Huoji's
2025-03-06 04:28:34 +08:00
parent 2ca572e225
commit dbe2e6a92b
4 changed files with 293 additions and 312 deletions


@@ -5,9 +5,7 @@
auto getPeInfo(std::string inputFilePath) -> std::shared_ptr<BasicPeInfo> { auto getPeInfo(std::string inputFilePath) -> std::shared_ptr<BasicPeInfo> {
auto sampleInfo = std::make_shared<BasicPeInfo>(); auto sampleInfo = std::make_shared<BasicPeInfo>();
sampleInfo->inputFilePath = sampleInfo->inputFilePath = inputFilePath;
"E:\\对战平台\\CrowAntiCheat\\CrowAntiCheat\\client\\Console_"
"Test\\Release\\Console_Test.exe";
sampleInfo->peBuffer = sampleInfo->peBuffer =
peconv::load_pe_module((const char*)sampleInfo->inputFilePath.c_str(), peconv::load_pe_module((const char*)sampleInfo->inputFilePath.c_str(),
@@ -17,10 +15,11 @@ auto getPeInfo(std::string inputFilePath) -> std::shared_ptr<BasicPeInfo> {
sampleInfo->isX64 = peconv::is64bit((BYTE*)sampleInfo->peBuffer); sampleInfo->isX64 = peconv::is64bit((BYTE*)sampleInfo->peBuffer);
sampleInfo->RecImageBase = sampleInfo->RecImageBase =
sampleInfo->isX64 sampleInfo->isX64
? (DWORD64)sampleInfo->ntHead64->OptionalHeader.ImageBase ? (DWORD64)sampleInfo->ntHead64->OptionalHeader.ImageBase
: (DWORD)sampleInfo->ntHead32->OptionalHeader.ImageBase; : (DWORD)sampleInfo->ntHead32->OptionalHeader.ImageBase;
sampleInfo->isRelocated = peconv::relocate_module( sampleInfo->isRelocated =
(BYTE*)sampleInfo->peBuffer, sampleInfo->peSize, sampleInfo->RecImageBase); peconv::relocate_module((BYTE*)sampleInfo->peBuffer, sampleInfo->peSize,
sampleInfo->RecImageBase);
sampleInfo->entryPoint = sampleInfo->entryPoint =
sampleInfo->isX64 sampleInfo->isX64
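Review bot: The value `peconv::load_pe_module(...)` assigns to `sampleInfo->peBuffer` is not visibly checked before `peconv::is64bit((BYTE*)sampleInfo->peBuffer)` and the `ntHead64`/`ntHead32` dereferences consume it, and now that `inputFilePath` is caller-supplied rather than a fixed developer path a missing or malformed file becomes a reachable null dereference; if the check lives in the old lines 14–16 between the two hunks ignore this, otherwise `if (!sampleInfo->peBuffer) return nullptr;` (or whatever failure signal callers expect) belongs immediately after the load. The `(const char*)` cast on `c_str()` is a no-op and can be dropped. Taking the parameter as `const std::string& inputFilePath` avoids copying a string that is only read. getPeInfo's body continues past the hunk.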


@@ -387,311 +387,291 @@ typedef struct X64PEB {
ULONG NtGlobalFlag2; // 0x7c4 ULONG NtGlobalFlag2; // 0x7c4
}; };
static_assert(sizeof(X64PEB) == 0x7c8, "X64PEB Size check"); static_assert(sizeof(X64PEB) == 0x7c8, "X64PEB Size check");
//0x8 bytes (sizeof) // 0x8 bytes (sizeof)
struct _STRING32 struct _STRING32 {
{ USHORT Length; // 0x0
USHORT Length; //0x0 USHORT MaximumLength; // 0x2
USHORT MaximumLength; //0x2 ULONG Buffer; // 0x4
ULONG Buffer; //0x4
}; };
//0x480 bytes (sizeof) // 0x480 bytes (sizeof)
struct X32PEB struct X32PEB {
{ UCHAR InheritedAddressSpace; // 0x0
UCHAR InheritedAddressSpace; //0x0 UCHAR ReadImageFileExecOptions; // 0x1
UCHAR ReadImageFileExecOptions; //0x1 UCHAR BeingDebugged; // 0x2
UCHAR BeingDebugged; //0x2 union {
union UCHAR BitField; // 0x3
{ struct {
UCHAR BitField; //0x3 UCHAR ImageUsesLargePages : 1; // 0x3
struct UCHAR IsProtectedProcess : 1; // 0x3
{ UCHAR IsImageDynamicallyRelocated : 1; // 0x3
UCHAR ImageUsesLargePages : 1; //0x3 UCHAR SkipPatchingUser32Forwarders : 1; // 0x3
UCHAR IsProtectedProcess : 1; //0x3 UCHAR IsPackagedProcess : 1; // 0x3
UCHAR IsImageDynamicallyRelocated : 1; //0x3 UCHAR IsAppContainer : 1; // 0x3
UCHAR SkipPatchingUser32Forwarders : 1; //0x3 UCHAR IsProtectedProcessLight : 1; // 0x3
UCHAR IsPackagedProcess : 1; //0x3 UCHAR IsLongPathAwareProcess : 1; // 0x3
UCHAR IsAppContainer : 1; //0x3
UCHAR IsProtectedProcessLight : 1; //0x3
UCHAR IsLongPathAwareProcess : 1; //0x3
}; };
}; };
ULONG Mutant; //0x4 ULONG Mutant; // 0x4
ULONG ImageBaseAddress; //0x8 ULONG ImageBaseAddress; // 0x8
ULONG Ldr; //0xc ULONG Ldr; // 0xc
ULONG ProcessParameters; //0x10 ULONG ProcessParameters; // 0x10
ULONG SubSystemData; //0x14 ULONG SubSystemData; // 0x14
ULONG ProcessHeap; //0x18 ULONG ProcessHeap; // 0x18
ULONG FastPebLock; //0x1c ULONG FastPebLock; // 0x1c
ULONG AtlThunkSListPtr; //0x20 ULONG AtlThunkSListPtr; // 0x20
ULONG IFEOKey; //0x24 ULONG IFEOKey; // 0x24
union union {
{ ULONG CrossProcessFlags; // 0x28
ULONG CrossProcessFlags; //0x28 struct {
struct ULONG ProcessInJob : 1; // 0x28
{ ULONG ProcessInitializing : 1; // 0x28
ULONG ProcessInJob : 1; //0x28 ULONG ProcessUsingVEH : 1; // 0x28
ULONG ProcessInitializing : 1; //0x28 ULONG ProcessUsingVCH : 1; // 0x28
ULONG ProcessUsingVEH : 1; //0x28 ULONG ProcessUsingFTH : 1; // 0x28
ULONG ProcessUsingVCH : 1; //0x28 ULONG ProcessPreviouslyThrottled : 1; // 0x28
ULONG ProcessUsingFTH : 1; //0x28 ULONG ProcessCurrentlyThrottled : 1; // 0x28
ULONG ProcessPreviouslyThrottled : 1; //0x28 ULONG ProcessImagesHotPatched : 1; // 0x28
ULONG ProcessCurrentlyThrottled : 1; //0x28 ULONG ReservedBits0 : 24; // 0x28
ULONG ProcessImagesHotPatched : 1; //0x28
ULONG ReservedBits0 : 24; //0x28
}; };
}; };
union union {
{ ULONG KernelCallbackTable; // 0x2c
ULONG KernelCallbackTable; //0x2c ULONG UserSharedInfoPtr; // 0x2c
ULONG UserSharedInfoPtr; //0x2c
}; };
ULONG SystemReserved; //0x30 ULONG SystemReserved; // 0x30
ULONG AtlThunkSListPtr32; //0x34 ULONG AtlThunkSListPtr32; // 0x34
ULONG ApiSetMap; //0x38 ULONG ApiSetMap; // 0x38
ULONG TlsExpansionCounter; //0x3c ULONG TlsExpansionCounter; // 0x3c
ULONG TlsBitmap; //0x40 ULONG TlsBitmap; // 0x40
ULONG TlsBitmapBits[2]; //0x44 ULONG TlsBitmapBits[2]; // 0x44
ULONG ReadOnlySharedMemoryBase; //0x4c ULONG ReadOnlySharedMemoryBase; // 0x4c
ULONG SharedData; //0x50 ULONG SharedData; // 0x50
ULONG ReadOnlyStaticServerData; //0x54 ULONG ReadOnlyStaticServerData; // 0x54
ULONG AnsiCodePageData; //0x58 ULONG AnsiCodePageData; // 0x58
ULONG OemCodePageData; //0x5c ULONG OemCodePageData; // 0x5c
ULONG UnicodeCaseTableData; //0x60 ULONG UnicodeCaseTableData; // 0x60
ULONG NumberOfProcessors; //0x64 ULONG NumberOfProcessors; // 0x64
ULONG NtGlobalFlag; //0x68 ULONG NtGlobalFlag; // 0x68
union _LARGE_INTEGER CriticalSectionTimeout; //0x70 union _LARGE_INTEGER CriticalSectionTimeout; // 0x70
ULONG HeapSegmentReserve; //0x78 ULONG HeapSegmentReserve; // 0x78
ULONG HeapSegmentCommit; //0x7c ULONG HeapSegmentCommit; // 0x7c
ULONG HeapDeCommitTotalFreeThreshold; //0x80 ULONG HeapDeCommitTotalFreeThreshold; // 0x80
ULONG HeapDeCommitFreeBlockThreshold; //0x84 ULONG HeapDeCommitFreeBlockThreshold; // 0x84
ULONG NumberOfHeaps; //0x88 ULONG NumberOfHeaps; // 0x88
ULONG MaximumNumberOfHeaps; //0x8c ULONG MaximumNumberOfHeaps; // 0x8c
ULONG ProcessHeaps; //0x90 ULONG ProcessHeaps; // 0x90
ULONG GdiSharedHandleTable; //0x94 ULONG GdiSharedHandleTable; // 0x94
ULONG ProcessStarterHelper; //0x98 ULONG ProcessStarterHelper; // 0x98
ULONG GdiDCAttributeList; //0x9c ULONG GdiDCAttributeList; // 0x9c
ULONG LoaderLock; //0xa0 ULONG LoaderLock; // 0xa0
ULONG OSMajorVersion; //0xa4 ULONG OSMajorVersion; // 0xa4
ULONG OSMinorVersion; //0xa8 ULONG OSMinorVersion; // 0xa8
USHORT OSBuildNumber; //0xac USHORT OSBuildNumber; // 0xac
USHORT OSCSDVersion; //0xae USHORT OSCSDVersion; // 0xae
ULONG OSPlatformId; //0xb0 ULONG OSPlatformId; // 0xb0
ULONG ImageSubsystem; //0xb4 ULONG ImageSubsystem; // 0xb4
ULONG ImageSubsystemMajorVersion; //0xb8 ULONG ImageSubsystemMajorVersion; // 0xb8
ULONG ImageSubsystemMinorVersion; //0xbc ULONG ImageSubsystemMinorVersion; // 0xbc
ULONG ActiveProcessAffinityMask; //0xc0 ULONG ActiveProcessAffinityMask; // 0xc0
ULONG GdiHandleBuffer[34]; //0xc4 ULONG GdiHandleBuffer[34]; // 0xc4
ULONG PostProcessInitRoutine; //0x14c ULONG PostProcessInitRoutine; // 0x14c
ULONG TlsExpansionBitmap; //0x150 ULONG TlsExpansionBitmap; // 0x150
ULONG TlsExpansionBitmapBits[32]; //0x154 ULONG TlsExpansionBitmapBits[32]; // 0x154
ULONG SessionId; //0x1d4 ULONG SessionId; // 0x1d4
union _ULARGE_INTEGER AppCompatFlags; //0x1d8 union _ULARGE_INTEGER AppCompatFlags; // 0x1d8
union _ULARGE_INTEGER AppCompatFlagsUser; //0x1e0 union _ULARGE_INTEGER AppCompatFlagsUser; // 0x1e0
ULONG pShimData; //0x1e8 ULONG pShimData; // 0x1e8
ULONG AppCompatInfo; //0x1ec ULONG AppCompatInfo; // 0x1ec
struct _STRING32 CSDVersion; //0x1f0 struct _STRING32 CSDVersion; // 0x1f0
ULONG ActivationContextData; //0x1f8 ULONG ActivationContextData; // 0x1f8
ULONG ProcessAssemblyStorageMap; //0x1fc ULONG ProcessAssemblyStorageMap; // 0x1fc
ULONG SystemDefaultActivationContextData; //0x200 ULONG SystemDefaultActivationContextData; // 0x200
ULONG SystemAssemblyStorageMap; //0x204 ULONG SystemAssemblyStorageMap; // 0x204
ULONG MinimumStackCommit; //0x208 ULONG MinimumStackCommit; // 0x208
ULONG SparePointers[4]; //0x20c ULONG SparePointers[4]; // 0x20c
ULONG SpareUlongs[5]; //0x21c ULONG SpareUlongs[5]; // 0x21c
ULONG WerRegistrationData; //0x230 ULONG WerRegistrationData; // 0x230
ULONG WerShipAssertPtr; //0x234 ULONG WerShipAssertPtr; // 0x234
ULONG pUnused; //0x238 ULONG pUnused; // 0x238
ULONG pImageHeaderHash; //0x23c ULONG pImageHeaderHash; // 0x23c
union union {
{ ULONG TracingFlags; // 0x240
ULONG TracingFlags; //0x240 struct {
struct ULONG HeapTracingEnabled : 1; // 0x240
{ ULONG CritSecTracingEnabled : 1; // 0x240
ULONG HeapTracingEnabled : 1; //0x240 ULONG LibLoaderTracingEnabled : 1; // 0x240
ULONG CritSecTracingEnabled : 1; //0x240 ULONG SpareTracingBits : 29; // 0x240
ULONG LibLoaderTracingEnabled : 1; //0x240
ULONG SpareTracingBits : 29; //0x240
}; };
}; };
ULONGLONG CsrServerReadOnlySharedMemoryBase; //0x248 ULONGLONG CsrServerReadOnlySharedMemoryBase; // 0x248
ULONG TppWorkerpListLock; //0x250 ULONG TppWorkerpListLock; // 0x250
struct LIST_ENTRY32 TppWorkerpList; //0x254 struct LIST_ENTRY32 TppWorkerpList; // 0x254
ULONG WaitOnAddressHashTable[128]; //0x25c ULONG WaitOnAddressHashTable[128]; // 0x25c
ULONG TelemetryCoverageHeader; //0x45c ULONG TelemetryCoverageHeader; // 0x45c
ULONG CloudFileFlags; //0x460 ULONG CloudFileFlags; // 0x460
ULONG CloudFileDiagFlags; //0x464 ULONG CloudFileDiagFlags; // 0x464
CHAR PlaceholderCompatibilityMode; //0x468 CHAR PlaceholderCompatibilityMode; // 0x468
CHAR PlaceholderCompatibilityModeReserved[7]; //0x469 CHAR PlaceholderCompatibilityModeReserved[7]; // 0x469
ULONG LeapSecondData; //0x470 ULONG LeapSecondData; // 0x470
union union {
{ ULONG LeapSecondFlags; // 0x474
ULONG LeapSecondFlags; //0x474 struct {
struct ULONG SixtySecondEnabled : 1; // 0x474
{ ULONG Reserved : 31; // 0x474
ULONG SixtySecondEnabled : 1; //0x474
ULONG Reserved : 31; //0x474
}; };
}; };
ULONG NtGlobalFlag2; //0x478 ULONG NtGlobalFlag2; // 0x478
}; };
static_assert(sizeof(X32PEB) == 0x480, "X64PEB Size check"); static_assert(sizeof(X32PEB) == 0x480, "X64PEB Size check");
//0x4e0 bytes (sizeof) // 0x4e0 bytes (sizeof)
struct _GDI_TEB_BATCH32 struct _GDI_TEB_BATCH32 {
{ ULONG Offset : 31; // 0x0
ULONG Offset : 31; //0x0 ULONG HasRenderingCommand : 1; // 0x0
ULONG HasRenderingCommand : 1; //0x0 ULONG HDC; // 0x4
ULONG HDC; //0x4 ULONG Buffer[310]; // 0x8
ULONG Buffer[310]; //0x8
}; };
//0x18 bytes (sizeof) // 0x18 bytes (sizeof)
struct _ACTIVATION_CONTEXT_STACK32 struct _ACTIVATION_CONTEXT_STACK32 {
{ ULONG ActiveFrame; // 0x0
ULONG ActiveFrame; //0x0 struct LIST_ENTRY32 FrameListCache; // 0x4
struct LIST_ENTRY32 FrameListCache; //0x4 ULONG Flags; // 0xc
ULONG Flags; //0xc ULONG NextCookieSequenceNumber; // 0x10
ULONG NextCookieSequenceNumber; //0x10 ULONG StackId; // 0x14
ULONG StackId; //0x14
}; };
//0x8 bytes (sizeof) // 0x8 bytes (sizeof)
struct _CLIENT_ID32 struct _CLIENT_ID32 {
{ ULONG UniqueProcess; // 0x0
ULONG UniqueProcess; //0x0 ULONG UniqueThread; // 0x4
ULONG UniqueThread; //0x4
}; };
//0x1000 bytes (sizeof) // 0x1000 bytes (sizeof)
struct X32TEB struct X32TEB {
{ struct _NT_TIB32 NtTib; // 0x0
struct _NT_TIB32 NtTib; //0x0 ULONG EnvironmentPointer; // 0x1c
ULONG EnvironmentPointer; //0x1c struct _CLIENT_ID32 ClientId; // 0x20
struct _CLIENT_ID32 ClientId; //0x20 ULONG ActiveRpcHandle; // 0x28
ULONG ActiveRpcHandle; //0x28 ULONG ThreadLocalStoragePointer; // 0x2c
ULONG ThreadLocalStoragePointer; //0x2c ULONG ProcessEnvironmentBlock; // 0x30
ULONG ProcessEnvironmentBlock; //0x30 ULONG LastErrorValue; // 0x34
ULONG LastErrorValue; //0x34 ULONG CountOfOwnedCriticalSections; // 0x38
ULONG CountOfOwnedCriticalSections; //0x38 ULONG CsrClientThread; // 0x3c
ULONG CsrClientThread; //0x3c ULONG Win32ThreadInfo; // 0x40
ULONG Win32ThreadInfo; //0x40 ULONG User32Reserved[26]; // 0x44
ULONG User32Reserved[26]; //0x44 ULONG UserReserved[5]; // 0xac
ULONG UserReserved[5]; //0xac ULONG WOW32Reserved; // 0xc0
ULONG WOW32Reserved; //0xc0 ULONG CurrentLocale; // 0xc4
ULONG CurrentLocale; //0xc4 ULONG FpSoftwareStatusRegister; // 0xc8
ULONG FpSoftwareStatusRegister; //0xc8 ULONG ReservedForDebuggerInstrumentation[16]; // 0xcc
ULONG ReservedForDebuggerInstrumentation[16]; //0xcc ULONG SystemReserved1[26]; // 0x10c
ULONG SystemReserved1[26]; //0x10c CHAR PlaceholderCompatibilityMode; // 0x174
CHAR PlaceholderCompatibilityMode; //0x174 UCHAR PlaceholderHydrationAlwaysExplicit; // 0x175
UCHAR PlaceholderHydrationAlwaysExplicit; //0x175 CHAR PlaceholderReserved[10]; // 0x176
CHAR PlaceholderReserved[10]; //0x176 ULONG ProxiedProcessId; // 0x180
ULONG ProxiedProcessId; //0x180 struct _ACTIVATION_CONTEXT_STACK32 _ActivationStack; // 0x184
struct _ACTIVATION_CONTEXT_STACK32 _ActivationStack; //0x184 UCHAR WorkingOnBehalfTicket[8]; // 0x19c
UCHAR WorkingOnBehalfTicket[8]; //0x19c LONG ExceptionCode; // 0x1a4
LONG ExceptionCode; //0x1a4 ULONG ActivationContextStackPointer; // 0x1a8
ULONG ActivationContextStackPointer; //0x1a8 ULONG InstrumentationCallbackSp; // 0x1ac
ULONG InstrumentationCallbackSp; //0x1ac ULONG InstrumentationCallbackPreviousPc; // 0x1b0
ULONG InstrumentationCallbackPreviousPc; //0x1b0 ULONG InstrumentationCallbackPreviousSp; // 0x1b4
ULONG InstrumentationCallbackPreviousSp; //0x1b4 UCHAR InstrumentationCallbackDisabled; // 0x1b8
UCHAR InstrumentationCallbackDisabled; //0x1b8 UCHAR SpareBytes[23]; // 0x1b9
UCHAR SpareBytes[23]; //0x1b9 ULONG TxFsContext; // 0x1d0
ULONG TxFsContext; //0x1d0 struct _GDI_TEB_BATCH32 GdiTebBatch; // 0x1d4
struct _GDI_TEB_BATCH32 GdiTebBatch; //0x1d4 struct _CLIENT_ID32 RealClientId; // 0x6b4
struct _CLIENT_ID32 RealClientId; //0x6b4 ULONG GdiCachedProcessHandle; // 0x6bc
ULONG GdiCachedProcessHandle; //0x6bc ULONG GdiClientPID; // 0x6c0
ULONG GdiClientPID; //0x6c0 ULONG GdiClientTID; // 0x6c4
ULONG GdiClientTID; //0x6c4 ULONG GdiThreadLocalInfo; // 0x6c8
ULONG GdiThreadLocalInfo; //0x6c8 ULONG Win32ClientInfo[62]; // 0x6cc
ULONG Win32ClientInfo[62]; //0x6cc ULONG glDispatchTable[233]; // 0x7c4
ULONG glDispatchTable[233]; //0x7c4 ULONG glReserved1[29]; // 0xb68
ULONG glReserved1[29]; //0xb68 ULONG glReserved2; // 0xbdc
ULONG glReserved2; //0xbdc ULONG glSectionInfo; // 0xbe0
ULONG glSectionInfo; //0xbe0 ULONG glSection; // 0xbe4
ULONG glSection; //0xbe4 ULONG glTable; // 0xbe8
ULONG glTable; //0xbe8 ULONG glCurrentRC; // 0xbec
ULONG glCurrentRC; //0xbec ULONG glContext; // 0xbf0
ULONG glContext; //0xbf0 ULONG LastStatusValue; // 0xbf4
ULONG LastStatusValue; //0xbf4 struct _STRING32 StaticUnicodeString; // 0xbf8
struct _STRING32 StaticUnicodeString; //0xbf8 WCHAR StaticUnicodeBuffer[261]; // 0xc00
WCHAR StaticUnicodeBuffer[261]; //0xc00 ULONG DeallocationStack; // 0xe0c
ULONG DeallocationStack; //0xe0c ULONG TlsSlots[64]; // 0xe10
ULONG TlsSlots[64]; //0xe10 struct LIST_ENTRY32 TlsLinks; // 0xf10
struct LIST_ENTRY32 TlsLinks; //0xf10 ULONG Vdm; // 0xf18
ULONG Vdm; //0xf18 ULONG ReservedForNtRpc; // 0xf1c
ULONG ReservedForNtRpc; //0xf1c ULONG DbgSsReserved[2]; // 0xf20
ULONG DbgSsReserved[2]; //0xf20 ULONG HardErrorMode; // 0xf28
ULONG HardErrorMode; //0xf28 ULONG Instrumentation[9]; // 0xf2c
ULONG Instrumentation[9]; //0xf2c struct _GUID ActivityId; // 0xf50
struct _GUID ActivityId; //0xf50 ULONG SubProcessTag; // 0xf60
ULONG SubProcessTag; //0xf60 ULONG PerflibData; // 0xf64
ULONG PerflibData; //0xf64 ULONG EtwTraceData; // 0xf68
ULONG EtwTraceData; //0xf68 ULONG WinSockData; // 0xf6c
ULONG WinSockData; //0xf6c ULONG GdiBatchCount; // 0xf70
ULONG GdiBatchCount; //0xf70 union {
union struct _PROCESSOR_NUMBER CurrentIdealProcessor; // 0xf74
{ ULONG IdealProcessorValue; // 0xf74
struct _PROCESSOR_NUMBER CurrentIdealProcessor; //0xf74 struct {
ULONG IdealProcessorValue; //0xf74 UCHAR ReservedPad0; // 0xf74
struct UCHAR ReservedPad1; // 0xf75
{ UCHAR ReservedPad2; // 0xf76
UCHAR ReservedPad0; //0xf74 UCHAR IdealProcessor; // 0xf77
UCHAR ReservedPad1; //0xf75
UCHAR ReservedPad2; //0xf76
UCHAR IdealProcessor; //0xf77
}; };
}; };
ULONG GuaranteedStackBytes; //0xf78 ULONG GuaranteedStackBytes; // 0xf78
ULONG ReservedForPerf; //0xf7c ULONG ReservedForPerf; // 0xf7c
ULONG ReservedForOle; //0xf80 ULONG ReservedForOle; // 0xf80
ULONG WaitingOnLoaderLock; //0xf84 ULONG WaitingOnLoaderLock; // 0xf84
ULONG SavedPriorityState; //0xf88 ULONG SavedPriorityState; // 0xf88
ULONG ReservedForCodeCoverage; //0xf8c ULONG ReservedForCodeCoverage; // 0xf8c
ULONG ThreadPoolData; //0xf90 ULONG ThreadPoolData; // 0xf90
ULONG TlsExpansionSlots; //0xf94 ULONG TlsExpansionSlots; // 0xf94
ULONG MuiGeneration; //0xf98 ULONG MuiGeneration; // 0xf98
ULONG IsImpersonating; //0xf9c ULONG IsImpersonating; // 0xf9c
ULONG NlsCache; //0xfa0 ULONG NlsCache; // 0xfa0
ULONG pShimData; //0xfa4 ULONG pShimData; // 0xfa4
ULONG HeapData; //0xfa8 ULONG HeapData; // 0xfa8
ULONG CurrentTransactionHandle; //0xfac ULONG CurrentTransactionHandle; // 0xfac
ULONG ActiveFrame; //0xfb0 ULONG ActiveFrame; // 0xfb0
ULONG FlsData; //0xfb4 ULONG FlsData; // 0xfb4
ULONG PreferredLanguages; //0xfb8 ULONG PreferredLanguages; // 0xfb8
ULONG UserPrefLanguages; //0xfbc ULONG UserPrefLanguages; // 0xfbc
ULONG MergedPrefLanguages; //0xfc0 ULONG MergedPrefLanguages; // 0xfc0
ULONG MuiImpersonation; //0xfc4 ULONG MuiImpersonation; // 0xfc4
union union {
{ volatile USHORT CrossTebFlags; // 0xfc8
volatile USHORT CrossTebFlags; //0xfc8 USHORT SpareCrossTebBits : 16; // 0xfc8
USHORT SpareCrossTebBits : 16; //0xfc8
}; };
union union {
{ USHORT SameTebFlags; // 0xfca
USHORT SameTebFlags; //0xfca struct {
struct USHORT SafeThunkCall : 1; // 0xfca
{ USHORT InDebugPrint : 1; // 0xfca
USHORT SafeThunkCall : 1; //0xfca USHORT HasFiberData : 1; // 0xfca
USHORT InDebugPrint : 1; //0xfca USHORT SkipThreadAttach : 1; // 0xfca
USHORT HasFiberData : 1; //0xfca USHORT WerInShipAssertCode : 1; // 0xfca
USHORT SkipThreadAttach : 1; //0xfca USHORT RanProcessInit : 1; // 0xfca
USHORT WerInShipAssertCode : 1; //0xfca USHORT ClonedThread : 1; // 0xfca
USHORT RanProcessInit : 1; //0xfca USHORT SuppressDebugMsg : 1; // 0xfca
USHORT ClonedThread : 1; //0xfca USHORT DisableUserStackWalk : 1; // 0xfca
USHORT SuppressDebugMsg : 1; //0xfca USHORT RtlExceptionAttached : 1; // 0xfca
USHORT DisableUserStackWalk : 1; //0xfca USHORT InitialThread : 1; // 0xfca
USHORT RtlExceptionAttached : 1; //0xfca USHORT SessionAware : 1; // 0xfca
USHORT InitialThread : 1; //0xfca USHORT LoadOwner : 1; // 0xfca
USHORT SessionAware : 1; //0xfca USHORT LoaderWorker : 1; // 0xfca
USHORT LoadOwner : 1; //0xfca USHORT SkipLoaderInit : 1; // 0xfca
USHORT LoaderWorker : 1; //0xfca USHORT SpareSameTebBits : 1; // 0xfca
USHORT SkipLoaderInit : 1; //0xfca
USHORT SpareSameTebBits : 1; //0xfca
}; };
}; };
ULONG TxnScopeEnterCallback; //0xfcc ULONG TxnScopeEnterCallback; // 0xfcc
ULONG TxnScopeExitCallback; //0xfd0 ULONG TxnScopeExitCallback; // 0xfd0
ULONG TxnScopeContext; //0xfd4 ULONG TxnScopeContext; // 0xfd4
ULONG LockCount; //0xfd8 ULONG LockCount; // 0xfd8
LONG WowTebOffset; //0xfdc LONG WowTebOffset; // 0xfdc
ULONG ResourceRetValue; //0xfe0 ULONG ResourceRetValue; // 0xfe0
ULONG ReservedForWdf; //0xfe4 ULONG ReservedForWdf; // 0xfe4
ULONGLONG ReservedForCrt; //0xfe8 ULONGLONG ReservedForCrt; // 0xfe8
struct _GUID EffectiveContainerId; //0xff0 struct _GUID EffectiveContainerId; // 0xff0
}; };
static_assert(sizeof(X32TEB) == 0x1000, "X32TEB Size check"); static_assert(sizeof(X32TEB) == 0x1000, "X32TEB Size check");
@@ -984,6 +964,7 @@ struct struct_moudle {
uint64_t entry; uint64_t entry;
uint64_t base; uint64_t base;
uint64_t size; uint64_t size;
uint64_t real_base;
std::vector<std::shared_ptr<moudle_import>> import_function; std::vector<std::shared_ptr<moudle_import>> import_function;
std::vector<std::shared_ptr<moudle_export>> export_function; std::vector<std::shared_ptr<moudle_export>> export_function;
std::vector<std::shared_ptr<moudle_section>> sections; std::vector<std::shared_ptr<moudle_section>> sections;
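Review bot: `uint64_t real_base;` added to struct_moudle is undocumented, and how it relates to the existing `base` is only discoverable from Sandbox.cpp, where `base` is the address handed to uc_mem_map (truncated to 32 bits when the sample is not x64) and `real_base` keeps the host address used for the already-loaded check. A comment on both fields would save the next reader that lookup, e.g. `uint64_t base;      // guest (VM) base; 32-bit truncation of real_base for non-x64 samples` and `uint64_t real_base; // host address of the loaded image`. The struct's definition starts and ends outside the hunk. Unrelated to this change but on the new side of the first hunk, `static_assert(sizeof(X32PEB) == 0x480, "X64PEB Size check");` carries a copy-pasted message that should name X32PEB.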


@@ -134,20 +134,13 @@ Sandbox::Sandbox() {}
Sandbox::~Sandbox() {} Sandbox::~Sandbox() {}
auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase, auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void {
uint32_t x32Base) -> void { for (auto module : m_moduleList) {
// 检查模块是否已加载 if (module->real_base == moduleBase) {
auto isModuleLoaded = printf("skip module name: %s (already loaded)\n", module->name);
std::any_of(m_moduleList.begin(), m_moduleList.end(), return;
[moduleBase](std::shared_ptr<struct_moudle> module) { }
return module->base == moduleBase;
});
if (isModuleLoaded) {
std::cout << "[PE] Skipping " << dllName << " (already loaded)\n";
return;
} }
// 解析PE头 // 解析PE头
auto* dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(moduleBase); auto* dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(moduleBase);
auto* ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>( auto* ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(
@@ -169,7 +162,9 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
// 创建新模块 // 创建新模块
struct_moudle newModule{}; struct_moudle newModule{};
strncpy(newModule.name, dllName, strlen(dllName)); strncpy(newModule.name, dllName, strlen(dllName));
newModule.base = this->m_peInfo->isX64 ? moduleBase : x32Base; newModule.base =
this->m_peInfo->isX64 ? moduleBase : static_cast<uint32_t>(moduleBase);
newModule.real_base = moduleBase;
newModule.entry = ntHeaders->OptionalHeader.AddressOfEntryPoint; newModule.entry = ntHeaders->OptionalHeader.AddressOfEntryPoint;
newModule.size = ntHeaders->OptionalHeader.SizeOfImage; newModule.size = ntHeaders->OptionalHeader.SizeOfImage;
@@ -208,9 +203,11 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
<< '\n'; << '\n';
} }
m_moduleList.push_back(std::make_shared<struct_moudle>(newModule)); m_moduleList.push_back(std::make_shared<struct_moudle>(newModule));
uc_mem_map(m_ucEngine, moduleBase, newModule.size, printf("push `%s` module to vm base: %llx vm size: %llx\n", newModule.name,
newModule.base, newModule.size);
uc_mem_map(m_ucEngine, newModule.base, newModule.size,
UC_PROT_READ | UC_PROT_EXEC); UC_PROT_READ | UC_PROT_EXEC);
uc_mem_write(m_ucEngine, moduleBase, (void*)moduleBase, newModule.size); uc_mem_write(m_ucEngine, newModule.base, (void*)moduleBase, newModule.size);
} }
auto Sandbox::ResolveExport() -> void { auto Sandbox::ResolveExport() -> void {
@@ -260,6 +257,12 @@ auto Sandbox::ResolveExport() -> void {
} }
auto Sandbox::processImportModule(const moudle_import* importModule) -> void { auto Sandbox::processImportModule(const moudle_import* importModule) -> void {
for (auto module : m_moduleList) {
if (strcmp(module->name, importModule->dll_name) == 0) {
printf("skip module name: %s (already loaded)\n", module->name);
return;
}
}
// 构建模块路径 // 构建模块路径
const std::string systemDir = const std::string systemDir =
m_peInfo->isX64 ? "\\System32\\" : "\\SysWOW64\\"; m_peInfo->isX64 ? "\\System32\\" : "\\SysWOW64\\";
@@ -281,8 +284,7 @@ auto Sandbox::processImportModule(const moudle_import* importModule) -> void {
} }
// 添加到虚拟机 // 添加到虚拟机
const auto moduleBase32 = static_cast<uint32_t>(moduleBase); PushModuleToVM(importModule->dll_name, moduleBase);
PushModuleToVM(importModule->dll_name, moduleBase, moduleBase32);
} }
auto Sandbox::ResoveImport() -> void { auto Sandbox::ResoveImport() -> void {
// 处理延迟导入 // 处理延迟导入
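Review bot: `strncpy(newModule.name, dllName, strlen(dllName));` in the PushModuleToVM hunk bounds the copy by the source length rather than the destination, so a DLL name longer than `name` overruns the struct, and the name arrives through processImportModule's `importModule->dll_name`, which as far as the names suggest is read from the sample being analysed rather than from trusted input. If `name` is a fixed-size array, `snprintf(newModule.name, sizeof newModule.name, "%s", dllName);` (or `strncpy` with `sizeof(newModule.name) - 1` plus an explicit terminator) keeps the copy bounded. The two new dedup loops, `for (auto module : m_moduleList)` here and in processImportModule, copy a shared_ptr per iteration; `for (const auto& module : m_moduleList)` avoids the refcount traffic, and the name comparison in processImportModule is case-sensitive even though the real_base check in PushModuleToVM is what ultimately prevents a double map. The results of `uc_mem_map` and `uc_mem_write` on the new side are still ignored, so a failed mapping is silently followed by the write and a later lookup. PushModuleToVM's body extends beyond the hunks shown.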


@@ -88,7 +88,6 @@ class Sandbox {
auto ResoveImport() -> void; auto ResoveImport() -> void;
auto SetupVirtualMachine() -> void; auto SetupVirtualMachine() -> void;
auto ResolveExport() -> void; auto ResolveExport() -> void;
auto PushModuleToVM(const char* dllName, uint64_t moduleBase, auto PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void;
uint32_t x32Base) -> void;
auto processImportModule(const moudle_import* importModule) -> void; auto processImportModule(const moudle_import* importModule) -> void;
}; };