amsi/AmsiResultIsMalware.ps1
function AmsiResultIsMalware {
<#
.SYNOPSIS

Determines if a previous AmsiScan detected malware, based on its AmsiResult.

Author: Ryan Cobb (@cobbr_io)
License: GNU GPLv3
Required Dependencies: PSReflect, AMSI_RESULT
Optional Dependencies: none

.DESCRIPTION

AmsiResultIsMalware takes the result from an AmsiScanString or AmsiScanBuffer scan and uses the AMSI_RESULT enum to determine if the scan detected malware.

.PARAMETER AMSIRESULT

The result from an AmsiScanString or AmsiScanBuffer call.

.OUTPUTS

Bool

.EXAMPLE

$AmsiResult = $AMSI_RESULT::AMSI_RESULT_NOT_DETECTED
AmsiScanString $Context $Content $ContentName $Session -result ([ref]$AmsiResult)
AmsiResultIsMalware -AMSIRESULT $AmsiResult

.NOTES

AmsiResultIsMalware is a part of PSAmsi, a tool for auditing and defeating AMSI signatures.
PSAmsi is located at https://github.com/cobbr/PSAmsi. Additional information can be found at https://cobbr.io.

#>
    Param (
        [Parameter(Position = 0, Mandatory)]
        # Accept only values AMSI_RESULT defines: CLEAN (0), NOT_DETECTED (1),
        # the BLOCKED_BY_ADMIN range (16384..20479), or DETECTED and above (>= 32768).
        [ValidateScript({($_ -in @(0,1)) -OR (($_ -ge 16384) -AND ($_ -le 20479)) -OR ($_ -ge 32768)})]
        [UInt32] $AMSIRESULT
    )

    # Anything other than CLEAN or NOT_DETECTED (i.e. BLOCKED_BY_ADMIN or DETECTED) is reported as malware.
    If (($AMSIRESULT -ne $AMSI_RESULT::AMSI_RESULT_CLEAN) -and ($AMSIRESULT -ne $AMSI_RESULT::AMSI_RESULT_NOT_DETECTED)) {
        $True
    } Else {
        $False
    }
}
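The following is an added, self-contained example and is not part of PSAmsi. It shows where the raw AMSI_RESULT values that AmsiResultIsMalware tests actually come from: it declares the AMSI_RESULT values from amsi.h, calls the real AMSI client API (AmsiInitialize / AmsiOpenSession / AmsiScanString / AmsiCloseSession / AmsiUninitialize) through P/Invoke, and interprets the result with the same CLEAN / NOT_DETECTED rule PSAmsi uses, next to the narrower rule of the AmsiResultIsMalware(r) macro in amsi.h, which only tests r >= AMSI_RESULT_DETECTED (so PSAmsi also counts the BLOCKED_BY_ADMIN range as malware). It assumes Windows 10 or later with amsi.dll and a registered provider such as Microsoft Defender; the function names Get-AmsiVerdict and Invoke-AmsiDemoScan, the AmsiDemo namespace and the sample inputs are this example's own.

```powershell
# Added example (not PSAmsi code). Assumes Windows 10+ with amsi.dll and a registered
# AMSI provider such as Defender. Function and type names here are the example's own.
Set-StrictMode -Version Latest

# AMSI_RESULT values as defined in amsi.h.
enum AmsiResultValue {
    Clean               = 0
    NotDetected         = 1
    BlockedByAdminStart = 16384   # 0x4000
    BlockedByAdminEnd   = 20479   # 0x4FFF
    Detected            = 32768   # 0x8000
}

# Minimal P/Invoke surface for the AMSI client API (signatures follow amsi.h).
Add-Type -Namespace AmsiDemo -Name Native -MemberDefinition @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr amsiContext);
[DllImport("amsi.dll")]
public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);
[DllImport("amsi.dll")]
public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanString(IntPtr amsiContext, string content, string contentName, IntPtr amsiSession, out uint result);
'@

function Get-AmsiVerdict {
    # Map a raw AMSI_RESULT to its category, keeping the BLOCKED_BY_ADMIN range
    # distinct from a provider DETECTED verdict (PSAmsi folds both into "malware").
    param([Parameter(Mandatory)][UInt32]$Result)
    switch ($Result) {
        { $_ -eq [uint32][AmsiResultValue]::Clean }       { 'Clean'; break }
        { $_ -eq [uint32][AmsiResultValue]::NotDetected } { 'NotDetected'; break }
        { $_ -ge [uint32][AmsiResultValue]::BlockedByAdminStart -and
          $_ -le [uint32][AmsiResultValue]::BlockedByAdminEnd } { 'BlockedByAdmin'; break }
        { $_ -ge [uint32][AmsiResultValue]::Detected }    { 'Detected'; break }
        default { 'Undefined' }   # gaps amsi.h does not define (2..16383, 20480..32767)
    }
}

function Invoke-AmsiDemoScan {
    # Scan one string through the local AMSI provider and report the verdict.
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$ContentName = 'AmsiDemo'
    )
    $ctx = [IntPtr]::Zero
    $session = [IntPtr]::Zero
    [uint32]$result = 0

    $hr = [AmsiDemo.Native]::AmsiInitialize('AmsiDemo', [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        $hr = [AmsiDemo.Native]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: 0x{0:X8}' -f $hr) }
        try {
            $hr = [AmsiDemo.Native]::AmsiScanString($ctx, $Content, $ContentName, $session, [ref]$result)
            if ($hr -ne 0) { throw ('AmsiScanString failed: 0x{0:X8}' -f $hr) }
        } finally {
            [AmsiDemo.Native]::AmsiCloseSession($ctx, $session)
        }
    } finally {
        [AmsiDemo.Native]::AmsiUninitialize($ctx)
    }

    [PSCustomObject]@{
        ContentName       = $ContentName
        Result            = $result
        Verdict           = Get-AmsiVerdict -Result $result
        # Same rule as PSAmsi's AmsiResultIsMalware: anything but CLEAN / NOT_DETECTED.
        IsMalware         = ($result -ne 0) -and ($result -ne 1)
        # Rule of the AmsiResultIsMalware(r) macro in amsi.h: only r >= AMSI_RESULT_DETECTED.
        IsMalwarePerAmsiH = ($result -ge [uint32][AmsiResultValue]::Detected)
    }
}

# Microsoft's documented AMSI test sample string, assembled at runtime so that this
# script file does not itself contain the literal and get flagged when it is loaded.
$testSample = 'AMSI Test Sample: ' + ('7e72c3ce', '861b', '4339', '8740', '0ac1484c1386' -join '-')

# Constructed sample inputs: a benign command and the test sample.
Invoke-AmsiDemoScan -Content 'Write-Output "benign"' -ContentName 'benign.ps1'
Invoke-AmsiDemoScan -Content $testSample -ContentName 'test-sample.ps1'
```

With a Defender-backed provider the benign string comes back as NOT_DETECTED (1) and the test sample as AMSI_RESULT_DETECTED or higher, so both IsMalware fields agree on those two inputs; they only diverge for a result in the BLOCKED_BY_ADMIN range, which PSAmsi reports as malware and the amsi.h macro does not. Because the scanning process is itself subject to AMSI, never paste a known-detected string literally into a script you intend to run.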