microsoft/windows-rs

GetAttribute function from IAmsiStream returns ERROR_INVALID_PARAMETERS with certain AMSI_ATTRIBUTE values

Closed this issue · 2 comments

Summary

The GetAttribute function returns ERROR_INVALID_PARAMETERS with the following AMSI_ATTRIBUTE values:

  • AMSI_ATTRIBUTE_CONTENT_SIZE
  • AMSI_ATTRIBUTE_SESSION
  • AMSI_ATTRIBUTE_CONTENT_ADDRESS

windows crate version: 0.58

Here is my implementation of the Scan function of my AMSI provider.

```rust
impl IAntimalwareProvider_Impl for MyProvider_Impl {
    fn Scan(&self, stream: Option<&IAmsiStream>) -> Result<AMSI_RESULT> {
        if stream.is_none() {
            return Ok(AMSI_RESULT_NOT_DETECTED);
        }
        let stream = stream.unwrap();

        let app_name = get_string_attribute(stream, AMSI_ATTRIBUTE_APP_NAME);
        let content_name = get_string_attribute(stream, AMSI_ATTRIBUTE_CONTENT_NAME);
        let content_size = get_u64_attribute(stream, AMSI_ATTRIBUTE_CONTENT_SIZE);
        let session = get_u64_attribute(stream, AMSI_ATTRIBUTE_SESSION);

        // I know it's an LPVOID result, but I am just retrieving the GetAttribute data from a Vec<u8> buffer for the moment
        let address = get_u64_attribute(stream, AMSI_ATTRIBUTE_CONTENT_ADDRESS);

        ...
    }
}
```

And here is the result from a log file when I register my customamsi.dll COM server and run a command in PowerShell that calls the Scan function:

```text
App Name :PowerShell_C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe_10.0.22621.4163
Content Name :C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1
Content Size : ERROR :The parameter is incorrect.-0x80070057
session :  ERROR :The parameter is incorrect.-0x80070057
address :  ERROR :The parameter is incorrect.-0x80070057
```

Both get_*_attribute functions start with:

```rust
pub fn get_{...}_attribute(stream: &IAmsiStream, attribute: AMSI_ATTRIBUTE) -> String {
    let mut alloc_size: u32 = 0;
    let mut buffer: Vec<u8> = vec![];

    // First call to GetAttribute to get the required size
    let _res = match unsafe { stream.GetAttribute(attribute, &mut buffer, &mut alloc_size) } {
        Ok(_) => {}
        Err(hr) => {
            // ... Error handling logic to reallocate if ERROR_INSUFFICIENT_BUFFER or exit if invalid parameters ...
        }
    };
    ...
}
```

The IAmsiStream::GetAttribute method does not consistently use variable-sized return buffers. For example, the AMSI_ATTRIBUTE_CONTENT_SIZE attribute returns a ULONGLONG (u64) value, which requires the dataSize parameter to be set to 8. Therefore, make sure to resize the buffer to the appropriate size before making the call.

Closing this for now, but feel free to keep the discussion going.
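To make the sizing rule from the reply above concrete, here is an added example that is not part of windows-rs or the issue author's provider. It defines a constructed stand-in for IAmsiStream::GetAttribute (the `AttributeSource` trait and `SampleStream` are assumptions, not the crate's API) whose modelled behaviour follows what the page shows: fixed-size attributes such as AMSI_ATTRIBUTE_CONTENT_SIZE reject a buffer smaller than their 8-byte value with E_INVALIDARG (0x80070057), while string attributes report the needed size and return E_NOT_SUFFICIENT_BUFFER. `probe_with_empty_buffer` reproduces the failing pattern from the issue (an empty `Vec<u8>` on the first call), and `read_attribute` shows the corrected caller that sizes the buffer per attribute before calling, using the query-then-read loop only for strings.

```rust
// Added example (not windows-rs code): models the buffer-sizing rule for GetAttribute.

/// Subset of AMSI_ATTRIBUTE values discussed in the issue.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum AmsiAttribute { AppName, ContentName, ContentSize, Session, ContentAddress }

/// Decoded attribute value: LPWSTR text, ULONGLONG, or an LPVOID address.
#[derive(Debug, PartialEq)]
pub enum AttributeValue { Text(String), U64(u64), Pointer(usize) }

/// E_INVALIDARG is the 0x80070057 seen in the issue's log;
/// E_NOT_SUFFICIENT_BUFFER is HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER).
pub const E_INVALIDARG: i32 = 0x8007_0057_u32 as i32;
pub const E_NOT_SUFFICIENT_BUFFER: i32 = 0x8007_007A_u32 as i32;

/// Constructed stand-in for the COM method (assumed behaviour, not real amsi.dll):
/// fixed-size attributes reject a buffer smaller than the value with E_INVALIDARG;
/// string attributes report the required size and fail with E_NOT_SUFFICIENT_BUFFER.
pub trait AttributeSource {
    fn get_attribute(&self, attr: AmsiAttribute, buf: &mut [u8], ret_size: &mut u32) -> Result<(), i32>;
}

/// Sample stream holding constructed values.
pub struct SampleStream { pub app_name: String, pub content_name: String, pub content: Vec<u8>, pub session: u64 }

impl AttributeSource for SampleStream {
    fn get_attribute(&self, attr: AmsiAttribute, buf: &mut [u8], ret_size: &mut u32) -> Result<(), i32> {
        use AmsiAttribute::*;
        match attr {
            AppName | ContentName => {
                let s = if attr == AppName { &self.app_name } else { &self.content_name };
                // LPWSTR attributes come back as null-terminated UTF-16LE.
                let wide: Vec<u8> = s.encode_utf16().chain(std::iter::once(0)).flat_map(u16::to_le_bytes).collect();
                *ret_size = wide.len() as u32;
                if buf.len() < wide.len() { return Err(E_NOT_SUFFICIENT_BUFFER); }
                buf[..wide.len()].copy_from_slice(&wide);
                Ok(())
            }
            ContentSize | Session => {
                // ULONGLONG: the caller must hand in at least 8 bytes up front.
                if buf.len() < 8 { return Err(E_INVALIDARG); }
                let v = if attr == ContentSize { self.content.len() as u64 } else { self.session };
                buf[..8].copy_from_slice(&v.to_le_bytes());
                *ret_size = 8;
                Ok(())
            }
            ContentAddress => {
                // LPVOID: pointer-sized, not a u64 on every target.
                let n = std::mem::size_of::<usize>();
                if buf.len() < n { return Err(E_INVALIDARG); }
                buf[..n].copy_from_slice(&(self.content.as_ptr() as usize).to_ne_bytes());
                *ret_size = n as u32;
                Ok(())
            }
        }
    }
}

/// Reproduces the issue's failing pattern: an empty Vec<u8> on the first call.
pub fn probe_with_empty_buffer<S: AttributeSource>(stream: &S, attr: AmsiAttribute) -> Result<(), i32> {
    let mut buf: Vec<u8> = Vec::new();
    let mut ret_size = 0u32;
    stream.get_attribute(attr, &mut buf, &mut ret_size)
}

/// Corrected reader: fixed-size attributes get a correctly sized buffer before the
/// first call; only string attributes use the size-query-then-read pattern.
pub fn read_attribute<S: AttributeSource>(stream: &S, attr: AmsiAttribute) -> Result<AttributeValue, i32> {
    use AmsiAttribute::*;
    let mut ret_size = 0u32;
    match attr {
        ContentSize | Session => {
            let mut buf = [0u8; 8];
            stream.get_attribute(attr, &mut buf, &mut ret_size)?;
            Ok(AttributeValue::U64(u64::from_le_bytes(buf)))
        }
        ContentAddress => {
            let mut buf = [0u8; std::mem::size_of::<usize>()];
            stream.get_attribute(attr, &mut buf, &mut ret_size)?;
            Ok(AttributeValue::Pointer(usize::from_ne_bytes(buf)))
        }
        AppName | ContentName => {
            let mut buf: Vec<u8> = Vec::new();
            if let Err(hr) = stream.get_attribute(attr, &mut buf, &mut ret_size) {
                if hr != E_NOT_SUFFICIENT_BUFFER { return Err(hr); }
                buf.resize(ret_size as usize, 0);
                stream.get_attribute(attr, &mut buf, &mut ret_size)?;
            }
            let units: Vec<u16> = buf[..ret_size as usize].chunks_exact(2).map(|c| u16::from_le_bytes([c[0], c[1]])).collect();
            let end = units.iter().position(|&u| u == 0).unwrap_or(units.len());
            Ok(AttributeValue::Text(String::from_utf16_lossy(&units[..end])))
        }
    }
}

fn main() {
    use AmsiAttribute::*;
    let stream = SampleStream { app_name: "PowerShell_sample".into(), content_name: "C:\\sample\\script.ps1".into(), content: b"Write-Host 'hi'".to_vec(), session: 7 };
    for attr in [AppName, ContentName, ContentSize, Session, ContentAddress] {
        println!("{:?}: empty buffer -> {:?}, sized -> {:?}", attr, probe_with_empty_buffer(&stream, attr), read_attribute(&stream, attr));
    }
}
```

Against the real crate, the same shape applies: pass `&mut [0u8; 8]` (or a `Vec` resized to 8) for the ULONGLONG attributes and a pointer-sized buffer for AMSI_ATTRIBUTE_CONTENT_ADDRESS, and reserve the grow-on-ERROR_INSUFFICIENT_BUFFER loop for the string attributes.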

Thank you very much!