@@ -1044,6 +1044,107 @@ auto Api_GetCommandLineW(void* sandbox, uc_engine* uc, uint64_t address)
|
|||||||
&return_value);
|
&return_value);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// 实现 GetACP API
|
||||||
|
auto Api_GetACP(void* sandbox, uc_engine* uc, uint64_t address) -> void {
|
||||||
|
// 返回默认的 ANSI 代码页 (936 - 简体中文)
|
||||||
|
uint32_t codepage = 936;
|
||||||
|
printf("[*] GetACP: CodePage=%u\n", codepage);
|
||||||
|
|
||||||
|
// 返回代码页值
|
||||||
|
uc_reg_write(uc,
|
||||||
|
static_cast<Sandbox*>(sandbox)->GetPeInfo()->isX64
|
||||||
|
? UC_X86_REG_RAX
|
||||||
|
: UC_X86_REG_EAX,
|
||||||
|
&codepage);
|
||||||
|
}
|
||||||
|
|
||||||
|
// 实现 GetCPInfo API
|
||||||
|
auto Api_GetCPInfo(void* sandbox, uc_engine* uc, uint64_t address) -> void {
|
||||||
|
auto context = static_cast<Sandbox*>(sandbox);
|
||||||
|
uint32_t codePage = 0;
|
||||||
|
uint64_t lpCPInfo = 0;
|
||||||
|
BOOL success = FALSE;
|
||||||
|
|
||||||
|
// 获取参数
|
||||||
|
if (context->GetPeInfo()->isX64) {
|
||||||
|
// x64: rcx = CodePage, rdx = lpCPInfo
|
||||||
|
uint64_t temp_codepage;
|
||||||
|
uc_reg_read(uc, UC_X86_REG_RCX, &temp_codepage);
|
||||||
|
codePage = static_cast<uint32_t>(temp_codepage);
|
||||||
|
uc_reg_read(uc, UC_X86_REG_RDX, &lpCPInfo);
|
||||||
|
} else {
|
||||||
|
// x86: 从栈上读取参数
|
||||||
|
uint32_t esp_address = 0;
|
||||||
|
uc_reg_read(uc, UC_X86_REG_ESP, &esp_address);
|
||||||
|
esp_address += 0x4; // 跳过返回地址
|
||||||
|
uc_mem_read(uc, esp_address, &codePage, sizeof(uint32_t));
|
||||||
|
esp_address += 0x4;
|
||||||
|
uint32_t temp_cpinfo;
|
||||||
|
uc_mem_read(uc, esp_address, &temp_cpinfo, sizeof(uint32_t));
|
||||||
|
lpCPInfo = temp_cpinfo;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (lpCPInfo != 0) {
|
||||||
|
// 创建 CPINFO 结构
|
||||||
|
CPINFO cpInfo = {0};
|
||||||
|
|
||||||
|
// 根据代码页设置相应的信息
|
||||||
|
switch (codePage) {
|
||||||
|
case 936: // 简体中文 GBK
|
||||||
|
cpInfo.MaxCharSize = 2; // 最大字符大小为2字节
|
||||||
|
cpInfo.DefaultChar[0] = '?'; // 默认替换字符
|
||||||
|
cpInfo.DefaultChar[1] = '\0';
|
||||||
|
cpInfo.LeadByte[0] = 0x81; // 前导字节范围
|
||||||
|
cpInfo.LeadByte[1] = 0xFE;
|
||||||
|
cpInfo.LeadByte[2] = 0; // 结束标记
|
||||||
|
success = TRUE;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 437: // US ASCII
|
||||||
|
case 1252: // Western European
|
||||||
|
cpInfo.MaxCharSize = 1; // 单字节字符集
|
||||||
|
cpInfo.DefaultChar[0] = '?';
|
||||||
|
cpInfo.DefaultChar[1] = '\0';
|
||||||
|
cpInfo.LeadByte[0] = 0; // 无前导字节
|
||||||
|
success = TRUE;
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
// 不支持的代码页
|
||||||
|
if (context->GetPeInfo()->isX64) {
|
||||||
|
context->GetTeb64()->LastErrorValue =
|
||||||
|
ERROR_INVALID_PARAMETER;
|
||||||
|
} else {
|
||||||
|
context->GetTeb32()->LastErrorValue =
|
||||||
|
ERROR_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
success = FALSE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (success) {
|
||||||
|
// 写入 CPINFO 结构到目标内存
|
||||||
|
uc_mem_write(uc, lpCPInfo, &cpInfo, sizeof(CPINFO));
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// 无效的指针参数
|
||||||
|
if (context->GetPeInfo()->isX64) {
|
||||||
|
context->GetTeb64()->LastErrorValue = ERROR_INVALID_PARAMETER;
|
||||||
|
} else {
|
||||||
|
context->GetTeb32()->LastErrorValue = ERROR_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
success = FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
printf("[*] GetCPInfo: CodePage=%u, lpCPInfo=0x%llx, Success=%d\n",
|
||||||
|
codePage, lpCPInfo, success);
|
||||||
|
|
||||||
|
// 返回操作是否成功
|
||||||
|
uc_reg_write(uc,
|
||||||
|
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
|
||||||
|
&success);
|
||||||
|
}
|
||||||
|
|
||||||
auto Sandbox::CreateHeapSegment(uint64_t base, size_t size) -> HeapSegment* {
|
auto Sandbox::CreateHeapSegment(uint64_t base, size_t size) -> HeapSegment* {
|
||||||
auto segment = new HeapSegment();
|
auto segment = new HeapSegment();
|
||||||
segment->base = base;
|
segment->base = base;
|
||||||
@@ -1226,6 +1327,8 @@ auto Sandbox::InitApiHooks() -> void {
|
|||||||
_fakeApi{.func = Api_GetCommandLineA, .paramCount = 0};
|
_fakeApi{.func = Api_GetCommandLineA, .paramCount = 0};
|
||||||
auto FakeApi_GetCommandLineW =
|
auto FakeApi_GetCommandLineW =
|
||||||
_fakeApi{.func = Api_GetCommandLineW, .paramCount = 0};
|
_fakeApi{.func = Api_GetCommandLineW, .paramCount = 0};
|
||||||
|
auto FakeApi_GetACP = _fakeApi{.func = Api_GetACP, .paramCount = 0};
|
||||||
|
auto FakeApi_GetCPInfo = _fakeApi{.func = Api_GetCPInfo, .paramCount = 2};
|
||||||
|
|
||||||
api_map = {
|
api_map = {
|
||||||
{"GetSystemTimeAsFileTime",
|
{"GetSystemTimeAsFileTime",
|
||||||
@@ -1265,7 +1368,9 @@ auto Sandbox::InitApiHooks() -> void {
|
|||||||
{"GetCommandLineA",
|
{"GetCommandLineA",
|
||||||
std::make_shared<_fakeApi>(FakeApi_GetCommandLineA)},
|
std::make_shared<_fakeApi>(FakeApi_GetCommandLineA)},
|
||||||
{"GetCommandLineW",
|
{"GetCommandLineW",
|
||||||
std::make_shared<_fakeApi>(FakeApi_GetCommandLineW)}};
|
std::make_shared<_fakeApi>(FakeApi_GetCommandLineW)},
|
||||||
|
{"GetACP", std::make_shared<_fakeApi>(FakeApi_GetACP)},
|
||||||
|
{"GetCPInfo", std::make_shared<_fakeApi>(FakeApi_GetCPInfo)}};
|
||||||
}
|
}
|
||||||
auto Sandbox::EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip,
|
auto Sandbox::EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip,
|
||||||
std::string ApiName) -> void {
|
std::string ApiName) -> void {
|
||||||
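Review bot: In Api_GetACP the 32-bit local `codepage` is handed to uc_reg_write for UC_X86_REG_RAX on x64; Unicorn copies the register's full width from the buffer, so on x64 it reads 4 bytes past the local and the upper half of the guest's RAX receives whatever host stack bytes follow it. Api_GetCPInfo has the same problem at its final uc_reg_write with `BOOL success`. Stage the return value in a 64-bit local, as the existing GetCommandLine handlers appear to do with `return_value`: `uint64_t rax = codepage;` in GetACP and `uint64_t rax = success ? 1 : 0;` in GetCPInfo, then pass `&rax`. Separately, the result of `uc_mem_write(uc, lpCPInfo, &cpInfo, sizeof(CPINFO))` is ignored, so a guest passing an unmapped lpCPInfo is still told Success=1; compare it with UC_ERR_OK and, on failure, set LastErrorValue and `success = FALSE` exactly as the `lpCPInfo == 0` branch does.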
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
#include "sandbox_callbacks.h"
|
#include "sandbox_callbacks.h"
|
||||||
#define LOG_LEVEL 1
|
#define LOG_LEVEL 0
|
||||||
namespace sandboxCallbacks {
|
namespace sandboxCallbacks {
|
||||||
void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
|
void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
|
||||||
void* userData) {
|
void* userData) {
|
||||||
|
|||||||