diff --git a/ai_anti_malware/.vscode/settings.json b/ai_anti_malware/.vscode/settings.json
index 9ef98c4..f3671a2 100644
--- a/ai_anti_malware/.vscode/settings.json
+++ b/ai_anti_malware/.vscode/settings.json
@@ -52,6 +52,10 @@
 "xtr1common": "cpp",
 "xtree": "cpp",
 "xutility": "cpp",
- "functional": "cpp"
+ "functional": "cpp",
+ "fstream": "cpp",
+ "iomanip": "cpp",
+ "xlocmon": "cpp",
+ "xloctime": "cpp"
 }
 }
\ No newline at end of file
diff --git a/ai_anti_malware/ai_anti_malware.cpp b/ai_anti_malware/ai_anti_malware.cpp
index 3815a78..b031cf6 100644
--- a/ai_anti_malware/ai_anti_malware.cpp
+++ b/ai_anti_malware/ai_anti_malware.cpp
@@ -32,7 +32,9 @@ auto getPeInfo(std::string inputFilePath) -> std::shared_ptr {
 return sampleInfo;
 }
 int main() {
- auto sampleInfo = getPeInfo("E:\\对战平台\\CrowAntiCheat\\CrowAntiCheat\\client\\Console_Test\\x64\\Release\\Console_Test.exe");
+ // auto sampleInfo =
+ // getPeInfo("E:\\对战平台\\CrowAntiCheat\\CrowAntiCheat\\client\\Console_Test\\x64\\Release\\Console_Test.exe");
+ auto sampleInfo = getPeInfo("C:\\ConsoleApplication1.exe");
 printf("input new file %s \n", sampleInfo->inputFilePath);
 printf("is x64: %d\n", sampleInfo->isX64);
 printf("is relocated: %d\n", sampleInfo->isRelocated);
diff --git a/ai_anti_malware/sandbox.cpp b/ai_anti_malware/sandbox.cpp
index 45e6684..0e3477f 100644
--- a/ai_anti_malware/sandbox.cpp
+++ b/ai_anti_malware/sandbox.cpp
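Review bot: The new `getPeInfo("C:\\ConsoleApplication1.exe")` call in `main()` keeps the sample path hard-coded and leaves the previous path behind as two commented-out lines, so every change of target means a rebuild and the dead lines accumulate. Take the path from the command line instead, `int main(int argc, char** argv)` with `argv[1]` falling back to the current default when absent, and drop the commented-out lines. The body of `main()` continues past the hunk, so what happens after these `printf` calls is not visible here.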
@@ -396,11 +396,14 @@ auto Sandbox::SetupVirtualMachine() -> void { uc_mem_write(m_ucEngine, m_KSharedUserDataBase, (void*)m_KSharedUserDataBase, m_KSharedUserDataSize); - m_tebBase = TEB_BASE; // 进程TEB地址 - m_pebBase = PEB_BASE; // 进程PEB地址 + m_tebBase = TEB_BASE; // 进程TEB地址 + m_pebBase = PEB_BASE; // 进程PEB地址 + m_envBlockBase = ENV_BLOCK_BASE; // 环境变量块地址 // stack - m_stackBase = AlignSize(this->m_peInfo->isX64 ? STACK_BASE_64 : STACK_BASE_32, 16); - m_stackSize = AlignSize(this->m_peInfo->isX64 ? STACK_SIZE_64 : STACK_SIZE_32, 16); + m_stackBase = + AlignSize(this->m_peInfo->isX64 ? STACK_BASE_64 : STACK_BASE_32, 16); + m_stackSize = + AlignSize(this->m_peInfo->isX64 ? STACK_SIZE_64 : STACK_SIZE_32, 16); m_stackEnd = m_stackBase + m_stackSize; // heap @@ -487,6 +490,22 @@ auto Sandbox::SetupVirtualMachine() -> void { msr.value = m_tebBase; uc_reg_write(m_ucEngine, UC_X86_REG_MSR, &msr); } + // 映射新的内存区域 + size_t envSize = AlignSize(this->GetEnvStringsSize(), PAGE_SIZE); + printf("env block size: %llx\n", envSize); // 添加调试输出 + uc_err envErr = uc_mem_map(m_ucEngine, m_envBlockBase, envSize, + UC_PROT_READ | UC_PROT_WRITE); + if (envErr != UC_ERR_OK) { + throw std::runtime_error("Failed to map environment block"); + } + + auto envData = this->GetEnvString(); + envErr = uc_mem_write(m_ucEngine, m_envBlockBase, envData.data(), + envData.size() * sizeof(wchar_t)); + if (envErr != UC_ERR_OK) { + throw std::runtime_error("Failed to write environment block"); + } + for (DWORD i = 0; i < 64; i++) { GetTeb64()->TlsSlots[i] = (void*)0x1337ffffff; } 
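Review bot: `printf("env block size: %llx\n", envSize);` passes a `size_t` with `%llx`, which only matches where `size_t` is 64-bit; use `%zx` (or cast explicitly) so the debug line stays correct on a 32-bit build. The same hunk builds the environment block twice: `GetEnvStringsSize()` calls `GetEnvString()` to measure it, then `GetEnvString()` is called again for the write. Fetch it once, `auto envData = this->GetEnvString();` first, then `size_t envSize = AlignSize(envData.size() * sizeof(wchar_t), PAGE_SIZE);`, and map and write from that. Both `throw std::runtime_error(...)` sites discard the Unicorn error code; including `uc_strerror(envErr)` in the message makes a failed map or write (for example a collision with another fixed region) diagnosable. `SetupVirtualMachine` begins before and ends after this hunk.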
@@ -640,3 +659,46 @@ auto Sandbox::Run() -> void {
 }
 }
 }
+
+auto Sandbox::GetEnvString() -> std::vector {
+ std::vector envBlock;
+ // 添加一些基本的环境变量
+ const std::wstring vars[] = {
+ L"ALLUSERSPROFILE=C:\\ProgramData",
+ L"APPDATA=C:\\Users\\User\\AppData\\Roaming",
+ L"CommonProgramFiles=C:\\Program Files\\Common Files",
+ L"COMPUTERNAME=DESKTOP",
+ L"ComSpec=C:\\Windows\\system32\\cmd.exe",
+ L"HOMEDRIVE=C:",
+ L"HOMEPATH=\\Users\\User",
+ L"LOCALAPPDATA=C:\\Users\\User\\AppData\\Local",
+ L"NUMBER_OF_PROCESSORS=8",
+ L"OS=Windows_NT",
+ L"Path=C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem",
+ L"PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
+ L"PROCESSOR_ARCHITECTURE=AMD64",
+ L"ProgramData=C:\\ProgramData",
+ L"ProgramFiles=C:\\Program Files",
+ L"PROMPT=$P$G",
+ L"SystemDrive=C:",
+ L"SystemRoot=C:\\Windows",
+ L"TEMP=C:\\Users\\User\\AppData\\Local\\Temp",
+ L"TMP=C:\\Users\\User\\AppData\\Local\\Temp",
+ L"USERDOMAIN=DESKTOP",
+ L"USERNAME=User",
+ L"USERPROFILE=C:\\Users\\User",
+ L"windir=C:\\Windows"};
+
+ // 将环境变量添加到块中
+ for (const auto& var : vars) {
+ envBlock.insert(envBlock.end(), var.begin(), var.end());
+ envBlock.push_back(L'\0'); // 每个变量以null结尾
+ }
+ envBlock.push_back(L'\0'); // 环境块以额外的null结尾
+
+ return envBlock;
+}
+
+auto Sandbox::GetEnvStringsSize() -> size_t {
+ return GetEnvString().size() * sizeof(wchar_t);
+}
diff --git a/ai_anti_malware/sandbox.h b/ai_anti_malware/sandbox.h
index 148d3f3..72b6504 100644
--- a/ai_anti_malware/sandbox.h
+++ b/ai_anti_malware/sandbox.h
@@ -10,6 +10,7 @@
 #define SF_MASK (1 << 7)
 #define OF_MASK (1 << 11)
 #define ALL_MASK (OF_MASK | SF_MASK | ZF_MASK | PF_MASK | CF_MASK)
+// 随便瞎JB写的
 #define STACK_BASE_64 0x14A0000
 #define STACK_BASE_32 0x14A0000
 #define STACK_SIZE_64 0x40000
@@ -18,6 +19,7 @@
 #define HEAP_SIZE_64 0x5000000
 #define HEAP_ADDRESS_32 0x5000000
 #define HEAP_SIZE_32 0x5000000
+#define ENV_BLOCK_BASE 0x50000
 #define PEB_BASE 0x90000
 #define TEB_BASE 0x90000
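Review bot: `Sandbox::GetEnvString()` declares a local `vars[]` with the same 24 entries that the sandbox.h hunk at `@@ -131` initializes into the `envStrings` member, so the two lists will drift apart the first time one of them is edited. Build the block from the member instead, `for (const auto& var : envStrings) {`, and delete the local array; `GetEnvStringsSize()` then follows automatically. A short header comment would also help, e.g. `// Flattens envStrings into the UTF-16, double-NUL-terminated block layout that GetEnvironmentStringsW hands to the guest.` Neither function touches mutable state, so both can be declared `const` (together with their declarations in the header).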
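Review bot: `#define ENV_BLOCK_BASE 0x50000` adds another hand-picked fixed guest address with no statement of what it must not collide with; the surrounding `PEB_BASE`, `TEB_BASE`, `CMDLINE_ADDRESS` and stack/heap bases are chosen the same way, so a one-line comment per region, or a `static_assert` that the ranges do not overlap, would prevent a silent mapping conflict later. The comment `// 随便瞎JB写的` (roughly "written at random") added above `STACK_BASE_64` is non-English and tells a maintainer nothing actionable; replace it with the constraint, e.g. `// Fixed guest layout: values are arbitrary but must not overlap each other or the loaded image.` If the header already uses C++ constants elsewhere, `inline constexpr uint64_t kEnvBlockBase = 0x50000;` is preferable to a macro.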
@@ -93,6 +95,11 @@ class Sandbox {
 auto GetCommandLine() const -> const char* { return m_commandLine.c_str(); }
 auto GetCommandLineAddress() const -> uint64_t { return CMDLINE_ADDRESS; }
 auto GetCommandLineWAddress() const -> uint64_t { return CMDLINEW_ADDRESS; }
+ auto GetEnvStrings() const -> std::vector {
+ return envStrings;
+ }
+ auto GetEnvString() -> std::vector;
+ auto GetEnvStringsSize() -> size_t;
 auto InitCommandLine() -> void;
 // 堆管理相关的公共方法
@@ -102,6 +109,7 @@ class Sandbox {
 auto FindHeapSegment(uint64_t address) -> HeapSegment*;
 auto MergeBlocks(HeapBlock* block) -> void;
 auto SplitBlock(HeapBlock* block, size_t size) -> void;
+ auto GetEnvBlockBase() const -> uint64_t { return m_envBlockBase; }
 std::map m_heapSegments; // 堆段映射表
 private:
@@ -119,6 +127,7 @@ class Sandbox {
 uint64_t m_heapSize;
 uint64_t m_heapEnd;
 uint64_t m_fakeBase;
+ uint64_t m_envBlockBase;
 struct_gs_base m_gsBaseStruct = {0};
 X64TEB m_teb64 = {0};
 X64PEB m_peb64 = {0};
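Review bot: `auto GetEnvStrings() const -> std::vector { return envStrings; }` returns the whole vector of wide strings by value, so every call copies all 24 entries; return a `const` reference to the member instead, since the accessor only exposes it. The neighbouring names `GetEnvStrings` (the list) and `GetEnvString` (the flattened block) differ by one letter while returning different things; a name like `BuildEnvBlock()` for the latter removes the ambiguity, and both it and `GetEnvStringsSize()` can be declared `const`. At `@@ -119` the new member `uint64_t m_envBlockBase;` has no initializer, unlike the brace-initialized members below it; write `uint64_t m_envBlockBase{0};` so a hook calling `GetEnvBlockBase()` before `SetupVirtualMachine()` cannot read an indeterminate value. `GetEnvBlockBase()` at `@@ -102` also sits under the `// 堆管理相关的公共方法` (heap-management) heading although it has nothing to do with the heap.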
@@ -131,7 +140,32 @@ class Sandbox {
 std::vector> m_moduleList;
 std::map> api_map;
 std::string m_commandLine; // 存储命令行字符串
-
+ // 创建一些基本的环境变量
+ std::vector envStrings = {
+ L"ALLUSERSPROFILE=C:\\ProgramData",
+ L"APPDATA=C:\\Users\\User\\AppData\\Roaming",
+ L"CommonProgramFiles=C:\\Program Files\\Common Files",
+ L"COMPUTERNAME=DESKTOP",
+ L"ComSpec=C:\\Windows\\system32\\cmd.exe",
+ L"HOMEDRIVE=C:",
+ L"HOMEPATH=\\Users\\User",
+ L"LOCALAPPDATA=C:\\Users\\User\\AppData\\Local",
+ L"NUMBER_OF_PROCESSORS=8",
+ L"OS=Windows_NT",
+ L"Path=C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem",
+ L"PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
+ L"PROCESSOR_ARCHITECTURE=AMD64",
+ L"ProgramData=C:\\ProgramData",
+ L"ProgramFiles=C:\\Program Files",
+ L"PROMPT=$P$G",
+ L"SystemDrive=C:",
+ L"SystemRoot=C:\\Windows",
+ L"TEMP=C:\\Users\\User\\AppData\\Local\\Temp",
+ L"TMP=C:\\Users\\User\\AppData\\Local\\Temp",
+ L"USERDOMAIN=DESKTOP",
+ L"USERNAME=User",
+ L"USERPROFILE=C:\\Users\\User",
+ L"windir=C:\\Windows"};
 auto ResoveImport() -> void;
 auto SetupVirtualMachine() -> void;
 auto PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void;
diff --git a/ai_anti_malware/sandbox_api_emu.cpp b/ai_anti_malware/sandbox_api_emu.cpp
index ea4538d..6de4e25 100644
--- a/ai_anti_malware/sandbox_api_emu.cpp
+++ b/ai_anti_malware/sandbox_api_emu.cpp
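Review bot: The new `envStrings` member breaks the `m_` naming convention of the adjacent `m_commandLine` and `m_moduleList`, and it duplicates the list hard-coded inside `Sandbox::GetEnvString()` in sandbox.cpp; keep this header copy as the single source and rename it `m_envStrings`. Every value is fixed at compile time (`COMPUTERNAME=DESKTOP`, `USERNAME=User`, `NUMBER_OF_PROCESSORS=8`), so the emulated host looks identical on every run; loading these from configuration or a constructor parameter would let an analyst vary what a sample observes without rebuilding. A comment such as `// Each entry must be in VAR=value form; GetEnvString() only appends the NUL terminators.` would document the contract between the two. The enclosing class continues outside the hunk.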
@@ -1891,6 +1891,130 @@ auto Api_WideCharToMultiByte(void* sandbox, uc_engine* uc, uint64_t address) &result); } +// 实现 InitializeSListHead API +auto Api_InitializeSListHead(void* sandbox, uc_engine* uc, uint64_t address) + -> void { + auto context = static_cast(sandbox); + uint64_t ListHead = 0; + + // 获取参数 + if (context->GetPeInfo()->isX64) { + // x64: rcx = ListHead + uc_reg_read(uc, UC_X86_REG_RCX, &ListHead); + } else { + // x86: 从栈上读取参数 + uint32_t esp_address = 0; + uint32_t temp_listhead = 0; + uc_reg_read(uc, UC_X86_REG_ESP, &esp_address); + esp_address += 0x4; // 跳过返回地址 + uc_mem_read(uc, esp_address, &temp_listhead, sizeof(uint32_t)); + ListHead = temp_listhead; + } + + if (ListHead != 0) { + if (context->GetPeInfo()->isX64) { + // 64位系统的SLIST_HEADER结构 (16字节对齐) + struct SLIST_HEADER64 { + union { + struct { + ULONGLONG Alignment; + ULONGLONG Region; + } DUMMYSTRUCTNAME; + struct { + ULONGLONG Depth : 16; + ULONGLONG Sequence : 48; + ULONGLONG Reserved : 4; + ULONGLONG NextEntry : 60; + } HeaderX64; + }; + } header = {0}; + + // 初始化Depth和Sequence为0 + header.HeaderX64.Depth = 0; + header.HeaderX64.Sequence = 0; + header.HeaderX64.Reserved = 0; + header.HeaderX64.NextEntry = 0; + + // 写入初始化的结构 + uc_mem_write(uc, ListHead, &header, sizeof(SLIST_HEADER64)); + } else { + // 32位系统的SLIST_HEADER结构 (8字节) + struct SLIST_HEADER32 { + union { + ULONGLONG Alignment; + struct { + SLIST_ENTRY* Next; + WORD Depth; + WORD Sequence; + } Header32; + }; + } header = {0}; + + // 初始化Next、Depth和Sequence为0 + header.Header32.Next = nullptr; + header.Header32.Depth = 0; + header.Header32.Sequence = 0; + + // 写入初始化的结构 + uc_mem_write(uc, ListHead, &header, sizeof(SLIST_HEADER32)); + } + } + + printf("[*] InitializeSListHead: ListHead=0x%llx\n", ListHead); +} + +// 实现 GetEnvironmentStringsW API +auto Api_GetEnvironmentStringsW(void* sandbox, uc_engine* uc, uint64_t address) + -> void { + auto context = static_cast(sandbox); + uint64_t envBlock = context->GetEnvBlockBase(); + 
uc_reg_write(uc, + context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX, + &envBlock); +} + +// 实现 FreeEnvironmentStringsW API +auto Api_FreeEnvironmentStringsW(void* sandbox, uc_engine* uc, uint64_t address) + -> void { + auto context = static_cast(sandbox); + uint64_t lpszEnvironmentBlock = 0; + + // 获取参数 + if (context->GetPeInfo()->isX64) { + // x64: rcx = lpszEnvironmentBlock + uc_reg_read(uc, UC_X86_REG_RCX, &lpszEnvironmentBlock); + } else { + // x86: 从栈上读取参数 + uint32_t esp_address = 0; + uint32_t temp_block = 0; + uc_reg_read(uc, UC_X86_REG_ESP, &esp_address); + esp_address += 0x4; // 跳过返回地址 + uc_mem_read(uc, esp_address, &temp_block, sizeof(uint32_t)); + lpszEnvironmentBlock = temp_block; + } + + // 检查传入的地址是否是我们之前分配的环境块地址 + BOOL success = (lpszEnvironmentBlock == context->GetEnvBlockBase()); + + if (!success) { + // 如果地址无效,设置错误码 + DWORD error = ERROR_INVALID_PARAMETER; + if (context->GetPeInfo()->isX64) { + context->GetTeb64()->LastErrorValue = error; + } else { + context->GetTeb32()->LastErrorValue = error; + } + } + + printf("[*] FreeEnvironmentStringsW: Block=0x%llx, Success=%d\n", + lpszEnvironmentBlock, success); + + // 返回操作是否成功 + uc_reg_write(uc, + context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX, + &success); +} + auto Sandbox::InitApiHooks() -> void { auto FakeApi_GetSystemTimeAsFileTime = _fakeApi{.func = Api_GetSystemTimeAsFileTime, .paramCount = 1}; @@ -1949,6 +2073,12 @@ auto Sandbox::InitApiHooks() -> void { _fakeApi{.func = Api_AreFileApisANSI, .paramCount = 0}; auto FakeApi_WideCharToMultiByte = _fakeApi{.func = Api_WideCharToMultiByte, .paramCount = 8}; + auto FakeApi_InitializeSListHead = + _fakeApi{.func = Api_InitializeSListHead, .paramCount = 1}; + auto FakeApi_GetEnvironmentStringsW = + _fakeApi{.func = Api_GetEnvironmentStringsW, .paramCount = 0}; + auto FakeApi_FreeEnvironmentStringsW = + _fakeApi{.func = Api_FreeEnvironmentStringsW, .paramCount = 1}; api_map = { {"GetSystemTimeAsFileTime", 
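Review bot: In `Api_InitializeSListHead` the 32-bit `SLIST_HEADER32` uses a host pointer, `SLIST_ENTRY* Next;`, for what is a 4-byte field in the guest, so when this translation unit is built as 64-bit (which the x64 handling suggests) the struct is 16 bytes and `uc_mem_write(uc, ListHead, &header, sizeof(SLIST_HEADER32))` overwrites the 8 bytes following the guest's header, contradicting the `(8字节)` comment. Use guest-sized fixed-width fields and pin the size with a `static_assert`. `Api_FreeEnvironmentStringsW` has the mirror problem: `success` is a 4-byte `BOOL`, but `uc_reg_write` on `UC_X86_REG_RAX` reads 8 bytes from `&success`, so the upper half of RAX comes from whatever follows it on the stack; widen it to a `uint64_t` before the write, as `Api_GetEnvironmentStringsW` already does with `envBlock`. Both hooks also discard the `uc_err` from `uc_mem_write`, so a `ListHead` pointing into unmapped guest memory goes unnoticed; at least log it.
```cpp
// … unchanged: Api_InitializeSListHead argument fetch and x64 branch …
} else {
  // Guest-side layout: 8 bytes regardless of the host pointer width.
  struct SLIST_HEADER32 {
    uint32_t Next;
    uint16_t Depth;
    uint16_t Sequence;
  } header = {0};
  static_assert(sizeof(SLIST_HEADER32) == 8, "x86 SLIST_HEADER is 8 bytes");
  uc_err err = uc_mem_write(uc, ListHead, &header, sizeof(SLIST_HEADER32));
  if (err != UC_ERR_OK) {
    printf("[!] InitializeSListHead: write to 0x%llx failed: %s\n", ListHead,
           uc_strerror(err));
  }
}
// … unchanged: Api_GetEnvironmentStringsW …
// … unchanged: Api_FreeEnvironmentStringsW argument fetch and error path …
uint64_t result = success ? 1 : 0;
uc_reg_write(uc,
             context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
             &result);
```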
@@ -1999,6 +2129,12 @@ auto Sandbox::InitApiHooks() -> void { std::make_shared<_fakeApi>(FakeApi_AreFileApisANSI)}, {"WideCharToMultiByte", std::make_shared<_fakeApi>(FakeApi_WideCharToMultiByte)}, + {"InitializeSListHead", + std::make_shared<_fakeApi>(FakeApi_InitializeSListHead)}, + {"GetEnvironmentStringsW", + std::make_shared<_fakeApi>(FakeApi_GetEnvironmentStringsW)}, + {"FreeEnvironmentStringsW", + std::make_shared<_fakeApi>(FakeApi_FreeEnvironmentStringsW)}, }; } auto Sandbox::EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip, @@ -2023,10 +2159,10 @@ auto Sandbox::EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip, uc_mem_read(uc, rsp, &return_address, 8); // x64下,前4个参数通过寄存器传递,超过的部分通过栈传递 - int stack_params = (paramCount > 4) ? (paramCount - 4) : 0; + // int stack_params = (paramCount > 4) ? (paramCount - 4) : 0; // 调整栈指针:每个参数8字节 + 返回地址8字节 - rsp += (stack_params * 8) + 8; - + // rsp += (stack_params * 8) + 8; + rsp += 8; // 设置RIP为返回地址 uc_reg_write(uc, UC_X86_REG_RIP, &return_address); } else { // 32位系统 diff --git a/ai_anti_malware/sandbox_callbacks.cpp b/ai_anti_malware/sandbox_callbacks.cpp index b8f7ded..cac3c81 100644 --- a/ai_anti_malware/sandbox_callbacks.cpp +++ b/ai_anti_malware/sandbox_callbacks.cpp @@ -47,7 +47,7 @@ void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size, } cs_free(instruction, instructionCount); - dumpVmenv(uc, userData); + // dumpVmenv(uc, userData); } } @@ -75,7 +75,6 @@ void handleMemoryRead(uc_engine* uc, uc_mem_type type, uint64_t address, "[handleMemoryRead] Address: %p Size: %p Rax: %p Rip: %p Error: %d " "ReadData: %p Rbp: %p\n", address, size, regRax, regRip, readError, readAddress, regRbp); - sandboxCallbacks::dumpVmenv(uc, sandbox); } } void dumpVmenv(uc_engine* uc, void* userData) {
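Review bot: The comment `// 调整栈指针:每个参数8字节 + 返回地址8字节` above the new `rsp += 8;` in `Sandbox::EmulateApi` is now wrong, and the two commented-out lines under it keep the superseded logic as dead code. Popping only the return address is correct for the Microsoft x64 convention, where the caller owns the shadow space and any stack arguments, so say that instead of leaving the old arithmetic behind: `// x64 is caller-cleanup: stack arguments and the 32-byte shadow space belong to the caller, so only the return address is popped here.` If `paramCount` is no longer used on this path the compiler may warn; the function begins before the hunk, so that cannot be confirmed from here.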