Bru*_*pes 8 c# windows-defender antimalware
当实现IAmsiStream以使用 Windows Defender 执行扫描时,对于大于 ~20MB 的文件,它会失败并显示Value does not fall within the expected range..
这个实现中缺少什么?
public class AmsiStream : IAmsiStream
{
private readonly Stream _input;
private readonly string _name;
private static readonly byte[] _nullPtr = new byte[Marshal.SizeOf(IntPtr.Zero)];
public AmsiStream(Stream input, string name)
{
_input = input ?? throw new ArgumentNullException(nameof(input));
_name = name ?? throw new ArgumentNullException(nameof(name));
}
public int GetAttribute(AMSI_ATTRIBUTE attribute, int dataSize, byte[] data, out int retData)
{
const int E_NOTIMPL = unchecked((int)0x80004001);
const int E_NOT_SUFFICIENT_BUFFER = unchecked((int)0x8007007A);
byte[] bytes = { };
int retValue = 0;
switch (attribute)
{
case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_APP_NAME:
bytes = Encoding.Unicode.GetBytes("TestAmsi" + "\0");
break;
case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_CONTENT_NAME:
bytes = Encoding.Unicode.GetBytes(_name + "\0");
break;
case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_CONTENT_SIZE:
bytes = BitConverter.GetBytes((ulong)_input.Length);
break;
case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_SESSION:
bytes = _nullPtr;
break;
case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_CONTENT_ADDRESS:
retValue = E_NOTIMPL;
break;
default:
retValue = E_NOTIMPL;
break;
}
retData = 0;
if (retValue == 0)
{
retData = bytes.Length;
if (dataSize < bytes.Length)
return E_NOT_SUFFICIENT_BUFFER;
Array.Copy(bytes, data, bytes.Length);
}
return retValue;
}
public int Read(long position, int size, byte[] buffer, out int readSize)
{
_input.Seek(position, SeekOrigin.Begin);
readSize = _input.Read(buffer, 0, size);
return 0;
}
}
一个测试用例是:
[Fact]
public void TestWithLargeFile()
{
const long k = 1024;
const long m = 1024 * k;
const long fileSize = 21 * m;
var c = new Random(42);
var fileBuffer = new byte[fileSize];
c.NextBytes(fileBuffer);
Equal(AMSI_RESULT.AMSI_RESULT_CLEAN, ScanInternal(new MemoryStream(fileBuffer), "test.file.txt"));
}
private AMSI_RESULT ScanInternal(Stream streamToCheck, string fileName)
{
var scanner = (IAntiMalware)new CAntiMalware();
var stream = new AmsiStream(streamToCheck, fileName);
var result = scanner.Scan(stream, out AMSI_RESULT scanResult, out IAntiMalwareProvider _);
if (result != (ulong)HResult.S_OK)
{
throw new InvalidOperationException($"Malware scan returned not OK: {result}");
}
return scanResult;
}
此测试的完整源代码位于此 github 存储库
Dan*_*ica -1
而是使用 MalwareScanner: https: //github.com/NewOrbit/MalwareScan.AMSI
var scanner = new MalwareScanner("MyApplications Viruscanner"); var result = scanner.HasVirus(stream, filename);
或者要逐字节扫描传入的大文件字节,请参阅:
WindowsCOMAntiMalware:https://github.com/bsmg/BeatSaber-IPA-Reloaded/blob/master/IPA.Loader/AntiMalware/_HideInNet3/WindowsCOMAntiMalware.cs
有 2 个 IAmsiStream 实现:
AmsiMemoryStream:https://github.com/bsmg/BeatSaber-IPA-Reloaded/blob/master/IPA.Loader/AntiMalware/_HideInNet3/ComAPI/AmsiMemoryStream.cs AmsiFileStream: https: //github.com/bsmg/BeatSaber-IPA -重新加载/blob/master/IPA.Loader/AntiMalware/_HideInNet3/ComAPI/AmsiFileStream.cs
PS:官方文档中找不到16mb的限制,我不认为这是IAmsiStream限制,IAmsiStream被传递给IAntimalwareProvider,这是一个供应商实现,也许问题就在那里;您应该尝试其他供应商,看看是否出现相同的错误:
| 归档时间: |
|
| 查看次数: |
940 次 |
| 最近记录: |