按照样本优化了一下

ai_anti_malware/sandbox_callbacks.cpp

@@ -51,7 +51,17 @@ void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
         // 记录跨区段执行地址
         sandbox->SetCrossSectionExecution(address);
     }
-
+    if (address == 0xff1160) {
+        uint64_t rcx = 0;
+        uc_reg_read(uc, UC_X86_REG_RCX, &rcx);
+        printf("malware try find hash: %llx \n", rcx);
+    }
+    /*
+    if (address == 0xff12B7) {
+        sandboxCallbacks::dumpVmenv(uc, userData);
+        __debugbreak();
+    }
+    */
     // 更新上次执行的区段
     if (currentSectionIndex >= 0) {
         sandbox->SetLastExecuteSectionIndex(currentSectionIndex);
@@ -120,8 +130,8 @@ void handleMemoryRead(uc_engine* uc, uc_mem_type type, uint64_t address,
             address < (ldrAddress + sizeof(X64_PEB_LDR_DATA))) {
             printf(
                 "[WARNING] Suspicious direct LDR access detected at RIP: "
-                "0x%llx, accessing address: 0x%llx\n",
-                regRip, address);
+                "0x%llx, accessing address: 0x%llx accessing offset: 0x%llx\n",
+                regRip, address, address - ldrAddress);
             sandbox->SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
         }
     } else {
@@ -170,6 +180,8 @@ void dumpVmenv(uc_engine* uc, void* userData) {
     uint64_t Rdx = 0;
     uint64_t Eax = 0;
     uint64_t Ecx = 0;
+    uint64_t R15 = 0;
+
     uc_reg_read(uc,
                 sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RIP : UC_X86_REG_EIP,
                 &Rip);
@@ -188,16 +200,15 @@ void dumpVmenv(uc_engine* uc, void* userData) {
     uc_reg_read(uc,
                 sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RDX : UC_X86_REG_EDX,
                 &Rdx);
-    uc_reg_read(uc,
-                sandbox->GetPeInfo()->isX64 ? UC_X86_REG_EAX : UC_X86_REG_EAX,
-                &Eax);
+    uc_reg_read(uc, UC_X86_REG_EAX, &Eax);
     uc_reg_read(uc,
                 sandbox->GetPeInfo()->isX64 ? UC_X86_REG_ECX : UC_X86_REG_ECX,
                 &Ecx);
+    uc_reg_read(uc, UC_X86_REG_R15D, &R15);
     printf(
-        "[dumpVmenv] Rip: %p lastRip: %p Rax: %p Rsp: %p Rbp: %p Rcx: %p Rdx: %p Eax: "
-        "%08x Ecx: %08x\n",
-        Rip, Rax, Rsp, Rbp, Rcx, Rdx, Eax, Ecx);
+        "[dumpVmenv] Rip: %p Rax: %p Rsp: %p Rbp: %p Rcx: %p Rdx: %p Eax: "
+        "%08x Ecx: %llx R15D: %llx\n",
+        Rip, Rax, Rsp, Rbp, Rcx, Rdx, Eax, Ecx, R15);
 
     // 打印32层栈内存
     printf("\n[Stack Memory Dump (32 levels)]\n");