Update project documentation and enhance malware detection engine

- Completely rewrite README.md with comprehensive project overview and technical details - Add detailed explanation of antivirus engine architecture and detection strategies - Implement multi-stage malware detection with machine learning, sandbox, and PE structure analysis - Update project configuration and add new source files for enhanced detection capabilities - Integrate XGBoost machine learning model with C++ export functionality - Improve sandbox environment with advanced module and LDR data table handling - Remove legacy Python prediction and training scripts in favor of C++ implementation
2025-03-09 21:59:22 +08:00
parent 51f929abfa
commit 60c4ef5f58
23 changed files with 46102 additions and 1717 deletions
--- a/ai_anti_malware/sandbox.cpp
+++ b/ai_anti_malware/sandbox.cpp
@@ -155,7 +155,19 @@ class cFixImprot : public peconv::t_function_resolver {
                }
            }
        }
-        //__debugbreak();
+        for (const auto& module : m_sandbox->m_moduleList) {
+            for (const auto& exp : m_sandbox->m_exportFuncDict) {
+                // 检查函数名是否匹配
+                if (strcmp(exp->name, func_name) == 0) {
+                    auto newBase = reinterpret_cast<FARPROC>(
+                        module->base + exp->function_address);
+                    printf("fix import: %s => %llx \n", func_name, newBase);
+                    // 返回在模拟器中的虚拟地址
+                    return newBase;
+                }
+            }
+        }
+        __debugbreak();
        return nullptr;
    }

@@ -219,6 +231,11 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void {
                                newModule->base) == false) {
        throw std::runtime_error("Failed to relocate module");
    }
+
+    // 将模块添加到LDR链表中
+    if (m_peInfo->isX64) {
+        AddModuleToLdr(newModule);
+    }
 }

 auto Sandbox::CreateModuleInfo(const char* dllName, uint64_t moduleBase,
@@ -344,7 +361,8 @@ auto Sandbox::ResolveImportExports() -> void {
        const auto exports = ResolveExport(module->real_base);
        for (const auto item : exports) {
            if (LOG_LEVEL > 0) {
-                printf("import export: [%s] %s => %llx\n", module->name, item->name, item->function_address);
+                printf("import export: [%s] %s => %llx\n", module->name,
+                       item->name, item->function_address);
            }
            module->export_function.push_back(item);
        }
@@ -586,6 +604,11 @@ auto Sandbox::InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void {
    _ASSERTE(m_moduleList.size() == 0);
    m_moduleList.push_back(newModule);

+    // 将模块添加到LDR链表中
+    if (m_peInfo->isX64) {
+        AddModuleToLdr(newModule);
+    }
+
    ResoveImport();
    ResolveImportExports();

