update
@@ -1,5 +1,5 @@
|
|||||||
#pragma once
|
#pragma once
|
||||||
#define LOG_LEVEL 1
|
#define LOG_LEVEL 0
|
||||||
|
|
||||||
#define _CRT_SECURE_NO_WARNINGS
|
#define _CRT_SECURE_NO_WARNINGS
|
||||||
#include <iostream>
|
#include <iostream>
|
||||||
|
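Review bot: `LOG_LEVEL` remains a bare `#define` in a `#pragma once` header while it is consumed by a runtime `if (LOG_LEVEL > 0)` later in this commit, so `inline constexpr int LOG_LEVEL = 0;` would give the same behaviour with type checking and without the macro leaking into every translation unit that includes the header. If the macro is kept, wrapping it in `#ifndef LOG_LEVEL` / `#endif` would let a build set the level from the command line without a redefinition warning.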
|||||||
@@ -189,7 +189,7 @@ class cFixImprot : public peconv::t_function_resolver {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
__debugbreak();
|
//__debugbreak();
|
||||||
return nullptr;
|
return nullptr;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -390,12 +390,14 @@ auto Sandbox::ResolveImportExports() -> void {
|
|||||||
if (module->base == m_peInfo->RecImageBase) {
|
if (module->base == m_peInfo->RecImageBase) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
const auto exports = ResolveExport(module->real_base);
|
const auto exports = ResolveExport(module->real_base);
|
||||||
for (const auto item : exports) {
|
for (const auto item : exports) {
|
||||||
if (LOG_LEVEL > 0) {
|
if (LOG_LEVEL > 0) {
|
||||||
printf("import export: [%s] %s => %llx\n", module->name,
|
printf("import export: [%s] %s => %llx\n", module->name,
|
||||||
item->name, item->function_address);
|
item->name, item->function_address);
|
||||||
}
|
}
|
||||||
|
|
||||||
module->export_function.push_back(item);
|
module->export_function.push_back(item);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -649,7 +651,14 @@ auto Sandbox::InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void {
|
|||||||
if (!peconv::load_imports(m_peInfo->peBuffer, &importFixer)) {
|
if (!peconv::load_imports(m_peInfo->peBuffer, &importFixer)) {
|
||||||
throw std::runtime_error("Failed to fix imports");
|
throw std::runtime_error("Failed to fix imports");
|
||||||
}
|
}
|
||||||
|
//给所有导入表加c3
|
||||||
|
for (const auto& module : this->GetModuleList()) {
|
||||||
|
// 遍历导出函数查找对应名称
|
||||||
|
for (const auto& exp : module->export_function) {
|
||||||
|
auto inMemAddr = module->base + exp->function_address;
|
||||||
|
uc_mem_write(m_ucEngine, inMemAddr, "\xCC", sizeof(char));
|
||||||
|
}
|
||||||
|
}
|
||||||
uc_err ucErr = uc_mem_map(m_ucEngine, m_peInfo->RecImageBase,
|
uc_err ucErr = uc_mem_map(m_ucEngine, m_peInfo->RecImageBase,
|
||||||
m_peInfo->peSize, UC_PROT_ALL);
|
m_peInfo->peSize, UC_PROT_ALL);
|
||||||
if (ucErr != UC_ERR_OK) {
|
if (ucErr != UC_ERR_OK) {
|
||||||
@@ -740,6 +749,13 @@ auto Sandbox::Run(uint64_t address) -> void {
|
|||||||
if (err != UC_ERR_OK) {
|
if (err != UC_ERR_OK) {
|
||||||
throw std::runtime_error("Failed to add syscall hook");
|
throw std::runtime_error("Failed to add syscall hook");
|
||||||
}
|
}
|
||||||
|
// 系统调用钩子
|
||||||
|
err = uc_hook_add(m_ucEngine, &hook_syscall, UC_HOOK_INTR | UC_HOOK_INSN,
|
||||||
|
reinterpret_cast<void*>(sandboxCallbacks::handleSyscall),
|
||||||
|
this, 1, 0, UC_X86_INS_SYSCALL);
|
||||||
|
if (err != UC_ERR_OK) {
|
||||||
|
throw std::runtime_error("Failed to add syscall hook");
|
||||||
|
}
|
||||||
auto customIP = address;
|
auto customIP = address;
|
||||||
// 设置EIP/RIP
|
// 设置EIP/RIP
|
||||||
err = uc_reg_write(m_ucEngine,
|
err = uc_reg_write(m_ucEngine,
|
||||||
|
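Review bot: The new `uc_hook_add` in Run registers `handleSyscall` for `UC_HOOK_INTR | UC_HOOK_INSN` in a single call, but `handleSyscall(uc_engine* uc, void* userData)` only matches the UC_HOOK_INSN/SYSCALL callback shape; the UC_HOOK_INTR callback takes an extra `uint32_t intno` before `user_data`, so an interrupt would invoke it with `userData` bound to the wrong argument before `sandbox->SetMalwareAnalysisType` dereferences it. Registering the INTR hook separately with a callback of the matching signature, or dropping `UC_HOOK_INTR` from this call, avoids that; Run's body continues outside the hunk. The error message `"Failed to add syscall hook"` also duplicates the one in the check just above, so the two failures cannot be told apart in a log; `"Failed to add SYSCALL instruction hook"` would distinguish them, and if `hook_syscall` is the handle already filled by the previous registration it is silently overwritten here, which looks worth confirming. In the InitEnv hunk the comment `//给所有导入表加c3` describes writing c3 (ret) but the code writes `"\xCC"` (int3), and the `uc_mem_write` return value is discarded; `// patch every resolved export with int3 (0xCC) so a call into it traps back into the emulator` plus `if (uc_mem_write(m_ucEngine, inMemAddr, "\xCC", sizeof(char)) != UC_ERR_OK) throw std::runtime_error("Failed to patch export stub");` would align comment and code and surface a failed write.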
|||||||
@@ -311,5 +311,4 @@ void handleSyscall(uc_engine* uc, void* userData) {
|
|||||||
sandbox->SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
|
sandbox->SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
|
||||||
printf("[handleSyscall] Syscall detected\n");
|
printf("[handleSyscall] Syscall detected\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
} // namespace sandboxCallbacks
|
} // namespace sandboxCallbacks
|
||||||
|
|||||||