update

2025-03-18 22:26:09 +08:00
parent 9a44f20d5c
commit c61773dfd8
3 changed files with 19 additions and 4 deletions
--- a/ai_anti_malware/head.h
+++ b/ai_anti_malware/head.h
@@ -1,5 +1,5 @@
 #pragma once
-#define LOG_LEVEL 1
+#define LOG_LEVEL 0

 #define _CRT_SECURE_NO_WARNINGS
 #include <iostream>
--- a/ai_anti_malware/sandbox.cpp
+++ b/ai_anti_malware/sandbox.cpp
@@ -189,7 +189,7 @@ class cFixImprot : public peconv::t_function_resolver {
                }
            }
        }
-        __debugbreak();
+        //__debugbreak();
        return nullptr;
    }

@@ -390,12 +390,14 @@ auto Sandbox::ResolveImportExports() -> void {
        if (module->base == m_peInfo->RecImageBase) {
            continue;
        }
+
        const auto exports = ResolveExport(module->real_base);
        for (const auto item : exports) {
            if (LOG_LEVEL > 0) {
                printf("import export: [%s] %s => %llx\n", module->name,
                       item->name, item->function_address);
            }
+
            module->export_function.push_back(item);
        }
    }
@@ -649,7 +651,14 @@ auto Sandbox::InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void {
    if (!peconv::load_imports(m_peInfo->peBuffer, &importFixer)) {
        throw std::runtime_error("Failed to fix imports");
    }
-
+    //给所有导入表加c3
+    for (const auto& module : this->GetModuleList()) {
+        // 遍历导出函数查找对应名称
+        for (const auto& exp : module->export_function) {
+            auto inMemAddr = module->base + exp->function_address;
+            uc_mem_write(m_ucEngine, inMemAddr, "\xCC", sizeof(char));
+        }
+    }
    uc_err ucErr = uc_mem_map(m_ucEngine, m_peInfo->RecImageBase,
                              m_peInfo->peSize, UC_PROT_ALL);
    if (ucErr != UC_ERR_OK) {
@@ -740,6 +749,13 @@ auto Sandbox::Run(uint64_t address) -> void {
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to add syscall hook");
    }
+    // 系统调用钩子
+    err = uc_hook_add(m_ucEngine, &hook_syscall, UC_HOOK_INTR | UC_HOOK_INSN,
+        reinterpret_cast<void*>(sandboxCallbacks::handleSyscall),
+        this, 1, 0, UC_X86_INS_SYSCALL);
+    if (err != UC_ERR_OK) {
+        throw std::runtime_error("Failed to add syscall hook");
+    }
    auto customIP = address;
    // 设置EIP/RIP
    err = uc_reg_write(m_ucEngine,
--- a/ai_anti_malware/sandbox_callbacks.cpp
+++ b/ai_anti_malware/sandbox_callbacks.cpp
@@ -311,5 +311,4 @@ void handleSyscall(uc_engine* uc, void* userData) {
    sandbox->SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
    printf("[handleSyscall] Syscall detected\n");
 }
-
 }  // namespace sandboxCallbacks