#include "PanoptesAMSI.h"

#include <Shlwapi.h>
#include <amsi.h>

#include <new>
#include <string>
#include <vector>
4
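namespace {

// Owns an AMSI context and (optionally) a session opened on it, and releases
// both on scope exit in the correct order. Every early-return path of
// AmsiScanFile previously had to repeat AmsiUninitialize by hand, and one of
// them (the file-attributes check) forgot; the session was never closed at all.
struct AmsiContextGuard
{
    HAMSICONTEXT context{ nullptr };
    HAMSISESSION session{ nullptr };

    AmsiContextGuard() = default;
    AmsiContextGuard(const AmsiContextGuard&) = delete;
    AmsiContextGuard& operator=(const AmsiContextGuard&) = delete;

    ~AmsiContextGuard()
    {
        if (context != nullptr && session != nullptr) {
            AmsiCloseSession(context, session);
        }
        if (context != nullptr) {
            AmsiUninitialize(context);
        }
    }
};

// Closes a Win32 file handle on scope exit. INVALID_HANDLE_VALUE is the
// "nothing to close" sentinel, matching what CreateFile returns on failure.
struct FileHandleGuard
{
    HANDLE handle{ INVALID_HANDLE_VALUE };

    FileHandleGuard() = default;
    FileHandleGuard(const FileHandleGuard&) = delete;
    FileHandleGuard& operator=(const FileHandleGuard&) = delete;

    ~FileHandleGuard()
    {
        if (handle != INVALID_HANDLE_VALUE) {
            CloseHandle(handle);
        }
    }
};

}  // namespace

/**
 * @brief Scan a file with the Windows Antimalware Scan Interface (AMSI).
 *
 * The file is read fully into memory and handed to the registered AMSI
 * provider via AmsiScanBuffer. If @p copy_path is non-empty the file is first
 * copied to `copy_path + basename(file_path)` (overwriting any file already
 * there) and the copy is what gets scanned; otherwise @p file_path is scanned
 * in place. Note that @p copy_path is joined by plain concatenation, so the
 * caller is expected to pass it with a trailing path separator.
 *
 * Failure paths: a failed copy is reported immediately rather than falling
 * through to the scan, because a stale copy from an earlier run with the same
 * base name would otherwise be scanned and its verdict returned for the wrong
 * file. AMSI's own HRESULTs are returned as-is (they are not GetLastError
 * codes). Files larger than 4 GiB are refused instead of scanning a truncated
 * prefix, since AmsiScanBuffer takes a 32-bit length.
 *
 * The AMSI provider sees no content name (the contentName argument is left
 * null), so provider-side telemetry will not show the original file name.
 *
 * @param file_path   Path of the file to scan (narrow/ANSI path).
 * @param copy_path   Optional staging directory, with trailing separator, or ""
 *                    to scan @p file_path directly.
 * @param amsi_result Receives the AMSI_RESULT verdict on success; must be non-null.
 * @return S_OK when a verdict was obtained and written to @p amsi_result;
 *         E_POINTER if @p amsi_result is null; otherwise the HRESULT of the
 *         failing Win32 or AMSI call (including the last AmsiScanBuffer error
 *         when the provider kept reporting ERROR_NOT_READY after all retries).
 */
HRESULT AmsiScanner::AmsiScanFile(std::string file_path, std::string copy_path, int* amsi_result)
{
    if (amsi_result == nullptr) {
        return E_POINTER;
    }

    // Resolve which path is actually scanned: a fresh staged copy, or the file itself.
    std::string scan_target;
    if (!copy_path.empty()) {
        LPCSTR base_name = PathFindFileNameA(file_path.c_str());
        scan_target = copy_path + base_name;
        // bFailIfExists == FALSE: an older copy with the same name is overwritten.
        if (!CopyFileA(file_path.c_str(), scan_target.c_str(), FALSE)) {
            return HRESULT_FROM_WIN32(GetLastError());
        }
    }
    else {
        scan_target = file_path;
    }

    AmsiContextGuard amsi;
    // AmsiInitialize / AmsiOpenSession return HRESULTs directly; GetLastError()
    // is unrelated to them, so the HRESULT itself is what callers should see.
    HRESULT hr = AmsiInitialize(L"Panoptes Scanner", &amsi.context);
    if (FAILED(hr)) {
        return hr;
    }
    hr = AmsiOpenSession(amsi.context, &amsi.session);
    if (FAILED(hr)) {
        return hr;
    }

    // Open with OPEN_EXISTING straight away. A separate GetFileAttributes
    // existence check only widened the check-then-use window and produced the
    // same error code that CreateFile reports for a missing file.
    FileHandleGuard file;
    file.handle = CreateFileA(scan_target.c_str(), GENERIC_READ, FILE_SHARE_READ, nullptr,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
    if (file.handle == INVALID_HANDLE_VALUE) {
        return HRESULT_FROM_WIN32(GetLastError());
    }

    LARGE_INTEGER file_size{};
    if (!GetFileSizeEx(file.handle, &file_size)) {
        return HRESULT_FROM_WIN32(GetLastError());
    }
    if (file_size.QuadPart == 0) {
        // Nothing to scan. E_INVALIDARG is the same code the former
        // VirtualAlloc(0) path produced, so callers see no change here.
        return E_INVALIDARG;
    }
    if (file_size.QuadPart > static_cast<LONGLONG>(MAXDWORD)) {
        // AmsiScanBuffer takes a ULONG length; refuse rather than silently
        // scanning only the low 32 bits' worth of the file.
        return HRESULT_FROM_WIN32(ERROR_FILE_TOO_LARGE);
    }
    const DWORD bytes_expected = static_cast<DWORD>(file_size.QuadPart);

    std::vector<unsigned char> buffer;
    try {
        buffer.resize(bytes_expected);
    }
    catch (const std::bad_alloc&) {
        return E_OUTOFMEMORY;
    }

    // ReadFile may legitimately return fewer bytes than requested; keep reading
    // until the whole file is in memory (or EOF) so the length passed to AMSI
    // matches what was actually read rather than the size reported up front.
    DWORD bytes_total = 0;
    while (bytes_total < bytes_expected) {
        DWORD chunk = 0;
        if (!ReadFile(file.handle, buffer.data() + bytes_total, bytes_expected - bytes_total, &chunk, nullptr)) {
            return HRESULT_FROM_WIN32(GetLastError());
        }
        if (chunk == 0) {
            break;  // file shrank after GetFileSizeEx; scan what was actually read
        }
        bytes_total += chunk;
    }

    // The provider reports ERROR_NOT_READY while it is still initialising
    // (e.g. shortly after boot); make the initial attempt plus kMaxRetries
    // retries, one second apart, before giving up.
    constexpr int kMaxRetries = 3;
    constexpr DWORD kRetryDelayMs = 1000;
    AMSI_RESULT verdict = AMSI_RESULT_CLEAN;
    for (int attempt = 0;; ++attempt) {
        hr = AmsiScanBuffer(amsi.context, buffer.data(), bytes_total, nullptr, amsi.session, &verdict);
        if (SUCCEEDED(hr)) {
            *amsi_result = verdict;
            return S_OK;
        }
        if (hr != HRESULT_FROM_WIN32(ERROR_NOT_READY) || attempt >= kMaxRetries) {
            // Surface the real failure instead of a generic E_FAIL so the
            // caller can distinguish "provider missing" from "not ready".
            return hr;
        }
        Sleep(kRetryDelayMs);
    }
}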