Panoptes 1.0.0
Endpoint Detection and Response
AmsiScanner Class Reference

#include <PanoptesAMSI.h>

Public Types

// Result of an AMSI scan as reported by AmsiScanner::AmsiScanFile(). The numeric
// values mirror the Windows AMSI_RESULT enumeration, because AmsiScanFile()
// stores the raw AMSI_RESULT it receives from AmsiScanBuffer() into the caller's
// int without translating it. Higher values are more suspicious: the SDK's
// AmsiResultIsMalware() treats anything >= AMSI_RESULT_DETECTED as malware.
enum  AMSI_RESULT_PANO {
  AMSI_RESULT_PANO_CLEAN = 0 , AMSI_RESULT_PANO_NOT_DETECTED = 1 , AMSI_RESULT_PANO_BLOCKED_BY_ADMIN_START = 0x4000 , AMSI_RESULT_PANO_BLOCKED_BY_ADMIN_END = 0x4fff , // 0x4000..0x4fff: content blocked by administrator policy
  AMSI_RESULT_PANO_DETECTED = 32768 // 0x8000: a provider detected malicious content
}
 The result of the AMSI scan. More...
 
// Alias so callers can name the scan-result type without the enum keyword.
typedef enum AmsiScanner::AMSI_RESULT_PANO AMSI_RESULT_PANO
 The result of the AMSI scan.
 

Static Public Member Functions

static HRESULT AmsiScanFile (std::string PathToFile, std::string CopyPath, int *AmsiResult)
 Scan a file using Windows' built-in AMSI feature set.
 

Detailed Description

Definition at line 15 of file PanoptesAMSI.h.

Member Typedef Documentation

◆ AMSI_RESULT_PANO

The result of the AMSI scan.

Member Enumeration Documentation

◆ AMSI_RESULT_PANO

The result of the AMSI scan.

Enumerator
AMSI_RESULT_PANO_CLEAN 
AMSI_RESULT_PANO_NOT_DETECTED 
AMSI_RESULT_PANO_BLOCKED_BY_ADMIN_START 
AMSI_RESULT_PANO_BLOCKED_BY_ADMIN_END 
AMSI_RESULT_PANO_DETECTED 

Definition at line 18 of file PanoptesAMSI.h.


Member Function Documentation

◆ AmsiScanFile()

HRESULT AmsiScanner::AmsiScanFile ( std::string  file_path,
std::string  copy_path,
int *  amsi_result 
)
static

Scan a file using Windows' built-in AMSI feature set.

Parameters
file_path — The path of the file to scan.
copy_path — The path to copy the file to before scanning; if empty, the file is scanned in place and not copied.
amsi_result — Receives the result of the scan.
Returns
The result of the scan

Definition at line 10 of file amsi-scan.cpp.

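/// @brief Scan a file using Windows' built-in AMSI feature set.
///
/// When @p copy_path is non-empty the file is first copied there and the copy
/// is scanned; otherwise @p file_path is scanned in place.
///
/// @param file_path   Path of the file to scan.
/// @param copy_path   Destination the file is copied to before scanning. The
///                    base name of @p file_path is appended verbatim, so the
///                    caller must include the trailing path separator. An
///                    existing file at the destination is overwritten. Empty
///                    means "do not copy".
/// @param amsi_result Receives the raw AMSI_RESULT of the scan on success (the
///                    same numeric values as AmsiScanner::AMSI_RESULT_PANO).
///                    Untouched on failure.
/// @return S_OK when the scan completed and @p amsi_result was written.
///         Otherwise a failed HRESULT: E_POINTER for a null @p amsi_result,
///         E_INVALIDARG for an empty file, HRESULT_FROM_WIN32(ERROR_FILE_TOO_LARGE)
///         for a file that does not fit a single scan buffer, the AMSI HRESULT
///         for AmsiInitialize/AmsiOpenSession/AmsiScanBuffer failures, or
///         HRESULT_FROM_WIN32(GetLastError()) for Win32 failures.
HRESULT AmsiScanner::AmsiScanFile(std::string file_path, std::string copy_path, int* amsi_result)
{
    if (amsi_result == nullptr) {
        return E_POINTER;
    }

    // Releases every acquired resource in reverse order of acquisition, so no
    // early return can leak the AMSI context, the session (which the previous
    // version never closed), the file handle or the scan buffer.
    struct ScanResources {
        HAMSICONTEXT context = nullptr;
        HAMSISESSION session = nullptr;
        HANDLE file = INVALID_HANDLE_VALUE;
        LPVOID buffer = nullptr;

        ~ScanResources()
        {
            if (buffer != nullptr) VirtualFree(buffer, 0, MEM_RELEASE);
            if (file != INVALID_HANDLE_VALUE) CloseHandle(file);
            if (session != nullptr) AmsiCloseSession(context, session);
            if (context != nullptr) AmsiUninitialize(context);
        }
    } res;

    // Pick the path handed to AMSI. When a copy is requested the copy is what
    // gets scanned, so a failed copy is reported instead of silently moving on
    // to scan a path that was never created.
    std::string scan_target = file_path;
    if (copy_path != "") {
        LPCSTR base_name = PathFindFileNameA(file_path.c_str());
        scan_target = copy_path + base_name;  // no separator is inserted; see @param copy_path
        if (!CopyFileA(file_path.c_str(), scan_target.c_str(), FALSE)) {
            return HRESULT_FROM_WIN32(GetLastError());
        }
    }

    // AMSI reports failure through its HRESULT, not GetLastError(); mapping
    // GetLastError() here could even turn a failure into S_OK.
    HRESULT hr = AmsiInitialize(L"Panoptes Scanner", &res.context);
    if (FAILED(hr)) {
        return hr;
    }
    hr = AmsiOpenSession(res.context, &res.session);
    if (FAILED(hr)) {
        return hr;
    }

    // OPEN_EXISTING already fails for a missing file, so a separate
    // GetFileAttributes() existence check adds nothing but a TOCTOU window.
    res.file = CreateFileA(scan_target.c_str(), GENERIC_READ, FILE_SHARE_READ, nullptr,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
    if (res.file == INVALID_HANDLE_VALUE) {
        return HRESULT_FROM_WIN32(GetLastError());
    }

    // AmsiScanBuffer takes a ULONG length, so a file larger than that cannot be
    // scanned as one buffer; refuse it rather than truncating the size the way
    // GetFileSize(handle, nullptr) would.
    LARGE_INTEGER file_size{};
    if (!GetFileSizeEx(res.file, &file_size)) {
        return HRESULT_FROM_WIN32(GetLastError());
    }
    if (file_size.QuadPart > static_cast<LONGLONG>(MAXDWORD)) {
        return HRESULT_FROM_WIN32(ERROR_FILE_TOO_LARGE);
    }
    const DWORD to_read = static_cast<DWORD>(file_size.QuadPart);
    if (to_read == 0) {
        // Nothing to hand to AmsiScanBuffer. E_INVALIDARG is the same value the
        // old VirtualAlloc(0) failure path produced, and avoids reporting an
        // unscanned file as clean.
        return E_INVALIDARG;
    }

    res.buffer = VirtualAlloc(nullptr, to_read, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (res.buffer == nullptr) {
        return HRESULT_FROM_WIN32(GetLastError());
    }

    DWORD bytes_read = 0;
    if (!ReadFile(res.file, res.buffer, to_read, &bytes_read, nullptr)) {
        return HRESULT_FROM_WIN32(GetLastError());
    }
    if (bytes_read == 0) {
        return E_INVALIDARG;  // file shrank to empty between sizing and reading
    }

    // Retry only on ERROR_NOT_READY (presumably a provider that is not yet
    // available), at most kMaxRetries times after the first attempt, sleeping
    // only between attempts. Only the bytes actually read are scanned.
    const int kMaxRetries = 3;
    const DWORD kRetryDelayMs = 1000;
    AMSI_RESULT result = AMSI_RESULT_CLEAN;
    for (int attempt = 0;; ++attempt) {
        hr = AmsiScanBuffer(res.context, res.buffer, bytes_read, nullptr, res.session, &result);
        if (SUCCEEDED(hr)) {
            *amsi_result = static_cast<int>(result);
            return S_OK;
        }
        if (hr != HRESULT_FROM_WIN32(ERROR_NOT_READY) || attempt >= kMaxRetries) {
            // Surface the provider's own failure HRESULT instead of collapsing
            // every failure to E_FAIL; FAILED(hr) still holds for callers.
            return hr;
        }
        Sleep(kRetryDelayMs);
    }
}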

References result.

Referenced by PanoEntry(), AMSI::TEST(), and AMSI::TEST().


The documentation for this class was generated from the following files: