修复一个导致崩溃的问题

2025-04-20 23:43:54 +08:00
parent 143a336c8b
commit 8cfd24ab43
7 changed files with 66 additions and 11 deletions
--- a/ai_anti_malware/ai_anti_malware.cpp
+++ b/ai_anti_malware/ai_anti_malware.cpp
@@ -23,10 +23,7 @@ auto getPeInfo(std::string inputFilePath) -> std::shared_ptr<BasicPeInfo> {
    sampleInfo->ntHead64 = peconv::get_nt_hdrs64((BYTE*)sampleInfo->peBuffer);
    sampleInfo->ntHead32 = peconv::get_nt_hdrs32((BYTE*)sampleInfo->peBuffer);
    sampleInfo->isX64 = peconv::is64bit((BYTE*)sampleInfo->peBuffer);
-    sampleInfo->RecImageBase =
-        sampleInfo->isX64
-            ? (DWORD64)sampleInfo->ntHead64->OptionalHeader.ImageBase
-            : (DWORD)sampleInfo->ntHead32->OptionalHeader.ImageBase;
+    sampleInfo->RecImageBase = MAIN_MODULE_BASE;
    sampleInfo->isRelocated =
        peconv::relocate_module((BYTE*)sampleInfo->peBuffer, sampleInfo->peSize,
                                sampleInfo->RecImageBase);
@@ -335,11 +332,50 @@ int doSandbox(int argc, char* argv[]) {
    }
    return 0;
 }
+#include <filesystem>

+void DetectMalwareInDirectory(const std::string& directoryPath) {
+    std::map<DetectEngineType, int> detectionCount;
+
+    for (const auto& entry : std::filesystem::recursive_directory_iterator(directoryPath)) {
+        if (!entry.is_regular_file()) {
+            continue;
+        }
+
+        std::string filePath = entry.path().string();
+        std::cout << "Processing: " << filePath << std::endl;
+        DetectEngine scanner;
+        DetectEngineType result = scanner.DetectMalware(filePath);
+        detectionCount[result]++;
+    }
+
+    // 输出统计结果
+    std::cout << "\nDetection Summary:\n";
+    for (const auto& pair : detectionCount) {
+        std::string name;
+        switch (pair.first) {
+        case DetectEngineType::kNone: name = "None"; break;
+        case DetectEngineType::kPeStruct: name = "PE Struct"; break;
+        case DetectEngineType::kMachineLearning: name = "Machine Learning"; break;
+        case DetectEngineType::kSandbox: name = "Sandbox"; break;
+        }
+        std::cout << "  " << name << ": " << pair.second << "\n";
+    }
+}
 int main(int argc, char* argv[]) {
    // doMl(argc, argv);
    // doPredict(argc, argv);
    // doMalwareScan(argc, argv);
-    doSandbox(argc, argv);
+    // doSandbox(argc, argv);
+    /*
+    if (argc < 3) {
+        std::cout << "用法: " << argv[0] << " <文件夹路径>" << std::endl;
+        return 0;
+    }
+    
+    std::string filePath = argv[1];
+    */
+    std::string filePath = "Z:\\malware";
+    DetectMalwareInDirectory(filePath);
    return 0;
 }
--- a/ai_anti_malware/ai_anti_malware.vcxproj
+++ b/ai_anti_malware/ai_anti_malware.vcxproj
@@ -135,6 +135,8 @@
      <PreprocessorDefinitions>NDEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
      <LanguageStandard>stdcpplatest</LanguageStandard>
+      <Optimization>MaxSpeed</Optimization>
+      <WholeProgramOptimization>true</WholeProgramOptimization>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
@@ -191,7 +193,6 @@
    <ClCompile Include="sandbox_malware_check.cpp" />
  </ItemGroup>
  <ItemGroup>
-    <ClInclude Include="..\ml\malware_detector.h" />
    <ClInclude Include="head.h" />
    <ClInclude Include="libpeconv\libpeconv\src\fix_dot_net_ep.h" />
    <ClInclude Include="libpeconv\libpeconv\src\ntddk.h" />
--- a/ai_anti_malware/ai_anti_malware.vcxproj.filters
+++ b/ai_anti_malware/ai_anti_malware.vcxproj.filters
@@ -191,9 +191,6 @@
    <ClInclude Include="ml.h">
      <Filter>头文件\machine_learning</Filter>
    </ClInclude>
-    <ClInclude Include="..\ml\malware_detector.h">
-      <Filter>头文件\machine_learning</Filter>
-    </ClInclude>
    <ClInclude Include="sandbox_api_winhttp.h">
      <Filter>头文件\sandbox</Filter>
    </ClInclude>
--- a/ai_anti_malware/head.h
+++ b/ai_anti_malware/head.h
@@ -1,5 +1,5 @@
 #pragma once
-#define LOG_LEVEL 1
+#define LOG_LEVEL 0

 #define _CRT_SECURE_NO_WARNINGS
 #include <iostream>
--- a/ai_anti_malware/ml.cpp
+++ b/ai_anti_malware/ml.cpp
@@ -475,6 +475,24 @@ std::vector<double> MachineLearning::ExtractFeatures(const uint8_t* buffer,

    // 提取所有特征
    std::vector<double> allFeatures;
+    const size_t EXPECTED_PROPERTY_FEATURES = 14;  // 14个布尔值属性
+    const size_t EXPECTED_LIBRARY_FEATURES = 150;  // _libraries数组大小
+    const size_t EXPECTED_ENTROPY_FEATURES = 1;    // 文件熵
+    const size_t EXPECTED_ENTRYPOINT_FEATURES = 64; // EncodeEntrypoint实际使用64字节
+    const size_t EXPECTED_SECTION_FEATURES = 5;    // EncodeSections实际返回5个特征
+    const size_t EXPECTED_RATIO_FEATURES = 1;      // 代码比率
+    const size_t EXPECTED_SECTION_COUNT_FEATURES = 1; // 节区数量
+
+    const size_t TOTAL_EXPECTED_FEATURES =
+        EXPECTED_PROPERTY_FEATURES +
+        EXPECTED_LIBRARY_FEATURES +
+        EXPECTED_ENTROPY_FEATURES +
+        EXPECTED_ENTRYPOINT_FEATURES +
+        EXPECTED_SECTION_FEATURES +
+        EXPECTED_RATIO_FEATURES +
+        EXPECTED_SECTION_COUNT_FEATURES;
+
+    allFeatures.reserve(TOTAL_EXPECTED_FEATURES);

    // 1. PE段属性
    std::vector<double> propFeatures =
@@ -512,7 +530,6 @@ std::vector<double> MachineLearning::ExtractFeatures(const uint8_t* buffer,

    // 清理资源
    peconv::free_pe_buffer(peBuffer);
-
    return allFeatures;
 }

--- a/ai_anti_malware/sandbox.h
+++ b/ai_anti_malware/sandbox.h
@@ -20,6 +20,7 @@
 #define HEAP_SIZE_32 0x5000000
 #define ENV_BLOCK_BASE 0x50000
 #define DLL_MODULE_BASE 0x130000
+#define MAIN_MODULE_BASE 0xff0000

 #define PEB_BASE 0x90000
 #define TEB_BASE 0x90000
--- a/ml/malware_detector.cpp
+++ b/ml/malware_detector.cpp
@@ -1,5 +1,7 @@
 #include <math.h>
 #include <string.h>
+#pragma optimize("", off)
+
 double sigmoid(double x) {
    if (x < 0.0) {
        double z = exp(x);
@@ -6621,3 +6623,4 @@ double score(double* input) {
         var99));
    return var100;
 }
+#pragma optimize("", on)