This commit is contained in:
huoji
2025-03-06 20:08:12 +08:00
parent 9a5ea0f919
commit ed5e7ae994
3 changed files with 47 additions and 14 deletions


@@ -487,6 +487,12 @@ auto Sandbox::SetupVirtualMachine() -> void {
msr.value = m_tebBase; msr.value = m_tebBase;
uc_reg_write(m_ucEngine, UC_X86_REG_MSR, &msr); uc_reg_write(m_ucEngine, UC_X86_REG_MSR, &msr);
} }
for (DWORD i = 0; i < 64; i++) {
GetTeb64()->TlsSlots[i] = (void*)0x1337ffffff;
}
for (DWORD i = 0; i < 64; i++) {
GetTeb32()->TlsSlots[i] = 0x1337;
}
} }
auto Sandbox::InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void { auto Sandbox::InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void {
m_peInfo = peInfo; m_peInfo = peInfo;
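Review bot: The free-slot markers 0x1337ffffff (64-bit TEB) and 0x1337 (32-bit TEB) are written here as bare literals and then compared against in Api_TlsAlloc, Api_TlsSetValue and Api_TlsGetValue, so the two initialisation loops and the comparisons elsewhere have to be kept in sync by hand; a shared named constant next to the TEB definitions, e.g. `constexpr uint64_t kTlsSlotFree64 = 0x1337ffffff;` and `constexpr uint32_t kTlsSlotFree32 = 0x1337;`, would remove that coupling, and the literal `64` could be derived from the declared size of `TlsSlots` rather than repeated. A real Windows TEB has TlsSlots zero-filled, so guest code that reads the slots directly through the TEB (rather than via the emulated TlsGetValue) will observe these non-zero markers; if that trade-off is intended so TlsAlloc can distinguish a free slot from a slot legitimately holding zero, a comment on the loop should say so, e.g. `// free-slot marker, deliberately non-zero: TlsAlloc needs to tell "free" from "set to 0"; differs from a real (zero-filled) TEB`. Sandbox::SetupVirtualMachine begins before this hunk, so I cannot see whether the TEB memory is already mapped at this point.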


@@ -264,8 +264,8 @@ auto Api_TlsAlloc(void* sandbox, uc_engine* uc, uint64_t address) -> void {
auto teb = context->GetTeb64(); auto teb = context->GetTeb64();
// 在TLS槽中查找第一个可用的位置 // 在TLS槽中查找第一个可用的位置
for (DWORD i = 0; i < 64; i++) { // TEB中TlsSlots数组大小为64 for (DWORD i = 0; i < 64; i++) { // TEB中TlsSlots数组大小为64
if (teb->TlsSlots[i] == nullptr) { if (teb->TlsSlots[i] == (void*)0x1337ffffff) {
teb->TlsSlots[i] = (void*)1; // 标记为已使用 teb->TlsSlots[i] = (void*)0; // 标记为已使用
tls_index = i; tls_index = i;
break; break;
} }
@@ -274,8 +274,8 @@ auto Api_TlsAlloc(void* sandbox, uc_engine* uc, uint64_t address) -> void {
auto teb = context->GetTeb32(); auto teb = context->GetTeb32();
// 在TLS槽中查找第一个可用的位置 // 在TLS槽中查找第一个可用的位置
for (DWORD i = 0; i < 64; i++) { // TEB中TlsSlots数组大小为64 for (DWORD i = 0; i < 64; i++) { // TEB中TlsSlots数组大小为64
if (teb->TlsSlots[i] == 0) { if (teb->TlsSlots[i] == 0x1337) {
teb->TlsSlots[i] = 1; // 标记为已使用 teb->TlsSlots[i] = 0; // 标记为已使用
tls_index = i; tls_index = i;
break; break;
} }
@@ -329,14 +329,14 @@ auto Api_TlsSetValue(void* sandbox, uc_engine* uc, uint64_t address) -> void {
if (context->GetPeInfo()->isX64) { if (context->GetPeInfo()->isX64) {
auto teb = context->GetTeb64(); auto teb = context->GetTeb64();
// 检查槽是否已分配不为nullptr // 检查槽是否已分配不为nullptr
if (teb->TlsSlots[dwTlsIndex] != nullptr) { if (teb->TlsSlots[dwTlsIndex] != (void*)0x1337ffffff) {
teb->TlsSlots[dwTlsIndex] = (void*)lpTlsValue; teb->TlsSlots[dwTlsIndex] = (void*)lpTlsValue;
success = TRUE; success = TRUE;
} }
} else { } else {
auto teb = context->GetTeb32(); auto teb = context->GetTeb32();
// 检查槽是否已分配不为0 // 检查槽是否已分配不为0
if (teb->TlsSlots[dwTlsIndex] != 0) { if (teb->TlsSlots[dwTlsIndex] != 0x1337) {
teb->TlsSlots[dwTlsIndex] = static_cast<uint32_t>(lpTlsValue); teb->TlsSlots[dwTlsIndex] = static_cast<uint32_t>(lpTlsValue);
success = TRUE; success = TRUE;
} }
@@ -699,7 +699,7 @@ auto Api_TlsGetValue(void* sandbox, uc_engine* uc, uint64_t address) -> void {
if (context->GetPeInfo()->isX64) { if (context->GetPeInfo()->isX64) {
auto teb = context->GetTeb64(); auto teb = context->GetTeb64();
// 检查槽是否已分配不为nullptr // 检查槽是否已分配不为nullptr
if (teb->TlsSlots[dwTlsIndex] != nullptr) { if (teb->TlsSlots[dwTlsIndex] != (void*)0x1337ffffff) {
return_value = return_value =
reinterpret_cast<uint64_t>(teb->TlsSlots[dwTlsIndex]); reinterpret_cast<uint64_t>(teb->TlsSlots[dwTlsIndex]);
} else { } else {
@@ -710,7 +710,7 @@ auto Api_TlsGetValue(void* sandbox, uc_engine* uc, uint64_t address) -> void {
} else { } else {
auto teb = context->GetTeb32(); auto teb = context->GetTeb32();
// 检查槽是否已分配不为0 // 检查槽是否已分配不为0
if (teb->TlsSlots[dwTlsIndex] != 0) { if (teb->TlsSlots[dwTlsIndex] != 0x1337) {
return_value = teb->TlsSlots[dwTlsIndex]; return_value = teb->TlsSlots[dwTlsIndex];
} else { } else {
// 槽未分配设置LastError // 槽未分配设置LastError
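Review bot: In the Api_TlsSetValue and Api_TlsGetValue hunks the guest-supplied dwTlsIndex is used directly as `teb->TlsSlots[dwTlsIndex]`, and the comment in Api_TlsAlloc states the array has 64 entries, yet no range check is visible in these hunks; both functions begin before their hunks, so if no `dwTlsIndex < 64` guard precedes them an out-of-range index reads or writes host memory past the emulated TEB. Unless such a guard already exists, I would add `if (dwTlsIndex >= 64) { success = FALSE; }` (with the same LastError handling the unallocated-slot path uses) before the isX64 branch in TlsSetValue, and the equivalent early-out in TlsGetValue. Separately, the comments "检查槽是否已分配不为nullptr" / "不为0" above the changed conditions now describe the old check; they should read along the lines of `// slot is allocated if it no longer holds the free-slot marker`.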


@@ -72,17 +72,44 @@ void handleMemoryRead(uc_engine* uc, uc_mem_type type, uint64_t address,
address, size, regRax, regRip, readError, readAddress); address, size, regRax, regRip, readError, readAddress);
} }
} }
void dumpVmenv(uc_engine* uc, void* userData) {
auto* sandbox = static_cast<Sandbox*>(userData);
uint64_t Rip = 0;
uint64_t Rax = 0;
uint64_t Rsp = 0;
uint64_t Rbp = 0;
uint64_t Rcx = 0;
uint64_t Rdx = 0;
uc_reg_read(uc,
sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RIP : UC_X86_REG_EIP,
&Rip);
uc_reg_read(uc,
sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&Rax);
uc_reg_read(uc,
sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RSP : UC_X86_REG_ESP,
&Rsp);
uc_reg_read(uc,
sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RBP : UC_X86_REG_EBP,
&Rbp);
uc_reg_read(uc,
sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RCX : UC_X86_REG_ECX,
&Rcx);
uc_reg_read(uc,
sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RDX : UC_X86_REG_EDX,
&Rdx);
printf("[dumpVmenv] Rip: %p Rax: %p Rsp: %p Rbp: %p Rcx: %p Rdx: %p\n", Rip,
Rax, Rsp, Rbp, Rcx, Rdx);
}
void handleMemoryUnmapRead(uc_engine* uc, uc_mem_type type, uint64_t address, void handleMemoryUnmapRead(uc_engine* uc, uc_mem_type type, uint64_t address,
int size, int64_t value, void* userData) { int size, int64_t value, void* userData) {
// 待实现 // 待实现
auto* sandbox = static_cast<Sandbox*>(userData); auto* sandbox = static_cast<Sandbox*>(userData);
uint64_t Rip = 0;
uc_reg_read(uc, printf("[handleMemoryUnmapRead] Address: %p Size: %p Value: %p\n", address,
sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RIP : UC_X86_REG_EIP, size, value);
&Rip); dumpVmenv(uc, userData);
printf("[handleMemoryUnmapRead] Address: %p Size: %p Value: %p Rip: %p\n",
address, size, value, Rip);
} }
void handleMemoryWrite(uc_engine* uc, uc_mem_type type, uint64_t address, void handleMemoryWrite(uc_engine* uc, uc_mem_type type, uint64_t address,