From dbe2e6a92b5e2dd6f55bbb60d88657c9c6923933 Mon Sep 17 00:00:00 2001
From: Huoji's <1296564236@qq.com>
Date: Thu, 6 Mar 2025 04:28:34 +0800
Subject: [PATCH] fix 1
---
 ai_anti_malware/ai_anti_malware.cpp | 13 +-
 ai_anti_malware/native_struct.h | 551 ++++++++++++++--------------
 ai_anti_malware/sandbox.cpp | 38 +-
 ai_anti_malware/sandbox.h | 3 +-
 4 files changed, 293 insertions(+), 312 deletions(-)
diff --git a/ai_anti_malware/ai_anti_malware.cpp b/ai_anti_malware/ai_anti_malware.cpp
index 4744838..a8fbefd 100644
--- a/ai_anti_malware/ai_anti_malware.cpp
+++ b/ai_anti_malware/ai_anti_malware.cpp
@@ -5,9 +5,7 @@ auto getPeInfo(std::string inputFilePath) -> std::shared_ptr {
 auto sampleInfo = std::make_shared();
- sampleInfo->inputFilePath =
- "E:\\对战平台\\CrowAntiCheat\\CrowAntiCheat\\client\\Console_"
- "Test\\Release\\Console_Test.exe";
+ sampleInfo->inputFilePath = inputFilePath;
 sampleInfo->peBuffer = peconv::load_pe_module((const char*)sampleInfo->inputFilePath.c_str(),
@@ -17,10 +15,11 @@ auto getPeInfo(std::string inputFilePath) -> std::shared_ptr {
 sampleInfo->isX64 = peconv::is64bit((BYTE*)sampleInfo->peBuffer);
 sampleInfo->RecImageBase =
 sampleInfo->isX64
- ? (DWORD64)sampleInfo->ntHead64->OptionalHeader.ImageBase
- : (DWORD)sampleInfo->ntHead32->OptionalHeader.ImageBase;
- sampleInfo->isRelocated = peconv::relocate_module(
- (BYTE*)sampleInfo->peBuffer, sampleInfo->peSize, sampleInfo->RecImageBase);
+ ? (DWORD64)sampleInfo->ntHead64->OptionalHeader.ImageBase
+ : (DWORD)sampleInfo->ntHead32->OptionalHeader.ImageBase;
+ sampleInfo->isRelocated =
+ peconv::relocate_module((BYTE*)sampleInfo->peBuffer, sampleInfo->peSize,
+ sampleInfo->RecImageBase);
 sampleInfo->entryPoint =
 sampleInfo->isX64
diff --git a/ai_anti_malware/native_struct.h b/ai_anti_malware/native_struct.h
index 7d6bfcd..293f3cb 100644
--- a/ai_anti_malware/native_struct.h
+++ b/ai_anti_malware/native_struct.h
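Review bot: `sampleInfo->inputFilePath = inputFilePath;` copies the by-value `std::string` parameter where a move would do: `sampleInfo->inputFilePath = std::move(inputFilePath);`. Now that the path is caller-supplied instead of a fixed test binary, the `peconv::load_pe_module` result stored in `peBuffer` should be checked for `nullptr` before the second hunk passes it to `peconv::is64bit` and dereferences `ntHead64`/`ntHead32`; I cannot see such a check between the two hunks, so if one exists it lives outside them. The `(const char*)` cast on `c_str()` is redundant and can be dropped. `getPeInfo` starts above this hunk and continues below the second one.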
@@ -387,311 +387,291 @@ typedef struct X64PEB { ULONG NtGlobalFlag2; // 0x7c4 }; static_assert(sizeof(X64PEB) == 0x7c8, "X64PEB Size check"); -//0x8 bytes (sizeof) -struct _STRING32 -{ - USHORT Length; //0x0 - USHORT MaximumLength; //0x2 - ULONG Buffer; //0x4 +// 0x8 bytes (sizeof) +struct _STRING32 { + USHORT Length; // 0x0 + USHORT MaximumLength; // 0x2 + ULONG Buffer; // 0x4 }; -//0x480 bytes (sizeof) -struct X32PEB -{ - UCHAR InheritedAddressSpace; //0x0 - UCHAR ReadImageFileExecOptions; //0x1 - UCHAR BeingDebugged; //0x2 - union - { - UCHAR BitField; //0x3 - struct - { - UCHAR ImageUsesLargePages : 1; //0x3 - UCHAR IsProtectedProcess : 1; //0x3 - UCHAR IsImageDynamicallyRelocated : 1; //0x3 - UCHAR SkipPatchingUser32Forwarders : 1; //0x3 - UCHAR IsPackagedProcess : 1; //0x3 - UCHAR IsAppContainer : 1; //0x3 - UCHAR IsProtectedProcessLight : 1; //0x3 - UCHAR IsLongPathAwareProcess : 1; //0x3 +// 0x480 bytes (sizeof) +struct X32PEB { + UCHAR InheritedAddressSpace; // 0x0 + UCHAR ReadImageFileExecOptions; // 0x1 + UCHAR BeingDebugged; // 0x2 + union { + UCHAR BitField; // 0x3 + struct { + UCHAR ImageUsesLargePages : 1; // 0x3 + UCHAR IsProtectedProcess : 1; // 0x3 + UCHAR IsImageDynamicallyRelocated : 1; // 0x3 + UCHAR SkipPatchingUser32Forwarders : 1; // 0x3 + UCHAR IsPackagedProcess : 1; // 0x3 + UCHAR IsAppContainer : 1; // 0x3 + UCHAR IsProtectedProcessLight : 1; // 0x3 + UCHAR IsLongPathAwareProcess : 1; // 0x3 }; }; - ULONG Mutant; //0x4 - ULONG ImageBaseAddress; //0x8 - ULONG Ldr; //0xc - ULONG ProcessParameters; //0x10 - ULONG SubSystemData; //0x14 - ULONG ProcessHeap; //0x18 - ULONG FastPebLock; //0x1c - ULONG AtlThunkSListPtr; //0x20 - ULONG IFEOKey; //0x24 - union - { - ULONG CrossProcessFlags; //0x28 - struct - { - ULONG ProcessInJob : 1; //0x28 - ULONG ProcessInitializing : 1; //0x28 - ULONG ProcessUsingVEH : 1; //0x28 - ULONG ProcessUsingVCH : 1; //0x28 - ULONG ProcessUsingFTH : 1; //0x28 - ULONG ProcessPreviouslyThrottled : 1; //0x28 - ULONG 
ProcessCurrentlyThrottled : 1; //0x28 - ULONG ProcessImagesHotPatched : 1; //0x28 - ULONG ReservedBits0 : 24; //0x28 + ULONG Mutant; // 0x4 + ULONG ImageBaseAddress; // 0x8 + ULONG Ldr; // 0xc + ULONG ProcessParameters; // 0x10 + ULONG SubSystemData; // 0x14 + ULONG ProcessHeap; // 0x18 + ULONG FastPebLock; // 0x1c + ULONG AtlThunkSListPtr; // 0x20 + ULONG IFEOKey; // 0x24 + union { + ULONG CrossProcessFlags; // 0x28 + struct { + ULONG ProcessInJob : 1; // 0x28 + ULONG ProcessInitializing : 1; // 0x28 + ULONG ProcessUsingVEH : 1; // 0x28 + ULONG ProcessUsingVCH : 1; // 0x28 + ULONG ProcessUsingFTH : 1; // 0x28 + ULONG ProcessPreviouslyThrottled : 1; // 0x28 + ULONG ProcessCurrentlyThrottled : 1; // 0x28 + ULONG ProcessImagesHotPatched : 1; // 0x28 + ULONG ReservedBits0 : 24; // 0x28 }; }; - union - { - ULONG KernelCallbackTable; //0x2c - ULONG UserSharedInfoPtr; //0x2c + union { + ULONG KernelCallbackTable; // 0x2c + ULONG UserSharedInfoPtr; // 0x2c }; - ULONG SystemReserved; //0x30 - ULONG AtlThunkSListPtr32; //0x34 - ULONG ApiSetMap; //0x38 - ULONG TlsExpansionCounter; //0x3c - ULONG TlsBitmap; //0x40 - ULONG TlsBitmapBits[2]; //0x44 - ULONG ReadOnlySharedMemoryBase; //0x4c - ULONG SharedData; //0x50 - ULONG ReadOnlyStaticServerData; //0x54 - ULONG AnsiCodePageData; //0x58 - ULONG OemCodePageData; //0x5c - ULONG UnicodeCaseTableData; //0x60 - ULONG NumberOfProcessors; //0x64 - ULONG NtGlobalFlag; //0x68 - union _LARGE_INTEGER CriticalSectionTimeout; //0x70 - ULONG HeapSegmentReserve; //0x78 - ULONG HeapSegmentCommit; //0x7c - ULONG HeapDeCommitTotalFreeThreshold; //0x80 - ULONG HeapDeCommitFreeBlockThreshold; //0x84 - ULONG NumberOfHeaps; //0x88 - ULONG MaximumNumberOfHeaps; //0x8c - ULONG ProcessHeaps; //0x90 - ULONG GdiSharedHandleTable; //0x94 - ULONG ProcessStarterHelper; //0x98 - ULONG GdiDCAttributeList; //0x9c - ULONG LoaderLock; //0xa0 - ULONG OSMajorVersion; //0xa4 - ULONG OSMinorVersion; //0xa8 - USHORT OSBuildNumber; //0xac - USHORT OSCSDVersion; 
//0xae - ULONG OSPlatformId; //0xb0 - ULONG ImageSubsystem; //0xb4 - ULONG ImageSubsystemMajorVersion; //0xb8 - ULONG ImageSubsystemMinorVersion; //0xbc - ULONG ActiveProcessAffinityMask; //0xc0 - ULONG GdiHandleBuffer[34]; //0xc4 - ULONG PostProcessInitRoutine; //0x14c - ULONG TlsExpansionBitmap; //0x150 - ULONG TlsExpansionBitmapBits[32]; //0x154 - ULONG SessionId; //0x1d4 - union _ULARGE_INTEGER AppCompatFlags; //0x1d8 - union _ULARGE_INTEGER AppCompatFlagsUser; //0x1e0 - ULONG pShimData; //0x1e8 - ULONG AppCompatInfo; //0x1ec - struct _STRING32 CSDVersion; //0x1f0 - ULONG ActivationContextData; //0x1f8 - ULONG ProcessAssemblyStorageMap; //0x1fc - ULONG SystemDefaultActivationContextData; //0x200 - ULONG SystemAssemblyStorageMap; //0x204 - ULONG MinimumStackCommit; //0x208 - ULONG SparePointers[4]; //0x20c - ULONG SpareUlongs[5]; //0x21c - ULONG WerRegistrationData; //0x230 - ULONG WerShipAssertPtr; //0x234 - ULONG pUnused; //0x238 - ULONG pImageHeaderHash; //0x23c - union - { - ULONG TracingFlags; //0x240 - struct - { - ULONG HeapTracingEnabled : 1; //0x240 - ULONG CritSecTracingEnabled : 1; //0x240 - ULONG LibLoaderTracingEnabled : 1; //0x240 - ULONG SpareTracingBits : 29; //0x240 + ULONG SystemReserved; // 0x30 + ULONG AtlThunkSListPtr32; // 0x34 + ULONG ApiSetMap; // 0x38 + ULONG TlsExpansionCounter; // 0x3c + ULONG TlsBitmap; // 0x40 + ULONG TlsBitmapBits[2]; // 0x44 + ULONG ReadOnlySharedMemoryBase; // 0x4c + ULONG SharedData; // 0x50 + ULONG ReadOnlyStaticServerData; // 0x54 + ULONG AnsiCodePageData; // 0x58 + ULONG OemCodePageData; // 0x5c + ULONG UnicodeCaseTableData; // 0x60 + ULONG NumberOfProcessors; // 0x64 + ULONG NtGlobalFlag; // 0x68 + union _LARGE_INTEGER CriticalSectionTimeout; // 0x70 + ULONG HeapSegmentReserve; // 0x78 + ULONG HeapSegmentCommit; // 0x7c + ULONG HeapDeCommitTotalFreeThreshold; // 0x80 + ULONG HeapDeCommitFreeBlockThreshold; // 0x84 + ULONG NumberOfHeaps; // 0x88 + ULONG MaximumNumberOfHeaps; // 0x8c + ULONG ProcessHeaps; // 
0x90 + ULONG GdiSharedHandleTable; // 0x94 + ULONG ProcessStarterHelper; // 0x98 + ULONG GdiDCAttributeList; // 0x9c + ULONG LoaderLock; // 0xa0 + ULONG OSMajorVersion; // 0xa4 + ULONG OSMinorVersion; // 0xa8 + USHORT OSBuildNumber; // 0xac + USHORT OSCSDVersion; // 0xae + ULONG OSPlatformId; // 0xb0 + ULONG ImageSubsystem; // 0xb4 + ULONG ImageSubsystemMajorVersion; // 0xb8 + ULONG ImageSubsystemMinorVersion; // 0xbc + ULONG ActiveProcessAffinityMask; // 0xc0 + ULONG GdiHandleBuffer[34]; // 0xc4 + ULONG PostProcessInitRoutine; // 0x14c + ULONG TlsExpansionBitmap; // 0x150 + ULONG TlsExpansionBitmapBits[32]; // 0x154 + ULONG SessionId; // 0x1d4 + union _ULARGE_INTEGER AppCompatFlags; // 0x1d8 + union _ULARGE_INTEGER AppCompatFlagsUser; // 0x1e0 + ULONG pShimData; // 0x1e8 + ULONG AppCompatInfo; // 0x1ec + struct _STRING32 CSDVersion; // 0x1f0 + ULONG ActivationContextData; // 0x1f8 + ULONG ProcessAssemblyStorageMap; // 0x1fc + ULONG SystemDefaultActivationContextData; // 0x200 + ULONG SystemAssemblyStorageMap; // 0x204 + ULONG MinimumStackCommit; // 0x208 + ULONG SparePointers[4]; // 0x20c + ULONG SpareUlongs[5]; // 0x21c + ULONG WerRegistrationData; // 0x230 + ULONG WerShipAssertPtr; // 0x234 + ULONG pUnused; // 0x238 + ULONG pImageHeaderHash; // 0x23c + union { + ULONG TracingFlags; // 0x240 + struct { + ULONG HeapTracingEnabled : 1; // 0x240 + ULONG CritSecTracingEnabled : 1; // 0x240 + ULONG LibLoaderTracingEnabled : 1; // 0x240 + ULONG SpareTracingBits : 29; // 0x240 }; }; - ULONGLONG CsrServerReadOnlySharedMemoryBase; //0x248 - ULONG TppWorkerpListLock; //0x250 - struct LIST_ENTRY32 TppWorkerpList; //0x254 - ULONG WaitOnAddressHashTable[128]; //0x25c - ULONG TelemetryCoverageHeader; //0x45c - ULONG CloudFileFlags; //0x460 - ULONG CloudFileDiagFlags; //0x464 - CHAR PlaceholderCompatibilityMode; //0x468 - CHAR PlaceholderCompatibilityModeReserved[7]; //0x469 - ULONG LeapSecondData; //0x470 - union - { - ULONG LeapSecondFlags; //0x474 - struct - { - ULONG 
SixtySecondEnabled : 1; //0x474 - ULONG Reserved : 31; //0x474 + ULONGLONG CsrServerReadOnlySharedMemoryBase; // 0x248 + ULONG TppWorkerpListLock; // 0x250 + struct LIST_ENTRY32 TppWorkerpList; // 0x254 + ULONG WaitOnAddressHashTable[128]; // 0x25c + ULONG TelemetryCoverageHeader; // 0x45c + ULONG CloudFileFlags; // 0x460 + ULONG CloudFileDiagFlags; // 0x464 + CHAR PlaceholderCompatibilityMode; // 0x468 + CHAR PlaceholderCompatibilityModeReserved[7]; // 0x469 + ULONG LeapSecondData; // 0x470 + union { + ULONG LeapSecondFlags; // 0x474 + struct { + ULONG SixtySecondEnabled : 1; // 0x474 + ULONG Reserved : 31; // 0x474 }; }; - ULONG NtGlobalFlag2; //0x478 + ULONG NtGlobalFlag2; // 0x478 }; static_assert(sizeof(X32PEB) == 0x480, "X64PEB Size check"); -//0x4e0 bytes (sizeof) -struct _GDI_TEB_BATCH32 -{ - ULONG Offset : 31; //0x0 - ULONG HasRenderingCommand : 1; //0x0 - ULONG HDC; //0x4 - ULONG Buffer[310]; //0x8 +// 0x4e0 bytes (sizeof) +struct _GDI_TEB_BATCH32 { + ULONG Offset : 31; // 0x0 + ULONG HasRenderingCommand : 1; // 0x0 + ULONG HDC; // 0x4 + ULONG Buffer[310]; // 0x8 }; -//0x18 bytes (sizeof) -struct _ACTIVATION_CONTEXT_STACK32 -{ - ULONG ActiveFrame; //0x0 - struct LIST_ENTRY32 FrameListCache; //0x4 - ULONG Flags; //0xc - ULONG NextCookieSequenceNumber; //0x10 - ULONG StackId; //0x14 +// 0x18 bytes (sizeof) +struct _ACTIVATION_CONTEXT_STACK32 { + ULONG ActiveFrame; // 0x0 + struct LIST_ENTRY32 FrameListCache; // 0x4 + ULONG Flags; // 0xc + ULONG NextCookieSequenceNumber; // 0x10 + ULONG StackId; // 0x14 }; -//0x8 bytes (sizeof) -struct _CLIENT_ID32 -{ - ULONG UniqueProcess; //0x0 - ULONG UniqueThread; //0x4 +// 0x8 bytes (sizeof) +struct _CLIENT_ID32 { + ULONG UniqueProcess; // 0x0 + ULONG UniqueThread; // 0x4 }; -//0x1000 bytes (sizeof) -struct X32TEB -{ - struct _NT_TIB32 NtTib; //0x0 - ULONG EnvironmentPointer; //0x1c - struct _CLIENT_ID32 ClientId; //0x20 - ULONG ActiveRpcHandle; //0x28 - ULONG ThreadLocalStoragePointer; //0x2c - ULONG 
ProcessEnvironmentBlock; //0x30 - ULONG LastErrorValue; //0x34 - ULONG CountOfOwnedCriticalSections; //0x38 - ULONG CsrClientThread; //0x3c - ULONG Win32ThreadInfo; //0x40 - ULONG User32Reserved[26]; //0x44 - ULONG UserReserved[5]; //0xac - ULONG WOW32Reserved; //0xc0 - ULONG CurrentLocale; //0xc4 - ULONG FpSoftwareStatusRegister; //0xc8 - ULONG ReservedForDebuggerInstrumentation[16]; //0xcc - ULONG SystemReserved1[26]; //0x10c - CHAR PlaceholderCompatibilityMode; //0x174 - UCHAR PlaceholderHydrationAlwaysExplicit; //0x175 - CHAR PlaceholderReserved[10]; //0x176 - ULONG ProxiedProcessId; //0x180 - struct _ACTIVATION_CONTEXT_STACK32 _ActivationStack; //0x184 - UCHAR WorkingOnBehalfTicket[8]; //0x19c - LONG ExceptionCode; //0x1a4 - ULONG ActivationContextStackPointer; //0x1a8 - ULONG InstrumentationCallbackSp; //0x1ac - ULONG InstrumentationCallbackPreviousPc; //0x1b0 - ULONG InstrumentationCallbackPreviousSp; //0x1b4 - UCHAR InstrumentationCallbackDisabled; //0x1b8 - UCHAR SpareBytes[23]; //0x1b9 - ULONG TxFsContext; //0x1d0 - struct _GDI_TEB_BATCH32 GdiTebBatch; //0x1d4 - struct _CLIENT_ID32 RealClientId; //0x6b4 - ULONG GdiCachedProcessHandle; //0x6bc - ULONG GdiClientPID; //0x6c0 - ULONG GdiClientTID; //0x6c4 - ULONG GdiThreadLocalInfo; //0x6c8 - ULONG Win32ClientInfo[62]; //0x6cc - ULONG glDispatchTable[233]; //0x7c4 - ULONG glReserved1[29]; //0xb68 - ULONG glReserved2; //0xbdc - ULONG glSectionInfo; //0xbe0 - ULONG glSection; //0xbe4 - ULONG glTable; //0xbe8 - ULONG glCurrentRC; //0xbec - ULONG glContext; //0xbf0 - ULONG LastStatusValue; //0xbf4 - struct _STRING32 StaticUnicodeString; //0xbf8 - WCHAR StaticUnicodeBuffer[261]; //0xc00 - ULONG DeallocationStack; //0xe0c - ULONG TlsSlots[64]; //0xe10 - struct LIST_ENTRY32 TlsLinks; //0xf10 - ULONG Vdm; //0xf18 - ULONG ReservedForNtRpc; //0xf1c - ULONG DbgSsReserved[2]; //0xf20 - ULONG HardErrorMode; //0xf28 - ULONG Instrumentation[9]; //0xf2c - struct _GUID ActivityId; //0xf50 - ULONG SubProcessTag; //0xf60 - 
ULONG PerflibData; //0xf64 - ULONG EtwTraceData; //0xf68 - ULONG WinSockData; //0xf6c - ULONG GdiBatchCount; //0xf70 - union - { - struct _PROCESSOR_NUMBER CurrentIdealProcessor; //0xf74 - ULONG IdealProcessorValue; //0xf74 - struct - { - UCHAR ReservedPad0; //0xf74 - UCHAR ReservedPad1; //0xf75 - UCHAR ReservedPad2; //0xf76 - UCHAR IdealProcessor; //0xf77 +// 0x1000 bytes (sizeof) +struct X32TEB { + struct _NT_TIB32 NtTib; // 0x0 + ULONG EnvironmentPointer; // 0x1c + struct _CLIENT_ID32 ClientId; // 0x20 + ULONG ActiveRpcHandle; // 0x28 + ULONG ThreadLocalStoragePointer; // 0x2c + ULONG ProcessEnvironmentBlock; // 0x30 + ULONG LastErrorValue; // 0x34 + ULONG CountOfOwnedCriticalSections; // 0x38 + ULONG CsrClientThread; // 0x3c + ULONG Win32ThreadInfo; // 0x40 + ULONG User32Reserved[26]; // 0x44 + ULONG UserReserved[5]; // 0xac + ULONG WOW32Reserved; // 0xc0 + ULONG CurrentLocale; // 0xc4 + ULONG FpSoftwareStatusRegister; // 0xc8 + ULONG ReservedForDebuggerInstrumentation[16]; // 0xcc + ULONG SystemReserved1[26]; // 0x10c + CHAR PlaceholderCompatibilityMode; // 0x174 + UCHAR PlaceholderHydrationAlwaysExplicit; // 0x175 + CHAR PlaceholderReserved[10]; // 0x176 + ULONG ProxiedProcessId; // 0x180 + struct _ACTIVATION_CONTEXT_STACK32 _ActivationStack; // 0x184 + UCHAR WorkingOnBehalfTicket[8]; // 0x19c + LONG ExceptionCode; // 0x1a4 + ULONG ActivationContextStackPointer; // 0x1a8 + ULONG InstrumentationCallbackSp; // 0x1ac + ULONG InstrumentationCallbackPreviousPc; // 0x1b0 + ULONG InstrumentationCallbackPreviousSp; // 0x1b4 + UCHAR InstrumentationCallbackDisabled; // 0x1b8 + UCHAR SpareBytes[23]; // 0x1b9 + ULONG TxFsContext; // 0x1d0 + struct _GDI_TEB_BATCH32 GdiTebBatch; // 0x1d4 + struct _CLIENT_ID32 RealClientId; // 0x6b4 + ULONG GdiCachedProcessHandle; // 0x6bc + ULONG GdiClientPID; // 0x6c0 + ULONG GdiClientTID; // 0x6c4 + ULONG GdiThreadLocalInfo; // 0x6c8 + ULONG Win32ClientInfo[62]; // 0x6cc + ULONG glDispatchTable[233]; // 0x7c4 + ULONG glReserved1[29]; // 
0xb68 + ULONG glReserved2; // 0xbdc + ULONG glSectionInfo; // 0xbe0 + ULONG glSection; // 0xbe4 + ULONG glTable; // 0xbe8 + ULONG glCurrentRC; // 0xbec + ULONG glContext; // 0xbf0 + ULONG LastStatusValue; // 0xbf4 + struct _STRING32 StaticUnicodeString; // 0xbf8 + WCHAR StaticUnicodeBuffer[261]; // 0xc00 + ULONG DeallocationStack; // 0xe0c + ULONG TlsSlots[64]; // 0xe10 + struct LIST_ENTRY32 TlsLinks; // 0xf10 + ULONG Vdm; // 0xf18 + ULONG ReservedForNtRpc; // 0xf1c + ULONG DbgSsReserved[2]; // 0xf20 + ULONG HardErrorMode; // 0xf28 + ULONG Instrumentation[9]; // 0xf2c + struct _GUID ActivityId; // 0xf50 + ULONG SubProcessTag; // 0xf60 + ULONG PerflibData; // 0xf64 + ULONG EtwTraceData; // 0xf68 + ULONG WinSockData; // 0xf6c + ULONG GdiBatchCount; // 0xf70 + union { + struct _PROCESSOR_NUMBER CurrentIdealProcessor; // 0xf74 + ULONG IdealProcessorValue; // 0xf74 + struct { + UCHAR ReservedPad0; // 0xf74 + UCHAR ReservedPad1; // 0xf75 + UCHAR ReservedPad2; // 0xf76 + UCHAR IdealProcessor; // 0xf77 }; }; - ULONG GuaranteedStackBytes; //0xf78 - ULONG ReservedForPerf; //0xf7c - ULONG ReservedForOle; //0xf80 - ULONG WaitingOnLoaderLock; //0xf84 - ULONG SavedPriorityState; //0xf88 - ULONG ReservedForCodeCoverage; //0xf8c - ULONG ThreadPoolData; //0xf90 - ULONG TlsExpansionSlots; //0xf94 - ULONG MuiGeneration; //0xf98 - ULONG IsImpersonating; //0xf9c - ULONG NlsCache; //0xfa0 - ULONG pShimData; //0xfa4 - ULONG HeapData; //0xfa8 - ULONG CurrentTransactionHandle; //0xfac - ULONG ActiveFrame; //0xfb0 - ULONG FlsData; //0xfb4 - ULONG PreferredLanguages; //0xfb8 - ULONG UserPrefLanguages; //0xfbc - ULONG MergedPrefLanguages; //0xfc0 - ULONG MuiImpersonation; //0xfc4 - union - { - volatile USHORT CrossTebFlags; //0xfc8 - USHORT SpareCrossTebBits : 16; //0xfc8 + ULONG GuaranteedStackBytes; // 0xf78 + ULONG ReservedForPerf; // 0xf7c + ULONG ReservedForOle; // 0xf80 + ULONG WaitingOnLoaderLock; // 0xf84 + ULONG SavedPriorityState; // 0xf88 + ULONG ReservedForCodeCoverage; // 0xf8c + 
ULONG ThreadPoolData; // 0xf90 + ULONG TlsExpansionSlots; // 0xf94 + ULONG MuiGeneration; // 0xf98 + ULONG IsImpersonating; // 0xf9c + ULONG NlsCache; // 0xfa0 + ULONG pShimData; // 0xfa4 + ULONG HeapData; // 0xfa8 + ULONG CurrentTransactionHandle; // 0xfac + ULONG ActiveFrame; // 0xfb0 + ULONG FlsData; // 0xfb4 + ULONG PreferredLanguages; // 0xfb8 + ULONG UserPrefLanguages; // 0xfbc + ULONG MergedPrefLanguages; // 0xfc0 + ULONG MuiImpersonation; // 0xfc4 + union { + volatile USHORT CrossTebFlags; // 0xfc8 + USHORT SpareCrossTebBits : 16; // 0xfc8 }; - union - { - USHORT SameTebFlags; //0xfca - struct - { - USHORT SafeThunkCall : 1; //0xfca - USHORT InDebugPrint : 1; //0xfca - USHORT HasFiberData : 1; //0xfca - USHORT SkipThreadAttach : 1; //0xfca - USHORT WerInShipAssertCode : 1; //0xfca - USHORT RanProcessInit : 1; //0xfca - USHORT ClonedThread : 1; //0xfca - USHORT SuppressDebugMsg : 1; //0xfca - USHORT DisableUserStackWalk : 1; //0xfca - USHORT RtlExceptionAttached : 1; //0xfca - USHORT InitialThread : 1; //0xfca - USHORT SessionAware : 1; //0xfca - USHORT LoadOwner : 1; //0xfca - USHORT LoaderWorker : 1; //0xfca - USHORT SkipLoaderInit : 1; //0xfca - USHORT SpareSameTebBits : 1; //0xfca + union { + USHORT SameTebFlags; // 0xfca + struct { + USHORT SafeThunkCall : 1; // 0xfca + USHORT InDebugPrint : 1; // 0xfca + USHORT HasFiberData : 1; // 0xfca + USHORT SkipThreadAttach : 1; // 0xfca + USHORT WerInShipAssertCode : 1; // 0xfca + USHORT RanProcessInit : 1; // 0xfca + USHORT ClonedThread : 1; // 0xfca + USHORT SuppressDebugMsg : 1; // 0xfca + USHORT DisableUserStackWalk : 1; // 0xfca + USHORT RtlExceptionAttached : 1; // 0xfca + USHORT InitialThread : 1; // 0xfca + USHORT SessionAware : 1; // 0xfca + USHORT LoadOwner : 1; // 0xfca + USHORT LoaderWorker : 1; // 0xfca + USHORT SkipLoaderInit : 1; // 0xfca + USHORT SpareSameTebBits : 1; // 0xfca }; }; - ULONG TxnScopeEnterCallback; //0xfcc - ULONG TxnScopeExitCallback; //0xfd0 - ULONG TxnScopeContext; //0xfd4 - 
 ULONG LockCount; //0xfd8
- LONG WowTebOffset; //0xfdc
- ULONG ResourceRetValue; //0xfe0
- ULONG ReservedForWdf; //0xfe4
- ULONGLONG ReservedForCrt; //0xfe8
- struct _GUID EffectiveContainerId; //0xff0
+ ULONG TxnScopeEnterCallback; // 0xfcc
+ ULONG TxnScopeExitCallback; // 0xfd0
+ ULONG TxnScopeContext; // 0xfd4
+ ULONG LockCount; // 0xfd8
+ LONG WowTebOffset; // 0xfdc
+ ULONG ResourceRetValue; // 0xfe0
+ ULONG ReservedForWdf; // 0xfe4
+ ULONGLONG ReservedForCrt; // 0xfe8
+ struct _GUID EffectiveContainerId; // 0xff0
 };
 static_assert(sizeof(X32TEB) == 0x1000, "X32TEB Size check");
@@ -984,6 +964,7 @@ struct struct_moudle {
 uint64_t entry;
 uint64_t base;
 uint64_t size;
+ uint64_t real_base;
 std::vector> import_function;
 std::vector> export_function;
 std::vector> sections;
diff --git a/ai_anti_malware/sandbox.cpp b/ai_anti_malware/sandbox.cpp
index 3bba904..f8fa875 100644
--- a/ai_anti_malware/sandbox.cpp
+++ b/ai_anti_malware/sandbox.cpp
@@ -134,20 +134,13 @@ Sandbox::Sandbox() {}
 Sandbox::~Sandbox() {}
-auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
- uint32_t x32Base) -> void {
- // 检查模块是否已加载
- auto isModuleLoaded =
- std::any_of(m_moduleList.begin(), m_moduleList.end(),
- [moduleBase](std::shared_ptr module) {
- return module->base == moduleBase;
- });
-
- if (isModuleLoaded) {
- std::cout << "[PE] Skipping " << dllName << " (already loaded)\n";
- return;
+auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void {
+ for (auto module : m_moduleList) {
+ if (module->real_base == moduleBase) {
+ printf("skip module name: %s (already loaded)\n", module->name);
+ return;
+ }
 }
- // 解析PE头
 auto* dosHeader = reinterpret_cast(moduleBase);
 auto* ntHeaders = reinterpret_cast(
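Review bot: The new `real_base` field has no comment distinguishing it from the existing `base`, and the names alone do not say which one is the host address and which one the guest address. In the sandbox.cpp hunks `real_base` receives the raw `moduleBase` while `base` is the (possibly narrowed) address handed to `uc_mem_map`/`uc_mem_write`, so I would write `uint64_t real_base;  // host address the module is loaded at; base is the address mapped in the VM`. `struct_moudle` starts above the hunk and continues below it.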
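Review bot: `for (auto module : m_moduleList)` copies a `std::shared_ptr` (an atomic refcount increment and decrement) on every iteration; `for (const auto& module : m_moduleList)` is the idiomatic form, and the same applies to the loop added in the `processImportModule` hunk. The `printf("%s", module->name)` added here also relies on `name` being NUL-terminated, which the `strncpy(newModule.name, dllName, strlen(dllName))` visible as context in the next hunk does not guarantee when `dllName` is as long as the array; bounding the copy by `sizeof(newModule.name) - 1` and terminating explicitly would make the new log line safe. `PushModuleToVM` continues past the end of this hunk.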
@@ -169,7 +162,9 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
 // 创建新模块
 struct_moudle newModule{};
 strncpy(newModule.name, dllName, strlen(dllName));
- newModule.base = this->m_peInfo->isX64 ? moduleBase : x32Base;
+ newModule.base =
+ this->m_peInfo->isX64 ? moduleBase : static_cast(moduleBase);
+ newModule.real_base = moduleBase;
 newModule.entry = ntHeaders->OptionalHeader.AddressOfEntryPoint;
 newModule.size = ntHeaders->OptionalHeader.SizeOfImage;
@@ -208,9 +203,11 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
 << '\n';
 }
 m_moduleList.push_back(std::make_shared(newModule));
- uc_mem_map(m_ucEngine, moduleBase, newModule.size,
+ printf("push `%s` module to vm base: %llx vm size: %llx\n", newModule.name,
+ newModule.base, newModule.size);
+ uc_mem_map(m_ucEngine, newModule.base, newModule.size,
 UC_PROT_READ | UC_PROT_EXEC);
- uc_mem_write(m_ucEngine, moduleBase, (void*)moduleBase, newModule.size);
+ uc_mem_write(m_ucEngine, newModule.base, (void*)moduleBase, newModule.size);
 }
 auto Sandbox::ResolveExport() -> void {
@@ -260,6 +257,12 @@ auto Sandbox::ResolveExport() -> void {
 }
 auto Sandbox::processImportModule(const moudle_import* importModule) -> void {
+ for (auto module : m_moduleList) {
+ if (strcmp(module->name, importModule->dll_name) == 0) {
+ printf("skip module name: %s (already loaded)\n", module->name);
+ return;
+ }
+ }
 // 构建模块路径
 const std::string systemDir =
 m_peInfo->isX64 ? "\\System32\\" : "\\SysWOW64\\";
@@ -281,8 +284,7 @@ auto Sandbox::processImportModule(const moudle_import* importModule) -> void {
 }
 // 添加到虚拟机
- const auto moduleBase32 = static_cast(moduleBase);
- PushModuleToVM(importModule->dll_name, moduleBase, moduleBase32);
+ PushModuleToVM(importModule->dll_name, moduleBase);
 }
 auto Sandbox::ResoveImport() -> void {
 // 处理延迟导入
diff --git a/ai_anti_malware/sandbox.h b/ai_anti_malware/sandbox.h
index 823d3d0..04095e9 100644
--- a/ai_anti_malware/sandbox.h
+++ b/ai_anti_malware/sandbox.h
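Review bot: `newModule.base = this->m_peInfo->isX64 ? moduleBase : static_cast<...>(moduleBase)` narrows the host address for the 32-bit case (the template argument is lost in this rendering, but the removed `x32Base` parameter was `uint32_t`), while the deduplication loop at the top of the function compares only `real_base`. Two host modules whose addresses differ only in the upper 32 bits would therefore receive the same guest `base` and later overlap in `uc_mem_map` without being detected. Consider also comparing `module->base == newModule.base` before mapping, or checking that `moduleBase` fits in 32 bits when `!isX64` and refusing the module otherwise. `PushModuleToVM` starts above and continues below this hunk.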
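Review bot: `uc_mem_map` and `uc_mem_write` both return a `uc_err` that the new code ignores, and `m_moduleList.push_back` records the module before either call, so a mapping failure leaves a module in the list that was never mapped and the new `real_base`/name checks will then silently skip it forever. Checking the results and recording the module only after both succeed keeps the list consistent with what is actually in the VM. The `%llx` format for a `uint64_t` strictly wants `PRIx64` from `<cinttypes>`, although it matches on Windows toolchains where `uint64_t` is `unsigned long long`. `PushModuleToVM` starts above this hunk.
```cpp
  // … unchanged: newModule construction, export logging and the "push … to vm" printf …
  const uc_err mapErr = uc_mem_map(m_ucEngine, newModule.base, newModule.size,
                                   UC_PROT_READ | UC_PROT_EXEC);
  if (mapErr != UC_ERR_OK) {
    printf("failed to map `%s` at %llx: %s\n", newModule.name, newModule.base,
           uc_strerror(mapErr));
    return;
  }
  const uc_err writeErr =
      uc_mem_write(m_ucEngine, newModule.base, (void*)moduleBase, newModule.size);
  if (writeErr != UC_ERR_OK) {
    printf("failed to write `%s` into vm: %s\n", newModule.name,
           uc_strerror(writeErr));
    uc_mem_unmap(m_ucEngine, newModule.base, newModule.size);
    return;
  }
  m_moduleList.push_back(std::make_shared<struct_moudle>(newModule));
```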
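Review bot: The new name check uses `strcmp`, which is case-sensitive, while `dll_name` presumably comes from the import directory, where the same module can be referenced as `KERNEL32.dll` by one importer and `kernel32.dll` by another; if that is the case, the second spelling is not recognised as already loaded and `PushModuleToVM` is entered again, where the `real_base` check catches it only if the loader handed back the same base. A case-insensitive comparison, `_stricmp(module->name, importModule->dll_name) == 0`, would make this guard effective on its own. `for (auto module : m_moduleList)` also copies the `shared_ptr` on each iteration; `const auto&` avoids that. `processImportModule` continues below the hunk.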
@@ -88,7 +88,6 @@ class Sandbox {
 auto ResoveImport() -> void;
 auto SetupVirtualMachine() -> void;
 auto ResolveExport() -> void;
- auto PushModuleToVM(const char* dllName, uint64_t moduleBase,
- uint32_t x32Base) -> void;
+ auto PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void;
 auto processImportModule(const moudle_import* importModule) -> void;
 };