Update project documentation and enhance malware detection engine

- Completely rewrite README.md with comprehensive project overview and technical details
- Add detailed explanation of antivirus engine architecture and detection strategies
- Implement multi-stage malware detection with machine learning, sandbox, and PE structure analysis
- Update project configuration and add new source files for enhanced detection capabilities
- Integrate XGBoost machine learning model with C++ export functionality
- Improve sandbox environment with advanced module and LDR data table handling
- Remove legacy Python prediction and training scripts in favor of C++ implementation

ai_anti_malware/sandbox_malware_check.cpp

@@ -0,0 +1,96 @@
+#include "sandbox.h"
+#include <windows.h>
+
+auto Sandbox::CheckMalwareActive_Registry(std::wstring registryPath) -> void {
+    // 定义敏感注册表路径列表
+    const std::vector<std::wstring> sensitiveRegistryPaths = {
+        L"SOFTWARE\\DingTalk", L"SOFTWARE\\Tencent",
+        L"SOFTWARE\\WOW6432Node\\DingTalk", L"SOFTWARE\\WOW6432Node\\Tencent"};
+
+    // 检查提供的注册表路径是否在敏感列表中
+    bool isSensitiveRegistry = false;
+    for (const auto& sensitivePath : sensitiveRegistryPaths) {
+        if (registryPath.find(sensitivePath) != std::wstring::npos) {
+            isSensitiveRegistry = true;
+            break;
+        }
+    }
+
+    // 如果是敏感注册表路径，尝试打开它检查是否可访问
+    if (isSensitiveRegistry) {
+        SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
+
+// 记录日志 (如果有日志系统的话)
+#if LOG_LEVEL >= 1
+        printf("[!!!] SensitiveRegistry Access %s\n", registryPath.c_str());
+#endif
+    }
+}
+auto Sandbox::CheckMalwareActive_Sleep(uint32_t secToSleep) -> void {
+    if (secToSleep > 1000 * 30) {
+        SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
+        printf("[!!!] suspicious Sleep %d seconds\n", secToSleep);
+    }
+}
+auto Sandbox::CheckMalwareActive_GetProcAddress(std::string wantName) -> void {
+    const std::vector<std::string> sensitiveGetProcAddressNames = {
+        "ZwAllocateVirtualMemory",
+        "NtAllocateVirtualMemory",
+        "NtFreeVirtualMemory",
+        "NtProtectVirtualMemory",
+        "NtWriteVirtualMemory",
+        "NtReadVirtualMemory",
+        "NtCreateThreadEx",
+        "NtOpenThread",
+        "NtTerminateThread",
+        "NtResumeThread",
+        "NtSuspendThread",
+        "NtCreateThread",
+        "NtOpenThread",
+        "NtTerminateThread",
+        "NtResumeThread",
+        "NtSuspendThread"};
+    // more
+    if (std::find(sensitiveGetProcAddressNames.begin(),
+                  sensitiveGetProcAddressNames.end(),
+                  wantName) != sensitiveGetProcAddressNames.end()) {
+        SetMalwareAnalysisType(MalwareAnalysisType::kMalware);
+        printf("[!!!] suspicious GetProcAddress %s\n", wantName.c_str());
+    }
+}
+
+auto Sandbox::CheckMalwareActive_FilePath(std::wstring filePath) -> void {
+    // 定义敏感文件路径列表
+    const std::vector<std::wstring> sensitiveFilePaths = {
+        L"\\AppData\\",
+        L"\\Temp\\",
+        L"\\Windows\\System32\\",
+        L"\\Program Files\\",
+        L"\\Program Files (x86)\\",
+        L"\\Documents\\",
+        L"\\Downloads\\",
+        L"\\Desktop\\",
+        L"\\Users\\All Users\\",
+        L"\\ProgramData\\",
+        L"\\Microsoft\\Windows\\Start Menu\\",
+        L"\\Startup\\"};
+
+    // 检查提供的文件路径是否在敏感列表中
+    bool isSensitiveFilePath = false;
+    for (const auto& sensitivePath : sensitiveFilePaths) {
+        if (filePath.find(sensitivePath) != std::wstring::npos) {
+            isSensitiveFilePath = true;
+            break;
+        }
+    }
+
+    // 如果是敏感文件路径，将恶意软件分析类型设置为可疑
+    if (isSensitiveFilePath) {
+        SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
+
+        // 记录日志
+#if LOG_LEVEL >= 1
+        printf("[!!!] SensitiveFilePath Access: %ls\n", filePath.c_str());
+#endif
+    }
+}