修复内存泄漏。并且优化代码格式

2025-04-20 21:00:38 +08:00
parent 13f5160ddc
commit 143a336c8b
11 changed files with 683 additions and 595 deletions
--- a/ai_anti_malware/sandbox_ldr.cpp
+++ b/ai_anti_malware/sandbox_ldr.cpp
@@ -0,0 +1,164 @@
+#include "sandbox.h"
+
+
+auto Sandbox::InitializeLdrData() -> void {
+    if (m_peInfo->isX64 && m_peb64.Ldr == 0) {
+        // ΪLDR_DATA<54><41><EFBFBD><EFBFBD><EFBFBD>ڴ<EFBFBD>
+        uint64_t ldrDataAddress = m_pebBase + sizeof(X64PEB);
+        m_pebEnd = ldrDataAddress + sizeof(X64_PEB_LDR_DATA);
+        m_peb64.Ldr = ldrDataAddress;
+
+        // ӳ<><D3B3>LDR<44><52><EFBFBD><EFBFBD><EFBFBD>ڴ<EFBFBD>
+        uc_mem_map(m_ucEngine, ldrDataAddress, sizeof(X64_PEB_LDR_DATA),
+            UC_PROT_ALL);
+
+        // <20><>ʼ<EFBFBD><CABC>LDR_DATA<54>ṹ
+        X64_PEB_LDR_DATA ldrData = { 0 };
+        ldrData.Length = sizeof(X64_PEB_LDR_DATA);
+        ldrData.Initialized = 1;
+
+        // <20><>ʼ<EFBFBD><CABC><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ - ʹ<><CAB9><EFBFBD>ʵ<EFBFBD><CAB5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ת<EFBFBD><D7AA>
+        LIST_ENTRY inLoadOrderList = {
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList)),
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList)) };
+        ldrData.InLoadOrderModuleList = inLoadOrderList;
+
+        LIST_ENTRY inMemoryOrderList = {
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList)),
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList)) };
+        ldrData.InMemoryOrderModuleList = inMemoryOrderList;
+
+        LIST_ENTRY inInitOrderList = {
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList)),
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList)) };
+        ldrData.InInitializationOrderModuleList = inInitOrderList;
+
+        uc_mem_write(m_ucEngine, ldrDataAddress, &ldrData,
+            sizeof(X64_PEB_LDR_DATA));
+
+        // <20><><EFBFBD><EFBFBD>PEB<45>е<EFBFBD>Ldrָ<72><D6B8>
+        uc_mem_write(m_ucEngine, m_pebBase, &m_peb64, sizeof(X64PEB));
+    }
+}
+
+auto Sandbox::CreateLdrEntry(const std::shared_ptr<struct_moudle>& module,
+    uint64_t entryAddress, uint64_t fullNameAddress,
+    uint64_t baseNameAddress) -> LDR_DATA_TABLE_ENTRY {
+    LDR_DATA_TABLE_ENTRY entry = { 0 };
+    entry.DllBase = reinterpret_cast<PVOID>(module->base);
+    entry.EntryPoint = reinterpret_cast<PVOID>(module->base + module->entry);
+    entry.SizeOfImages = static_cast<ULONG>(module->size);
+
+    // ׼<><D7BC>ģ<EFBFBD><C4A3><EFBFBD><EFBFBD><EFBFBD>Ƶ<EFBFBD>Unicode<64>ַ<EFBFBD><D6B7><EFBFBD>
+    wchar_t nameBuffer[MAX_PATH] = { 0 };
+    std::mbstowcs(nameBuffer, module->name, strlen(module->name));
+
+    // <20><><EFBFBD><EFBFBD>ȫ·<C8AB><C2B7>
+    entry.FullDllName.Length =
+        static_cast<USHORT>(wcslen(nameBuffer) * sizeof(wchar_t));
+    entry.FullDllName.MaximumLength = MAX_PATH * sizeof(wchar_t);
+    entry.FullDllName.Buffer = reinterpret_cast<PWSTR>(fullNameAddress);
+
+    // <20><><EFBFBD>û<EFBFBD><C3BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+    entry.BaseDllName.Length =
+        static_cast<USHORT>(wcslen(nameBuffer) * sizeof(wchar_t));
+    entry.BaseDllName.MaximumLength = MAX_PATH * sizeof(wchar_t);
+    entry.BaseDllName.Buffer = reinterpret_cast<PWSTR>(baseNameAddress);
+
+    // д<><D0B4>Unicode<64>ַ<EFBFBD><D6B7><EFBFBD>
+    uc_mem_write(m_ucEngine, fullNameAddress, nameBuffer,
+        (wcslen(nameBuffer) + 1) * sizeof(wchar_t));
+    uc_mem_write(m_ucEngine, baseNameAddress, nameBuffer,
