admin/awesome_anti_virus_engine
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update & fix logic bug

Browse Source
This commit is contained in:
Huoji's
2025-03-20 04:56:31 +08:00
parent 3a6e331f31
commit 91dca661ba
5 changed files with 243 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
ai_anti_malware/sandbox.cpp
View File

@@ -164,8 +164,8 @@ class cFixImprot : public peconv::t_function_resolver {
for (const auto& module : m_sandbox->m_moduleList) {
// 检查模块名是否匹配
if (_stricmp(module->name, lib_name) == 0) {
// 遍历模块的导出函数
for (const auto& exp : m_sandbox->m_exportFuncDict) {
// 遍历模块的导出函数
for (const auto& exp : module->export_function) {
// 检查函数名是否匹配
if (strcmp(exp->name, func_name) == 0) {
auto newBase = reinterpret_cast<FARPROC>(
@@ -177,18 +177,24 @@ class cFixImprot : public peconv::t_function_resolver {
}
}
}
// 如果没有找到精确匹配的模块名,尝试在所有模块中查找该函数
for (const auto& module : m_sandbox->m_moduleList) {
for (const auto& exp : m_sandbox->m_exportFuncDict) {
for (const auto& exp : module->export_function) {
// 检查函数名是否匹配
if (strcmp(exp->name, func_name) == 0) {
auto newBase = reinterpret_cast<FARPROC>(
module->base + exp->function_address);
printf("fix import: %s => %llx \n", func_name, newBase);
printf("fix import (fallback): %s found in %s => %llx \n",
func_name, module->name, newBase);
// 返回在模拟器中的虚拟地址
return newBase;
}
}
}
printf("Warning: Could not resolve import: %s from library: %s\n",
func_name, lib_name);
//__debugbreak();
return nullptr;
}
@@ -200,7 +206,7 @@ Sandbox::Sandbox() {
m_ucEngine = nullptr;
m_peInfo = nullptr;
m_nextWfpEngineHandle = (HANDLE)0x1000; // 初始化WFP引擎句柄
m_lastImpRead = { 0,0 };
m_lastImpRead = {0, 0};
}
Sandbox::~Sandbox() {
@@ -253,16 +259,22 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void {
m_usedModuleBase = DLL_MODULE_BASE;
}
// 创建新模块
auto newModule = CreateModuleInfo(dllName, AlignSize(m_usedModuleBase, PAGE_SIZE), moduleBase, moduleBase);
auto newModule =
CreateModuleInfo(dllName, AlignSize(m_usedModuleBase, PAGE_SIZE),
moduleBase, moduleBase);
m_usedModuleBase += PAGE_SIZE + newModule->size;
m_moduleList.push_back(newModule);
printf("push `%s` module to vm base: %llx vm size: %llx\n", newModule->name,
newModule->base, newModule->size);
uc_mem_map(m_ucEngine, newModule->base, newModule->size,
UC_PROT_READ | UC_PROT_EXEC);
uc_mem_write(m_ucEngine, newModule->base, (void*)moduleBase,
newModule->size);
if (uc_mem_map(m_ucEngine, newModule->base, newModule->size,
UC_PROT_READ | UC_PROT_EXEC) != UC_ERR_OK) {
throw std::runtime_error("Failed to map module");
}
if (uc_mem_write(m_ucEngine, newModule->base, (void*)moduleBase,
newModule->size) != UC_ERR_OK) {
throw std::runtime_error("Failed to write data to map module");
}
if (peconv::relocate_module((BYTE*)moduleBase, newModule->size,
newModule->base) == false) {
throw std::runtime_error("Failed to relocate module");
