Centralized NativeMethods

Author: zbalkan

src/ClipboardMonitor/AMSI/AmsiSession.cs

@@ -22,19 +22,10 @@ public bool IsMalware(string payload, string contentName)
                 throw new Win32Exception(returnValue);
             }
 
-            return NativeMethods.AmsiResultIsMalware(result);
+            return AmsiResultIsMalware(result);
         }
 
-        public bool IsMalware(byte[] payload, string contentName)
-        {
-            var returnValue = NativeMethods.AmsiScanBuffer(_context, payload, (uint)payload.Length, contentName, _session, out var result);
-            if (returnValue != 0)
-            {
-                throw new Win32Exception(returnValue);
-            }
-
-            return NativeMethods.AmsiResultIsMalware(result);
-        }
+        private static bool AmsiResultIsMalware(AmsiResult result) => result >= AmsiResult.AMSI_RESULT_DETECTED;
 
         public void Dispose()
         {

src/ClipboardMonitor/AMSI/NativeMethods.cs

@@ -80,7 +80,6 @@
     </ApplicationDefinition>
     <Compile Include="AhoCorasickTree.cs" />
     <Compile Include="Alert.cs" />
-    <Compile Include="AMSI\NativeMethods.cs" />
     <Compile Include="AMSI\AmsiContext.cs" />
     <Compile Include="AMSI\AmsiContextSafeHandle.cs" />
     <Compile Include="AMSI\AmsiResult.cs" />
@@ -108,7 +107,7 @@
     <Compile Include="ClipboardNotification.cs" />
     <Compile Include="DelegateCommand.cs" />
     <Compile Include="Logger.cs" />
-    <Compile Include="Helpers\NativeMethods.cs" />
+    <Compile Include="NativeMethods.cs" />
     <Compile Include="PANException.cs" />
     <Compile Include="PAN\Luhn.cs" />
     <Compile Include="PAN\PaymentBrandRegistry.cs" />

src/ClipboardMonitor/ClipboardMonitor.csproj

@@ -2,7 +2,6 @@
 using System.Diagnostics;
 using System.IO;
 using System.Windows.Forms;
-using ClipboardMonitor.Helpers;
 using Windows.UI.Notifications;
 
 namespace ClipboardMonitor

src/ClipboardMonitor/ClipboardNotification.NotificationHandlerForm.cs

@@ -5,7 +5,6 @@
 using System.Security.AccessControl;
 using System.Security.Principal;
 using System.Text;
-using ClipboardMonitor.Helpers;
 
 namespace ClipboardMonitor
 {

src/ClipboardMonitor/Helpers/ProcessHelper.cs

@@ -1,8 +1,9 @@
 using System;
 using System.Runtime.InteropServices;
 using System.Text;
+using ClipboardMonitor.AMSI;
 
-namespace ClipboardMonitor.Helpers
+namespace ClipboardMonitor
 {
     internal static class NativeMethods
     {
@@ -97,5 +98,32 @@ internal static extern IntPtr SetWinEventHook(
         [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
         internal static extern int SetCurrentProcessExplicitAppUserModelID(string appID);
         #endregion shell32.dll
+
+        #region Amsi.dll
+        // Based on Meziantou's samples at <see href="https://www.meziantou.net/using-windows-antimalware-scan-interface-in-dotnet.htm"/>.
+        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+        [DllImport("Amsi.dll", EntryPoint = "AmsiInitialize", CallingConvention = CallingConvention.StdCall)]
+        internal static extern int AmsiInitialize([MarshalAs(UnmanagedType.LPWStr)] string appName, out AmsiContextSafeHandle amsiContext);
+
+        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+        [DllImport("Amsi.dll", EntryPoint = "AmsiUninitialize", CallingConvention = CallingConvention.StdCall)]
+        internal static extern void AmsiUninitialize(IntPtr amsiContext);
+
+        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+        [DllImport("Amsi.dll", EntryPoint = "AmsiOpenSession", CallingConvention = CallingConvention.StdCall)]
+        internal static extern int AmsiOpenSession(AmsiContextSafeHandle amsiContext, out AmsiSessionSafeHandle session);
+
+        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+        [DllImport("Amsi.dll", EntryPoint = "AmsiCloseSession", CallingConvention = CallingConvention.StdCall)]
+        internal static extern void AmsiCloseSession(AmsiContextSafeHandle amsiContext, IntPtr session);
+
+        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+        [DllImport("Amsi.dll", EntryPoint = "AmsiScanString", CallingConvention = CallingConvention.StdCall)]
+        internal static extern int AmsiScanString(AmsiContextSafeHandle amsiContext, [In, MarshalAs(UnmanagedType.LPWStr)] string payload, [In, MarshalAs(UnmanagedType.LPWStr)] string contentName, AmsiSessionSafeHandle session, out AmsiResult result);
+
+        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+        [DllImport("Amsi.dll", EntryPoint = "AmsiScanBuffer", CallingConvention = CallingConvention.StdCall)]
+        internal static extern int AmsiScanBuffer(AmsiContextSafeHandle amsiContext, byte[] buffer, uint length, string contentName, AmsiSessionSafeHandle session, out AmsiResult result);
+        #endregion Amsi.dll
     }
 }

