// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
//
// File: amsi.cpp
//
#include "common.h"
#include "amsi.h"
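namespace
{
    // Minimal local declarations of the AMSI (Antimalware Scan Interface) API so
    // this file does not take a build dependency on the SDK header.
    // https://docs.microsoft.com/en-us/windows/desktop/api/amsi/
    DECLARE_HANDLE(HAMSICONTEXT);
    DECLARE_HANDLE(HAMSISESSION);

    // Scan results reported by AmsiScanBuffer. Any value >= AMSI_RESULT_DETECTED
    // is a detection; [BLOCKED_BY_ADMIN_START, BLOCKED_BY_ADMIN_END] means an
    // administrator policy blocked the content. The original declaration also
    // defined an unused namespace-scope object named AMSI_RESULT; only the type
    // is needed.
    enum AMSI_RESULT
    {
        AMSI_RESULT_CLEAN = 0,
        AMSI_RESULT_NOT_DETECTED = 1,
        AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000,
        AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4fff,
        AMSI_RESULT_DETECTED = 0x8000
    };

    // True when the scan result denotes malware (every value at or above
    // AMSI_RESULT_DETECTED).
    constexpr bool AmsiResultIsMalware(DWORD result)
    {
        return result >= AMSI_RESULT_DETECTED;
    }

    // True when the scan result falls in the administrator-blocked range.
    constexpr bool AmsiResultIsBlockedByAdmin(DWORD result)
    {
        return result >= AMSI_RESULT_BLOCKED_BY_ADMIN_START
            && result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END;
    }

    // Signature of amsi!AmsiScanBuffer.
    using PAMSI_AMSISCANBUFFER_API = HRESULT(WINAPI *)(
        _In_ HAMSICONTEXT amsiContext,
        _In_ PVOID buffer,
        _In_ ULONG length,
        _In_ LPCWSTR contentName,
        _In_opt_ HAMSISESSION session,
        _Out_ DWORD *result);

    // Signature of amsi!AmsiInitialize.
    using PAMSI_AMSIINITIALIZE_API = HRESULT(WINAPI *)(
        _In_ LPCWSTR appName,
        _Out_ HAMSICONTEXT *amsiContext);

    // Resolved from amsi.dll at runtime; stays nullptr if resolution fails.
    PAMSI_AMSISCANBUFFER_API AmsiScanBuffer = nullptr;

    // Process-wide context returned by AmsiInitialize; nullptr until the lazy
    // initialization succeeds.
    HAMSICONTEXT s_amsiContext = nullptr;

    // Serializes the lazy AMSI initialization. Created on demand by InitializeLock.
    CRITSEC_COOKIE s_csAmsi = nullptr;

    // Publishes s_csAmsi exactly once. Concurrent callers may each create a
    // critical section; the compare-exchange decides the winner and losers
    // delete their own copy. Returns false only if the critical section could
    // not be allocated.
    bool InitializeLock()
    {
        if (s_csAmsi != nullptr)
            return true;

        CRITSEC_COOKIE lock = ClrCreateCriticalSection(CrstLeafLock, CRST_REENTRANCY);
        if (lock == nullptr)
            return false;

        // Non-null previous value means another thread published first; keep theirs.
        if (InterlockedCompareExchangeT<CRITSEC_COOKIE>(&s_csAmsi, lock, nullptr) != nullptr)
            ClrDeleteCriticalSection(lock);

        return true;
    }
}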
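namespace
{
    // Loads amsi.dll, resolves the two entry points and creates the AMSI context.
    // On success sets s_amsiContext and AmsiScanBuffer; on any failure leaves
    // both untouched (nullptr). Must be called with s_csAmsi held.
    void TryLoadAmsi()
    {
        // LOAD_LIBRARY_SEARCH_SYSTEM32 restricts the search to the system
        // directory, so a same-named DLL next to the application is not picked up.
        HMODULE amsi = CLRLoadLibraryEx(W("amsi.dll"), nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32);
        if (amsi == nullptr)
            return;

        PAMSI_AMSIINITIALIZE_API AmsiInitialize =
            reinterpret_cast<PAMSI_AMSIINITIALIZE_API>(GetProcAddress(amsi, "AmsiInitialize"));
        if (AmsiInitialize == nullptr)
            return;

        HAMSICONTEXT amsiContext = nullptr;
        if (AmsiInitialize(W("coreclr"), &amsiContext) != S_OK)
            return;

        AmsiScanBuffer =
            reinterpret_cast<PAMSI_AMSISCANBUFFER_API>(GetProcAddress(amsi, "AmsiScanBuffer"));
        // Only publish the context once the scan entry point is usable too.
        if (AmsiScanBuffer != nullptr)
            s_amsiContext = amsiContext;
    }

    // Runs TryLoadAmsi at most once per process. Must be called with s_csAmsi
    // held; the lock also orders the function-local static for other callers.
    void EnsureAmsiInitialized()
    {
        // Cache that an attempt was made so a failing machine does not pay the
        // library-load cost on every in-memory load.
        static bool amsiInitializationAttempted = false;
        if (s_amsiContext != nullptr || amsiInitializationAttempted)
            return;

        TryLoadAmsi();
        amsiInitializationAttempted = true;
    }
}

// Invokes AmsiScanBuffer, the centralized hook through which non-OS programs
// report content to Defender (and potentially other anti-malware tools).
// This should only run for in-memory loads, e.g. Assembly.Load(byte[]).
// Loads from disk are already instrumented by Defender, so calling
// AmsiScanBuffer for them would add nothing.
//
// flatImageBytes / size: the in-memory image to scan.
// Returns true only when the scan completes with S_OK and the result is a
// malware detection or an administrator block. Returns false — the load is
// allowed — when amsi.dll cannot be loaded, initialization failed, or the
// scan call itself did not return S_OK.
bool Amsi::IsBlockedByAmsiScan(PVOID flatImageBytes, COUNT_T size)
{
    STANDARD_VM_CONTRACT;

    if (!InitializeLock())
        return false;

    // Lazily initialize AMSI because it is very expensive.
    {
        CRITSEC_Holder csh(s_csAmsi);
        EnsureAmsiInitialized();
    }

    // s_amsiContext and AmsiScanBuffer are only ever written under s_csAmsi,
    // which this thread has just acquired and released, so reading them here
    // is ordered after any initialization.
    if (s_amsiContext == nullptr || AmsiScanBuffer == nullptr)
        return false;

    // Initialized defensively; only consulted when the call reports S_OK.
    DWORD result = AMSI_RESULT_CLEAN;
    HRESULT hr = AmsiScanBuffer(s_amsiContext, flatImageBytes, size, nullptr, nullptr, &result);
    if (hr != S_OK)
        return false;

    return AmsiResultIsMalware(result) || AmsiResultIsBlockedByAdmin(result);
}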