Update project documentation and enhance malware detection engine

- Completely rewrite README.md with comprehensive project overview and technical details - Add detailed explanation of antivirus engine architecture and detection strategies - Implement multi-stage malware detection with machine learning, sandbox, and PE structure analysis - Update project configuration and add new source files for enhanced detection capabilities - Integrate XGBoost machine learning model with C++ export functionality - Improve sandbox environment with advanced module and LDR data table handling - Remove legacy Python prediction and training scripts in favor of C++ implementation
2025-03-09 21:59:22 +08:00
parent 51f929abfa
commit 60c4ef5f58
23 changed files with 46102 additions and 1717 deletions
--- a/ai_anti_malware/sandbox.h
+++ b/ai_anti_malware/sandbox.h
@@ -3,6 +3,7 @@
 #include <map>

 #include "head.h"
+#include <WinInet.h>
 #define PAGE_SIZE 0x1000
 #define CF_MASK (1 << 0)
 #define PF_MASK (1 << 2)
@@ -70,6 +71,18 @@ struct HeapSegment {
    size_t size;        // 堆段的总大小
    HeapBlock* blocks;  // 块链表
 };
+enum class MalwareAnalysisType {
+    kNone,
+    kSuspicious,
+    kMalware,
+};
+struct InternetHandleInfo {
+    HINTERNET handle;
+    bool isConnection;
+    std::string url;
+    std::vector<char> responseData;
+    size_t currentPosition;
+};

 class Sandbox {
    friend class cFixImprot;  // 声明cFixImprot为友元类
@@ -114,6 +127,11 @@ class Sandbox {
    auto GetHeapBlocks() const -> std::map<uint64_t, HeapSegment*> {
        return m_heapSegments;
    }
+    auto PrintApiCallList() -> void {
+        for (auto& api : ApiCallList) {
+            printf("%s\n", api.c_str());
+        }
+    }

    // 从内存中提取PE文件并修复重定位和导入表，返回原始PE的缓冲区
    auto DumpPE() -> std::pair<std::unique_ptr<BYTE[]>, size_t>;
@@ -151,6 +169,49 @@ class Sandbox {
    auto SetCrossSectionExecution(uint64_t address) -> void {
        return m_crossSectionExecution.push_back(address);
    }
+    auto GetMalwareAnalysisType() -> MalwareAnalysisType {
+        return m_malwareAnalysisType;
+    }
+    auto SetMalwareAnalysisType(MalwareAnalysisType type) -> void {
+        if (type == MalwareAnalysisType::kMalware &&
+            m_malwareAnalysisType == MalwareAnalysisType::kSuspicious) {
+            m_malwareAnalysisType = type;
+        } else if (m_malwareAnalysisType == MalwareAnalysisType::kNone) {
+            m_malwareAnalysisType = type;
+        }
+    }
+    auto CheckMalwareActive_Registry(std::wstring registryPath) -> void;
+
+    auto CheckMalwareActive_Sleep(uint32_t secToSleep) -> void;
+
+    auto CheckMalwareActive_GetProcAddress(std::string wantName) -> void;
+
+    auto CheckMalwareActive_FilePath(std::wstring filePath) -> void;
+
+    // WinHTTP API相关方法
+    auto GetNextInternetHandle() -> uint64_t { return m_nextInternetHandle++; }
+
+    auto AddInternetHandle(uint64_t handle, const InternetHandleInfo& info)
+        -> void {
+        m_internetHandles[handle] = info;
+    }
+
+    auto GetInternetHandle(uint64_t handle) -> InternetHandleInfo* {
+        auto it = m_internetHandles.find(handle);
+        if (it != m_internetHandles.end()) {
+            return &it->second;
+        }
+        return nullptr;
+    }
+
+    auto RemoveInternetHandle(uint64_t handle) -> bool {
+        return m_internetHandles.erase(handle) > 0;
+    }
+
+    auto GetAllInternetHandles() -> std::map<uint64_t, InternetHandleInfo>& {
+        return m_internetHandles;
+    }
+    std::vector<std::string> ApiCallList;

   private:
    std::shared_ptr<BasicPeInfo> m_peInfo;
@@ -219,4 +280,26 @@ class Sandbox {
    uint64_t m_lastExecuteSectionIndex = 0;         // 上次执行的区段索引
    uint64_t m_KSharedUserDataBase{0};
    uint64_t m_KSharedUserDataSize{0};
+
+    MalwareAnalysisType m_malwareAnalysisType = MalwareAnalysisType::kNone;
+
+    // WinHTTP API相关成员变量
+    std::map<uint64_t, InternetHandleInfo> m_internetHandles;
+    uint64_t m_nextInternetHandle = 0x1000;
+
+    // 初始化PEB的LDR数据结构
+    auto InitializeLdrData() -> void;
+
+    // 将模块添加到LDR链表中
+    auto AddModuleToLdr(const std::shared_ptr<struct_moudle>& module) -> void;
+
+    // 创建LDR_DATA_TABLE_ENTRY结构
+    auto CreateLdrEntry(const std::shared_ptr<struct_moudle>& module,
+                        uint64_t entryAddress, uint64_t fullNameAddress,
+                        uint64_t baseNameAddress) -> LDR_DATA_TABLE_ENTRY;
+
+    // 更新LDR链表
+    auto UpdateLdrLinks(const LDR_DATA_TABLE_ENTRY& entry,
+                        uint64_t entryAddress, X64_PEB_LDR_DATA& ldrData)
+        -> void;
 };