…lipboardMonitor/Helpers/NativeMethods.cs src/ClipboardMonitor/NativeMethods.cssrc/ClipboardMonitor/Helpers/NativeMethods.cs renamed to src/ClipboardMonitor/NativeMethods.cs src/ClipboardMonitor/Helpers/NativeMethods.cs renamed to src/ClipboardMonitor/NativeMethods.cs

@@ -10,7 +10,7 @@ namespace ClipboardMonitor.PasteGuard
     internal static class PasteGuard
     {
         private const int LAST_N_SECONDS = 30;
-        private static readonly Helpers.NativeMethods.WinEventDelegate _winEventProc = WinEventCallback;
+        private static readonly NativeMethods.WinEventDelegate _winEventProc = WinEventCallback;
         private static readonly TimeSpan Window = TimeSpan.FromSeconds(LAST_N_SECONDS);
 
         private static IntPtr _lastRunDialog = IntPtr.Zero;
@@ -26,8 +26,8 @@ public static void Install()
         {
             if (_winEventHookForeground == IntPtr.Zero)
             {
-                _winEventHookForeground = Helpers.NativeMethods.SetWinEventHook(Helpers.NativeMethods.EVENT_SYSTEM_FOREGROUND, Helpers.NativeMethods.EVENT_SYSTEM_FOREGROUND,
-                    IntPtr.Zero, _winEventProc, 0, 0, Helpers.NativeMethods.WINEVENT_OUTOFCONTEXT);
+                _winEventHookForeground = NativeMethods.SetWinEventHook(NativeMethods.EVENT_SYSTEM_FOREGROUND, NativeMethods.EVENT_SYSTEM_FOREGROUND,
+                    IntPtr.Zero, _winEventProc, 0, 0, NativeMethods.WINEVENT_OUTOFCONTEXT);
             }
         }
 
@@ -38,7 +38,7 @@ public static void Remove()
         {
             if (_winEventHookForeground != IntPtr.Zero)
             {
-                Helpers.NativeMethods.UnhookWinEvent(_winEventHookForeground);
+                NativeMethods.UnhookWinEvent(_winEventHookForeground);
                 _winEventHookForeground = IntPtr.Zero;
             }
         }
@@ -54,7 +54,7 @@ public static void SetSuspiciousActivityContent(ProcessSummary processSummary, s
         private static string GetClassName(IntPtr hWnd)
         {
             var sb = new StringBuilder(256);
-            Helpers.NativeMethods.GetClassName(hWnd, sb, sb.Capacity);
+            NativeMethods.GetClassName(hWnd, sb, sb.Capacity);
             return sb.ToString();
         }
 
@@ -80,7 +80,7 @@ private static void WinEventCallback(
             var cls = GetClassName(hwnd);
             if (cls == "#32770")
             {
-                Helpers.NativeMethods.GetWindowThreadProcessId(hwnd, out var pid);
+                NativeMethods.GetWindowThreadProcessId(hwnd, out var pid);
                 try
                 {
                     using (var proc = Process.GetProcessById((int)pid))