按照样本优化了一下

ai_anti_malware/sandbox.h

@@ -26,6 +26,7 @@
 #define TEB_BASE 0x90000
 #define CMDLINE_ADDRESS 0x100000   // 命令行字符串的固定地址
 #define CMDLINEW_ADDRESS 0x110000  // 宽字符命令行字符串的固定地址
+#define PROCESS_PARAMS_BASE 0x120000  // 进程参数结构的基址
 
 #define X86_GDT_ADDR 0x30000
 #define X86_GDT_LIMIT 0x1000
@@ -244,6 +245,7 @@ class Sandbox {
         -> void {
         m_lastImpRead = {address, imp};
     }
+    auto TestLdrListTraversal() -> bool;
 
     // 注册COM相关API
     void RegisterComApis();
@@ -266,6 +268,7 @@ class Sandbox {
     uint64_t m_heapEnd;
     uint64_t m_fakeBase;
     uint64_t m_envBlockBase;
+    uint64_t m_processParamsBase;
     struct_gs_base m_gsBaseStruct = {0};
     X64TEB m_teb64 = {0};
     X64PEB m_peb64 = {0};
@@ -307,8 +310,9 @@ class Sandbox {
         L"USERPROFILE=C:\\Users\\huoji",
         L"windir=C:\\Windows"};
     auto ResoveImport() -> void;
+    auto BuildPebParameter() -> void;
     auto ResolveImportExports() -> void;
-    auto CreateModuleInfo(const char* dllName, uint64_t moduleBase,
+    auto CreateModuleInfo(std::string dllName, uint64_t moduleBase,
                           uint64_t realModuleBase, uint64_t bufferAddress)
         -> std::shared_ptr<struct_moudle>;
     auto ResolveExport(uint64_t moduleBase)
@@ -333,6 +337,9 @@ class Sandbox {
     // 将模块添加到LDR链表中
     auto AddModuleToLdr(const std::shared_ptr<struct_moudle>& module) -> void;
 
+
+    auto DumpLdrList(const char* listName, uint64_t ldrDataBase, size_t listOffset, size_t entryLinkOffset) -> void;
+
     // 创建LDR_DATA_TABLE_ENTRY结构
     auto CreateLdrEntry(const std::shared_ptr<struct_moudle>& module,
                         uint64_t entryAddress, uint64_t fullNameAddress,