amInterface.Scan(stream, out var result, out var provider);
+            Logger.AntiMalware.Debug($"Scanned data named '{contentName}' with {provider.DisplayName()}, and got '{result}'");
+            return ScanResultFromAmsiResult(result);
+        }
+    }
+}

IPA.Loader/IPA.Loader.csproj

@@ -70,8 +70,8 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'net35'">
-    <Compile Remove="AntiMalware\**" />
-    <None Include="AntiMalware\**" />
+    <Compile Remove="AntiMalware\_HideInNet3\**" />
+    <None Include="AntiMalware\_HideInNet3\**" />
   </ItemGroup>
 
   <Import Project="..\Common.targets" />

IPA.Loader/Logging/Logger.cs

@@ -33,6 +33,7 @@ namespace IPA.Logging
             }
         }
 
+        internal static Logger AntiMalware => log.GetChildLogger("AntiMalware");
         internal static Logger updater => log.GetChildLogger("Updater");
         internal static Logger libLoader => log.GetChildLogger("LibraryLoader");
         internal static Logger injector => log.GetChildLogger("Injector");