免责声明
本文仅用于技术讨论与学习,利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者及本公众号不为此承担任何责任。
Windows ASMI
ASMI基本功能
-
软件开发者集成AMSI:开发者可以在自己的软件中调用AMSI相关的API,将用户执行的脚本、文件等内容送到AMSI接口。AMSI接口再将这些内容送给预先安装的反恶意软件产品进行扫描。 -
实时扫描:当用户在执行脚本或者加载文件时,支持AMSI的应用程序会把相关内容发送给AMSI,接口会实时调用已安装的防病毒产品对内容进行扫描。 -
脚本和宏扫描:AMSI特别适合用来扫描PowerShell或VBScript等脚本语言的代码。例如,Office文档内的宏也会通过AMSI被评估,是否存在潜在的恶意行为。 -
通用接口:AMSI提供了一个厂商无关的接口,允许任何反恶意软件产品接入并为AMSI提供服务。这意味着,无论用户安装了哪家厂商的防病毒软件,都可以通过AMSI获得相应服务。
ASMI开发具体用例
使用AMSI API,首先初始化AMSI环境,创建一个会话:
HRESULT AmsiInitialize(LPCWSTR appName,HAMSICONTEXT *amsiContext);
提交需要检查的内容给AMSI引擎:
HRESULT AmsiScanBuffer(HAMSICONTEXT amsiContext,PVOID buffer,ULONG length,LPCWSTR contentName,HAmsiSession session,AMSI_RESULT *result);
根据返回的结果判断是否为恶意软件:
typedef enum AMSI_RESULT {AMSI_RESULT_CLEAN,AMSI_RESULT_NOT_DETECTED,AMSI_RESULT_BLOCKED_BY_ADMIN_START,AMSI_RESULT_BLOCKED_BY_ADMIN_END,AMSI_RESULT_DETECTED} AMSI_RESULT;
扫描完成后,关闭会话和清理环境:
void AmsiCloseSession(HAMSICONTEXT amsiContext,HAmsiSession session);void AmsiUninitialize(HAMSICONTEXT amsiContext);
查杀器实现
根据ASMI开发实例,我们可以实现一个简单的本地文件病毒查杀器,传入文件名,调用ASMI接口进行查杀:
bool InitializeAmsiContext(HAMSICONTEXT& amsiContext, HAMSISESSION& amsiSession) {HRESULT hr = AmsiInitialize(L"MyAMSIApplication", &amsiContext);if (FAILED(hr)) {std::wcerr << L"AMSI Initialization failed with error code: " << hr << std::endl;return false;}hr = AmsiOpenSession(amsiContext, &amsiSession);if (FAILED(hr)) {std::wcerr << L"AMSI Session open failed with error code: " << hr << std::endl;AmsiUninitialize(amsiContext);return false;}return true;}void UnintializeAmsiContext(HAMSICONTEXT amsiContext, HAMSISESSION amsiSession) {AmsiCloseSession(amsiContext, amsiSession);AmsiUninitialize(amsiContext);}bool ScanFileWithAmsi(const std::wstring& filePath, HAMSICONTEXT amsiContext, HAMSISESSION amsiSession) {std::wcout << L"Scanning file: " << filePath << std::endl;std::ifstream file(filePath, std::ios::binary | std::ios::ate);if (!file.is_open()) {DWORD dw = GetLastError();LPVOID lpMsgBuf;FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |FORMAT_MESSAGE_FROM_SYSTEM |FORMAT_MESSAGE_IGNORE_INSERTS,NULL,dw,MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),(LPTSTR)&lpMsgBuf,0, NULL);std::wcerr << L"Failed to open file: " << filePath << L". Error: " << (LPCTSTR)lpMsgBuf << std::endl;LocalFree(lpMsgBuf);return false;}std::streampos fileSize = file.tellg();file.seekg(0, std::ios::beg);std::vector<char> buffer(fileSize);if (!file.read(buffer.data(), fileSize)) {std::wcerr << L"Failed to read file: " << filePath << std::endl;return false;}AMSI_RESULT amsiResult = AMSI_RESULT_CLEAN;HRESULT hr = AmsiScanBuffer(amsiContext, buffer.data(), static_cast<ULONG>(fileSize), filePath.c_str(), amsiSession, &amsiResult);if (FAILED(hr)) {std::wcerr << L"AMSI Scan failed with error: " << hr << std::endl;return false;}std::wcout << L"Scanning file: " << filePath << " Done." << std::endl;switch (amsiResult) {case AMSI_RESULT_CLEAN:std::wcout << L"The file is clean." << std::endl;break;case AMSI_RESULT_NOT_DETECTED:std::wcout << L"No malware detected." << std::endl;break;case AMSI_RESULT_DETECTED:std::wcout << L"Malware was detected and the file is considered dangerous." << std::endl;return false;default:std::wcout << L"The scan result is uncertain. Result code: " << amsiResult << std::endl;return false;}std::wcout << L"Scan completed successfully." << std::endl;return true;}int wmain(int argc, wchar_t* argv[]) {if (argc < 2) {std::wcerr << L"Usage: " << argv[0] << L" <file_path>" << std::endl;return 1;}std::wstring filePath = argv[1];HAMSICONTEXT amsiContext = nullptr;HAMSISESSION amsiSession = nullptr;if (!InitializeAmsiContext(amsiContext, amsiSession)) {return 1;}bool isFileClean = ScanFileWithAmsi(filePath, amsiContext, amsiSession);UnintializeAmsiContext(amsiContext, amsiSession);return isFileClean ? 0 : 1;}
要注意使用Release模式编译,否则会造成环境缺失:
效果如下:
总结
本文讲述了Windows ASMI的概念、作用和常用开发实例,并实现了一个简单的静态文件查杀器。在新版的PowerShell中,会调用ASMI取检查PowerShell将要执行的脚本,给PowerShell内存马带来阻碍,相关内容将在后文讲解。
原文始发于微信公众号(赛博安全狗):【权限维持技术】Windows ASMI防病毒技术
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论