awesome_anti_virus_engine/ai_anti_malware/sandbox.cpp

#include "sandbox.h"
#include "sandbox_callbacks.h"
#include "sandbox_api_com.h"
// 在文件开头添加AllocateMemory函数的声明
auto Sandbox::AllocateMemory(size_t size) -> uint64_t {
    // 使用一个简单的内存分配策略
    static uint64_t next_address = 0x60000000;  // 起始地址
    uint64_t allocated_address = next_address;

    // 对齐到4KB
    size = (size + 0xFFF) & ~0xFFF;

    // 分配内存
    uc_err err = uc_mem_map(m_ucEngine, allocated_address, size, UC_PROT_ALL);
    if (err != UC_ERR_OK) {
        printf("[!] Failed to allocate memory at 0x%llx: %u\n",
               allocated_address, err);
        return 0;
    }

    // 更新下一个可用地址
    next_address += size + 0x1000;  // 添加一个页面的间隔
    return allocated_address;
}

class ImportResolver : public peconv::t_function_resolver {
public:
    explicit ImportResolver(std::map<std::string, uint64_t> context)
        : _functionMap(std::move(context)) {}

    FARPROC resolve_func(LPSTR libName, LPSTR funcName) override {
        return reinterpret_cast<FARPROC>(_functionMap[std::string(funcName)]);
    }

private:
    std::map<std::string, uint64_t> _functionMap;
};

class cListImportNames : public peconv::ImportThunksCallback {
public:
    cListImportNames(
        BYTE* _modulePtr, size_t _moduleSize,
        std::vector<std::shared_ptr<moudle_import>>& name_to_addr,
        std::vector<std::shared_ptr<moudle_import_ordinal>>& name_to_ordinal)
        : ImportThunksCallback(_modulePtr, _moduleSize),
        nameToAddr(name_to_addr),
        ordinalImportFunc(name_to_ordinal) {}

    virtual bool processThunks(LPSTR lib_name, ULONG_PTR origFirstThunkPtr,
        ULONG_PTR firstThunkPtr) {
        if (this->is64b) {
            IMAGE_THUNK_DATA64* desc =
                reinterpret_cast<IMAGE_THUNK_DATA64*>(origFirstThunkPtr);
            ULONGLONG* call_via = reinterpret_cast<ULONGLONG*>(firstThunkPtr);
            return processThunks_tpl<ULONGLONG, IMAGE_THUNK_DATA64>(
                lib_name, desc, call_via, IMAGE_ORDINAL_FLAG64);
        }
        IMAGE_THUNK_DATA32* desc =
            reinterpret_cast<IMAGE_THUNK_DATA32*>(origFirstThunkPtr);
        DWORD* call_via = reinterpret_cast<DWORD*>(firstThunkPtr);
        return processThunks_tpl<DWORD, IMAGE_THUNK_DATA32>(
            lib_name, desc, call_via, IMAGE_ORDINAL_FLAG32);
    }

protected:
    template <typename T_FIELD, typename T_IMAGE_THUNK_DATA>
    bool processThunks_tpl(LPSTR lib_name, T_IMAGE_THUNK_DATA* desc,
        T_FIELD* call_via, T_FIELD ordinal_flag) {
        DWORD call_via_rva = static_cast<DWORD>((ULONG_PTR)call_via -
            (ULONG_PTR)this->modulePtr);
        LPSTR func_name = NULL;
        if ((desc->u1.Ordinal & ordinal_flag) == 0) {
            PIMAGE_IMPORT_BY_NAME by_name =
                (PIMAGE_IMPORT_BY_NAME)((ULONGLONG)modulePtr +
                    desc->u1.AddressOfData);
            func_name = reinterpret_cast<LPSTR>(by_name->Name);
            std::string fuck_up_api_ms = lib_name;
            if (fuck_up_api_ms.find("api-ms-") != std::string::npos) {
                fuck_up_api_ms = getDllNameFromApiSetMap(fuck_up_api_ms);
                if (fuck_up_api_ms.size() <= 1) __debugbreak();
            }
            auto import_data = std::make_shared<moudle_import>();
            memcpy(import_data->name, func_name, strlen(func_name));
            memcpy(import_data->dll_name, fuck_up_api_ms.c_str(),
                fuck_up_api_ms.size());
            import_data->function_address = call_via_rva;
            import_data->is_delayed_import = false;
            nameToAddr.push_back(import_data);
        }
        else {
            auto importFunc = std::make_shared<moudle_import_ordinal>();
            T_FIELD raw_ordinal = desc->u1.Ordinal & (~ordinal_flag);
            importFunc->dll_name = lib_name;
            importFunc->function_address = call_via_rva;
            importFunc->ordinal = raw_ordinal;
            ordinalImportFunc.push_back(importFunc);
        }
        return true;
    }

    std::vector<std::shared_ptr<moudle_import>>& nameToAddr;
    std::vector<std::shared_ptr<moudle_import_ordinal>>& ordinalImportFunc;
};
class cFixImprot : public peconv::t_function_resolver {
public:
    // 构造函数接收Sandbox实例的引用
    explicit cFixImprot(Sandbox* sandbox) : m_sandbox(sandbox) {}

