添加沙箱功能和API钩子支持

- 在沙箱中实现了新的功能，包括内存分配和API钩子初始化 - 更新了沙箱类，增加了对WFP引擎的支持 - 添加了多个API的实现，如GetLastError、InitializeCriticalSection等 - 修改了主函数以使用新的沙箱功能，替换了恶意软件扫描功能 - 更新了项目文件以包含新的源文件和API实现 - 改进了错误处理和日志记录功能
2025-03-18 20:49:18 +08:00
parent 4f3f4c7205
commit 534b6a84a6
15 changed files with 2443 additions and 754 deletions
--- a/ai_anti_malware/sandbox.h
+++ b/ai_anti_malware/sandbox.h
@@ -1,9 +1,7 @@
 #pragma once
-#include <functional>
-#include <map>

 #include "head.h"
-#include <WinInet.h>
+#include <wininet.h>
 #define PAGE_SIZE 0x1000
 #define CF_MASK (1 << 0)
 #define PF_MASK (1 << 2)
@@ -87,12 +85,21 @@ struct InternetHandleInfo {
 class Sandbox {
    friend class cFixImprot;  // 声明cFixImprot为友元类
   public:
+    // WFP引擎相关结构体
+    struct FakeWFPEngine {
+        bool isOpen;
+        std::vector<FWPM_PROVIDER0> providers;
+        std::vector<FWPM_FILTER0> filters;
+    };
+
    Sandbox();
    ~Sandbox();
+    std::map<uint64_t, size_t>
+        process_enum_state;  // 用于跟踪每个句柄的枚举状态

    // Public methods
    auto InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void;
-    auto Run() -> void;
+    auto Run(uint64_t address = 0) -> void;
    auto GetCapstoneHandle() const -> csh { return m_csHandle; }
    auto GetUnicornHandle() const -> uc_engine* { return m_ucEngine; }
    auto GetPeInfo() const -> std::shared_ptr<BasicPeInfo> { return m_peInfo; }
@@ -115,6 +122,9 @@ class Sandbox {
    auto GetEnvStringsSize() -> size_t;
    auto InitCommandLine() -> void;

+    // 内存分配相关的方法
+    auto AllocateMemory(size_t size) -> uint64_t;
+
    // 堆管理相关的公共方法
    auto CreateHeapSegment(uint64_t base, size_t size) -> HeapSegment*;
    auto AllocateFromSegment(HeapSegment* segment, size_t size) -> uint64_t;
@@ -213,6 +223,16 @@ class Sandbox {
    }
    std::vector<std::string> ApiCallList;

+    // WFP引擎相关方法
+    auto GetWfpEngines() -> std::map<HANDLE, FakeWFPEngine*>& {
+        return m_wfpEngines;
+    }
+    auto GetNextWfpEngineHandle() -> HANDLE {
+        auto handle = m_nextWfpEngineHandle;
+        m_nextWfpEngineHandle = (HANDLE)((uint64_t)m_nextWfpEngineHandle + 1);
+        return handle;
+    }
+
   private:
    std::shared_ptr<BasicPeInfo> m_peInfo;
    uint64_t m_gsBase;
@@ -302,4 +322,106 @@ class Sandbox {
    auto UpdateLdrLinks(const LDR_DATA_TABLE_ENTRY& entry,
                        uint64_t entryAddress, X64_PEB_LDR_DATA& ldrData)
        -> void;
+
+    // WFP引擎相关成员
+    std::map<HANDLE, FakeWFPEngine*> m_wfpEngines;
+    HANDLE m_nextWfpEngineHandle;
 };
+std::string getDllNameFromApiSetMap(const std::string& apiSet);
+void Api_GetLastError(void* sandbox, uc_engine* uc, uint64_t address);
+auto Api_InitializeCriticalSectionAndSpinCount(void* sandbox, uc_engine* uc,
+                                               uint64_t address) -> void;
+auto Api_InitializeCriticalSectionEx(void* sandbox, uc_engine* uc,
+                                     uint64_t address) -> void;
+auto Api_IsProcessorFeaturePresent(void* sandbox, uc_engine* uc,
+                                   uint64_t address) -> void;
+auto Api_DeleteCriticalSection(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_TlsAlloc(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_TlsSetValue(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api___set_app_type(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api___p__fmode(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_RegOpenKeyExW(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_RegCloseKey(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_AreFileApisANSI(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_WideCharToMultiByte(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_InitializeSListHead(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_GetEnvironmentStringsW(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_FreeEnvironmentStringsW(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_GetProcessHeap(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_HeapAlloc(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_HeapFree(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_TlsGetValue(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_SetLastError(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_EnterCriticalSection(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_LeaveCriticalSection(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_GetStartupInfoW(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_GetStdHandle(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_GetFileType(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_HeapCreate(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_GetCommandLineA(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_GetCommandLineW(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_GetACP(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_GetCPInfo(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_MultiByteToWideChar(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_SHGetKnownFolderPath(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_EncodePointer(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_Process32NextW(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_CreateToolhelp32Snapshot(void* sandbox, uc_engine* uc,
+                                  uint64_t address) -> void;
+auto Api_Process32FirstW(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_VirtualQuery(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_GetModuleHandleW(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_GetModuleHandleA(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto GetModuleHandleInternal(void* sandbox, const std::wstring& moduleName)
+    -> HMODULE;
+auto Api_Process32NextW(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_WlanOpenHandle(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_WlanEnumInterfaces(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_WlanGetProfileList(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_WlanFreeMemory(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_WlanCloseHandle(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_ReadFile(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_CreatePipe(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_CloseHandle(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_RtlFormatCurrentUserKeyPath(void* sandbox, uc_engine* uc,
+                                     uint64_t address) -> void;
+auto Api_FlsSetValue(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_CreateFileW(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_WriteFile(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_CreateProcessA(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_GetCurrentProcess(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_GetCurrentThread(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_OpenProcessToken(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_GetTokenInformation(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+
+// WFP API函数声明
+auto Api_FwpmEngineOpen0(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_FwpmProviderAdd0(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;
+auto Api_FwpmFilterAdd0(void* sandbox, uc_engine* uc, uint64_t address) -> void;
+auto Api_FwpmEngineClose0(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void;