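#include "sandbox.h"

// NOTE(review): the second #include on the original line lost its target
// during extraction (probably an angle-bracket header eaten as markup).
// The standard headers actually used by this file are listed explicitly.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <string_view>

namespace {

// Lower-cases ASCII letters only, so the result does not depend on the
// process locale. Windows file paths and registry key paths are matched
// case-insensitively by the OS, so a detector that compares them
// case-sensitively (the previous behaviour) is evaded by e.g.
// "c:\\users\\x\\appdata\\..." or "software\\tencent".
std::wstring AsciiLower(std::wstring_view in) {
    std::wstring out(in);
    for (wchar_t& ch : out) {
        if (ch >= L'A' && ch <= L'Z') {
            ch = static_cast<wchar_t>(ch - L'A' + L'a');
        }
    }
    return out;
}

// True if `haystack` contains any entry of `needles` as a substring.
// Both sides are expected to be already lower-cased by the caller.
template <std::size_t N>
bool ContainsAny(std::wstring_view haystack,
                 const std::array<std::wstring_view, N>& needles) {
    return std::any_of(needles.begin(), needles.end(),
                       [haystack](std::wstring_view needle) {
                           return haystack.find(needle) != std::wstring_view::npos;
                       });
}

}  // namespace

// Flags access to registry keys belonging to the monitored applications.
//
// @param registryPath  Registry key path as seen by the hooked API (root key
//                      prefix, if any, is simply part of the substring search).
// Side effect: raises the analysis verdict to kSuspicious on a match and
// logs the path when LOG_LEVEL >= 1. Nothing is opened or touched; this is
// a pure substring heuristic on the requested path.
auto Sandbox::CheckMalwareActive_Registry(std::wstring registryPath) -> void {
    // Stored lower-cased; compared against the lower-cased input so the
    // check is case-insensitive like the registry itself.
    static constexpr std::array<std::wstring_view, 4> kSensitiveRegistryPaths = {
        L"software\\dingtalk",
        L"software\\tencent",
        L"software\\wow6432node\\dingtalk",
        L"software\\wow6432node\\tencent"};

    if (!ContainsAny(AsciiLower(registryPath), kSensitiveRegistryPaths)) {
        return;
    }

    SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
#if LOG_LEVEL >= 1
    // %ls: the argument is a wide string. The previous %s read it as a narrow
    // char* (undefined behaviour; on MSVC it printed only the first character).
    printf("[!!!] SensitiveRegistry Access %ls\n", registryPath.c_str());
#endif
}

// Flags a single, unusually long sleep request (a common sandbox-evasion
// trick: out-wait the analysis window).
//
// @param secToSleep  Duration passed to the hooked sleep call.
// NOTE(review): the parameter is named as seconds and the log says
// "seconds", but the threshold 1000 * 30 reads like 30 s expressed in
// milliseconds, which is the unit Win32 Sleep() takes. Confirm the unit
// against the hook that calls this; one of the two is mislabelled.
// Only one call is inspected: a program that splits its wait into many
// short sleeps, or waits on a timer/object instead, is not caught here.
auto Sandbox::CheckMalwareActive_Sleep(uint32_t secToSleep) -> void {
    constexpr uint32_t kSleepThreshold = 1000 * 30;

    if (secToSleep <= kSleepThreshold) {
        return;
    }

    SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
#if LOG_LEVEL >= 1
    // %u: the value is unsigned; %d would print large values as negative.
    // Gated on LOG_LEVEL like the other checks in this file.
    printf("[!!!] suspicious Sleep %u seconds\n", secToSleep);
#endif
}

// Flags resolution of ntdll memory/thread primitives typically used for
// injection and shellcode staging.
//
// @param wantName  Export name passed to GetProcAddress (exact, case-sensitive
//                  match; ntdll export names are case-sensitive).
// Side effect: raises the verdict to kMalware on a match. This is a strong
// verdict for a heuristic: legitimate software (AV, debuggers, runtimes)
// resolves these too, and anything resolving exports by walking the export
// table or by hash never calls GetProcAddress and is invisible here.
auto Sandbox::CheckMalwareActive_GetProcAddress(std::string wantName) -> void {
    // Every Nt* routine below has a Zw* alias with identical user-mode
    // behaviour; the original list covered only ZwAllocateVirtualMemory and
    // repeated four Nt* names. Listed once each, both spellings.
    static constexpr std::array<std::string_view, 22> kSensitiveExports = {
        "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory",
        "NtFreeVirtualMemory",     "ZwFreeVirtualMemory",
        "NtProtectVirtualMemory",  "ZwProtectVirtualMemory",
        "NtWriteVirtualMemory",    "ZwWriteVirtualMemory",
        "NtReadVirtualMemory",     "ZwReadVirtualMemory",
        "NtCreateThreadEx",        "ZwCreateThreadEx",
        "NtCreateThread",          "ZwCreateThread",
        "NtOpenThread",            "ZwOpenThread",
        "NtTerminateThread",       "ZwTerminateThread",
        "NtResumeThread",          "ZwResumeThread",
        "NtSuspendThread",         "ZwSuspendThread"};

    const bool hit = std::find(kSensitiveExports.begin(), kSensitiveExports.end(),
                               std::string_view(wantName)) != kSensitiveExports.end();
    if (!hit) {
        return;
    }

    SetMalwareAnalysisType(MalwareAnalysisType::kMalware);
#if LOG_LEVEL >= 1
    // Gated on LOG_LEVEL like the other checks in this file.
    printf("[!!!] suspicious GetProcAddress %s\n", wantName.c_str());
#endif
}

// Flags file access under user-profile, system and autostart directories.
//
// @param filePath  Path as seen by the hooked file API.
// Side effect: raises the verdict to kSuspicious on a match and logs the
// path when LOG_LEVEL >= 1. Expect this to be noisy: \Windows\System32\ is
// touched by practically every process (DLL loads included).
// Known gaps: DOS 8.3 short names (e.g. PROGRA~1) and NT-native or
// device-prefixed forms of the same location are not normalised here.
auto Sandbox::CheckMalwareActive_FilePath(std::wstring filePath) -> void {
    // Stored lower-cased with '\\' separators; the input is normalised to the
    // same form before matching. "\\program files\\" does not match
    // "\\program files (x86)\\", hence both entries.
    static constexpr std::array<std::wstring_view, 12> kSensitiveFilePaths = {
        L"\\appdata\\",
        L"\\temp\\",
        L"\\windows\\system32\\",
        L"\\program files\\",
        L"\\program files (x86)\\",
        L"\\documents\\",
        L"\\downloads\\",
        L"\\desktop\\",
        L"\\users\\all users\\",
        L"\\programdata\\",
        L"\\microsoft\\windows\\start menu\\",
        L"\\startup\\"};

    // Win32 file APIs accept '/' as a separator as well, so "C:/Users/x/AppData/"
    // would otherwise slip past a backslash-only pattern.
    std::wstring normalised = AsciiLower(filePath);
    std::replace(normalised.begin(), normalised.end(), L'/', L'\\');

    if (!ContainsAny(normalised, kSensitiveFilePaths)) {
        return;
    }

    SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
#if LOG_LEVEL >= 1
    printf("[!!!] SensitiveFilePath Access: %ls\n", filePath.c_str());
#endif
}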