@@ -274,8 +286,8 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void {
}
}
auto Sandbox::CreateModuleInfo(const char* dllName, uint64_t moduleBase, uint64_t realModuleBase,
uint64_t bufferAddress)
auto Sandbox::CreateModuleInfo(const char* dllName, uint64_t moduleBase,
uint64_t realModuleBase, uint64_t bufferAddress)
-> std::shared_ptr<struct_moudle> {
// 解析PE头
auto* dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(bufferAddress);
@@ -574,6 +586,13 @@ auto Sandbox::SetupVirtualMachine() -> void {
m_teb32.ProcessEnvironmentBlock = static_cast<ULONG>(m_pebBase);
m_teb32.NtTib.StackBase = static_cast<ULONG>(m_stackBase);
m_teb32.NtTib.StackLimit = static_cast<ULONG>(m_stackSize);
// 初始化NT_TIB结构的其余部分
m_teb32.NtTib.Self =
static_cast<ULONG>(m_tebBase); // 关键设置Self指针指向TEB本身
m_teb32.NtTib.ExceptionList = 0xFFFFFFFF; // 初始异常链表指向特殊值
m_teb32.NtTib.Version = 0;
m_teb32.NtTib.FiberData = 0;
m_teb32.NtTib.ArbitraryUserPointer = 0;
// 设置堆
m_peb32.ProcessHeap = static_cast<ULONG>(m_heapBase);
@@ -591,6 +610,7 @@ auto Sandbox::SetupVirtualMachine() -> void {
// 对于32位我们需要设置FS段寄存器指向TEB
SegmentSelector fs = {0};
fs.fields.index = 3;
// 不需要设置present和dpl因为SegmentSelector结构体中没有这些字段
uc_reg_write(m_ucEngine, UC_X86_REG_FS, &fs.all);
// 设置FS基址MSR
@@ -598,6 +618,19 @@ auto Sandbox::SetupVirtualMachine() -> void {
msr.rid = static_cast<uint32_t>(Msr::kIa32FsBase);
msr.value = m_tebBase;
uc_reg_write(m_ucEngine, UC_X86_REG_MSR, &msr);
// 确保TEB中关键字段被正确初始化
// 特别是FS:18h (0x18)处应该指向自身
// 根据Native_Struct.h中X32TEB定义偏移0x18处是SelfTeb
uint32_t self_teb_ptr = static_cast<uint32_t>(m_tebBase);
// 在NT_TIB中设置SelfTeb (offset 0x18)
uc_mem_write(m_ucEngine, m_tebBase + 0x18, &self_teb_ptr,
sizeof(uint32_t));
// 确保TEB中的ProcessEnvironmentBlock字段指向PEB
uint32_t peb_ptr = static_cast<uint32_t>(m_pebBase);
// 偏移0x30处是ProcessEnvironmentBlock
uc_mem_write(m_ucEngine, m_tebBase + 0x30, &peb_ptr, sizeof(uint32_t));
}
// 映射新的内存区域
size_t envSize =
@@ -635,9 +668,9 @@ auto Sandbox::InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void {
throw std::runtime_error("Failed to initialize Unicorn");
}
// 一定要确保他是第一个.
auto newModule =
CreateModuleInfo("huoji.exe", m_peInfo->RecImageBase, m_peInfo->RecImageBase,
reinterpret_cast<uint64_t>(m_peInfo->peBuffer));
auto newModule = CreateModuleInfo(
"huoji.exe", m_peInfo->RecImageBase, m_peInfo->RecImageBase,
reinterpret_cast<uint64_t>(m_peInfo->peBuffer));
_ASSERTE(m_moduleList.size() == 0);
m_moduleList.push_back(newModule);
@@ -842,8 +875,8 @@ auto Sandbox::GetEnvString() -> std::vector<wchar_t> {
L"PROMPT=$P$G",
L"SystemDrive=C:",
L"SystemRoot=C:\\Windows",
L"TEMP=C:\\Users\\User\\AppData\\Local\\Temp",
L"TMP=C:\\Users\\User\\AppData\\Local\\Temp",
L"TEMP=C:\\Users\\huoji\\AppData\\Local\\Temp",
L"TMP=C:\\Users\\huoji\\AppData\\Local\\Temp",
L"USERDOMAIN=DESKTOP",
L"USERNAME=User",
L"USERPROFILE=C:\\Users\\User",