From 65cce9b39348ee37bcfca680e40ace10b11b4fd7 Mon Sep 17 00:00:00 2001 From: Olorunfemi-Ojo Tomiwa Date: Mon, 10 Oct 2022 21:06:00 +0100 Subject: [PATCH] updated docs in some files and readme --- README.md | 6 +++--- example.py | 5 ----- src/pyamsi/Amsi.py | 3 ++- src/scanner.c | 26 +++++++++++++++++++------- 4 files changed, 24 insertions(+), 16 deletions(-) delete mode 100644 example.py diff --git a/README.md b/README.md index 4542861..f07cd60 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,12 @@ # py-amsi py-amsi is a library that scans strings or files for malware using the Windows -Antimalware Scan Interface (AMSI). AMSI is an interface native to Windows +Antimalware Scan Interface (AMSI) API. AMSI is an interface native to Windows that allows applications to ask the antivirus installed on the system to analyse a file/string. AMSI is not tied to Windows Defender. Antivirus providers implement the AMSI interface to receive calls from applications. -This library takes advantage of the interface to make antivirus scans -in python. +This library takes advantage of the API to make antivirus scans in python. +Read more about the Windows AMSI API [here](https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal). ## Installation - Via pip diff --git a/example.py b/example.py deleted file mode 100644 index fe5393f..0000000 --- a/example.py +++ /dev/null @@ -1,5 +0,0 @@ -import amsi - -a = amsi.scan_file("C:\\Users\ENVY 15\\Desktop\\Postman.lnk", True) -print(a) -print(amsi.__doc__) \ No newline at end of file diff --git a/src/pyamsi/Amsi.py b/src/pyamsi/Amsi.py index 00e91fc..43d0632 100644 --- a/src/pyamsi/Amsi.py +++ b/src/pyamsi/Amsi.py @@ -4,8 +4,9 @@ Name: py-amsi (v1.0) Description: Scan strings and files using the windows antimalware interface Author: Olorunfemi-Ojo Tomiwa +URL: https://github.com/Tomiwa-Ot/py-amsi License: MIT -© Copyright 2022 +Copyright (c) @Tomiwa-Ot 2022 """ import os 
diff --git a/src/scanner.c b/src/scanner.c index a8413b8..391397d 100644 --- a/src/scanner.c +++ b/src/scanner.c @@ -1,19 +1,28 @@ +/** + * Implementation of Windows AMSI API as a shared library(DLL) + * + * Author: Olorunfemi-Ojo Tomiwa + * URL: https://github.com/Tomiwa-Ot + * AMSI Docs: https://learn.microsoft.com/en-us/windows/win32/api/amsi + * + * Compile commands: + * ----------------- + * gcc -c -fPIC scanner.c -o scanner.o + * gcc --whole-file -shared -Wl,-soname,scanner.dll -o amsiscanner.dll scanner.o C:\Windows\System32\amsi.dll + * + */ + #include #include "amsi.h" #pragma comment(lib, "amsi.lib") -// Compile commands: -// ----------------- -// gcc -c -fPIC scanner.c -o scanner.o -// gcc --whole-file -shared -Wl,-soname,scanner.dll -o amsiscanner.dll scanner.o C:\Windows\System32\amsi.dll HAMSICONTEXT amsiContext; HAMSISESSION amsiSession; AMSI_RESULT result; HRESULT hr; -// IAntimalwareProvider iap; - +// Initialise the AMSI API void initialize(int debug) { hr = AmsiInitialize(L"py-amsi", &amsiContext); @@ -27,6 +36,7 @@ void initialize(int debug) } } +// Opens a session within which scan requests can be correlated void openSession(int debug) { hr = AmsiOpenSession(amsiContext, &amsiSession); @@ -39,13 +49,14 @@ void openSession(int debug) } } - +// Close and remove the instance of the AMSI API opened void terminate() { AmsiCloseSession(amsiContext, amsiSession); AmsiUninitialize(amsiContext); } +// Scan string for malware int scanString(LPCWSTR text, LPCWSTR name, int debug) { @@ -103,6 +114,7 @@ int scanString(LPCWSTR text, LPCWSTR name, int debug) return returnCode; } +// Scan file for malware int scanBytes(BYTE* payload, ULONG payloadSize, LPCWSTR name, int debug) { int returnCode;
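Review bot: The build instructions moved into the new header comment carry a flag that looks wrong: `gcc --whole-file` is not a gcc option as far as I can tell (`-Wl,--whole-archive` may have been intended), and `-Wl,-soname,scanner.dll` names a different library than the `amsiscanner.dll` output, so the line should be verified to actually build before it becomes the documented procedure. The header also says nothing about the four file-scope globals (`amsiContext`, `amsiSession`, `result`, `hr`) that every entry point shares with no synchronization visible in this hunk, which matters for a library driven from Python where multiple threads could call in; I would add `// NOTE: AMSI state is process-global; concurrent calls from several threads share one context/session` above the declarations. The body of initialize() continues outside the hunk.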
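Review bot: terminate() leaves stale handles behind: after `AmsiUninitialize(amsiContext)` the globals `amsiContext` and `amsiSession` still hold the released values, so a second terminate() or a scan call issued afterwards would hand invalidated handles back to amsi.dll. I would reset them after the calls, `amsiContext = NULL; amsiSession = NULL;`, and skip both AMSI calls when `amsiContext` is already NULL. The new comment could state the contract too: `// Close the session and release the AMSI context; no scan is valid until initialize() and openSession() run again`.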
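Review bot: The added `// Scan string for malware` comment does not tell a caller what scanString returns or what `name` and `debug` do, and the `int` return (`returnCode`, visible at the end of the following hunk) is the only way the Python side learns the verdict. I would expand it to cover the parameters and the return codes, e.g. `// Scan text with AMSI; name presumably labels the content for the AV engine (confirm against the AmsiScanBuffer call), debug enables diagnostic output; returns an int status code`, filling in the actual code values from the body. scanString's body lies outside this hunk.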
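Review bot: The new `// Scan file for malware` comment on scanBytes is misleading: the function takes `BYTE* payload` and `ULONG payloadSize`, i.e. an in-memory buffer, and nothing in the signature reads a file. I would write `// Scan an in-memory buffer (payloadSize bytes at payload) for malware; the caller is responsible for reading the file and for payloadSize matching the buffer`, since the length is trusted as passed in from Python. The body of scanBytes continues outside the hunk.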