Implement Rich Header parsing for PE file analysis

- Added ParseRichHeader method to extract Rich header information from PE files - Defined RichEntry and RichHeaderInfo structures to store Rich header details - Implemented decoding of Rich header entries with checksum XOR technique - Updated ml.h and ml.cpp to support Rich header parsing - Improved error handling and logging in ProcessDirectory method - Translated some log messages to English for consistency
2025-03-09 03:29:14 +08:00
parent 2fed2d5bae
commit 4d1ccb16aa
2 changed files with 79 additions and 6 deletions
--- a/ai_anti_malware/ml.h
+++ b/ai_anti_malware/ml.h
@@ -15,7 +15,16 @@
 struct PeInfo;
 struct SectionInfo;
 class BasicPeInfo;
+struct RichEntry {
+    uint16_t productId;  // 组件ID
+    uint16_t buildId;    // 版本号
+    uint32_t useCount;   // 使用次数
+};

+struct RichHeaderInfo {
+    uint32_t checksum;               // 校验和
+    std::vector<RichEntry> entries;  // Rich头条目
+};
 // RVA转换为内存中的指针的辅助函数
 inline BYTE* RvaToPtr(DWORD rva, BYTE* peBuffer) {
    if (!peBuffer || rva == 0) return nullptr;
@@ -61,7 +70,7 @@ class MachineLearning {
   public:
    MachineLearning();
    ~MachineLearning();
-
+    bool ParseRichHeader(const uint8_t* peBuffer, RichHeaderInfo& richInfo);
    // 提取特征并返回特征向量
    std::vector<double> ExtractFeatures(const uint8_t* buffer,
                                        size_t bufferSize);