@@ -697,7 +720,7 @@ auto Sandbox::Run() -> void {
    InitApiHooks();
    std::cout << "Starting execution at " << std::hex << entryPoint
              << std::endl;
-    uint64_t timeout = 60 * 1000;
+    uint64_t timeout = 60 * 1000 * 1000;
    err = uc_emu_start(m_ucEngine, entryPoint, m_peInfo->imageEnd, timeout, 0);
    std::cerr << "Emulation error: " << uc_strerror(err) << std::endl;
 }
@@ -1083,3 +1106,165 @@ void Sandbox::UpdateBaseOfCode(PIMAGE_SECTION_HEADER sectionHeader,
        }
    }
 }
+
+auto Sandbox::InitializeLdrData() -> void {
+    if (m_peInfo->isX64 && m_peb64.Ldr == 0) {
+        // 为LDR_DATA分配内存
+        uint64_t ldrDataAddress = m_pebBase + sizeof(X64PEB);
+        m_pebEnd = ldrDataAddress + sizeof(X64_PEB_LDR_DATA);
+        m_peb64.Ldr = ldrDataAddress;
+
+        // 映射LDR数据内存
+        uc_mem_map(m_ucEngine, ldrDataAddress, sizeof(X64_PEB_LDR_DATA),
+                   UC_PROT_ALL);
+
+        // 初始化LDR_DATA结构
+        X64_PEB_LDR_DATA ldrData = {0};
+        ldrData.Length = sizeof(X64_PEB_LDR_DATA);
+        ldrData.Initialized = 1;
+
+        // 初始化链表头 - 使用适当的类型转换
+        LIST_ENTRY inLoadOrderList = {
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList)),
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList))};
+        ldrData.InLoadOrderModuleList = inLoadOrderList;
+
+        LIST_ENTRY inMemoryOrderList = {
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList)),
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList))};
+        ldrData.InMemoryOrderModuleList = inMemoryOrderList;
+
+        LIST_ENTRY inInitOrderList = {
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList)),
+            reinterpret_cast<LIST_ENTRY*>(
+                ldrDataAddress +
+                offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList))};
+        ldrData.InInitializationOrderModuleList = inInitOrderList;
+
+        uc_mem_write(m_ucEngine, ldrDataAddress, &ldrData,
+                     sizeof(X64_PEB_LDR_DATA));
+
+        // 更新PEB中的Ldr指针
+        uc_mem_write(m_ucEngine, m_pebBase, &m_peb64, sizeof(X64PEB));
+    }
+}
+
+auto Sandbox::CreateLdrEntry(const std::shared_ptr<struct_moudle>& module,
+                             uint64_t entryAddress, uint64_t fullNameAddress,
+                             uint64_t baseNameAddress) -> LDR_DATA_TABLE_ENTRY {
+    LDR_DATA_TABLE_ENTRY entry = {0};
+    entry.DllBase = reinterpret_cast<PVOID>(module->base);
+    entry.EntryPoint = reinterpret_cast<PVOID>(module->base + module->entry);
+    entry.SizeOfImages = static_cast<ULONG>(module->size);
+
+    // 准备模块名称的Unicode字符串
+    wchar_t nameBuffer[MAX_PATH] = {0};
+    std::mbstowcs(nameBuffer, module->name, strlen(module->name));
+
+    // 设置全路径
+    entry.FullDllName.Length =
+        static_cast<USHORT>(wcslen(nameBuffer) * sizeof(wchar_t));
+    entry.FullDllName.MaximumLength = MAX_PATH * sizeof(wchar_t);
+    entry.FullDllName.Buffer = reinterpret_cast<PWSTR>(fullNameAddress);
+
+    // 设置基本名称
+    entry.BaseDllName.Length =
+        static_cast<USHORT>(wcslen(nameBuffer) * sizeof(wchar_t));
+    entry.BaseDllName.MaximumLength = MAX_PATH * sizeof(wchar_t);
+    entry.BaseDllName.Buffer = reinterpret_cast<PWSTR>(baseNameAddress);
+
+    // 写入Unicode字符串
+    uc_mem_write(m_ucEngine, fullNameAddress, nameBuffer,
+                 (wcslen(nameBuffer) + 1) * sizeof(wchar_t));
+    uc_mem_write(m_ucEngine, baseNameAddress, nameBuffer,
+                 (wcslen(nameBuffer) + 1) * sizeof(wchar_t));
+
+    return entry;
+}
+
+auto Sandbox::UpdateLdrLinks(const LDR_DATA_TABLE_ENTRY& entry,
+                             uint64_t entryAddress, X64_PEB_LDR_DATA& ldrData)
+    -> void {
+    // 更新LDR_DATA中的链表头
+    ldrData.InLoadOrderModuleList.Flink = reinterpret_cast<LIST_ENTRY*>(
+        entryAddress + offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks));
+    ldrData.InMemoryOrderModuleList.Flink = reinterpret_cast<LIST_ENTRY*>(
+        entryAddress + offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
+    ldrData.InInitializationOrderModuleList.Flink =
+        reinterpret_cast<LIST_ENTRY*>(
+            entryAddress +
+            offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks));
+
+    // 写回更新后的LDR_DATA
+    uc_mem_write(m_ucEngine, m_peb64.Ldr, &ldrData, sizeof(X64_PEB_LDR_DATA));
+}
+
+auto Sandbox::AddModuleToLdr(const std::shared_ptr<struct_moudle>& module)
+    -> void {
+    if (!m_peInfo->isX64) {
+        return;  // 暂时只处理64位
+    }
+
+    if (m_peb64.Ldr == 0) {
+        InitializeLdrData();
+    }
+
+    // 为模块创建LDR_DATA_TABLE_ENTRY
+    uint64_t entrySize = sizeof(LDR_DATA_TABLE_ENTRY) +
+                         MAX_PATH * 2;  // 额外空间用于Unicode字符串
+    uint64_t entryAddress = m_pebEnd;
+    m_pebEnd += entrySize;
+
+    // 映射内存
+    uc_mem_map(m_ucEngine, entryAddress, entrySize, UC_PROT_ALL);
+
+    // 设置Unicode字符串地址
+    uint64_t fullNameAddress = entryAddress + sizeof(LDR_DATA_TABLE_ENTRY);
+    uint64_t baseNameAddress = fullNameAddress + MAX_PATH;
+
+    // 创建并初始化LDR_DATA_TABLE_ENTRY
+    auto entry =
+        CreateLdrEntry(module, entryAddress, fullNameAddress, baseNameAddress);
+
+    // 从PEB读取当前LDR_DATA结构
+    X64_PEB_LDR_DATA ldrData;
+    uc_mem_read(m_ucEngine, m_peb64.Ldr, &ldrData, sizeof(X64_PEB_LDR_DATA));
+
+    // 设置链表指针
+    entry.InLoadOrderLinks.Flink = reinterpret_cast<LIST_ENTRY*>(
+        reinterpret_cast<uintptr_t>(ldrData.InLoadOrderModuleList.Flink));
+    entry.InLoadOrderLinks.Blink = reinterpret_cast<LIST_ENTRY*>(
+        m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList));
+
+    entry.InMemoryOrderLinks.Flink = reinterpret_cast<LIST_ENTRY*>(
+        reinterpret_cast<uintptr_t>(ldrData.InMemoryOrderModuleList.Flink));
+    entry.InMemoryOrderLinks.Blink = reinterpret_cast<LIST_ENTRY*>(
+        m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList));
+
+    entry.InInitializationOrderLinks.Flink =
+        reinterpret_cast<LIST_ENTRY*>(reinterpret_cast<uintptr_t>(
+            ldrData.InInitializationOrderModuleList.Flink));
+    entry.InInitializationOrderLinks.Blink = reinterpret_cast<LIST_ENTRY*>(
+        m_peb64.Ldr +
+        offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList));
+
+    // 写入LDR_DATA_TABLE_ENTRY结构
+    uc_mem_write(m_ucEngine, entryAddress, &entry,
+                 sizeof(LDR_DATA_TABLE_ENTRY));
+
+    // 更新链表
+    UpdateLdrLinks(entry, entryAddress, ldrData);
+
+    printf("Added module '%s' to LDR data tables at 0x%llx\n", module->name,
+           entryAddress);
+}