111

2025-03-06 20:33:02 +08:00
parent ed5e7ae994
commit 3f022ddd01
2 changed files with 107 additions and 2 deletions
--- a/ai_anti_malware/sandbox_api_emu.cpp
+++ b/ai_anti_malware/sandbox_api_emu.cpp
@@ -1044,6 +1044,107 @@ auto Api_GetCommandLineW(void* sandbox, uc_engine* uc, uint64_t address)
                 &return_value);
 }

+// 实现 GetACP API
+auto Api_GetACP(void* sandbox, uc_engine* uc, uint64_t address) -> void {
+    // 返回默认的 ANSI 代码页 (936 - 简体中文)
+    uint32_t codepage = 936;
+    printf("[*] GetACP: CodePage=%u\n", codepage);
+
+    // 返回代码页值
+    uc_reg_write(uc,
+                 static_cast<Sandbox*>(sandbox)->GetPeInfo()->isX64
+                     ? UC_X86_REG_RAX
+                     : UC_X86_REG_EAX,
+                 &codepage);
+}
+
+// 实现 GetCPInfo API
+auto Api_GetCPInfo(void* sandbox, uc_engine* uc, uint64_t address) -> void {
+    auto context = static_cast<Sandbox*>(sandbox);
+    uint32_t codePage = 0;
+    uint64_t lpCPInfo = 0;
+    BOOL success = FALSE;
+
+    // 获取参数
+    if (context->GetPeInfo()->isX64) {
+        // x64: rcx = CodePage, rdx = lpCPInfo
+        uint64_t temp_codepage;
+        uc_reg_read(uc, UC_X86_REG_RCX, &temp_codepage);
+        codePage = static_cast<uint32_t>(temp_codepage);
+        uc_reg_read(uc, UC_X86_REG_RDX, &lpCPInfo);
+    } else {
+        // x86: 从栈上读取参数
+        uint32_t esp_address = 0;
+        uc_reg_read(uc, UC_X86_REG_ESP, &esp_address);
+        esp_address += 0x4;  // 跳过返回地址
+        uc_mem_read(uc, esp_address, &codePage, sizeof(uint32_t));
+        esp_address += 0x4;
+        uint32_t temp_cpinfo;
+        uc_mem_read(uc, esp_address, &temp_cpinfo, sizeof(uint32_t));
+        lpCPInfo = temp_cpinfo;
+    }
+
+    if (lpCPInfo != 0) {
+        // 创建 CPINFO 结构
+        CPINFO cpInfo = {0};
+
+        // 根据代码页设置相应的信息
+        switch (codePage) {
+            case 936:                         // 简体中文 GBK
+                cpInfo.MaxCharSize = 2;       // 最大字符大小为2字节
+                cpInfo.DefaultChar[0] = '?';  // 默认替换字符
+                cpInfo.DefaultChar[1] = '\0';
+                cpInfo.LeadByte[0] = 0x81;  // 前导字节范围
+                cpInfo.LeadByte[1] = 0xFE;
+                cpInfo.LeadByte[2] = 0;  // 结束标记
+                success = TRUE;
+                break;
+
+            case 437:                    // US ASCII
+            case 1252:                   // Western European
+                cpInfo.MaxCharSize = 1;  // 单字节字符集
+                cpInfo.DefaultChar[0] = '?';
+                cpInfo.DefaultChar[1] = '\0';
+                cpInfo.LeadByte[0] = 0;  // 无前导字节
+                success = TRUE;
+                break;
+
+            default:
+                // 不支持的代码页
+                if (context->GetPeInfo()->isX64) {
+                    context->GetTeb64()->LastErrorValue =
+                        ERROR_INVALID_PARAMETER;
+                } else {
+                    context->GetTeb32()->LastErrorValue =
+                        ERROR_INVALID_PARAMETER;
+                }
+                success = FALSE;
+                break;
+        }
+
+        if (success) {
+            // 写入 CPINFO 结构到目标内存
+            uc_mem_write(uc, lpCPInfo, &cpInfo, sizeof(CPINFO));
+        }
+    } else {
+        // 无效的指针参数
+        if (context->GetPeInfo()->isX64) {
+            context->GetTeb64()->LastErrorValue = ERROR_INVALID_PARAMETER;
+        } else {
+            context->GetTeb32()->LastErrorValue = ERROR_INVALID_PARAMETER;
+        }
+        success = FALSE;
+    }
+
+    printf("[*] GetCPInfo: CodePage=%u, lpCPInfo=0x%llx, Success=%d\n",
+           codePage, lpCPInfo, success);
+
+    // 返回操作是否成功
+    uc_reg_write(uc,
+                 context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
+                 &success);
+}
+
 auto Sandbox::CreateHeapSegment(uint64_t base, size_t size) -> HeapSegment* {
    auto segment = new HeapSegment();
    segment->base = base;
@@ -1226,6 +1327,8 @@ auto Sandbox::InitApiHooks() -> void {
        _fakeApi{.func = Api_GetCommandLineA, .paramCount = 0};
    auto FakeApi_GetCommandLineW =
        _fakeApi{.func = Api_GetCommandLineW, .paramCount = 0};
+    auto FakeApi_GetACP = _fakeApi{.func = Api_GetACP, .paramCount = 0};
+    auto FakeApi_GetCPInfo = _fakeApi{.func = Api_GetCPInfo, .paramCount = 2};

    api_map = {
        {"GetSystemTimeAsFileTime",
@@ -1265,7 +1368,9 @@ auto Sandbox::InitApiHooks() -> void {
        {"GetCommandLineA",
         std::make_shared<_fakeApi>(FakeApi_GetCommandLineA)},
        {"GetCommandLineW",
-         std::make_shared<_fakeApi>(FakeApi_GetCommandLineW)}};
+         std::make_shared<_fakeApi>(FakeApi_GetCommandLineW)},
+        {"GetACP", std::make_shared<_fakeApi>(FakeApi_GetACP)},
+        {"GetCPInfo", std::make_shared<_fakeApi>(FakeApi_GetCPInfo)}};
 }
 auto Sandbox::EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip,
                         std::string ApiName) -> void {
--- a/ai_anti_malware/sandbox_callbacks.cpp
+++ b/ai_anti_malware/sandbox_callbacks.cpp
@@ -1,5 +1,5 @@
 #include "sandbox_callbacks.h"
-#define LOG_LEVEL 1
+#define LOG_LEVEL 0
 namespace sandboxCallbacks {
 void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
                   void* userData) {