修复沙箱功能和API实现

- 在沙箱中添加了对CreateProcessW的支持，整合了CreateProcessA和CreateProcessW的共同逻辑
- 实现了URLDownloadToFileW函数，增加了对可疑URL的检测
- 更新了API钩子以支持新的API功能
- 改进了错误处理和日志记录，确保更好的调试信息输出
- 调整了主函数中的恶意软件扫描和沙箱功能调用顺序，确保恶意软件扫描优先执行

ai_anti_malware/sandbox_api_winhttp.cpp

@@ -347,4 +347,100 @@ auto Api_InternetReadFile(void* sandbox, uc_engine* uc, uint64_t address)
     uc_reg_write(uc,
                  context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
                  &returnValue);
+}
+
+auto Api_URLDownloadToFileW(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void {
+    auto context = static_cast<Sandbox*>(sandbox);
+
+    // 获取参数
+    uint64_t pCaller = 0;     // LPUNKNOWN pCaller
+    uint64_t szURL = 0;       // LPCWSTR szURL
+    uint64_t szFileName = 0;  // LPCWSTR szFileName
+    uint64_t dwReserved = 0;  // DWORD dwReserved
+    uint64_t lpfnCB = 0;      // LPBINDSTATUSCALLBACK lpfnCB
+
+    // 根据x86或x64架构读取参数
+    if (context->GetPeInfo()->isX64) {
+        uc_reg_read(uc, UC_X86_REG_RCX, &pCaller);
+        uc_reg_read(uc, UC_X86_REG_RDX, &szURL);
+        uc_reg_read(uc, UC_X86_REG_R8, &szFileName);
+        uc_reg_read(uc, UC_X86_REG_R9, &dwReserved);
+
+        uint64_t rsp = 0;
+        uc_reg_read(uc, UC_X86_REG_RSP, &rsp);
+        uc_mem_read(uc, rsp + 0x28, &lpfnCB, sizeof(lpfnCB));
+    } else {
+        uint32_t esp = 0;
+        uc_reg_read(uc, UC_X86_REG_ESP, &esp);
+
+        uint32_t param_addr = esp + 4;
+        uc_mem_read(uc, param_addr, &pCaller, sizeof(uint32_t));
+
+        param_addr += 4;
+        uc_mem_read(uc, param_addr, &szURL, sizeof(uint32_t));
+
+        param_addr += 4;
+        uc_mem_read(uc, param_addr, &szFileName, sizeof(uint32_t));
+
+        param_addr += 4;
+        uc_mem_read(uc, param_addr, &dwReserved, sizeof(uint32_t));
+
+        param_addr += 4;
+        uc_mem_read(uc, param_addr, &lpfnCB, sizeof(uint32_t));
+    }
+
+    // 将此行为标记为可能的恶意行为
+    context->SetMalwareAnalysisType(MalwareAnalysisType::kMalware);
+
+    // 读取URL (宽字符)
+    std::wstring wUrlString;
+    if (szURL != 0) {
+        wchar_t buffer[1024] = {0};
+        uc_mem_read(uc, szURL, buffer, sizeof(buffer) - sizeof(wchar_t));
+        wUrlString = buffer;
+
+        // 转换为UTF-8字符串用于日志记录
+        std::string urlString(wUrlString.begin(), wUrlString.end());
+        printf("[URLDownloadToFileW] URL: %s\n", urlString.c_str());
+
+        // 记录到API调用列表
+        context->ApiCallList.push_back("URLDownloadToFileW: " + urlString);
+    }
+
+    // 读取文件名 (宽字符)
+    std::wstring wFileNameString;
+    if (szFileName != 0) {
+        wchar_t buffer[1024] = {0};
+        uc_mem_read(uc, szFileName, buffer, sizeof(buffer) - sizeof(wchar_t));
+        wFileNameString = buffer;
+
+        // 转换为UTF-8字符串用于日志记录
+        std::string fileNameString(wFileNameString.begin(),
+                                   wFileNameString.end());
+        printf("[URLDownloadToFileW] File name: %s\n", fileNameString.c_str());
+    }
+
+    // 检查URL是否包含可疑内容
+    const std::vector<std::wstring> suspiciousUrlPatterns = {
+        L"http://", L"https://", L"ftp://", L".exe", L".dll", L".bat",
+        L".ps1",    L".vbs",     L".js",    L".cmd", L".msi", L".hta"};
+
+    for (const auto& pattern : suspiciousUrlPatterns) {
+        if (wUrlString.find(pattern) != std::wstring::npos) {
+            context->SetMalwareAnalysisType(MalwareAnalysisType::kMalware);
+#if LOG_LEVEL >= 1
+            std::string patternString(pattern.begin(), pattern.end());
+            printf("[!!!] Malicious URL pattern detected: %s\n",
+                   patternString.c_str());
+#endif
+            break;
+        }
+    }
+
+    // 模拟下载成功
+    uint32_t returnValue = S_OK;  // 0 表示成功
+    uc_reg_write(uc,
+                 context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
+                 &returnValue);
 }