- Completely rewrite README.md with comprehensive project overview and technical details - Add detailed explanation of antivirus engine architecture and detection strategies - Implement multi-stage malware detection with machine learning, sandbox, and PE structure analysis - Update project configuration and add new source files for enhanced detection capabilities - Integrate XGBoost machine learning model with C++ export functionality - Improve sandbox environment with advanced module and LDR data table handling - Remove legacy Python prediction and training scripts in favor of C++ implementation
#include "sandbox.h"

#include <windows.h>

#include <algorithm>
#include <cinttypes>
#include <cstdint>
#include <cstdio>
#include <cwctype>
#include <string>
#include <unordered_set>
#include <vector>
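// Flags access to a registry path that matches one of the sensitive key
// prefixes below. On a match the analysis type is raised to kSuspicious and,
// when logging is enabled, the path is printed.
//
// Matching is a case-insensitive substring test: Windows registry key names are
// case-insensitive, so a case-sensitive find() would let "software\\tencent"
// through unflagged.
//
// Parameters:
//   registryPath - registry path the sandboxed sample tried to access
//                  (ownership/encoding as supplied by the caller).
auto Sandbox::CheckMalwareActive_Registry(std::wstring registryPath) -> void {
  // Sensitive key prefixes. Function-local static: the table is immutable and
  // rebuilding a vector of wstrings on every hooked call is wasted work.
  static const std::vector<std::wstring> kSensitiveRegistryPaths = {
      L"SOFTWARE\\DingTalk", L"SOFTWARE\\Tencent",
      L"SOFTWARE\\WOW6432Node\\DingTalk", L"SOFTWARE\\WOW6432Node\\Tencent"};

  // Case-insensitive "needle appears in registryPath". Works character by
  // character so no upper-cased copies are allocated; an empty needle matches
  // like wstring::find does (position 0).
  const auto containsCaseInsensitive = [&registryPath](const std::wstring& needle) {
    const auto sameIgnoringCase = [](wchar_t a, wchar_t b) {
      return std::towupper(static_cast<std::wint_t>(a)) ==
             std::towupper(static_cast<std::wint_t>(b));
    };
    return std::search(registryPath.begin(), registryPath.end(),
                       needle.begin(), needle.end(),
                       sameIgnoringCase) != registryPath.end();
  };

  const bool isSensitiveRegistry =
      std::any_of(kSensitiveRegistryPaths.begin(), kSensitiveRegistryPaths.end(),
                  containsCaseInsensitive);
  if (!isSensitiveRegistry) {
    return;
  }

  SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);

#if LOG_LEVEL >= 1
  // %ls: the argument is a wchar_t*; %s would read the buffer as narrow chars
  // and print garbage (or stop at the first NUL byte of the first character).
  printf("[!!!] SensitiveRegistry Access %ls\n", registryPath.c_str());
#endif
}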
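// Flags an unusually long sleep request (a common way to outlast sandbox
// time budgets). Above the threshold the analysis type is raised to
// kSuspicious and the value is logged.
//
// Parameters:
//   secToSleep - the sleep duration passed to the hooked sleep call.
//
// NOTE(review): the threshold is written as 1000 * 30, which reads like
// 30 s expressed in milliseconds (the unit Win32 Sleep() takes), while the
// parameter name and log text say "seconds" — confirm which unit the hook
// forwards and align the name/log with it.
auto Sandbox::CheckMalwareActive_Sleep(uint32_t secToSleep) -> void {
  constexpr uint32_t kSuspiciousSleepThreshold = 1000 * 30;

  if (secToSleep <= kSuspiciousSleepThreshold) {
    return;
  }

  SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);
  // PRIu32: the argument is an unsigned 32-bit value; the previous %d would
  // print anything above INT32_MAX as a negative number. This log line is
  // deliberately left unguarded by LOG_LEVEL, as in the original.
  printf("[!!!] suspicious Sleep %" PRIu32 " seconds\n", secToSleep);
}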
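// Flags dynamic resolution (GetProcAddress) of native API names that are
// typical of process-injection and thread-manipulation code. On an exact
// name match the analysis type is set to kMalware and the name is logged.
//
// Parameters:
//   wantName - the export name requested from the hooked GetProcAddress.
//
// NOTE(review): a single exact match escalates straight to kMalware, whereas
// the registry / file-path / sleep checks only raise kSuspicious — confirm the
// one-hit escalation is intended.
auto Sandbox::CheckMalwareActive_GetProcAddress(std::string wantName) -> void {
  // Function-local static set: built once instead of constructing a vector on
  // every hooked call, O(1) lookup instead of a linear std::find, and the
  // duplicated entries of the original list (NtOpenThread, NtTerminateThread,
  // NtResumeThread, NtSuspendThread appeared twice) collapse naturally.
  static const std::unordered_set<std::string> kSensitiveGetProcAddressNames = {
      "ZwAllocateVirtualMemory",
      "NtAllocateVirtualMemory",
      "NtFreeVirtualMemory",
      "NtProtectVirtualMemory",
      "NtWriteVirtualMemory",
      "NtReadVirtualMemory",
      "NtCreateThreadEx",
      "NtCreateThread",
      "NtOpenThread",
      "NtTerminateThread",
      "NtResumeThread",
      "NtSuspendThread",
  };
  // TODO: the original table was marked "more" — extend the set here.

  if (kSensitiveGetProcAddressNames.count(wantName) == 0) {
    return;
  }

  SetMalwareAnalysisType(MalwareAnalysisType::kMalware);
  printf("[!!!] suspicious GetProcAddress %s\n", wantName.c_str());
}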
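// Flags access to a file path that contains one of the sensitive directory
// fragments below (user profile, temp, system and autostart locations). On a
// match the analysis type is raised to kSuspicious and, when logging is
// enabled, the path is printed.
//
// Matching is a case-insensitive substring test: NTFS paths are
// case-insensitive, so a case-sensitive find() would let "\\temp\\" or
// "\\STARTUP\\" through unflagged.
//
// Parameters:
//   filePath - file path the sandboxed sample tried to access.
auto Sandbox::CheckMalwareActive_FilePath(std::wstring filePath) -> void {
  // Sensitive path fragments. Function-local static: the table is immutable
  // and rebuilding a vector of wstrings on every hooked call is wasted work.
  static const std::vector<std::wstring> kSensitiveFilePaths = {
      L"\\AppData\\",
      L"\\Temp\\",
      L"\\Windows\\System32\\",
      L"\\Program Files\\",
      L"\\Program Files (x86)\\",
      L"\\Documents\\",
      L"\\Downloads\\",
      L"\\Desktop\\",
      L"\\Users\\All Users\\",
      L"\\ProgramData\\",
      L"\\Microsoft\\Windows\\Start Menu\\",
      L"\\Startup\\"};

  // Case-insensitive "needle appears in filePath". Compares character by
  // character so no upper-cased copies are allocated; an empty needle matches
  // like wstring::find does (position 0).
  const auto containsCaseInsensitive = [&filePath](const std::wstring& needle) {
    const auto sameIgnoringCase = [](wchar_t a, wchar_t b) {
      return std::towupper(static_cast<std::wint_t>(a)) ==
             std::towupper(static_cast<std::wint_t>(b));
    };
    return std::search(filePath.begin(), filePath.end(),
                       needle.begin(), needle.end(),
                       sameIgnoringCase) != filePath.end();
  };

  const bool isSensitiveFilePath =
      std::any_of(kSensitiveFilePaths.begin(), kSensitiveFilePaths.end(),
                  containsCaseInsensitive);
  if (!isSensitiveFilePath) {
    return;
  }

  SetMalwareAnalysisType(MalwareAnalysisType::kSuspicious);

#if LOG_LEVEL >= 1
  // %ls matches the wchar_t* argument.
  printf("[!!!] SensitiveFilePath Access: %ls\n", filePath.c_str());
#endif
}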