fix up

ai_anti_malware/sandbox_callbacks.cpp

@@ -1,5 +1,5 @@
 #include "sandbox_callbacks.h"
-#define LOG_LEVEL 1
+#define LOG_LEVEL 0
 namespace sandboxCallbacks {
 void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
                    void* userData) {
@@ -24,6 +24,39 @@ void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
     uc_reg_read(uc,
                 sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RSP : UC_X86_REG_ESP,
                 &currentRsp);
+
+    // 检查当前执行地址所在区段
+    int currentSectionIndex = -1;
+    for (size_t i = 0; i < sandbox->GetModuleList()[0]->sections.size(); i++) {
+        auto section = sandbox->GetModuleList()[0]->sections[i];
+        uint64_t sectionStart =
+            sandbox->GetPeInfo()->RecImageBase + section->base;
+        uint64_t sectionEnd = sectionStart + section->size;
+
+        if (address >= sectionStart && address < sectionEnd) {
+            currentSectionIndex = static_cast<int>(i);
+            break;
+        }
+    }
+
+    // 如果找到区段，并且与上次执行的区段不同，记录跨区段行为
+    if (currentSectionIndex >= 0 &&
+        sandbox->GetLastExecuteSectionIndex() != currentSectionIndex &&
+        sandbox->GetLastExecuteSectionIndex() != 0) {
+        printf(
+            "[!!!]detect cross section excute, from %d to %d,address: 0x%llx\n",
+            sandbox->GetLastExecuteSectionIndex(), currentSectionIndex,
+            address);
+
+        // 记录跨区段执行地址
+        sandbox->SetCrossSectionExecution(address);
+    }
+
+    // 更新上次执行的区段
+    if (currentSectionIndex >= 0) {
+        sandbox->SetLastExecuteSectionIndex(currentSectionIndex);
+    }
+
     for (auto module : sandbox->GetModuleList()) {
         for (auto item : module->export_function) {
             const auto vmAddress = module->base + item->function_address;