admin/awesome_anti_virus_engine
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2f08a0264ae7fe880852b64501b52b02ba75e6ad
awesome_anti_virus_engine/ai_anti_malware/sandbox_api_wlan.cpp
huoji 534b6a84a6 添加沙箱功能和API钩子支持 
- 在沙箱中实现了新的功能,包括内存分配和API钩子初始化
- 更新了沙箱类,增加了对WFP引擎的支持
- 添加了多个API的实现,如GetLastError、InitializeCriticalSection等
- 修改了主函数以使用新的沙箱功能,替换了恶意软件扫描功能
- 更新了项目文件以包含新的源文件和API实现
- 改进了错误处理和日志记录功能
2025-03-18 20:49:18 +08:00

287 lines
9.2 KiB
C++
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#include "sandbox.h"
#include "sandbox_callbacks.h"
#include "sandbox_api_winhttp.h"
#include <tlhelp32.h>
// WLAN API 实现
auto Api_WlanOpenHandle(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t dwClientVersion = 0;
uint64_t pReserved = 0;
uint64_t pdwNegotiatedVersion = 0;
uint64_t phClientHandle = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &dwClientVersion);
uc_reg_read(uc, UC_X86_REG_RDX, &pReserved);
uc_reg_read(uc, UC_X86_REG_R8, &pdwNegotiatedVersion);
uc_reg_read(uc, UC_X86_REG_R9, &phClientHandle);
} else {
uint32_t esp;
uc_reg_read(uc, UC_X86_REG_ESP, &esp);
esp += 4;
uc_mem_read(uc, esp, &dwClientVersion, sizeof(uint32_t));
esp += 4;
uint32_t temp_reserved;
uc_mem_read(uc, esp, &temp_reserved, sizeof(uint32_t));
pReserved = temp_reserved;
esp += 4;
uint32_t temp_version;
uc_mem_read(uc, esp, &temp_version, sizeof(uint32_t));
pdwNegotiatedVersion = temp_version;
esp += 4;
uint32_t temp_handle;
uc_mem_read(uc, esp, &temp_handle, sizeof(uint32_t));
phClientHandle = temp_handle;
}
// 修改常量定义
uint32_t negotiatedVersion = 2; // 返回请求的版本
uint64_t clientHandle = 0x13370000; // 使用有效的十六进制常量
// 写入协商版本
if (pdwNegotiatedVersion != 0) {
uc_mem_write(uc, pdwNegotiatedVersion, &negotiatedVersion,
sizeof(uint32_t));
}
// 写入客户端句柄
if (phClientHandle != 0) {
if (context->GetPeInfo()->isX64) {
uc_mem_write(uc, phClientHandle, &clientHandle, sizeof(uint64_t));
} else {
uint32_t handle32 = static_cast<uint32_t>(clientHandle);
uc_mem_write(uc, phClientHandle, &handle32, sizeof(uint32_t));
}
}
// 返回成功0
uint64_t result = 0;
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
printf("[*] WlanOpenHandle: Version=%u, Handle=0x%llx\n", negotiatedVersion,
clientHandle);
}
auto Api_WlanEnumInterfaces(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t hClientHandle = 0;
uint64_t pReserved = 0;
uint64_t ppInterfaceList = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &hClientHandle);
uc_reg_read(uc, UC_X86_REG_RDX, &pReserved);
uc_reg_read(uc, UC_X86_REG_R8, &ppInterfaceList);
} else {
uint32_t esp;
uc_reg_read(uc, UC_X86_REG_ESP, &esp);
esp += 4;
uint32_t temp_handle;
uc_mem_read(uc, esp, &temp_handle, sizeof(uint32_t));
hClientHandle = temp_handle;
esp += 4;
uint32_t temp_reserved;
uc_mem_read(uc, esp, &temp_reserved, sizeof(uint32_t));
pReserved = temp_reserved;
esp += 4;
uint32_t temp_list;
uc_mem_read(uc, esp, &temp_list, sizeof(uint32_t));
ppInterfaceList = temp_list;
}
// 修改句柄检查
if (hClientHandle != 0x13370000) {
uint64_t result = 1; // ERROR_INVALID_HANDLE
uc_reg_write(
uc, context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
return;
}
// 分配内存用于接口列表
uint64_t interfaceListAddr = context->AllocateMemory(1024); // 足够大的空间
// 创建一个模拟的WLAN接口列表
struct WLAN_INTERFACE_INFO {
GUID InterfaceGuid;
WCHAR strInterfaceDescription[256];
DWORD isState;
};
struct WLAN_INTERFACE_INFO_LIST {
DWORD dwNumberOfItems;
DWORD dwIndex;
WLAN_INTERFACE_INFO InterfaceInfo[1];
};
WLAN_INTERFACE_INFO_LIST interfaceList = {0};
interfaceList.dwNumberOfItems = 1;
interfaceList.dwIndex = 0;
// 创建一个假的GUID
GUID fakeGuid = {0x12345678,
0x1234,
0x1234,
{0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF}};
