gpt4 book ai didi

c# - 使用 .Net 中的 IAmsiStream 会导致 AccessViolationException

转载 作者:行者123 更新时间:2023-12-02 09:58:20 27 4
gpt4 key购买 nike

我正在尝试使用 Antimalware Scan Interface (AMSI)通过 C#。我知道那里有使用 AmsiScanBuffer 的实现。方法,但我想扫描更大的文件。所以我想使用 IAntimalware在 amsi.h 中定义的 COM 接口(interface)。
到目前为止,我已经想出了这个代码:

using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

namespace AmsiTest
{
[Guid("82d29c2e-f062-44e6-b5c9-3d9a2f24a2df"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown), ComImport]
public interface IAntiMalware {
uint Scan([MarshalAs(UnmanagedType.Interface)] IAmsiStream stream, out AMSI_RESULT result, [MarshalAs(UnmanagedType.Interface)] out IAntimalwareProvider provider);
void CloseSession(ulong session);
}

[Guid("b2cabfe3-fe04-42b1-a5df-08d483d4d125"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IAntimalwareProvider
{
uint Scan([In, MarshalAs(UnmanagedType.Interface)] IAmsiStream stream, [Out] out AMSI_RESULT result);
void CloseSession(ulong session);
uint DisplayName(ref IntPtr displayName);
}

[ComImport]
[Guid("fdb00e52-a214-4aa1-8fba-4357bb0072ec")]
[ComSourceInterfaces(typeof(IAntiMalware))]
public class CAntimalware
{
}

public enum AMSI_ATTRIBUTE
{
AMSI_ATTRIBUTE_APP_NAME = 0,
AMSI_ATTRIBUTE_CONTENT_NAME = 1,
AMSI_ATTRIBUTE_CONTENT_SIZE = 2,
AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,
AMSI_ATTRIBUTE_SESSION = 4,
AMSI_ATTRIBUTE_REDIRECT_CHAIN_SIZE = 5,
AMSI_ATTRIBUTE_REDIRECT_CHAIN_ADDRESS = 6,
AMSI_ATTRIBUTE_ALL_SIZE = 7,
AMSI_ATTRIBUTE_ALL_ADDRESS = 8,
AMSI_ATTRIBUTE_QUIET = 9
}


[Guid("3e47f2e5-81d4-4d3b-897f-545096770373"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IAmsiStream
{
uint GetAttribute(AMSI_ATTRIBUTE attribute, uint dataSize, [MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 1)] byte[] data, out int retData);

int Read(
/* [in] */
long position,
/* [range][in] */
int size,
/* [length_is][size_is][out] */
[MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 1)]
byte[] buffer,
/* [out] */
[Out] out int readSize);
}

public class AmsiStream : IAmsiStream
{
private readonly Stream _Input;

public uint GetAttribute(AMSI_ATTRIBUTE attribute, uint dataSize, byte[] data, out int retData)
{
const uint E_INSUFFICIENT_BUFFER = 0x8007007A;
retData = 100;
return E_INSUFFICIENT_BUFFER;
}

public int Read(long position, int size, byte[] buffer, out int readSize)
{
_Input.Seek(position, SeekOrigin.Begin);
readSize = _Input.Read(buffer, 0, size);
return 0;
}

public AmsiStream(Stream input)
{
_Input = input ?? throw new ArgumentNullException(nameof(input));
}

}

public enum AMSI_RESULT
{
AMSI_RESULT_CLEAN,
AMSI_RESULT_NOT_DETECTED,
AMSI_RESULT_BLOCKED_BY_ADMIN_START,
AMSI_RESULT_BLOCKED_BY_ADMIN_END,
AMSI_RESULT_DETECTED
}


