I am trying to implement an AMSI provider. The IAntimalwareProvider::Scan function receives an IAmsiStream *stream; via that stream we can get data (with type unsigned char) for scanning.
I sent some data from PowerShell, and after viewing the memory received in my AMSI provider I noticed that ASCII data occupies only 1 byte and the second is filled with '\0'.
So my question is:
- Does it reserve 2 bytes for 1 character in order to support Unicode, or is there another reason for that?
Could you please provide the steps and a sample to help us reproduce the issue? Are you referring to this sample or not?
I was using this sample: https://github.com/microsoft/Windows-classic-samples/tree/main/Samples/AmsiProvider. I captured the data in a dynamic array of char.
The IAntimalwareProvider interface sample is a dynamic library project. Could you please provide the steps to help us reproduce the issue?
Have you got any updates?
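Added example, not part of the thread or of the Microsoft sample: the pattern described in the question (an ASCII byte followed by '\0') is how UTF-16LE text looks in memory, and PowerShell strings are UTF-16. Assuming the bytes read from the IAmsiStream are UTF-16LE, a provider can decode them before matching; `utf16le_to_utf8` and `decode_sample` are hypothetical names.

```cpp
// Added example: assumes the scanned buffer holds UTF-16LE text (an assumption
// based on the byte pattern in the question, not taken from the sample code).
#include <cstddef>
#include <cstdint>
#include <string>
// Append one Unicode code point to out as UTF-8.
static void append_utf8(std::string& out, uint32_t cp) {
    if (cp < 0x80) {
        out += static_cast<char>(cp);
    } else if (cp < 0x800) {
        out += static_cast<char>(0xC0 | (cp >> 6));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    } else if (cp < 0x10000) {
        out += static_cast<char>(0xE0 | (cp >> 12));
        out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    } else {
        out += static_cast<char>(0xF0 | (cp >> 18));
        out += static_cast<char>(0x80 | ((cp >> 12) & 0x3F));
        out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    }
}
// Hypothetical helper: convert len bytes of UTF-16LE to UTF-8. Unpaired
// surrogates and a dangling odd byte become U+FFFD instead of being dropped.
std::string utf16le_to_utf8(const unsigned char* buf, std::size_t len) {
    std::string out;
    std::size_t i = 0;
    while (i + 1 < len) {
        uint32_t u = buf[i] | (static_cast<uint32_t>(buf[i + 1]) << 8);
        i += 2;
        if (u >= 0xD800 && u <= 0xDBFF && i + 1 < len) {  // high surrogate
            uint32_t lo = buf[i] | (static_cast<uint32_t>(buf[i + 1]) << 8);
            if (lo >= 0xDC00 && lo <= 0xDFFF) {           // valid pair
                u = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
                i += 2;
            }
        }
        if (u >= 0xD800 && u <= 0xDFFF) u = 0xFFFD;       // unpaired surrogate
        append_utf8(out, u);
    }
    if (i < len) append_utf8(out, 0xFFFD);                // odd trailing byte
    return out;
}
// Constructed sample: "Hi" as the question describes it, each char then '\0'.
std::string decode_sample() {
    const unsigned char sample[] = {'H', 0x00, 'i', 0x00};
    return utf16le_to_utf8(sample, sizeof sample);
}
```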