From c61773dfd83b95a00ba0a60a754a39470698cdb2 Mon Sep 17 00:00:00 2001
From: Huoji's <1296564236@qq.com>
Date: Tue, 18 Mar 2025 22:26:09 +0800
Subject: [PATCH] update
---
 ai_anti_malware/head.h | 2 +-
 ai_anti_malware/sandbox.cpp | 20 ++++++++++++++++++--
 ai_anti_malware/sandbox_callbacks.cpp | 1 -
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/ai_anti_malware/head.h b/ai_anti_malware/head.h
index 0cc949c..f99b4c4 100644
--- a/ai_anti_malware/head.h
+++ b/ai_anti_malware/head.h
@@ -1,5 +1,5 @@
 #pragma once
-#define LOG_LEVEL 1
+#define LOG_LEVEL 0
 #define _CRT_SECURE_NO_WARNINGS
 #include
diff --git a/ai_anti_malware/sandbox.cpp b/ai_anti_malware/sandbox.cpp
index 5b224ef..ba3203f 100644
--- a/ai_anti_malware/sandbox.cpp
+++ b/ai_anti_malware/sandbox.cpp
@@ -189,7 +189,7 @@ class cFixImprot : public peconv::t_function_resolver {
 }
 }
 }
- __debugbreak();
+ //__debugbreak();
 return nullptr;
 }
@@ -390,12 +390,14 @@ auto Sandbox::ResolveImportExports() -> void {
 if (module->base == m_peInfo->RecImageBase) {
 continue;
 }
+ const auto exports = ResolveExport(module->real_base);
 for (const auto item : exports) {
 if (LOG_LEVEL > 0) {
 printf("import export: [%s] %s => %llx\n", module->name, item->name, item->function_address);
 }
+ module->export_function.push_back(item);
 }
 }
@@ -649,7 +651,14 @@ auto Sandbox::InitEnv(std::shared_ptr peInfo) -> void {
 if (!peconv::load_imports(m_peInfo->peBuffer, &importFixer)) {
 throw std::runtime_error("Failed to fix imports");
 }
- //给所有导入表加c3
+ for (const auto& module : this->GetModuleList()) {
+ // 遍历导出函数查找对应名称
+ for (const auto& exp : module->export_function) {
+ auto inMemAddr = module->base + exp->function_address;
+ uc_mem_write(m_ucEngine, inMemAddr, "\xCC", sizeof(char));
+ }
+ }
 uc_err ucErr = uc_mem_map(m_ucEngine, m_peInfo->RecImageBase, m_peInfo->peSize, UC_PROT_ALL);
 if (ucErr != UC_ERR_OK) {
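Review bot: `#define LOG_LEVEL 0` is an unconditional definition, so the `if (LOG_LEVEL > 0)` diagnostics in sandbox.cpp can only be turned back on by editing this header. Guarding it as `#ifndef LOG_LEVEL` / `#define LOG_LEVEL 0` / `#endif` keeps 0 as the default while letting a build define the value on the command line. A short comment next to the define, e.g. `// 0 = silent; any value > 0 enables the printf diagnostics gated on LOG_LEVEL`, would also tell a reader what the number controls.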
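Review bot: With `__debugbreak()` commented out, the fall-through `return nullptr;` in cFixImprot becomes a silent failure: an import the resolver cannot find yields a null entry and nothing records which name was missed, so the fault only surfaces later during emulation, far from its cause. Keeping the break out of non-debug runs is reasonable, but leave a trace on this path, e.g. `if (LOG_LEVEL > 0) printf("[cFixImprot] unresolved import\n");` before the return, ideally including the library and function name the resolver was asked for. The enclosing resolver method starts outside the hunk.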
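Review bot: `module->export_function.push_back(item)` stores `item`, which is dereferenced as `item->name` and so is a pointer-like handle whose ownership this hunk does not show; if `exports`, the local returned by `ResolveExport`, owns the objects and is destroyed at the end of this loop iteration, the stored pointers dangle by the time InitEnv walks `module->export_function`. If the handles share ownership this is fine, but that should be stated on the push_back line, e.g. `// item outlives exports (shared ownership) — export_function is read later by InitEnv`. The loop also appends unconditionally, so if ResolveImportExports can run more than once the list accumulates duplicate entries. ResolveImportExports continues outside the hunk.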
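Review bot: The comment `//给所有导入表加c3` says C3 (ret) is written, but the byte written by `uc_mem_write(m_ucEngine, inMemAddr, "\xCC", sizeof(char))` is 0xCC (int3), and `// 遍历导出函数查找对应名称` describes a name lookup that the inner loop does not perform; both should state what the code does, e.g. `// Write 0xCC (int3) at every resolved export entry of each loaded module`. The return value of `uc_mem_write` is ignored, so an export whose `module->base + exp->function_address` lies outside mapped memory is skipped silently, whereas the rest of InitEnv throws on every uc_* failure; `if (uc_mem_write(m_ucEngine, inMemAddr, "\xCC", 1) != UC_ERR_OK) throw std::runtime_error("Failed to patch export entry");` would be consistent. The address is formed from `module->base` while the exports were resolved from `module->real_base`, which is correct only if `function_address` is an RVA relative to the emulated mapping — worth a comment, and whether every entry points at code (rather than, say, a forwarder string) is not visible here. InitEnv starts and ends outside the hunk.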
@@ -740,6 +749,13 @@ auto Sandbox::Run(uint64_t address) -> void {
 if (err != UC_ERR_OK) {
 throw std::runtime_error("Failed to add syscall hook");
 }
+ // 系统调用钩子
+ err = uc_hook_add(m_ucEngine, &hook_syscall, UC_HOOK_INTR | UC_HOOK_INSN,
+ reinterpret_cast(sandboxCallbacks::handleSyscall),
+ this, 1, 0, UC_X86_INS_SYSCALL);
+ if (err != UC_ERR_OK) {
+ throw std::runtime_error("Failed to add syscall hook");
+ }
 auto customIP = address;
 // 设置EIP/RIP
 err = uc_reg_write(m_ucEngine,
diff --git a/ai_anti_malware/sandbox_callbacks.cpp b/ai_anti_malware/sandbox_callbacks.cpp
index c495a3d..f361ae4 100644
--- a/ai_anti_malware/sandbox_callbacks.cpp
+++ b/ai_anti_malware/sandbox_callbacks.cpp
@@ -311,5 +311,4 @@ void handleSyscall(uc_engine* uc, void* userData) {
 sandbox->SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
 printf("[handleSyscall] Syscall detected\n");
 }
-
 } // namespace sandboxCallbacks
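Review bot: The new `uc_hook_add` registers `sandboxCallbacks::handleSyscall` for `UC_HOOK_INTR | UC_HOOK_INSN` at once, but the two hook types have different callback signatures: the sandbox_callbacks.cpp hunk shows `handleSyscall(uc_engine* uc, void* userData)`, the UC_HOOK_INSN shape for SYSCALL, whereas Unicorn invokes a UC_HOOK_INTR callback as `(uc_engine*, uint32_t intno, void* user_data)`, so on an interrupt `userData` receives the interrupt number and the `sandbox->` dereference reads a bogus pointer. The context above shows an earlier `uc_hook_add` failing with the same `"Failed to add syscall hook"` message; if that call also stored its handle in `hook_syscall`, this one overwrites it, and the identical message makes the two failures indistinguishable in a log. Register the instruction hook alone here, `UC_HOOK_INSN` with its own handle (for example `hook_syscall_insn`) and a distinct message such as `"Failed to add SYSCALL instruction hook"`, and if interrupt trapping is wanted give it a separate callback with the interrupt signature. Sandbox::Run continues outside the hunk.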