    // 实现导入函数解析
    virtual FARPROC resolve_func(LPSTR lib_name, LPSTR func_name) override {
        // 遍历所有已加载的模块
        for (const auto& module : m_sandbox->m_moduleList) {
            // 检查模块名是否匹配

            if (module->name == std::string(lib_name) == 0) {
                // 遍历该模块的导出函数
                for (const auto& exp : module->export_function) {
                    // 检查函数名是否匹配
                    if (strcmp(exp->name, func_name) == 0) {
                        auto newBase = reinterpret_cast<FARPROC>(
                            module->base + exp->function_address);
#ifdef LOG_LEVEL > 2
                        printf("fix import: %s => %llx \n", func_name, newBase);
                        // 返回在模拟器中的虚拟地址
#endif
                        return newBase;
                    }
                }
            }
        }

        // 如果没有找到精确匹配的模块名，尝试在所有模块中查找该函数
        for (const auto& module : m_sandbox->m_moduleList) {
            for (const auto& exp : module->export_function) {
                auto newBase = reinterpret_cast<FARPROC>(
                    module->base + exp->function_address);
                // 检查函数名是否匹配
                if (strcmp(exp->name, func_name) == 0) {
#ifdef LOG_LEVEL > 1
                    printf("fix import (fallback): %s found in %s => %llx \n",
                        func_name, module->name, newBase);
                    // 返回在模拟器中的虚拟地址
#endif
                    return newBase;
                }
                //序号导出,非常癌症的修复.

                if (std::string(lib_name) == module->name) {
                    int ordinalNum = std::atoi(func_name);
                    if (exp->ordinal == ordinalNum) {
                        auto newBase = reinterpret_cast<FARPROC>(
                            module->base + exp->function_address);
#ifdef LOG_LEVEL > 1
                        printf("fix import (ordianal): %s found in [%s]%s => %llx \n",
                            func_name, module->name, exp->name, newBase);
                        // 返回在模拟器中的虚拟地址
#endif // LOG_LEVEL > 1
                        return newBase;
                    }
                }

            }
        }

        printf("Warning: Could not resolve import: %s from library: %s\n",
            func_name, lib_name);
        //__debugbreak();
        return nullptr;
    }

private:
    Sandbox* m_sandbox;  // Sandbox实例的指针
};
Sandbox::Sandbox() {
    m_ucEngine = nullptr;
    m_peInfo = nullptr;
    m_nextWfpEngineHandle = (HANDLE)0x1000;  // 初始化WFP引擎句柄
    m_lastImpRead = {0, 0};
}

Sandbox::~Sandbox() {
    // 清理WFP引擎资源
    for (auto& pair : m_wfpEngines) {
        delete pair.second;
    }
    m_wfpEngines.clear();

    // 1. 先清理高层资源
    m_crossSectionExecution.clear();
    envStrings.clear();
    api_map.clear();
    m_moduleList.clear();
    m_impFuncDict.clear();
    m_exportFuncDict.clear();

    // 2. 清理内存映射
    if (m_ucEngine) {
        uc_close(m_ucEngine);
        m_ucEngine = nullptr;
    }

    // 3. 清理堆内存
    for (auto& [address, segment] : m_heapSegments) {
        HeapBlock* current = segment->blocks;
        while (current) {
            HeapBlock* next = current->next;
            delete current;
            current = next;
        }
        delete segment;
    }
    m_heapSegments.clear();
    // 4. 清理模块
    for (auto module : m_moduleList) {
        //为0的是主程序.
        if (module->mapped_address != 0) {
            peconv::free_pe_buffer((peconv::ALIGNED_BUF)module.get()->mapped_address, module.get()->mapped_size);
        }
    }

    // 5. 最后清理底层资源
    if (m_csHandle) {
        cs_close(&m_csHandle);
    }
}

auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase, uint64_t mappedSize) -> void {
    for (auto module : m_moduleList) {
        if (module->real_base == moduleBase) {
            printf("skip module name: %s (already loaded)\n", module->name);
            return;
        }
    }
    if (m_usedModuleBase == 0) {
        m_usedModuleBase = DLL_MODULE_BASE;
    }
    // 创建新模块
    auto newModule =
        CreateModuleInfo(dllName, AlignSize(m_usedModuleBase, PAGE_SIZE),
                         moduleBase, moduleBase);

