fix up

ai_anti_malware/sandbox.cpp

@@ -396,11 +396,14 @@ auto Sandbox::SetupVirtualMachine() -> void {
     uc_mem_write(m_ucEngine, m_KSharedUserDataBase,
                  (void*)m_KSharedUserDataBase, m_KSharedUserDataSize);
 
-    m_tebBase = TEB_BASE;  // 进程TEB地址
-    m_pebBase = PEB_BASE;  // 进程PEB地址
+    m_tebBase = TEB_BASE;             // 进程TEB地址
+    m_pebBase = PEB_BASE;             // 进程PEB地址
+    m_envBlockBase = ENV_BLOCK_BASE;  // 环境变量块地址
     // stack
-    m_stackBase = AlignSize(this->m_peInfo->isX64 ? STACK_BASE_64 : STACK_BASE_32, 16);
-    m_stackSize = AlignSize(this->m_peInfo->isX64 ? STACK_SIZE_64 : STACK_SIZE_32, 16);
+    m_stackBase =
+        AlignSize(this->m_peInfo->isX64 ? STACK_BASE_64 : STACK_BASE_32, 16);
+    m_stackSize =
+        AlignSize(this->m_peInfo->isX64 ? STACK_SIZE_64 : STACK_SIZE_32, 16);
     m_stackEnd = m_stackBase + m_stackSize;
 
     // heap
@@ -487,6 +490,22 @@ auto Sandbox::SetupVirtualMachine() -> void {
         msr.value = m_tebBase;
         uc_reg_write(m_ucEngine, UC_X86_REG_MSR, &msr);
     }
+    // 映射新的内存区域
+    size_t envSize = AlignSize(this->GetEnvStringsSize(), PAGE_SIZE);
+    printf("env block size: %llx\n", envSize);  // 添加调试输出
+    uc_err envErr = uc_mem_map(m_ucEngine, m_envBlockBase, envSize,
+                               UC_PROT_READ | UC_PROT_WRITE);
+    if (envErr != UC_ERR_OK) {
+        throw std::runtime_error("Failed to map environment block");
+    }
+
+    auto envData = this->GetEnvString();
+    envErr = uc_mem_write(m_ucEngine, m_envBlockBase, envData.data(),
+                          envData.size() * sizeof(wchar_t));
+    if (envErr != UC_ERR_OK) {
+        throw std::runtime_error("Failed to write environment block");
+    }
+
     for (DWORD i = 0; i < 64; i++) {
         GetTeb64()->TlsSlots[i] = (void*)0x1337ffffff;
     }
@@ -640,3 +659,46 @@ auto Sandbox::Run() -> void {
         }
     }
 }
+
+auto Sandbox::GetEnvString() -> std::vector<wchar_t> {
+    std::vector<wchar_t> envBlock;
+    // 添加一些基本的环境变量
+    const std::wstring vars[] = {
+        L"ALLUSERSPROFILE=C:\\ProgramData",
+        L"APPDATA=C:\\Users\\User\\AppData\\Roaming",
+        L"CommonProgramFiles=C:\\Program Files\\Common Files",
+        L"COMPUTERNAME=DESKTOP",
+        L"ComSpec=C:\\Windows\\system32\\cmd.exe",
+        L"HOMEDRIVE=C:",
+        L"HOMEPATH=\\Users\\User",
+        L"LOCALAPPDATA=C:\\Users\\User\\AppData\\Local",
+        L"NUMBER_OF_PROCESSORS=8",
+        L"OS=Windows_NT",
+        L"Path=C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem",
+        L"PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
+        L"PROCESSOR_ARCHITECTURE=AMD64",
+        L"ProgramData=C:\\ProgramData",
+        L"ProgramFiles=C:\\Program Files",
+        L"PROMPT=$P$G",
+        L"SystemDrive=C:",
+        L"SystemRoot=C:\\Windows",
+        L"TEMP=C:\\Users\\User\\AppData\\Local\\Temp",
+        L"TMP=C:\\Users\\User\\AppData\\Local\\Temp",
+        L"USERDOMAIN=DESKTOP",
+        L"USERNAME=User",
+        L"USERPROFILE=C:\\Users\\User",
+        L"windir=C:\\Windows"};
+
+    // 将环境变量添加到块中
+    for (const auto& var : vars) {
+        envBlock.insert(envBlock.end(), var.begin(), var.end());
+        envBlock.push_back(L'\0');  // 每个变量以null结尾
+    }
+    envBlock.push_back(L'\0');  // 环境块以额外的null结尾
+
+    return envBlock;
+}
+
+auto Sandbox::GetEnvStringsSize() -> size_t {
+    return GetEnvString().size() * sizeof(wchar_t);
+}