xenomuta/amsi-eicar.py

## amsi-eicar.py
# Python Port of https://gist.github.com/richinseattle/1cafd9368890ecf3d8e1dbbc18f2fe38

from ctypes import HRESULT, windll, POINTER, byref
from ctypes.wintypes import HANDLE, LPCWSTR, UINT, LPCSTR
from enum import IntEnum
from comtypes.hresult import S_OK

class AMSI_RESULT(IntEnum):
    AMSI_RESULT_CLEAN = 0,
    AMSI_RESULT_NOT_DETECTED = 1
    AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
    AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
    AMSI_RESULT_DETECTED = 32768

def eicar_test():
    hres = HRESULT(0)
    amsi_ctx = HANDLE(0)

    AmsiInitialize = windll.amsi.AmsiInitialize
    AmsiInitialize.argtypes = [LPCWSTR, POINTER(HANDLE)]
    AmsiInitialize.restype = HRESULT
    hres = AmsiInitialize("rich-amsi-test", byref(amsi_ctx))
    # print(f"hres: {hres}")
    if hres != S_OK:
        print(f"AmsiInitialize error: {hres}")
        return

    EICAR = b'\x58\x35\x4F\x21\x50\x25\x40\x41\x50\x5B\x34\x5C\x50\x5A\x58\x35\x34\x28\x50\x5E\x29\x37\x43\x43\x29\x37\x7D\x24\x45\x49\x43\x41\x52\x2D\x53\x54\x41\x4E\x44\x41\x52\x44\x2D\x41\x4E\x54\x49\x56\x49\x52\x55\x53\x2D\x54\x45\x53\x54\x2D\x46\x49\x4C\x45\x21\x24\x48\x2B\x48\x2A'
    amsi_res = UINT()

    AmsiScanBuffer = windll.amsi.AmsiScanBuffer
    AmsiScanBuffer.argtypes = [HANDLE, LPCSTR, UINT, LPCWSTR, UINT, POINTER(UINT)]
    AmsiScanBuffer.restype = HRESULT
    hres = AmsiScanBuffer(amsi_ctx, EICAR, 68, "EICAR", 0, byref(amsi_res))
    # print(f"hres: {hres}")
    if hres != S_OK:
        print(f"AmsiScan error: {hres}")
        return
    # print(f"amsi_res: {amsi_res.value}")
    AmsiUninitialize = windll.amsi.AmsiUninitialize
    AmsiUninitialize.argtypes = [HANDLE]
    AmsiUninitialize(amsi_ctx)
    if amsi_res.value in [AMSI_RESULT.AMSI_RESULT_BLOCKED_BY_ADMIN_END, AMSI_RESULT.AMSI_RESULT_BLOCKED_BY_ADMIN_START, AMSI_RESULT.AMSI_RESULT_DETECTED]:
        print("SUCCESS: EICAR detected")
    else:
        print("ERROR: did not detect EICAR")

def main():
    eicar_test()

if __name__ == "__main__":
    main()
	# Python Port of https://gist.github.com/richinseattle/1cafd9368890ecf3d8e1dbbc18f2fe38

	from ctypes import HRESULT, windll, POINTER, byref
	from ctypes.wintypes import HANDLE, LPCWSTR, UINT, LPCSTR
	from enum import IntEnum
	from comtypes.hresult import S_OK

	class AMSI_RESULT(IntEnum):
	AMSI_RESULT_CLEAN = 0,
	AMSI_RESULT_NOT_DETECTED = 1
	AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
	AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
	AMSI_RESULT_DETECTED = 32768

	def eicar_test():
	hres = HRESULT(0)
	amsi_ctx = HANDLE(0)

	AmsiInitialize = windll.amsi.AmsiInitialize
	AmsiInitialize.argtypes = [LPCWSTR, POINTER(HANDLE)]
	AmsiInitialize.restype = HRESULT
	hres = AmsiInitialize("rich-amsi-test", byref(amsi_ctx))
	# print(f"hres: {hres}")
	if hres != S_OK:
	print(f"AmsiInitialize error: {hres}")
	return

	EICAR = b'\x58\x35\x4F\x21\x50\x25\x40\x41\x50\x5B\x34\x5C\x50\x5A\x58\x35\x34\x28\x50\x5E\x29\x37\x43\x43\x29\x37\x7D\x24\x45\x49\x43\x41\x52\x2D\x53\x54\x41\x4E\x44\x41\x52\x44\x2D\x41\x4E\x54\x49\x56\x49\x52\x55\x53\x2D\x54\x45\x53\x54\x2D\x46\x49\x4C\x45\x21\x24\x48\x2B\x48\x2A'
	amsi_res = UINT()

	AmsiScanBuffer = windll.amsi.AmsiScanBuffer
	AmsiScanBuffer.argtypes = [HANDLE, LPCSTR, UINT, LPCWSTR, UINT, POINTER(UINT)]
	AmsiScanBuffer.restype = HRESULT
	hres = AmsiScanBuffer(amsi_ctx, EICAR, 68, "EICAR", 0, byref(amsi_res))
	# print(f"hres: {hres}")
	if hres != S_OK:
	print(f"AmsiScan error: {hres}")
	return
	# print(f"amsi_res: {amsi_res.value}")
	AmsiUninitialize = windll.amsi.AmsiUninitialize
	AmsiUninitialize.argtypes = [HANDLE]
	AmsiUninitialize(amsi_ctx)
	if amsi_res.value in [AMSI_RESULT.AMSI_RESULT_BLOCKED_BY_ADMIN_END, AMSI_RESULT.AMSI_RESULT_BLOCKED_BY_ADMIN_START, AMSI_RESULT.AMSI_RESULT_DETECTED]:
	print("SUCCESS: EICAR detected")
	else:
	print("ERROR: did not detect EICAR")

	def main():
	eicar_test()

	if __name__ == "__main__":
	main()