    m_usedModuleBase += PAGE_SIZE + newModule->size;
    m_moduleList.push_back(newModule);
    printf("push `%s` module to vm base: %llx vm size: %llx\n", newModule->name,
           newModule->base, newModule->size);
    if (uc_mem_map(m_ucEngine, newModule->base, newModule->size,
                   UC_PROT_READ | UC_PROT_EXEC) != UC_ERR_OK) {
        throw std::runtime_error("Failed to map module");
    }
    if (uc_mem_write(m_ucEngine, newModule->base, (void*)moduleBase,
                     newModule->size) != UC_ERR_OK) {
        throw std::runtime_error("Failed to write data to map module");
    }
    if (peconv::relocate_module((BYTE*)moduleBase, newModule->size,
                                newModule->base) == false) {
        throw std::runtime_error("Failed to relocate module");
    }
    newModule->mapped_address = moduleBase;
    newModule->mapped_size = mappedSize;

    // 将模块添加到LDR链表中
    if (m_peInfo->isX64) {
        AddModuleToLdr(newModule);
    }
}

auto Sandbox::CreateModuleInfo(std::string dllName, uint64_t moduleBase,
                               uint64_t realModuleBase, uint64_t bufferAddress)
    -> std::shared_ptr<struct_moudle> {
    // 解析PE头
    auto* dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(bufferAddress);
    auto* ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(
        reinterpret_cast<LPBYTE>(bufferAddress) + dosHeader->e_lfanew);

    // 获取区段对齐值
    DWORD sectionAlignment =
        (ntHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
            ? reinterpret_cast<PIMAGE_NT_HEADERS64>(ntHeaders)
                  ->OptionalHeader.SectionAlignment
            : ntHeaders->OptionalHeader.SectionAlignment;

    // 获取区段头
    auto* sectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>(
        reinterpret_cast<PUCHAR>(ntHeaders) + sizeof(ntHeaders->Signature) +
        sizeof(ntHeaders->FileHeader) +
        ntHeaders->FileHeader.SizeOfOptionalHeader);
    struct_moudle newModule{};
    newModule.name = dllName.c_str();
    newModule.base = moduleBase;
    newModule.real_base = realModuleBase;
    newModule.entry = ntHeaders->OptionalHeader.AddressOfEntryPoint;
    newModule.size = ntHeaders->OptionalHeader.SizeOfImage;
    // 处理区段
    for (WORD i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++) {
        const auto& section = sectionHeader[i];

        // if (!(section.Characteristics &
        //       (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))) {
        //     continue;
        // }

        // 设置区段保护属性
        int protection = UC_PROT_READ;
        if (section.Characteristics & IMAGE_SCN_MEM_EXECUTE)
            protection |= UC_PROT_EXEC;
        if (section.Characteristics & IMAGE_SCN_MEM_WRITE)
            protection |= UC_PROT_WRITE;

        // 计算区段大小
        auto sectionSize = AlignToSectionAlignment(
            max(section.Misc.VirtualSize, section.SizeOfRawData),
            sectionAlignment);

        // 创建区段信息
        moudle_section newSection{};
        strncpy(newSection.name, reinterpret_cast<const char*>(section.Name),
                8);
        newSection.base = section.VirtualAddress;
        newSection.size = sectionSize;
        newSection.protect_flag = protection;

        newModule.sections.push_back(
            std::make_shared<moudle_section>(newSection));
        std::cout << "[PE] " << dllName << " Section found: " << newSection.name
                  << '\n';
    }

    return std::make_shared<struct_moudle>(newModule);
}

auto Sandbox::ResolveExport(uint64_t moduleBase)
    -> std::vector<std::shared_ptr<moudle_export>> {
    std::vector<std::shared_ptr<moudle_export>> export_list;
    DWORD exportSize = 0;
    static RtlImageDirectoryEntryToDataFn fnRtlImageDirectoryEntryToData;
    if (fnRtlImageDirectoryEntryToData == nullptr) {
        fnRtlImageDirectoryEntryToData =
            reinterpret_cast<RtlImageDirectoryEntryToDataFn>(GetProcAddress(
                GetModuleHandleA("ntdll.dll"), "RtlImageDirectoryEntryToData"));
    }
    // 获取导出表
    PIMAGE_EXPORT_DIRECTORY exportDirectory =
        static_cast<PIMAGE_EXPORT_DIRECTORY>(fnRtlImageDirectoryEntryToData(
            reinterpret_cast<PUCHAR>(moduleBase), TRUE,
            IMAGE_DIRECTORY_ENTRY_EXPORT, &exportSize));

    if (exportDirectory) {
        const DWORD numberOfNames = exportDirectory->NumberOfNames;
        PDWORD addressOfFunctions =
            reinterpret_cast<PDWORD>(reinterpret_cast<PUCHAR>(moduleBase) +
                                     exportDirectory->AddressOfFunctions);
        PDWORD addressOfNames =
            reinterpret_cast<PDWORD>(reinterpret_cast<PUCHAR>(moduleBase) +
                                     exportDirectory->AddressOfNames);
        PWORD addressOfNameOrdinals =
            reinterpret_cast<PWORD>(reinterpret_cast<PUCHAR>(moduleBase) +
                                    exportDirectory->AddressOfNameOrdinals);

