From 95df007dbfcc91f5e880868fcf483bf8c3bde72d Mon Sep 17 00:00:00 2001
From: Huoji's <1296564236@qq.com>
Date: Sun, 9 Mar 2025 04:24:46 +0800
Subject: [PATCH] Add README and improve import library parsing with exception
 handling

- Create initial README.md with project overview and motivation
- Add SEH-based exception handling in ExtractFeatures method for import library parsing
- Prevent potential access violations during PE import directory traversal
- Implement basic error logging for skipped files with access violations
---
 ai_anti_malware/ml.cpp | 43 +++++++++++++++++++++++-------------------
 readme.md              | 14 ++++++++++++++
 2 files changed, 38 insertions(+), 19 deletions(-)
 create mode 100644 readme.md

diff --git a/ai_anti_malware/ml.cpp b/ai_anti_malware/ml.cpp
index 8808067..fc01d19 100644
--- a/ai_anti_malware/ml.cpp
+++ b/ai_anti_malware/ml.cpp
@@ -381,27 +381,32 @@ std::vector<double> MachineLearning::ExtractFeatures(const uint8_t* buffer,
 
     // 获取导入DLL列表
     if (peInfo.hasImports) {
-        size_t impRva = 0;
-        IMAGE_DATA_DIRECTORY* impDir =
-            peconv::get_directory_entry(peBuffer, IMAGE_DIRECTORY_ENTRY_IMPORT);
-        if (impDir) {
-            impRva = impDir->VirtualAddress;
-            IMAGE_IMPORT_DESCRIPTOR* impDesc =
-                reinterpret_cast<IMAGE_IMPORT_DESCRIPTOR*>(
-                    RvaToPtr(impRva, peBuffer));
-            while (impDesc && impDesc->Name != 0) {
-                char* libName =
-                    reinterpret_cast<char*>(RvaToPtr(impDesc->Name, peBuffer));
-                if (libName) {
-                    std::string libNameStr = libName;
-                    std::transform(libNameStr.begin(), libNameStr.end(),
-                                   libNameStr.begin(), [](unsigned char c) {
-                                       return std::tolower(c);
-                                   });
-                    importedLibraries.push_back(libNameStr);
+        __try {
+            // 懒得JB处理了,累了.这里是不安全的
+            size_t impRva = 0;
+            IMAGE_DATA_DIRECTORY* impDir = peconv::get_directory_entry(
+                peBuffer, IMAGE_DIRECTORY_ENTRY_IMPORT);
+            if (impDir) {
+                impRva = impDir->VirtualAddress;
+                IMAGE_IMPORT_DESCRIPTOR* impDesc =
+                    reinterpret_cast<IMAGE_IMPORT_DESCRIPTOR*>(
+                        RvaToPtr(impRva, peBuffer));
+                while (impDesc && impDesc->Name != 0) {
+                    char* libName = reinterpret_cast<char*>(
+                        RvaToPtr(impDesc->Name, peBuffer));
+                    if (libName) {
+                        std::string libNameStr = libName;
+                        std::transform(libNameStr.begin(), libNameStr.end(),
+                                       libNameStr.begin(), [](unsigned char c) {
+                                           return std::tolower(c);
+                                       });
+                        importedLibraries.push_back(libNameStr);
+                    }
+                    impDesc++;
                 }
-                impDesc++;
             }
+        } __except (EXCEPTION_EXECUTE_HANDLER) {
+            printf("skip file:  (access violation)\n");
         }
     }
 
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..b206f0c
--- /dev/null
+++ b/readme.md
@@ -0,0 +1,14 @@
+[2025]从0制作现代启发式AI杀毒引擎,附源码
+## 前言
+
+冲鸭安全突破3000粉丝了,应该国内大半个搞安全的人都在看了.所以整个大的活.
+
+为什么突然想搞这个,因为在做国内安全业务的时候,我意识到,国内的平均技术水平还有很大的挖掘价值.很多人从事安全,可能也对自己的电脑上的安全软件的工作原理感兴趣.也有很多人把做安全软件视为自己的梦想.或者一个努力方向.所以我觉得,有必要花一些时间,系统的整理一下杀毒引擎的工作原理,在整理工作原理的时候我发现网上基本0资料,有也停留在2006年之前什么特征码扫描,云查杀毒.仿佛杀毒软件这玩意就是个黑盒. 
+
+所以,为了系统性的以及确定性的处理,我花了大概两天时间,写了一个符合现代(2025年)情况的杀毒引擎.现在我将介绍他是如何工作的.以及他的缺陷是什么.并且在文末我还会开源源码,能直接VS编译.方便大家学习
+
+目前查杀引擎各家瞎吹的什么NGAV无非就这几种:
+1. 云查引擎
+    这包括:模糊hash引擎(ssdeep,simhash等都算),模糊hash是一种算法,能比较文件相似度,具体可以看我之前的文章:
+    
+2. 
\ No newline at end of file