AMSI：按块对大文件执行恶意软件扫描

Question

AMSI具有扫描字节AmsiScanBuffer数组的功能。但在这种情况下，必须将整个内容读取到内存中，这对于大文件来说可能是不可能的。该函数具有旨在用于关联多个扫描请求的AmsiScanBuffer参数。amsiSession据我了解，它应该可以按块读取一个文件，并AmsiScanBuffer使用相同的会话和上下文调用这些块。但它没有：

public enum AMSI_RESULT
{
    AMSI_RESULT_CLEAN = 0,
    AMSI_RESULT_NOT_DETECTED = 1,
    AMSI_RESULT_DETECTED = 32768
}

public static class NativeMethods
{
    [DllImport("Amsi.dll", EntryPoint = "AmsiInitialize", CallingConvention = CallingConvention.StdCall)]
    public static extern int AmsiInitialize([MarshalAs(UnmanagedType.LPWStr)]string appName, out IntPtr amsiContext);

    [DllImport("Amsi.dll", EntryPoint = "AmsiUninitialize", CallingConvention = CallingConvention.StdCall)]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("Amsi.dll", EntryPoint = "AmsiOpenSession", CallingConvention = CallingConvention.StdCall)]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);

    [DllImport("Amsi.dll", EntryPoint = "AmsiCloseSession", CallingConvention = CallingConvention.StdCall)]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);

    [DllImport("Amsi.dll", EntryPoint = "AmsiScanString", CallingConvention = CallingConvention.StdCall)]
    public static extern int AmsiScanString(IntPtr amsiContext, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string @string, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string contentName, IntPtr session, out AMSI_RESULT result);
    [DllImport("Amsi.dll", EntryPoint = "AmsiScanBuffer", CallingConvention = CallingConvention.StdCall)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, [In] [MarshalAs(UnmanagedType.LPArray)] byte[] buffer, uint length, [In()] [MarshalAs(UnmanagedType.LPWStr)] string contentName, IntPtr session, out AMSI_RESULT result);
}

class Program
{
    static void Main(string[] args)
    {
        IntPtr amsiContext;
        IntPtr session;
        AMSI_RESULT result = 0;
        int returnValue;

        returnValue = NativeMethods.AmsiInitialize("Win10AMSIScanner", out amsiContext);
        returnValue = NativeMethods.AmsiOpenSession(amsiContext, out session);

        Scan(amsiContext, session, ref result);

        Console.WriteLine(result);

        NativeMethods.AmsiCloseSession(amsiContext, session);
        NativeMethods.AmsiUninitialize(amsiContext);

        Console.ReadLine();
    }

    private static void Scan(IntPtr amsiContext, IntPtr session, ref AMSI_RESULT result)
    {
        const int bufferLength = 10;
        using (var fs = new MemoryStream(Encoding.UTF8.GetBytes(@"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")))
        {
            long alreadyRead = 0;
            fs.Seek(0, SeekOrigin.Begin);

            long toReadCount = alreadyRead + bufferLength <= fs.Length ? bufferLength : fs.Length - alreadyRead;
            while (toReadCount > 0)
            {
                var content = new byte[toReadCount];
                fs.Read(content, 0, (int)toReadCount);

                NativeMethods.AmsiScanBuffer(amsiContext, content, (uint)toReadCount, "eicar-test-file", session, out result);

                alreadyRead += toReadCount;
                toReadCount = alreadyRead + bufferLength <= fs.Length ? bufferLength : fs.Length - alreadyRead;
            }
        }
    }
}

您对为什么它不起作用有什么想法或者对如何实现目标有什么建议吗？

Answer 1

因为您没有指定您遇到的错误或不起作用，所以我无能为力。

我可以告诉的是，我有一个在 C++ 中使用 AMSI 扫描文件的工作实现。所以，是的，它正在发挥作用。它甚至扫描 ZIP 文件（取决于病毒扫描程序）。

有很多事情可能会失败。例如：您需要在 Windows Defender 安全中心启用实时保护（如果您使用 Windows Defender）。否则，调用 AmsiScanBuffer 将返回错误代码 0x80070015，并显示“设备未就绪”。其他病毒扫描程序也可能有这种选项。

您的代码缺少对返回值的检查。从目前的信息来看，AmsiInitialize 可能会失败。