
Commit 11e0645

committed
Centralized NativeMethods
1 parent f31224e commit 11e0645


7 files changed

+38
-60
lines changed


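--- a/src/ClipboardMonitor/AMSI/AmsiSession.cs
+++ b/src/ClipboardMonitor/AMSI/AmsiSession.cs
@@ -22,19 +22,10 @@ public bool IsMalware(string payload, string contentName)
 throw new Win32Exception(returnValue);
 }
 
-return NativeMethods.AmsiResultIsMalware(result);
+return AmsiResultIsMalware(result);
 }
 
-public bool IsMalware(byte[] payload, string contentName)
-{
-var returnValue = NativeMethods.AmsiScanBuffer(_context, payload, (uint)payload.Length, contentName, _session, out var result);
-if (returnValue != 0)
-{
-throw new Win32Exception(returnValue);
-}
-
-return NativeMethods.AmsiResultIsMalware(result);
-}
+private static bool AmsiResultIsMalware(AmsiResult result) => result >= AmsiResult.AMSI_RESULT_DETECTED;
 
 public void Dispose()
 {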
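Review bot: The new `AmsiResultIsMalware` helper at the bottom of the hunk needs a comment stating what the `>=` comparison means, because a reader may assume every non-zero result is a detection. If `AmsiResult` mirrors the amsi.h values, only results at or above `AMSI_RESULT_DETECTED` (0x8000) count as malware and the `AMSI_RESULT_BLOCKED_BY_ADMIN_*` range (0x4000-0x4FFF) is reported as clean by this helper, which matches the SDK's `AmsiResultIsMalware` macro but should be confirmed against what the clipboard monitor wants. Suggested comment: `// Mirrors amsi.h's AmsiResultIsMalware macro: only AMSI_RESULT_DETECTED and above are detections; BLOCKED_BY_ADMIN results are treated as not-malware here.` The enclosing `IsMalware(string, string)` starts before the hunk, and removing the `byte[]` overload leaves the `AmsiScanBuffer` P/Invoke without a visible caller in this commit.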

src/ClipboardMonitor/AMSI/NativeMethods.cs

Lines changed: 0 additions & 38 deletions
This file was deleted.

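--- a/src/ClipboardMonitor/ClipboardMonitor.csproj
+++ b/src/ClipboardMonitor/ClipboardMonitor.csproj
@@ -80,7 +80,6 @@
 </ApplicationDefinition>
 <Compile Include="AhoCorasickTree.cs" />
 <Compile Include="Alert.cs" />
-<Compile Include="AMSI\NativeMethods.cs" />
 <Compile Include="AMSI\AmsiContext.cs" />
 <Compile Include="AMSI\AmsiContextSafeHandle.cs" />
 <Compile Include="AMSI\AmsiResult.cs" />
@@ -108,7 +107,7 @@
 <Compile Include="ClipboardNotification.cs" />
 <Compile Include="DelegateCommand.cs" />
 <Compile Include="Logger.cs" />
-<Compile Include="Helpers\NativeMethods.cs" />
+<Compile Include="NativeMethods.cs" />
 <Compile Include="PANException.cs" />
 <Compile Include="PAN\Luhn.cs" />
 <Compile Include="PAN\PaymentBrandRegistry.cs" />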

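--- a/src/ClipboardMonitor/ClipboardNotification.NotificationHandlerForm.cs
+++ b/src/ClipboardMonitor/ClipboardNotification.NotificationHandlerForm.cs
@@ -2,7 +2,6 @@
 using System.Diagnostics;
 using System.IO;
 using System.Windows.Forms;
-using ClipboardMonitor.Helpers;
 using Windows.UI.Notifications;
 
 namespace ClipboardMonitor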

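--- a/src/ClipboardMonitor/Helpers/ProcessHelper.cs
+++ b/src/ClipboardMonitor/Helpers/ProcessHelper.cs
@@ -5,7 +5,6 @@
 using System.Security.AccessControl;
 using System.Security.Principal;
 using System.Text;
-using ClipboardMonitor.Helpers;
 
 namespace ClipboardMonitor
 {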

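--- a/src/ClipboardMonitor/Helpers/NativeMethods.cs
+++ b/src/ClipboardMonitor/NativeMethods.cs
@@ -1,8 +1,9 @@
 using System;
 using System.Runtime.InteropServices;
 using System.Text;
+using ClipboardMonitor.AMSI;
 
-namespace ClipboardMonitor.Helpers
+namespace ClipboardMonitor
 {
 internal static class NativeMethods
 {
@@ -97,5 +98,32 @@ internal static extern IntPtr SetWinEventHook(
 [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
 internal static extern int SetCurrentProcessExplicitAppUserModelID(string appID);
 #endregion shell32.dll
+
+#region Amsi.dll
+// Based on Meziantou's samples at <see href="https://www.meziantou.net/using-windows-antimalware-scan-interface-in-dotnet.htm"/>.
+[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+[DllImport("Amsi.dll", EntryPoint = "AmsiInitialize", CallingConvention = CallingConvention.StdCall)]
+internal static extern int AmsiInitialize([MarshalAs(UnmanagedType.LPWStr)] string appName, out AmsiContextSafeHandle amsiContext);
+
+[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+[DllImport("Amsi.dll", EntryPoint = "AmsiUninitialize", CallingConvention = CallingConvention.StdCall)]
+internal static extern void AmsiUninitialize(IntPtr amsiContext);
+
+[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+[DllImport("Amsi.dll", EntryPoint = "AmsiOpenSession", CallingConvention = CallingConvention.StdCall)]
+internal static extern int AmsiOpenSession(AmsiContextSafeHandle amsiContext, out AmsiSessionSafeHandle session);
+
+[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+[DllImport("Amsi.dll", EntryPoint = "AmsiCloseSession", CallingConvention = CallingConvention.StdCall)]
+internal static extern void AmsiCloseSession(AmsiContextSafeHandle amsiContext, IntPtr session);
+
+[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+[DllImport("Amsi.dll", EntryPoint = "AmsiScanString", CallingConvention = CallingConvention.StdCall)]
+internal static extern int AmsiScanString(AmsiContextSafeHandle amsiContext, [In, MarshalAs(UnmanagedType.LPWStr)] string payload, [In, MarshalAs(UnmanagedType.LPWStr)] string contentName, AmsiSessionSafeHandle session, out AmsiResult result);
+
+[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+[DllImport("Amsi.dll", EntryPoint = "AmsiScanBuffer", CallingConvention = CallingConvention.StdCall)]
+internal static extern int AmsiScanBuffer(AmsiContextSafeHandle amsiContext, byte[] buffer, uint length, string contentName, AmsiSessionSafeHandle session, out AmsiResult result);
+#endregion Amsi.dll
 }
 }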
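Review bot: `AmsiScanBuffer`, the last import in the new `Amsi.dll` region, marshals `contentName` as an ANSI string, because its `DllImport` sets no `CharSet` and the parameter carries no `MarshalAs`, whereas the native function takes an `LPCWSTR` and the sibling `AmsiScanString` declaration just above explicitly marshals the same argument as `UnmanagedType.LPWStr`; the content name handed to the AV provider would be mis-decoded. Change the parameter to `[MarshalAs(UnmanagedType.LPWStr)] string contentName` so the two scan entry points agree. After this commit `AmsiScanBuffer` appears to have no caller (the `byte[]` overload of `IsMalware` is removed in `AmsiSession.cs`), so either fix the declaration or drop it rather than keep a mismarshalled stub. The body of `NativeMethods` between the two hunks is outside this view; the region comment could also note that every import pins `DllImportSearchPath.System32`, which is what stops `Amsi.dll` from being resolved from the application directory.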

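--- a/src/ClipboardMonitor/PasteGuard.cs
+++ b/src/ClipboardMonitor/PasteGuard.cs
@@ -10,7 +10,7 @@ namespace ClipboardMonitor.PasteGuard
 internal static class PasteGuard
 {
 private const int LAST_N_SECONDS = 30;
-private static readonly Helpers.NativeMethods.WinEventDelegate _winEventProc = WinEventCallback;
+private static readonly NativeMethods.WinEventDelegate _winEventProc = WinEventCallback;
 private static readonly TimeSpan Window = TimeSpan.FromSeconds(LAST_N_SECONDS);
 
 private static IntPtr _lastRunDialog = IntPtr.Zero;
@@ -26,8 +26,8 @@ public static void Install()
 {
 if (_winEventHookForeground == IntPtr.Zero)
 {
-_winEventHookForeground = Helpers.NativeMethods.SetWinEventHook(Helpers.NativeMethods.EVENT_SYSTEM_FOREGROUND, Helpers.NativeMethods.EVENT_SYSTEM_FOREGROUND,
-IntPtr.Zero, _winEventProc, 0, 0, Helpers.NativeMethods.WINEVENT_OUTOFCONTEXT);
+_winEventHookForeground = NativeMethods.SetWinEventHook(NativeMethods.EVENT_SYSTEM_FOREGROUND, NativeMethods.EVENT_SYSTEM_FOREGROUND,
+IntPtr.Zero, _winEventProc, 0, 0, NativeMethods.WINEVENT_OUTOFCONTEXT);
 }
 }
 
@@ -38,7 +38,7 @@ public static void Remove()
 {
 if (_winEventHookForeground != IntPtr.Zero)
 {
-Helpers.NativeMethods.UnhookWinEvent(_winEventHookForeground);
+NativeMethods.UnhookWinEvent(_winEventHookForeground);
 _winEventHookForeground = IntPtr.Zero;
 }
 }
@@ -54,7 +54,7 @@ public static void SetSuspiciousActivityContent(ProcessSummary processSummary, s
 private static string GetClassName(IntPtr hWnd)
 {
 var sb = new StringBuilder(256);
-Helpers.NativeMethods.GetClassName(hWnd, sb, sb.Capacity);
+NativeMethods.GetClassName(hWnd, sb, sb.Capacity);
 return sb.ToString();
 }
 
@@ -80,7 +80,7 @@ private static void WinEventCallback(
 var cls = GetClassName(hwnd);
 if (cls == "#32770")
 {
-Helpers.NativeMethods.GetWindowThreadProcessId(hwnd, out var pid);
+NativeMethods.GetWindowThreadProcessId(hwnd, out var pid);
 try
 {
 using (var proc = Process.GetProcessById((int)pid))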