interfaceList.InterfaceInfo[0].InterfaceGuid = fakeGuid;
// 设置接口描述
const wchar_t* description = L"Simulated Wi-Fi Adapter";
wcscpy_s(interfaceList.InterfaceInfo[0].strInterfaceDescription,
description);
interfaceList.InterfaceInfo[0].isState = 1; // connected
// 写入接口列表
uc_mem_write(uc, interfaceListAddr, &interfaceList,
sizeof(WLAN_INTERFACE_INFO_LIST));
// 写入接口列表指针
if (context->GetPeInfo()->isX64) {
uc_mem_write(uc, ppInterfaceList, &interfaceListAddr, sizeof(uint64_t));
} else {
uint32_t addr32 = static_cast<uint32_t>(interfaceListAddr);
uc_mem_write(uc, ppInterfaceList, &addr32, sizeof(uint32_t));
}
// 返回成功0
uint64_t result = 0;
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
printf("[*] WlanEnumInterfaces: Handle=0x%llx, InterfaceList=0x%llx\n",
hClientHandle, interfaceListAddr);
}
auto Api_WlanGetProfileList(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t hClientHandle = 0;
uint64_t pInterfaceGuid = 0;
uint64_t pReserved = 0;
uint64_t ppProfileList = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &hClientHandle);
uc_reg_read(uc, UC_X86_REG_RDX, &pInterfaceGuid);
uc_reg_read(uc, UC_X86_REG_R8, &pReserved);
uc_reg_read(uc, UC_X86_REG_R9, &ppProfileList);
} else {
uint32_t esp;
uc_reg_read(uc, UC_X86_REG_ESP, &esp);
esp += 4;
uint32_t temp_values[4];
uc_mem_read(uc, esp, temp_values, sizeof(uint32_t) * 4);
hClientHandle = temp_values[0];
pInterfaceGuid = temp_values[1];
pReserved = temp_values[2];
ppProfileList = temp_values[3];
}
// 分配内存用于配置文件列表
uint64_t profileListAddr = context->AllocateMemory(1024);
// 创建模拟的配置文件列表
struct WLAN_PROFILE_INFO {
WCHAR strProfileName[256];
DWORD dwFlags;
};
struct WLAN_PROFILE_INFO_LIST {
DWORD dwNumberOfItems;
DWORD dwIndex;
WLAN_PROFILE_INFO ProfileInfo[1];
};
WLAN_PROFILE_INFO_LIST profileList = {0};
profileList.dwNumberOfItems = 1;
profileList.dwIndex = 0;
// 设置一个模拟的配置文件
const wchar_t* profileName = L"Home Network";
wcscpy_s(profileList.ProfileInfo[0].strProfileName, profileName);
profileList.ProfileInfo[0].dwFlags = 1;
// 写入配置文件列表
uc_mem_write(uc, profileListAddr, &profileList,
sizeof(WLAN_PROFILE_INFO_LIST));
// 写入配置文件列表指针
if (context->GetPeInfo()->isX64) {
uc_mem_write(uc, ppProfileList, &profileListAddr, sizeof(uint64_t));
} else {
uint32_t addr32 = static_cast<uint32_t>(profileListAddr);
uc_mem_write(uc, ppProfileList, &addr32, sizeof(uint32_t));
}
// 返回成功0
uint64_t result = 0;
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
printf("[*] WlanGetProfileList: Handle=0x%llx, ProfileList=0x%llx\n",
hClientHandle, profileListAddr);
}
auto Api_WlanFreeMemory(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t pMemory = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &pMemory);
} else {
uint32_t esp;
uc_reg_read(uc, UC_X86_REG_ESP, &esp);
esp += 4;
uint32_t temp_memory;
uc_mem_read(uc, esp, &temp_memory, sizeof(uint32_t));
pMemory = temp_memory;
}
// 实际上我们不需要释放内存,因为这是在模拟环境中
printf("[*] WlanFreeMemory: Memory=0x%llx\n", pMemory);
}
auto Api_WlanCloseHandle(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t hClientHandle = 0;
uint64_t pReserved = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &hClientHandle);
uc_reg_read(uc, UC_X86_REG_RDX, &pReserved);
} else {
uint32_t esp;
uc_reg_read(uc, UC_X86_REG_ESP, &esp);
esp += 4;
uint32_t temp_handle;
uc_mem_read(uc, esp, &temp_handle, sizeof(uint32_t));
hClientHandle = temp_handle;
esp += 4;
uint32_t temp_reserved;
uc_mem_read(uc, esp, &temp_reserved, sizeof(uint32_t));
pReserved = temp_reserved;
}
// 返回成功0
uint64_t result = 0;
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
printf("[*] WlanCloseHandle: Handle=0x%llx\n", hClientHandle);
}
Reference in New Issue View Git Blame Copy Permalink