#nullable enable
using IPA.Logging;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace IPA.AntiMalware
{
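/// <summary>
/// <see cref="IAntiMalware"/> implementation backed by the Windows Antimalware Scan Interface (AMSI),
/// which hands each buffer to the AMSI provider registered on the machine.
/// Instances are created through <see cref="TryInitialize"/> and own a single AMSI context that is
/// released by <see cref="Dispose()"/> (or the finalizer).
/// </summary>
internal class WindowsWin32AntiMalware : IAntiMalware, IDisposable
{
    /// <summary>
    /// Creates an AMSI-backed scanner, or returns <see langword="null"/> after logging a warning when the
    /// AMSI context cannot be created (missing amsi.dll, failed <c>AmsiInitialize</c>, ...).
    /// </summary>
    /// <returns>A ready-to-use scanner, or <see langword="null"/> if AMSI is unavailable.</returns>
    internal static WindowsWin32AntiMalware? TryInitialize()
    {
        try
        {
            return new();
        }
        catch (Exception e)
        {
            Logger.AntiMalware.Warn("Could not initialize Win32-based antimalware engine:");
            Logger.AntiMalware.Warn(e);
            return null;
        }
    }

    // The AMSI context (HAMSICONTEXT). IntPtr.Zero means initialization failed and there is nothing to release.
    private readonly IntPtr handle;

    // Set once Dispose(bool) has run, on either the Dispose or the finalizer path.
    private bool disposedValue;

    /// <summary>
    /// Opens the AMSI context. Failures are reported through the HRESULT rather than an exception, so
    /// the code is checked here; a void P/Invoke signature would silently discard it and leave a
    /// meaningless <see cref="handle"/> behind.
    /// </summary>
    /// <exception cref="Exception">The COM exception mapped from a failing HRESULT (see <see cref="Marshal.ThrowExceptionForHR(int)"/>).</exception>
    private WindowsWin32AntiMalware()
    {
        int hr = AmsiInitialize(AmsiConstants.AppName, out handle);
        if (hr < 0)
        {
            // Keep Dispose/finalizer a no-op for a half-constructed object, then surface the error to TryInitialize.
            handle = IntPtr.Zero;
            Marshal.ThrowExceptionForHR(hr);
        }
    }

    /// <summary>
    /// Maps an AMSI verdict onto <see cref="ScanResult"/>. Any code other than the three known verdicts
    /// is treated as indeterminate (<see cref="ScanResult.MaybeMalware"/>) rather than as safe.
    /// </summary>
    private static ScanResult ScanResultFromAmsiResult(AmsiResult result)
        => result switch
        {
            AmsiResult.Clean => ScanResult.KnownSafe,
            AmsiResult.NotDetected => ScanResult.NotDetected,
            AmsiResult.Detected => ScanResult.Detected,
            _ => ScanResult.MaybeMalware
        };

    /// <summary>
    /// Reads <paramref name="file"/> fully into memory and scans it, using its full path as the content name.
    /// </summary>
    /// <param name="file">The file to scan.</param>
    /// <returns>The scan verdict, as produced by <see cref="ScanData"/>.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="file"/> is <see langword="null"/>.</exception>
    /// <exception cref="ObjectDisposedException">The scanner has already been disposed.</exception>
    /// <remarks>I/O exceptions thrown by <see cref="File.ReadAllBytes"/> propagate unchanged.</remarks>
    public ScanResult ScanFile(FileInfo file)
    {
        if (file is null)
        {
            throw new ArgumentNullException(nameof(file));
        }

        ThrowIfDisposed();

        var data = File.ReadAllBytes(file.FullName);
        return ScanData(data, file.FullName);
    }

    /// <summary>
    /// Scans an in-memory buffer through AMSI.
    /// </summary>
    /// <param name="data">The bytes to scan.</param>
    /// <param name="contentName">
    /// Name reported to the AMSI provider (and in logs) for this buffer; when <see langword="null"/> a unique
    /// <c>unknown_data_&lt;guid&gt;</c> name is generated.
    /// </param>
    /// <returns>
    /// The provider's verdict mapped through <see cref="ScanResultFromAmsiResult"/>. If the scan call itself
    /// fails, the verdict is <see cref="ScanResult.MaybeMalware"/>: the buffer was never examined, so it cannot
    /// be reported as safe.
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="data"/> is <see langword="null"/>.</exception>
    /// <exception cref="ObjectDisposedException">The scanner has already been disposed.</exception>
    public ScanResult ScanData(byte[] data, string? contentName = null)
    {
        if (data is null)
        {
            throw new ArgumentNullException(nameof(data));
        }

        // The context is freed on dispose; scanning through it afterwards would be a use-after-free in native code.
        ThrowIfDisposed();

        contentName ??= $"unknown_data_{Guid.NewGuid()}";

        int hr = AmsiScanBuffer(handle, data, (uint)data.Length, contentName, IntPtr.Zero, out var result);
        if (hr < 0)
        {
            // 'result' is not meaningful when the call fails; a void signature would have mapped whatever
            // was left in it (0 == Clean) to KnownSafe. Fail closed into the indeterminate bucket instead.
            Logger.AntiMalware.Warn($"AmsiScanBuffer failed for '{contentName}' with HRESULT 0x{hr:X8}");
            return ScanResult.MaybeMalware;
        }

        Logger.AntiMalware.Trace($"Scanned data named '{contentName}' and got '{result}'");
        return ScanResultFromAmsiResult(result);
    }

    // Guards the scan entry points against use after Dispose().
    private void ThrowIfDisposed()
    {
        if (disposedValue)
        {
            throw new ObjectDisposedException(nameof(WindowsWin32AntiMalware));
        }
    }

    /// <summary>
    /// Releases the AMSI context. The context is unmanaged, so it is released on both the
    /// <see cref="Dispose()"/> path and the finalizer path.
    /// </summary>
    /// <param name="disposing"><see langword="true"/> when called from <see cref="Dispose()"/>, <see langword="false"/> from the finalizer.</param>
    protected virtual void Dispose(bool disposing)
    {
        if (!disposedValue)
        {
            if (disposing)
            {
                // we have no disposable managed state
            }

            // A zero handle means the constructor failed before a context existed (see constructor).
            if (handle != IntPtr.Zero)
            {
                AmsiUninitialize(handle);
            }

            disposedValue = true;
        }
    }

    ~WindowsWin32AntiMalware()
    {
        // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method
        Dispose(disposing: false);
    }

    public void Dispose()
    {
        // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method
        Dispose(disposing: true);
        GC.SuppressFinalize(this);
    }

    // P/Invoke surface for amsi.dll.
    //
    // DefaultDllImportSearchPaths(System32) restricts the load to the system directory, so an amsi.dll
    // placed next to the application (or elsewhere on the default DLL search path) is not picked up in
    // place of the real one. The attribute is guarded out on net35; on that target the runtime's default
    // search order applies.
    //
    // AmsiInitialize and AmsiScanBuffer return an HRESULT, which the callers above check. AmsiUninitialize
    // returns nothing.

    [DllImport("amsi", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, ExactSpelling = true)]
#if !NET35
    [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
#endif
    private static extern int AmsiInitialize([MarshalAs(UnmanagedType.LPWStr)] string appName, [Out] out IntPtr handle);

    [DllImport("amsi", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, ExactSpelling = true)]
#if !NET35
    [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
#endif
    private static extern void AmsiUninitialize(IntPtr handle);

    [DllImport("amsi", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, ExactSpelling = true)]
#if !NET35
    [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
#endif
    private static extern int AmsiScanBuffer(IntPtr context,
        // SizeParamIndex = 2 ties the marshalled array length to the 'length' argument that follows it.
        [MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 2)] byte[] buffer, uint length,
        [MarshalAs(UnmanagedType.LPWStr)] string contentName,
        IntPtr session,
        [Out] out AmsiResult result);
}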
}