This commit is contained in:
Huoji's
2025-03-06 04:28:34 +08:00
parent 2ca572e225
commit dbe2e6a92b
4 changed files with 293 additions and 312 deletions


@@ -134,20 +134,13 @@ Sandbox::Sandbox() {}
Sandbox::~Sandbox() {}
auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
uint32_t x32Base) -> void {
// 检查模块是否已加载
auto isModuleLoaded =
std::any_of(m_moduleList.begin(), m_moduleList.end(),
[moduleBase](std::shared_ptr<struct_moudle> module) {
return module->base == moduleBase;
});
if (isModuleLoaded) {
std::cout << "[PE] Skipping " << dllName << " (already loaded)\n";
return;
auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void {
for (auto module : m_moduleList) {
if (module->real_base == moduleBase) {
printf("skip module name: %s (already loaded)\n", module->name);
return;
}
}
// 解析PE头
auto* dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(moduleBase);
auto* ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(
@@ -169,7 +162,9 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
// 创建新模块
struct_moudle newModule{};
strncpy(newModule.name, dllName, strlen(dllName));
newModule.base = this->m_peInfo->isX64 ? moduleBase : x32Base;
newModule.base =
this->m_peInfo->isX64 ? moduleBase : static_cast<uint32_t>(moduleBase);
newModule.real_base = moduleBase;
newModule.entry = ntHeaders->OptionalHeader.AddressOfEntryPoint;
newModule.size = ntHeaders->OptionalHeader.SizeOfImage;
@@ -208,9 +203,11 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
<< '\n';
}
m_moduleList.push_back(std::make_shared<struct_moudle>(newModule));
uc_mem_map(m_ucEngine, moduleBase, newModule.size,
printf("push `%s` module to vm base: %llx vm size: %llx\n", newModule.name,
newModule.base, newModule.size);
uc_mem_map(m_ucEngine, newModule.base, newModule.size,
UC_PROT_READ | UC_PROT_EXEC);
uc_mem_write(m_ucEngine, moduleBase, (void*)moduleBase, newModule.size);
uc_mem_write(m_ucEngine, newModule.base, (void*)moduleBase, newModule.size);
}
auto Sandbox::ResolveExport() -> void {
@@ -260,6 +257,12 @@ auto Sandbox::ResolveExport() -> void {
}
auto Sandbox::processImportModule(const moudle_import* importModule) -> void {
for (auto module : m_moduleList) {
if (strcmp(module->name, importModule->dll_name) == 0) {
printf("skip module name: %s (already loaded)\n", module->name);
return;
}
}
// 构建模块路径
const std::string systemDir =
m_peInfo->isX64 ? "\\System32\\" : "\\SysWOW64\\";
@@ -281,8 +284,7 @@ auto Sandbox::processImportModule(const moudle_import* importModule) -> void {
}
// 添加到虚拟机
const auto moduleBase32 = static_cast<uint32_t>(moduleBase);
PushModuleToVM(importModule->dll_name, moduleBase, moduleBase32);
PushModuleToVM(importModule->dll_name, moduleBase);
}
auto Sandbox::ResoveImport() -> void {
// 处理延迟导入
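Review bot: The uc_err results of uc_mem_map and uc_mem_write on the rewritten lines at the end of PushModuleToVM are discarded, and the module has already been pushed to m_moduleList on the line just above them, so a failed map or write leaves the module registered while the VM holds no memory for it, and the mismatch only surfaces later as an unmapped access during emulation. Both calls should be checked and the push_back deferred until the image is actually in place; the rewrite below does that and unmaps on a failed write. The new printf on the same lines passes newModule.size to `%llx`; if struct_moudle::size is a 32-bit field (SizeOfImage is a DWORD), that is a format/argument mismatch, so cast both arguments explicitly, e.g. `static_cast<unsigned long long>(newModule.size)`. As a point of style, the duplicate-check loops added in the first hunk (PushModuleToVM) and the fourth hunk (processImportModule) copy a shared_ptr per iteration with `for (auto module : m_moduleList)`; `for (const auto& module : m_moduleList)` avoids the refcount traffic. PushModuleToVM begins in the first hunk and the part of its body between the hunks is not visible here.
```cpp
// … unchanged: newModule populated, export entries logged …
const auto base = static_cast<unsigned long long>(newModule.base);
const auto size = static_cast<unsigned long long>(newModule.size);
printf("push `%s` module to vm base: %llx vm size: %llx\n", newModule.name, base, size);
const uc_err mapErr = uc_mem_map(m_ucEngine, newModule.base, newModule.size,
                                 UC_PROT_READ | UC_PROT_EXEC);
if (mapErr != UC_ERR_OK) {
  printf("failed to map `%s` at %llx: %s\n", newModule.name, base, uc_strerror(mapErr));
  return;
}
const uc_err writeErr = uc_mem_write(m_ucEngine, newModule.base,
                                     reinterpret_cast<const void*>(moduleBase),
                                     newModule.size);
if (writeErr != UC_ERR_OK) {
  printf("failed to write `%s` image: %s\n", newModule.name, uc_strerror(writeErr));
  uc_mem_unmap(m_ucEngine, newModule.base, newModule.size);
  return;
}
// Register the module only once the VM actually holds its image.
m_moduleList.push_back(std::make_shared<struct_moudle>(newModule));
```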