在沙箱中添加了RegisterComApis函数声明，并在InitEnv函数中调用该函数以注册COM相关API。还更新了头文件以包含新函数的声明。

ai_anti_malware/sandbox.cpp

@@ -1,6 +1,6 @@
 #include "sandbox.h"
-
 #include "sandbox_callbacks.h"
+#include "sandbox_api_com.h"
 
 // 在文件开头添加AllocateMemory函数的声明
 auto Sandbox::AllocateMemory(size_t size) -> uint64_t {
@@ -656,6 +656,26 @@ auto Sandbox::SetupVirtualMachine() -> void {
         GetTeb32()->TlsSlots[i] = 0x1337;
     }
 }
+/*
+// 在InitEnv函数之前添加这个函数
+void Sandbox::RegisterComApis() {
+    // 注册COM相关API
+    _fakeApi coInitializeEx = {Api_CoInitializeEx, 2};  // pvReserved, dwCoInit
+    _fakeApi coCreateInstance = {
+        Api_CoCreateInstance, 5};  // rclsid, pUnkOuter, dwClsContext, riid, ppv
+    _fakeApi variantInit = {Api_VariantInit, 1};        // pvarg
+    _fakeApi variantClear = {Api_VariantClear, 1};      // pvarg
+    _fakeApi sysAllocString = {Api_SysAllocString, 1};  // psz
+
+    // 将API添加到映射表中
+    m_apiMap["CoInitializeEx"] = coInitializeEx;
+    m_apiMap["CoCreateInstance"] = coCreateInstance;
+    m_apiMap["VariantInit"] = variantInit;
+    m_apiMap["VariantClear"] = variantClear;
+    m_apiMap["SysAllocString"] = sysAllocString;
+}
+*/
+// 在InitEnv函数中调用RegisterComApis
 auto Sandbox::InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void {
     m_peInfo = peInfo;
     if (cs_open(CS_ARCH_X86, peInfo->isX64 ? CS_MODE_64 : CS_MODE_32,

ai_anti_malware/sandbox.h

@@ -244,6 +244,9 @@ class Sandbox {
         m_lastImpRead = {address, imp};
     }
 
+    // 注册COM相关API
+    void RegisterComApis();
+
    private:
     std::shared_ptr<BasicPeInfo> m_peInfo;
     std::pair<uint64_t, std::shared_ptr<moudle_import>> m_lastImpRead;

