实现 SetUnhandledExceptionFilter API 模拟
@@ -2015,6 +2015,38 @@ auto Api_FreeEnvironmentStringsW(void* sandbox, uc_engine* uc, uint64_t address)
|
|||||||
&success);
|
&success);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// 实现 SetUnhandledExceptionFilter API
|
||||||
|
auto Api_SetUnhandledExceptionFilter(void* sandbox, uc_engine* uc,
|
||||||
|
uint64_t address) -> void {
|
||||||
|
auto context = static_cast<Sandbox*>(sandbox);
|
||||||
|
uint64_t lpTopLevelExceptionFilter = 0;
|
||||||
|
|
||||||
|
// 获取参数
|
||||||
|
if (context->GetPeInfo()->isX64) {
|
||||||
|
// x64: rcx = lpTopLevelExceptionFilter
|
||||||
|
uc_reg_read(uc, UC_X86_REG_RCX, &lpTopLevelExceptionFilter);
|
||||||
|
} else {
|
||||||
|
// x86: 从栈上读取参数
|
||||||
|
uint32_t esp_address = 0;
|
||||||
|
uint32_t temp_filter = 0;
|
||||||
|
uc_reg_read(uc, UC_X86_REG_ESP, &esp_address);
|
||||||
|
esp_address += 0x4; // 跳过返回地址
|
||||||
|
uc_mem_read(uc, esp_address, &temp_filter, sizeof(uint32_t));
|
||||||
|
lpTopLevelExceptionFilter = temp_filter;
|
||||||
|
}
|
||||||
|
|
||||||
|
// 简单实现:返回NULL表示没有之前的过滤器
|
||||||
|
uint64_t prev_filter = 0;
|
||||||
|
|
||||||
|
printf("[*] SetUnhandledExceptionFilter: Filter=0x%llx\n",
|
||||||
|
lpTopLevelExceptionFilter);
|
||||||
|
|
||||||
|
// 返回之前的过滤器(在这里始终返回NULL)
|
||||||
|
uc_reg_write(uc,
|
||||||
|
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
|
||||||
|
&prev_filter);
|
||||||
|
}
|
||||||
|
|
||||||
auto Sandbox::InitApiHooks() -> void {
|
auto Sandbox::InitApiHooks() -> void {
|
||||||
auto FakeApi_GetSystemTimeAsFileTime =
|
auto FakeApi_GetSystemTimeAsFileTime =
|
||||||
_fakeApi{.func = Api_GetSystemTimeAsFileTime, .paramCount = 1};
|
_fakeApi{.func = Api_GetSystemTimeAsFileTime, .paramCount = 1};
|
||||||
@@ -2079,6 +2111,8 @@ auto Sandbox::InitApiHooks() -> void {
|
|||||||
_fakeApi{.func = Api_GetEnvironmentStringsW, .paramCount = 0};
|
_fakeApi{.func = Api_GetEnvironmentStringsW, .paramCount = 0};
|
||||||
auto FakeApi_FreeEnvironmentStringsW =
|
auto FakeApi_FreeEnvironmentStringsW =
|
||||||
_fakeApi{.func = Api_FreeEnvironmentStringsW, .paramCount = 1};
|
_fakeApi{.func = Api_FreeEnvironmentStringsW, .paramCount = 1};
|
||||||
|
auto FakeApi_SetUnhandledExceptionFilter =
|
||||||
|
_fakeApi{.func = Api_SetUnhandledExceptionFilter, .paramCount = 1};
|
||||||
|
|
||||||
api_map = {
|
api_map = {
|
||||||
{"GetSystemTimeAsFileTime",
|
{"GetSystemTimeAsFileTime",
|
||||||
@@ -2135,6 +2169,8 @@ auto Sandbox::InitApiHooks() -> void {
|
|||||||
std::make_shared<_fakeApi>(FakeApi_GetEnvironmentStringsW)},
|
std::make_shared<_fakeApi>(FakeApi_GetEnvironmentStringsW)},
|
||||||
{"FreeEnvironmentStringsW",
|
{"FreeEnvironmentStringsW",
|
||||||
std::make_shared<_fakeApi>(FakeApi_FreeEnvironmentStringsW)},
|
std::make_shared<_fakeApi>(FakeApi_FreeEnvironmentStringsW)},
|
||||||
|
{"SetUnhandledExceptionFilter",
|
||||||
|
std::make_shared<_fakeApi>(FakeApi_SetUnhandledExceptionFilter)},
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
auto Sandbox::EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip,
|
auto Sandbox::EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip,
|
||||||
|
|||||||
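Review bot: The return codes of uc_reg_read and uc_mem_read in the x86 branch of Api_SetUnhandledExceptionFilter are ignored, so a failed stack read leaves temp_filter at 0 and the log line then reports Filter=0x0 as if the sample had passed NULL; check the read before using the value, e.g. `if (uc_mem_read(uc, esp_address, &temp_filter, sizeof(uint32_t)) != UC_ERR_OK) { printf("[!] SetUnhandledExceptionFilter: failed to read argument at 0x%x\n", esp_address); }`, and the x64 branch's uc_reg_read deserves the same treatment. The stub also always returns 0 as the previous filter, which only matches the real API on the first call; remembering the last registered filter in the Sandbox context (no such field is visible in this hunk, so one would have to be added) would let a second call return the first one and would give the sandbox the handler address to report, which matters because a sample that installs a filter and then faults on purpose is a recognisable anti-analysis pattern the emulator should be able to log rather than silently drop. Finally, `printf("... 0x%llx", lpTopLevelExceptionFilter)` with a uint64_t is only portable via `PRIx64` from <cinttypes>, since uint64_t is unsigned long on LP64 targets.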