This commit is contained in:
Huoji's
2025-03-20 02:18:00 +08:00
parent 07d66baf36
commit 3a6e331f31
7 changed files with 66 additions and 32 deletions


@@ -19,6 +19,7 @@
#define HEAP_ADDRESS_32 0x5000000
#define HEAP_SIZE_32 0x5000000
#define ENV_BLOCK_BASE 0x50000
#define DLL_MODULE_BASE 0x130000
#define PEB_BASE 0x90000
#define TEB_BASE 0x90000
@@ -96,7 +97,6 @@ class Sandbox {
~Sandbox();
std::map<uint64_t, size_t>
process_enum_state; // 用于跟踪每个句柄的枚举状态
// Public methods
auto InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void;
auto Run(uint64_t address = 0) -> void;
@@ -107,7 +107,7 @@ class Sandbox {
return m_moduleList;
}
auto EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip,
std::string ApiName) -> void;
std::string ApiName) -> bool;
auto GetPeb32() -> X32PEB* { return &m_peb32; }
auto GetPeb64() -> X64PEB* { return &m_peb64; }
auto GetTeb32() -> X32TEB* { return &m_teb32; }
@@ -232,9 +232,20 @@ class Sandbox {
m_nextWfpEngineHandle = (HANDLE)((uint64_t)m_nextWfpEngineHandle + 1);
return handle;
}
auto GetImpFuncDict() -> std::vector<std::shared_ptr<moudle_import>> {
return m_impFuncDict;
}
auto GetLastImpRead() -> std::pair<uint64_t, std::shared_ptr<moudle_import>> {
return m_lastImpRead;
}
auto SetLastImpRead(uint64_t address, std::shared_ptr<moudle_import> imp) -> void {
m_lastImpRead = { address, imp };
}
private:
std::shared_ptr<BasicPeInfo> m_peInfo;
std::pair<uint64_t, std::shared_ptr<moudle_import>> m_lastImpRead;
uint64_t m_usedModuleBase;
uint64_t m_gsBase;
uint64_t m_pebBase;
uint64_t m_pebEnd;
@@ -289,7 +300,7 @@ class Sandbox {
L"windir=C:\\Windows"};
auto ResoveImport() -> void;
auto ResolveImportExports() -> void;
auto CreateModuleInfo(const char* dllName, uint64_t moduleBase,
auto CreateModuleInfo(const char* dllName, uint64_t moduleBase, uint64_t realModuleBase,
uint64_t bufferAddress)
-> std::shared_ptr<struct_moudle>;
auto ResolveExport(uint64_t moduleBase)
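Review bot: In the `@@ -232,9 +232,20 @@` hunk, `GetImpFuncDict()` returns `m_impFuncDict` by value, so every call copies the whole vector and takes a refcount on each `moudle_import`, and `SetLastImpRead` copies its `shared_ptr` argument into the member instead of moving it. Returning by const reference and moving the argument keeps the existing call sites working: `auto GetImpFuncDict() const -> const std::vector<std::shared_ptr<moudle_import>>& { return m_impFuncDict; }`, `auto GetLastImpRead() const -> const std::pair<uint64_t, std::shared_ptr<moudle_import>>& { return m_lastImpRead; }`, and `m_lastImpRead = { address, std::move(imp) };`. The new `m_lastImpRead` member also carries no comment saying which address and import the pair records (its `second` is a null `shared_ptr` until `SetLastImpRead` is called, so readers presumably need to check it), and `EmulateApi` in the `@@ -107,7 +107,7 @@` hunk now returns `bool` with nothing stating what true/false means to callers. The `Sandbox` class starts and ends outside these hunks.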