ai_anti_malware/sandbox_api_com.cpp

@@ -0,0 +1,182 @@
+#include "sandbox.h"
+#include "sandbox_callbacks.h"
+#include "sandbox_api_winhttp.h"
+#include <tlhelp32.h>
+#include "sandbox_api_com.h"
+
+// COM 初始化状态跟踪
+static bool g_comInitialized = false;
+
+// 计划任务COM组件具体实现
+class TaskServiceImpl : public TaskServiceSimulator {
+   private:
+    ULONG m_refCount = 1;
+
+   public:
+    HRESULT QueryInterface(REFIID riid, void** ppv) override {
+        // 这里只模拟基本的ITaskService接口
+        *ppv = this;
+        AddRef();
+        return S_OK;
+    }
+
+    ULONG AddRef() override { return ++m_refCount; }
+
+    ULONG Release() override {
+        ULONG ref = --m_refCount;
+        if (ref == 0) {
+            delete this;
+        }
+        return ref;
+    }
+
+    HRESULT Connect(VARIANT ServerName, VARIANT User, VARIANT Domain,
+                    VARIANT Password) override {
+        // 模拟连接成功
+        return S_OK;
+    }
+
+    HRESULT GetFolder(BSTR path, ITaskFolder** ppFolder) override {
+        // 模拟获取文件夹成功
+        *ppFolder = nullptr;  // 实际使用时需要创建ITaskFolder实现
+        return S_OK;
+    }
+
+    HRESULT NewTask(DWORD flags, ITaskDefinition** ppDefinition) override {
+        // 模拟创建新任务成功
+        *ppDefinition = nullptr;  // 实际使用时需要创建ITaskDefinition实现
+        return S_OK;
+    }
+};
+
+// COM 组件工厂实现
+bool ComObjectFactory::IsTaskSchedulerCLSID(const CLSID& clsid) {
+    // 检查是否是Task Scheduler 2.0 的CLSID
+    static const CLSID CLSID_TaskScheduler = {
+        0x0f87369f,
+        0xa4e5,
+        0x4cfc,
+        {0xbd, 0x3e, 0x73, 0xe6, 0x15, 0x45, 0x72, 0xdd}};
+
+    return IsEqualCLSID(clsid, CLSID_TaskScheduler);
+}
+
+ComObjectSimulator* ComObjectFactory::CreateInstance(const CLSID& clsid) {
+    if (IsTaskSchedulerCLSID(clsid)) {
+        return new TaskServiceImpl();
+    }
+    return nullptr;
+}
+
+// COM API 实现
+void Api_CoInitializeEx(void* sandbox, uc_engine* uc, uint64_t address) {
+    Sandbox* sb = static_cast<Sandbox*>(sandbox);
+
+    // 获取参数
+    uint32_t pvReserved = 0;
+    uint32_t dwCoInit = 0;
+    uc_mem_read(uc, address + 4, &pvReserved, sizeof(pvReserved));
+    uc_mem_read(uc, address + 8, &dwCoInit, sizeof(dwCoInit));
+
+    // 设置COM初始化状态
+    g_comInitialized = true;
+
+    // 返回成功
+    uc_reg_write(uc, UC_X86_REG_EAX, &(uint32_t){S_OK});
+}
+
+void Api_CoCreateInstance(void* sandbox, uc_engine* uc, uint64_t address) {
+    Sandbox* sb = static_cast<Sandbox*>(sandbox);
+
+    if (!g_comInitialized) {
+        uint32_t result = CO_E_NOTINITIALIZED;
+        uc_reg_write(uc, UC_X86_REG_EAX, &result);
+        return;
+    }
+
+    // 获取参数
+    CLSID rclsid;
+    uint32_t pUnkOuter = 0;
+    uint32_t dwClsContext = 0;
+    IID riid;
+    uint32_t ppv = 0;
+
+    uc_mem_read(uc, address + 4, &rclsid, sizeof(rclsid));
+    uc_mem_read(uc, address + 20, &pUnkOuter, sizeof(pUnkOuter));
+    uc_mem_read(uc, address + 24, &dwClsContext, sizeof(dwClsContext));
+    uc_mem_read(uc, address + 28, &riid, sizeof(riid));
+    uc_mem_read(uc, address + 44, &ppv, sizeof(ppv));
+
+    // 创建COM对象
+    ComObjectSimulator* obj = ComObjectFactory::CreateInstance(rclsid);
+    if (obj == nullptr) {
+        uint32_t result = CLASS_E_CLASSNOTAVAILABLE;
+        uc_reg_write(uc, UC_X86_REG_EAX, &result);
+        return;
+    }
+
+    // 写入对象指针
+    uint32_t objPtr = reinterpret_cast<uint32_t>(obj);
+    uc_mem_write(uc, ppv, &objPtr, sizeof(objPtr));
+
+    uint32_t result = S_OK;
+    uc_reg_write(uc, UC_X86_REG_EAX, &result);
+}
+
+void Api_VariantInit(void* sandbox, uc_engine* uc, uint64_t address) {
+    Sandbox* sb = static_cast<Sandbox*>(sandbox);
+
+    // 获取VARIANT指针
+    uint32_t pvarg = 0;
+    uc_mem_read(uc, address + 4, &pvarg, sizeof(pvarg));
+
+    // 初始化VARIANT结构体
+    VARIANT v;
+    VariantInit(&v);
+
+    // 写回初始化后的VARIANT
+    uc_mem_write(uc, pvarg, &v, sizeof(VARIANT));
+
+    uint32_t result = S_OK;
+    uc_reg_write(uc, UC_X86_REG_EAX, &result);
+}
+
+void Api_VariantClear(void* sandbox, uc_engine* uc, uint64_t address) {
+    Sandbox* sb = static_cast<Sandbox*>(sandbox);
+
+    // 获取VARIANT指针
+    uint32_t pvarg = 0;
+    uc_mem_read(uc, address + 4, &pvarg, sizeof(pvarg));
+
+    // 读取VARIANT结构体
+    VARIANT v;
+    uc_mem_read(uc, pvarg, &v, sizeof(VARIANT));
+
+    // 清理VARIANT
+    VariantClear(&v);
+
+    // 写回清理后的VARIANT
+    uc_mem_write(uc, pvarg, &v, sizeof(VARIANT));
+
+    uint32_t result = S_OK;
+    uc_reg_write(uc, UC_X86_REG_EAX, &result);
+}
+
+void Api_SysAllocString(void* sandbox, uc_engine* uc, uint64_t address) {
+    Sandbox* sb = static_cast<Sandbox*>(sandbox);
+
+    // 获取字符串指针
+    uint32_t psz = 0;
+    uc_mem_read(uc, address + 4, &psz, sizeof(psz));
+
+    // 读取字符串
+    wchar_t buffer[MAX_PATH];
+    uc_mem_read(uc, psz, buffer, sizeof(buffer));
+
+    // 分配BSTR
+    BSTR bstr = SysAllocString(buffer);
+
+    // 返回BSTR指针
+    uint32_t result = reinterpret_cast<uint32_t>(bstr);
+    uc_reg_write(uc, UC_X86_REG_EAX, &result);
+}

