update

2025-03-20 19:56:39 +08:00
parent 662e2398eb
commit 8e2e0c19ec
7 changed files with 268 additions and 180 deletions
--- a/ai_anti_malware/sandbox.cpp
+++ b/ai_anti_malware/sandbox.cpp
@@ -103,9 +103,11 @@ class ImportResolver : public peconv::t_function_resolver {
 class cListImportNames : public peconv::ImportThunksCallback {
   public:
    cListImportNames(BYTE* _modulePtr, size_t _moduleSize,
-                     std::vector<std::shared_ptr<moudle_import>>& name_to_addr)
+                     std::vector<std::shared_ptr<moudle_import>>& name_to_addr,
+                     std::vector<std::shared_ptr<moudle_import_ordinal>>& name_to_ordinal)
        : ImportThunksCallback(_modulePtr, _moduleSize),
-          nameToAddr(name_to_addr) {}
+          nameToAddr(name_to_addr),
+          ordinalImportFunc(name_to_ordinal) {}

    virtual bool processThunks(LPSTR lib_name, ULONG_PTR origFirstThunkPtr,
                               ULONG_PTR firstThunkPtr) {
@@ -148,10 +150,19 @@ class cListImportNames : public peconv::ImportThunksCallback {
            import_data->is_delayed_import = false;
            nameToAddr.push_back(import_data);
        }
+        else {
+            auto importFunc = std::make_shared<moudle_import_ordinal>();
+            T_FIELD raw_ordinal = desc->u1.Ordinal & (~ordinal_flag);
+
+            importFunc->function_address = call_via_rva;
+            importFunc->ordinal = raw_ordinal;
+            ordinalImportFunc.push_back(importFunc);
+        }
        return true;
    }

    std::vector<std::shared_ptr<moudle_import>>& nameToAddr;
+    std::vector<std::shared_ptr<moudle_import_ordinal>>& ordinalImportFunc;
 };
 class cFixImprot : public peconv::t_function_resolver {
   public:
@@ -455,8 +466,7 @@ auto Sandbox::ResoveImport() -> void {
    peconv::load_delayed_imports(static_cast<BYTE*>(m_peInfo->peBuffer), 0);

    // 解析导入表
-    cListImportNames importCallback(static_cast<BYTE*>(m_peInfo->peBuffer),
-                                    m_peInfo->peSize, m_impFuncDict);
+    cListImportNames importCallback(static_cast<BYTE*>(m_peInfo->peBuffer), m_peInfo->peSize, m_impFuncDict, m_impFuncOrdinalDict);

    if (!peconv::process_import_table(static_cast<BYTE*>(m_peInfo->peBuffer),
                                      m_peInfo->peSize, &importCallback)) {