class Program
{
static void Main(string[] args)
{
var scanner = new CAntimalware() as IAntiMalware;
var scanResult = AMSI_RESULT.AMSI_RESULT_BLOCKED_BY_ADMIN_END;
IAntimalwareProvider provider = null;
IAmsiStream stream = new AmsiStream(new MemoryStream(Encoding.ASCII.GetBytes("TestString")));
var result = scanner.Scan(stream, out scanResult, out provider);
}
}
}
当我运行这个程序时,我看到 GetAttribute方法被调用一次( attribute 设置为 AMSI_ATTRIBUTE_APP_NAMEdataSize 设置为 1data 设置为 byte[1]'. The Read` 方法永远不会被调用。但无论我返回什么,它总是结束带有 AccessViolationException(作为 64 处理器执行时):
mscorlib.dll!System.StubHelpers.StubHelpers.GetCOMHRExceptionObject(int hr, System.IntPtr pCPCMD, object pThis)
[Native to Managed Transition]
ntdll.dll!RtlpFreeHeapInternal()
ntdll.dll!RtlFreeHeap()
mscorlib.ni.dll!00007ff8cad6a76e()
[Managed to Native Transition]
ConsoleApp6.exe!AmsiTest.Program.Main(string[] args) Line 109
at c:\temp\ConsoleApp6\Program.cs(109)
[Native to Managed Transition]
mscoreei.dll!00007ff8cfb78c01()
mscoree.dll!00007ff8d684ac42()
kernel32.dll!00007ff8e4416fd4()
ntdll.dll!RtlUserThreadStart()
如果我将它作为 32 位程序运行,我会得到:
System.ArgumentException: 'Value does not fall within the expected range.'
ConsoleApp6.exe!AmsiTest.Program.Main(string[] args) Line 109
at c:\temp\ConsoleApp6\Program.cs(109)
[Native to Managed Transition]
mscoreei.dll!__CorExeMain@0()
mscoree.dll!_ShellShim__CorExeMain@0()
mscoree.dll!__CorExeMain_Exported@0()
ntdll.dll!773974b4()
由此我认为我的 COM 声明有些错误,但我无法弄清楚。我还尝试替换 byte[] data带有 IntPtr 的声明,但无济于事。
有什么想法我在这里做错了吗?
这些是 amsi.idl 文件中的声明:
[
local,
object,
pointer_default(unique),
uuid(3e47f2e5-81d4-4d3b-897f-545096770373)
]
interface IAmsiStream : IUnknown
{
HRESULT GetAttribute(
[in] AMSI_ATTRIBUTE attribute,
[in, range(0, 1024*1024)] ULONG dataSize,
[out, size_is(dataSize), length_is(*retData)] unsigned char* data,
[out] ULONG* retData);

HRESULT Read(
[in] ULONGLONG position,
[in, range(0, 1024*1024)] ULONG size,
[out, size_is(size), length_is(*readSize)] unsigned char* buffer,
[out] ULONG* readSize);
}


[
local,
object,
pointer_default(unique),
uuid(b2cabfe3-fe04-42b1-a5df-08d483d4d125)
]
interface IAntimalwareProvider : IUnknown
{
HRESULT Scan(
[in] IAmsiStream* stream,
[out] AMSI_RESULT* result);

void CloseSession([in] ULONGLONG session);

HRESULT DisplayName([out, string, annotation("_Out_")] LPWSTR* displayName);
}

[
local,
object,
pointer_default(unique),
uuid(82d29c2e-f062-44e6-b5c9-3d9a2f24a2df)
]
interface IAntimalware : IUnknown
{
HRESULT Scan(
[in] IAmsiStream* stream,
[out] AMSI_RESULT* result,
[out] IAntimalwareProvider** provider);

void CloseSession([in] ULONGLONG session);
}

typedef [v1_enum] enum AMSI_ATTRIBUTE
{
AMSI_ATTRIBUTE_APP_NAME = 0,
AMSI_ATTRIBUTE_CONTENT_NAME = 1,
AMSI_ATTRIBUTE_CONTENT_SIZE = 2,
AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,
AMSI_ATTRIBUTE_SESSION = 4,
AMSI_ATTRIBUTE_REDIRECT_CHAIN_SIZE = 5,
AMSI_ATTRIBUTE_REDIRECT_CHAIN_ADDRESS = 6,
AMSI_ATTRIBUTE_ALL_SIZE = 7,
AMSI_ATTRIBUTE_ALL_ADDRESS = 8,
AMSI_ATTRIBUTE_QUIET = 9,
} AMSI_ATTRIBUTE;

typedef [v1_enum] enum AMSI_RESULT
{
AMSI_RESULT_CLEAN = 0,
AMSI_RESULT_NOT_DETECTED = 1,
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000,
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4fff,
AMSI_RESULT_DETECTED = 32768,
} AMSI_RESULT;

最佳答案

您需要告诉 .NET 数组是 Out IAnsiStream 中的参数,如下所示:

[Guid("3e47f2e5-81d4-4d3b-897f-545096770373"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IAmsiStream
{
[PreserveSig]
int GetAttribute(AMSI_ATTRIBUTE attribute, int dataSize, [Out, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 1)] byte[] data, out int retData);

[PreserveSig]
int Read(long position, int size, [Out, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 1)] byte[] buffer, out int readSize);
}
另请注意,我使用 PreserveSig明确地将方法返回值定义为 HRESULT。
下面是 GetAttribute 方法的示例实现:
public int GetAttribute(AMSI_ATTRIBUTE attribute, int dataSize, byte[] data, out int retData)
{
const int E_NOT_SUFFICIENT_BUFFER = unchecked((int)0x8007007A);
switch (attribute)
{
case AMSI_ATTRIBUTE.AMSI_ATTRIBUTE_APP_NAME:
const string appName = "My App Name";
var bytes = Encoding.Unicode.GetBytes(appName + "\0"); // force terminating zero
retData = bytes.Length;
if (dataSize < bytes.Length)
return E_NOT_SUFFICIENT_BUFFER;

Array.Copy(bytes, data, bytes.Length);
return 0;

// TODO: implement what's needed

default:
retData = 0;
const int E_NOTIMPL = unchecked((int)0x80004001);
return E_NOTIMPL;
}
}

关于c# - 使用 .Net 中的 IAmsiStream 会导致 AccessViolationException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64086028/

27 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com