I want to associate scan requests related to a particular script. As we receive several script blocks during the execution of a script, we need to associate them.
I have implemented an "IAntimalwareProvider" COM component. I receive an "IAmsiStream" as the input to the "scan" method, which itself has a "GetAttribute" method.
Now I want to call the method to get the "AMSI_ATTRIBUTE_SESSION" attribute. It's not clear to me how to call this method to get the info. Usually the system provides a unique identifier to associate calls, but from the explanation on the following page it seems like we have to return a value...!
I receive 0x80070057 (E_INVALIDARG) when calling the method for "AMSI_ATTRIBUTE_SESSION".
Note: I don't have a problem calling IAmsiStream::GetAttribute to retrieve info about other attributes. The problem is specifically related to "AMSI_ATTRIBUTE_SESSION".
https://msdn.microsoft.com/en-us/library/windows/desktop/dn889590(v=vs.85).aspx
HRESULT hRes = stream->GetAttribute(attribute, 0, NULL, &readSize);
if (hRes != S_OK)
{
    itoa(hRes, (char *)buffer, 0x10);
    MessageBoxA(NULL, (LPCSTR)buffer, "HRESULT", MB_OK);
    // The output is 0x80070057 always
    memset(buffer, 0, 0x10);
    itoa(readSize, (char *)buffer, 0x10);
    MessageBoxA(NULL, (LPCSTR)buffer, "ReadSize", MB_OK);
    // The output is 0 always
}
User contributions licensed under CC BY-SA 3.0
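Added example, not part of the original post: one way a provider can read the session attribute and use it to group the script blocks of one script. It assumes the attribute is a fixed-size 64-bit value that has to be read into a caller-supplied buffer of exactly that size (so a size-0 query with a NULL buffer fails), and that a zero value means the content is self-contained; the `amsi.h` stand-ins, `SessionTracker` and `FakeStream` are constructed here so the block builds without the Windows SDK.

```cpp
// Stand-ins for the few <amsi.h> declarations used (constructed so this builds anywhere).
// In a real provider, include <windows.h> and <amsi.h> and delete this section.
#include <cstdint>
#include <cstring>
#include <map>
typedef int32_t HRESULT;
typedef uint32_t ULONG;
typedef unsigned char* PBYTE;
const HRESULT S_OK = 0;
const HRESULT E_INVALIDARG = (HRESULT)0x80070057;
enum AMSI_ATTRIBUTE { AMSI_ATTRIBUTE_SESSION = 4 };
struct IAmsiStream {  // only the method used here
    virtual HRESULT GetAttribute(AMSI_ATTRIBUTE a, ULONG size, PBYTE data, ULONG* ret) = 0;
};

// Read a fixed-size attribute into a caller-supplied buffer of exactly sizeof(T).
template <typename T>
bool GetFixedSizeAttribute(IAmsiStream* stream, AMSI_ATTRIBUTE attr, T* out) {
    ULONG actual = 0;
    HRESULT hr = stream->GetAttribute(attr, sizeof(T), reinterpret_cast<PBYTE>(out), &actual);
    return hr == S_OK && actual == sizeof(T);
}

// Hypothetical correlator: counts the scan requests seen for each session value.
struct SessionTracker {
    std::map<uint64_t, unsigned> blocks;
    unsigned OnScan(IAmsiStream* stream) {  // returns the block count; 0 = no session
        uint64_t session = 0;
        if (!GetFixedSizeAttribute(stream, AMSI_ATTRIBUTE_SESSION, &session) || session == 0)
            return 0;  // self-contained content: nothing to correlate
        return ++blocks[session];
    }
};

// Constructed test double: rejects a size-0 / NULL-buffer query, as the post observed.
struct FakeStream : IAmsiStream {
    uint64_t session;
    explicit FakeStream(uint64_t s) : session(s) {}
    HRESULT GetAttribute(AMSI_ATTRIBUTE a, ULONG size, PBYTE data, ULONG* ret) override {
        *ret = 0;
        if (a != AMSI_ATTRIBUTE_SESSION || size < sizeof(session) || !data) return E_INVALIDARG;
        std::memcpy(data, &session, sizeof(session));
        *ret = sizeof(session);
        return S_OK;
    }
};

int main() {
    FakeStream s(0x1111); SessionTracker t;
    return (t.OnScan(&s) == 1 && t.OnScan(&s) == 2) ? 0 : 1;
}
```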