Fixed AMSI count bug and updated readme.

pracsec · Nov 16, 2022 · 86b1847 · 86b1847
1 parent ebb2796
commit 86b1847
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 17 deletions.
diff --git a/src/AmsiScanner.Common/AmsiScanner.Common.csproj b/src/AmsiScanner.Common/AmsiScanner.Common.csproj
@@ -5,16 +5,16 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <GeneratePackageOnBuild>True</GeneratePackageOnBuild>
-    <Version>2.3.0</Version>
-    <Authors>FusionCarcass</Authors>
+    <Version>2.3.1</Version>
+    <Authors>pracsec</Authors>
     <Company>Practical Security Analytics</Company>
     <Description>A library for interacting with the Anti-Malware Scan Interface for security and penetration testing purposes.</Description>
-    <Copyright>(c) Michael Lester</Copyright>
-    <PackageProjectUrl>https://github.com/FusionCarcass/amsiscanner</PackageProjectUrl>
+    <Copyright>(c) Practical Security Analytics</Copyright>
+    <PackageProjectUrl>https://practicalsecurityanalytics.com/home/tools/amsiscanner/</PackageProjectUrl>
     <PackageLicenseFile>LICENSE.md</PackageLicenseFile>
     <NeutralLanguage>en</NeutralLanguage>
     <PackageReadmeFile>README.md</PackageReadmeFile>
-    <RepositoryUrl>https://github.com/FusionCarcass/amsiscanner</RepositoryUrl>
+    <RepositoryUrl>https://github.com/pracsec/AmsiScanner</RepositoryUrl>
     <RepositoryType>git</RepositoryType>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>

diff --git a/src/AmsiScanner.Common/AmsiSession.cs b/src/AmsiScanner.Common/AmsiSession.cs
@@ -36,6 +36,11 @@ public class AmsiSession : IDisposable {
                 }
             }
 
+            //We get different results from Windows Defender when the AmsiScanBuffer call comes from
+            //the AmsiUtil class within System.Management.Automation.dll
+            Type type = typeof(PSObject).Assembly.GetType("System.Management.Automation.AmsiUtils");
+            this._scanContent = type.GetMethod("ScanContent", BindingFlags.NonPublic | BindingFlags.Static);
+
             this._cachedResults = new ConcurrentDictionary<string, AmsiResult>();
         }
 
@@ -94,10 +99,11 @@ public class AmsiSession : IDisposable {
 
             //We get different results from Windows Defender when the AmsiScanBuffer call comes from
             //the AmsiUtil class within System.Management.Automation.dll
-            Type type = typeof(PSObject).Assembly.GetType("System.Management.Automation.AmsiUtils");
+            //Type type = typeof(PSObject).Assembly.GetType("System.Management.Automation.AmsiUtils");
 
             //Reset the AmsiSession field to prevent correlation between seperate scans
             if (!this._correlated) {
+                Type type = typeof(PSObject).Assembly.GetType("System.Management.Automation.AmsiUtils");
                 FieldInfo[] fields = type.GetFields(BindingFlags.NonPublic | BindingFlags.Static);
                 FieldInfo contextField = type.GetField("s_amsiContext", BindingFlags.NonPublic | BindingFlags.Static);
                 IntPtr context = (IntPtr)contextField.GetValue(null);
@@ -109,8 +115,9 @@ public class AmsiSession : IDisposable {
                 }
             }
 
-            MethodInfo method = type.GetMethod("ScanContent", BindingFlags.NonPublic | BindingFlags.Static);
-            int result = (int)method.Invoke(null, new object[] { text, string.Empty });
+            //MethodInfo method = type.GetMethod("ScanContent", BindingFlags.NonPublic | BindingFlags.Static);
+            Interlocked.Increment(ref this._amsiCalls);
+            int result = (int)this._scanContent.Invoke(null, new object[] { text, string.Empty });
 
             amsiResult = AmsiSession.IntToAmsiResult(result);
 
@@ -136,7 +143,7 @@ public class AmsiSession : IDisposable {
                 IntPtr buffer = new IntPtr((void*)chPtr);
                 resultCode = NativeMethods.AmsiScanBuffer(this._context, buffer, (uint)(text.Length * 2), meta, this._session, out amsiResult);
             }
-            //int resultCode = NativeMethods.AmsiScanString(this._context, text, meta, this._session, out amsiResult);
+
             if (resultCode != 0) {
                 throw new Exception(string.Format("Call to AmsiScanString failed with return code {0}.", resultCode));
             }
@@ -190,6 +197,7 @@ public class AmsiSession : IDisposable {
         private readonly bool _cache;
         private readonly bool _correlated;
         private long _amsiCalls = 0;
+        private MethodInfo _scanContent;
 
         private const string ESCAPE_STUB = "if($escape) { return; }\r\n";
         private const string MALICIOUS_CONTENT = "script contains malicious content";

diff --git a/src/AmsiScanner.Common/README.md b/src/AmsiScanner.Common/README.md
@@ -14,6 +14,12 @@ Scan files with the Anti-Malware Scan Interface (AMSI) and minimize malicious te
 - Windows 10+
 - .NET 6.0
 
+# Project Url
+
+Please see the site below for more examples and documentation.
+
+https://practicalsecurityanalytics.com/home/tools/amsiscanner/
+
 # AmsiScanner.Common Usage
 
 ## Scan a File

diff --git a/src/AmsiScanner/AmsiScanner.csproj b/src/AmsiScanner/AmsiScanner.csproj
@@ -5,15 +5,15 @@
     <TargetFramework>net6.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
-    <Version>2.3.0</Version>
+    <Version>2.3.1</Version>
     <PackageReadmeFile>README.md</PackageReadmeFile>
-    <RepositoryUrl>https://github.com/FusionCarcass/amsiscanner</RepositoryUrl>
-    <AssemblyVersion>2.3.0</AssemblyVersion>
-    <FileVersion>2.3.0</FileVersion>
+    <RepositoryUrl>https://github.com/pracsec/AmsiScanner</RepositoryUrl>
+    <AssemblyVersion>2.3.1</AssemblyVersion>
+    <FileVersion>2.3.1</FileVersion>
     <PackageLicenseFile></PackageLicenseFile>
-    <Copyright>(c) Michael Lester</Copyright>
+    <Copyright>(c) Practical Security Analytics</Copyright>
     <Description>A tool for finding AV signatures.</Description>
-    <PackageProjectUrl>https://github.com/FusionCarcass/amsiscanner</PackageProjectUrl>
+    <PackageProjectUrl>https://practicalsecurityanalytics.com/home/tools/amsiscanner/</PackageProjectUrl>
     <Company>Practical Security Analytics</Company>
     <GeneratePackageOnBuild>False</GeneratePackageOnBuild>
   </PropertyGroup>

diff --git a/src/AmsiScanner/Program.cs b/src/AmsiScanner/Program.cs
@@ -1,11 +1,9 @@
 using AmsiScanner.Common;
 using AmsiScanner.Common.Indexing;
 using AmsiScanner.Common.Threading;
-using System;
 using System.CommandLine;
 using System.CommandLine.NamingConventionBinder;
 using System.Diagnostics;
-using System.IO;
 
 namespace AmsiScanner {
     public class Program {