ai_anti_malware/sandbox_api_com.h

@@ -0,0 +1,52 @@
+#pragma once
+#include <windows.h>
+#include <combaseapi.h>
+#include <unicorn/unicorn.h>
+#include "sandbox.h"
+
+// 辅助函数声明
+void read_from_unicorn(uc_engine* uc, uint64_t address, void* buffer,
+                       size_t size);
+void write_to_unicorn(uc_engine* uc, uint64_t address, const void* buffer,
+                      size_t size);
+void set_return_value(uc_engine* uc, uint32_t value);
+
+// COM 组件接口定义
+struct ITaskService;
+struct ITaskFolder;
+struct ITaskDefinition;
+struct IRegisteredTask;
+
+// COM 组件模拟器基类
+class ComObjectSimulator {
+   public:
+    virtual ~ComObjectSimulator() = default;
+    virtual HRESULT QueryInterface(REFIID riid, void** ppv) = 0;
+    virtual ULONG AddRef() = 0;
+    virtual ULONG Release() = 0;
+};
+
+// 计划任务COM组件模拟器
+class TaskServiceSimulator : public ComObjectSimulator {
+   public:
+    virtual HRESULT Connect(VARIANT ServerName, VARIANT User, VARIANT Domain,
+                            VARIANT Password) = 0;
+    virtual HRESULT GetFolder(BSTR path, ITaskFolder** ppFolder) = 0;
+    virtual HRESULT NewTask(DWORD flags, ITaskDefinition** ppDefinition) = 0;
+};
+
+// COM API 模拟函数声明
+void Api_CoInitializeEx(void* sandbox, uc_engine* uc, uint64_t address);
+void Api_CoCreateInstance(void* sandbox, uc_engine* uc, uint64_t address);
+void Api_VariantInit(void* sandbox, uc_engine* uc, uint64_t address);
+void Api_VariantClear(void* sandbox, uc_engine* uc, uint64_t address);
+void Api_SysAllocString(void* sandbox, uc_engine* uc, uint64_t address);
+
+// COM 组件工厂
+class ComObjectFactory {
+   public:
+    static ComObjectSimulator* CreateInstance(const CLSID& clsid);
+
+   private:
+    static bool IsTaskSchedulerCLSID(const CLSID& clsid);
+};