+        (wcslen(nameBuffer) + 1) * sizeof(wchar_t));
+
+    return entry;
+}
+
+auto Sandbox::UpdateLdrLinks(const LDR_DATA_TABLE_ENTRY& entry,
+    uint64_t entryAddress, X64_PEB_LDR_DATA& ldrData)
+    -> void {
+    // <20><><EFBFBD><EFBFBD>LDR_DATA<54>е<EFBFBD><D0B5><EFBFBD><EFBFBD><EFBFBD>ͷ
+    ldrData.InLoadOrderModuleList.Flink = reinterpret_cast<LIST_ENTRY*>(
+        entryAddress + offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks));
+    ldrData.InMemoryOrderModuleList.Flink = reinterpret_cast<LIST_ENTRY*>(
+        entryAddress + offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
+    ldrData.InInitializationOrderModuleList.Flink =
+        reinterpret_cast<LIST_ENTRY*>(
+            entryAddress +
+            offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks));
+
+    // д<>ظ<EFBFBD><D8B8>º<EFBFBD><C2BA><EFBFBD>LDR_DATA
+    uc_mem_write(m_ucEngine, m_peb64.Ldr, &ldrData, sizeof(X64_PEB_LDR_DATA));
+}
+
+auto Sandbox::AddModuleToLdr(const std::shared_ptr<struct_moudle>& module)
+-> void {
+    if (!m_peInfo->isX64) {
+        return;  // <20><>ʱֻ<CAB1><D6BB><EFBFBD><EFBFBD>64λ
+    }
+
+    if (m_peb64.Ldr == 0) {
+        InitializeLdrData();
+    }
+
+    // Ϊģ<CEAA>鴴<EFBFBD><E9B4B4>LDR_DATA_TABLE_ENTRY
+    uint64_t entrySize = sizeof(LDR_DATA_TABLE_ENTRY) +
+        MAX_PATH * 2;  // <20><><EFBFBD><EFBFBD><EFBFBD>ռ<EFBFBD><D5BC><EFBFBD><EFBFBD><EFBFBD>Unicode<64>ַ<EFBFBD><D6B7><EFBFBD>
+    uint64_t entryAddress = m_pebEnd;
+    m_pebEnd += entrySize;
+
+    // ӳ<><D3B3><EFBFBD>ڴ<EFBFBD>
+    uc_mem_map(m_ucEngine, entryAddress, entrySize, UC_PROT_ALL);
+
+    // <20><><EFBFBD><EFBFBD>Unicode<64>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD>ַ
+    uint64_t fullNameAddress = entryAddress + sizeof(LDR_DATA_TABLE_ENTRY);
+    uint64_t baseNameAddress = fullNameAddress + MAX_PATH;
+
+    // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʼ<EFBFBD><CABC>LDR_DATA_TABLE_ENTRY
+    auto entry =
+        CreateLdrEntry(module, entryAddress, fullNameAddress, baseNameAddress);
+
+    // <20><>PEB<45><42>ȡ<EFBFBD><C8A1>ǰLDR_DATA<54>ṹ
+    X64_PEB_LDR_DATA ldrData;
+    uc_mem_read(m_ucEngine, m_peb64.Ldr, &ldrData, sizeof(X64_PEB_LDR_DATA));
+
+    // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ָ<EFBFBD><D6B8>
+    entry.InLoadOrderLinks.Flink = reinterpret_cast<LIST_ENTRY*>(
+        reinterpret_cast<uintptr_t>(ldrData.InLoadOrderModuleList.Flink));
+    entry.InLoadOrderLinks.Blink = reinterpret_cast<LIST_ENTRY*>(
+        m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList));
+
+    entry.InMemoryOrderLinks.Flink = reinterpret_cast<LIST_ENTRY*>(
+        reinterpret_cast<uintptr_t>(ldrData.InMemoryOrderModuleList.Flink));
+    entry.InMemoryOrderLinks.Blink = reinterpret_cast<LIST_ENTRY*>(
+        m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList));
+
+    entry.InInitializationOrderLinks.Flink =
+        reinterpret_cast<LIST_ENTRY*>(reinterpret_cast<uintptr_t>(
+            ldrData.InInitializationOrderModuleList.Flink));
+    entry.InInitializationOrderLinks.Blink = reinterpret_cast<LIST_ENTRY*>(
+        m_peb64.Ldr +
+        offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList));
+
+    // д<><D0B4>LDR_DATA_TABLE_ENTRY<52>ṹ
+    uc_mem_write(m_ucEngine, entryAddress, &entry,
+        sizeof(LDR_DATA_TABLE_ENTRY));
+
+    // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+    UpdateLdrLinks(entry, entryAddress, ldrData);
+
+    printf("Added module '%s' to LDR data tables at 0x%llx\n", module->name,
+        entryAddress);
+}