#nullable enable using System; using System.Collections.Generic; using System.IO; using System.Linq; using System.Runtime.InteropServices; using System.Text; using System.Threading.Tasks; namespace IPA.AntiMalware.WinAPI { internal class AmsiMemoryStream : IAmsiStream, IDisposable { private readonly string contentName; private readonly byte[] data; private readonly GCHandle dataHandle; private readonly IntPtr session; private bool disposedValue; public AmsiMemoryStream(string contentName, byte[] data, IntPtr session) { this.data = data; dataHandle = GCHandle.Alloc(data, GCHandleType.Pinned); this.session = session; this.contentName = contentName; } public unsafe void GetAttribute([In] AmsiAttribute attribute, [In] uint dataSize, [Out] byte* buffer, out uint writtenData) { switch (attribute) { case AmsiAttribute.AppName: writtenData = WriteWString(AmsiConstants.AppName, dataSize, buffer); return; case AmsiAttribute.Session: *(IntPtr*)buffer = session; writtenData = (uint)sizeof(IntPtr); return; case AmsiAttribute.ContentName: writtenData = WriteWString(contentName, dataSize, buffer); return; case AmsiAttribute.ContentSize: *(ulong*)buffer = (ulong)data.Length; writtenData = sizeof(ulong); return; case AmsiAttribute.ContentAddress: // because our data is pinned, it can't move while this object exists so we can pass out the fixed address fixed (byte* dataAddr = data) { *(byte**)buffer = dataAddr; } writtenData = (uint)sizeof(IntPtr); return; default: throw new NotImplementedException(); // return e_notimpl } static unsafe uint WriteWString(string str, uint dataSize, byte* buffer) { fixed (char* name = str) { return (uint)Encoding.Unicode.GetBytes(name, str.Length, buffer, (int)dataSize); } } } public unsafe void Read([In] ulong position, [In] uint dataSize, [Out] byte* buffer, out uint readSize) { if (position >= (ulong)data.Length) { throw new EndOfStreamException(); } fixed (byte* dataPtr = data) { var toRead = Math.Min((ulong)data.Length - position, dataSize); Buffer.MemoryCopy(dataPtr + position, buffer, dataSize, toRead); readSize = (uint)toRead; } } protected virtual void Dispose(bool disposing) { if (!disposedValue) { if (disposing) { // no managed stae to dispose } dataHandle.Free(); disposedValue = true; } } ~AmsiMemoryStream() { // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method Dispose(disposing: false); } public void Dispose() { // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method Dispose(disposing: true); GC.SuppressFinalize(this); } } }