8

在实施IAmsiStream以使用 Windows Defender 执行扫描时,对于大于 ~20MB 的文件,它会失败并显示Value does not fall within the expected range..

这个实现缺少什么?

    public class AmsiStream : IAmsiStream
    {
        private readonly Stream _input;
        private readonly string _name;
        private static readonly byte[] _nullPtr = new byte[Marshal.SizeOf(IntPtr.Zero)];

        public AmsiStream(Stream input, string name)
        {
            _input = input ?? throw new ArgumentNullException(nameof(input));
            _name = name ?? throw new ArgumentNullException(nameof(name));
        }

        public int GetAttribute(AMSI_ATTRIBUTE attribute, int dataSize, byte[] data, out int retData)
        {
            const int E_NOTIMPL = unchecked((int)0x80004001);
            const int E_NOT_SUFFICIENT_BUFFER = unchecked((int)0x8007007A);

            byte[] bytes = { };
            int retValue = 0;

            switch (attribute)
            {

                case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_APP_NAME:
                    bytes = Encoding.Unicode.GetBytes("TestAmsi" + "\0");
                    break;
                case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_CONTENT_NAME:
                    bytes = Encoding.Unicode.GetBytes(_name + "\0");
                    break;
                case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_CONTENT_SIZE:
                    bytes = BitConverter.GetBytes((ulong)_input.Length);
                    break;
                case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_SESSION:
                    bytes = _nullPtr;
                    break;
                case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_CONTENT_ADDRESS:
                    retValue = E_NOTIMPL;
                    break;
                default:
                    retValue = E_NOTIMPL;
                    break;
            }

            retData = 0;
            if (retValue == 0)
            {
                retData = bytes.Length;
                if (dataSize < bytes.Length)
                    return E_NOT_SUFFICIENT_BUFFER;

                Array.Copy(bytes, data, bytes.Length);
            }

            return retValue;

        }

        public int Read(long position, int size, byte[] buffer, out int readSize)
        {
            _input.Seek(position, SeekOrigin.Begin);
            readSize = _input.Read(buffer, 0, size);
            return 0;
        }
    }

一个测试用例是:

        [Fact]
        public void TestWithLargeFile()
        {
            const long k = 1024;
            const long m = 1024 * k;
            const long fileSize = 21 * m;
            var c = new Random(42);
            var fileBuffer = new byte[fileSize];

            c.NextBytes(fileBuffer);
            Equal(AMSI_RESULT.AMSI_RESULT_CLEAN, ScanInternal(new MemoryStream(fileBuffer), "test.file.txt"));
        }

        private AMSI_RESULT ScanInternal(Stream streamToCheck, string fileName)
        {
            var scanner = (IAntiMalware)new CAntiMalware();
            var stream = new AmsiStream(streamToCheck, fileName);
            var result = scanner.Scan(stream, out AMSI_RESULT scanResult, out IAntiMalwareProvider _);

            if (result != (ulong)HResult.S_OK)
            {
                throw new InvalidOperationException($"Malware scan returned not OK: {result}");
            }

            return scanResult;
        }

此 github 存储库中此测试的完整源代码

4

2 回答 2

0

我认为您不能将大文件流式传输到 Windows Defender 提供程序。根据这个github线程,平台似乎有一个限制,如果你不处理AMSI_ATTRIBUTE_CONTENT_ADDRESS,方法中GetAttribute传递的最大缓冲区大小Read为16MB。而且该Read方法的目的不是流式传输,而是

请求读取一个充满内容的缓冲区。

Microsoft 提供的示例代码 (C++)也无法处理大于此大小限制的文件。

Microsoft 开发人员文档声明:

AMSI 专为打击“无文件恶意软件”而设计

哪个

仅作为基于计算机内存的工件存在

根据维基百科

对我来说,如果文件大小大于 16MB,您可以将其加载到内存中并通过处理返回缓冲区地址AMSI_ATTRIBUTE_CONTENT_ADDRESS。对于大文件,您可以考虑使用内存映射文件

public unsafe int GetAttribute(AMSI_ATTRIBUTE attribute, int dataSize,
    [Out]byte[] data, [Out]out int retData)
{
    ...
    case AMSI_ATTRIBUTE_CONTENT_ADDRESS:

        retData = sizeof(IntPtr);

        if (dataSize < retData)
        {
            return E_NOT_SUFFICIENT_BUFFER;
        }

        // This is an example
        // Better to open in constructor and close in Dispose
        var mappedFile = MemoryMappedFile.CreateFromFile(_name, FileMode.Open);
        var mappedFileAccessor = mappedFile.CreateViewAccessor(0, fileSize);

        byte* fileContent = null;
        mappedFileAccessor.SafeMemoryMappedViewHandle.AcquirePointer(ref fileContent);

        fixed (byte* pData = data)
        {
            *(IntPtr*) pData = (IntPtr)fileContent;
        }

        return 0;
    ...
}
于 2021-11-11T04:01:52.180 回答
-1

而是使用来自以下网址的 MalwareScanner:https ://github.com/NewOrbit/MalwareScan.AMSI

var scanner = new MalwareScanner("MyApplications Viruscanner"); var result = scanner.HasVirus(stream, filename);

或逐字节扫描传入的大文件字节,请参见:

WindowsCOMAntiMalware:https ://github.com/bsmg/BeatSaber-IPA-Reloaded/blob/master/IPA.Loader/AntiMalware/_HideInNet3/WindowsCOMAntiMalware.cs

有 2 个 IAmsiStream 实现:

AmsiMemoryStream:https ://github.com/bsmg/BeatSaber-IPA-Reloaded/blob/master/IPA.Loader/AntiMalware/_HideInNet3/ComAPI/AmsiMemoryStream.cs AmsiFileStream : https ://github.com/bsmg/BeatSaber-IPA -重新加载/blob/master/IPA.Loader/AntiMalware/_HideInNet3/ComAPI/AmsiFileStream.cs

PS:官方文档中找不到 16mb 的限制,我不认为是 IAmsiStream 限制,IAmsiStream 被传递给 IAntimalwareProvider 这是一个供应商实现,也许问题就在那里;您应该尝试其他供应商以查看是否遇到相同的错误:

于 2021-11-05T20:57:41.660 回答