        // 遍历导出函数
        for (size_t i = 0; i < numberOfNames; i++) {
            PCHAR functionName = reinterpret_cast<PCHAR>(
                reinterpret_cast<PUCHAR>(moduleBase) + addressOfNames[i]);

            // 获取函数RVA
            const DWORD functionRva =
                addressOfFunctions[addressOfNameOrdinals[i]];

            // 创建导出数据结构
            moudle_export exportData{};
            memcpy(exportData.name, functionName, strlen(functionName));
            exportData.function_address = functionRva;
            exportData.ordinal = static_cast<WORD>(
                addressOfNameOrdinals[i] + exportDirectory->Base);  // 设置序号

            export_list.push_back(
                std::make_shared<moudle_export>(exportData));
        }
    }
    return export_list;
}
auto Sandbox::ResolveImportExports() -> void {
    for (auto module : m_moduleList) {
        if (module->base == m_peInfo->RecImageBase) {
            continue;
        }

        module->export_function = ResolveExport(module->real_base);
        for (const auto item : module->export_function) {
            if (LOG_LEVEL > 0) {
                printf("[ResolveImportExports] import export: [%s] %s => %llx\n", module->name,
                       item->name, item->function_address);
            }

            m_exportFuncDict.push_back(item);
        }
    }
}
auto Sandbox::mapSystemModuleToVmByName(std::string systemName) -> void {
    std::string tempMatchName = systemName;
    std::transform(tempMatchName.begin(), tempMatchName.end(), tempMatchName.begin(),
        [](unsigned char c) { return std::toupper(c); });

    for (auto module : m_moduleList) {
        std::string listModuleName = module->name;
        std::transform(listModuleName.begin(), listModuleName.end(), listModuleName.begin(),
            [](unsigned char c) { return std::toupper(c); });

        if (tempMatchName == listModuleName) {
            if (LOG_LEVEL > 0) {
                printf("skip module name: %s (already loaded)\n", module->name);
            }
            return;
        }
    }
    // 构建模块路径
    const std::string systemDir =
        m_peInfo->isX64 ? "\\System32\\" : "\\SysWOW64\\";
    char windowsPath[MAX_PATH];
    if (!GetWindowsDirectoryA(windowsPath, sizeof(windowsPath))) {
        throw std::runtime_error("Failed to get Windows directory");
    }

    const std::string modulePath =
        std::string(windowsPath) + systemDir + systemName;

    // 加载PE模块
    size_t mappedPeSize = 0;
    const auto moduleBase = reinterpret_cast<uint64_t>(
        peconv::load_pe_module(modulePath.c_str(), mappedPeSize, false, false));

    if (!moduleBase) {
        return;
    }

    // 添加到虚拟机
    PushModuleToVM(systemName.c_str(), moduleBase, mappedPeSize);
}
auto Sandbox::processImportModule(const moudle_import* importModule) -> void {
    std::string impModule = importModule->dll_name;
    std::transform(impModule.begin(), impModule.end(), impModule.begin(),
        [](unsigned char c) { return std::toupper(c); });

    mapSystemModuleToVmByName(impModule);
}
auto Sandbox::ResoveImport() -> void {
    // 处理延迟导入
    peconv::load_delayed_imports(static_cast<BYTE*>(m_peInfo->peBuffer), 0);

    // 解析导入表
    cListImportNames importCallback(static_cast<BYTE*>(m_peInfo->peBuffer),
                                    m_peInfo->peSize, m_impFuncDict,
                                    m_impFuncOrdinalDict);

    if (!peconv::process_import_table(static_cast<BYTE*>(m_peInfo->peBuffer),
                                      m_peInfo->peSize, &importCallback)) {
        throw std::runtime_error("Failed to process import table");
    }

    // 处理每个导入模块
    for (const auto& importModule : m_impFuncDict) {
        processImportModule(importModule.get());
    }
    for (const auto& importModule : m_impFuncOrdinalDict) {
        mapSystemModuleToVmByName(importModule->dll_name);
    }
}

/*
// 在InitEnv函数之前添加这个函数
void Sandbox::RegisterComApis() {
    // 注册COM相关API
    _fakeApi coInitializeEx = {Api_CoInitializeEx, 2};  // pvReserved, dwCoInit
    _fakeApi coCreateInstance = {
        Api_CoCreateInstance, 5};  // rclsid, pUnkOuter, dwClsContext, riid, ppv
    _fakeApi variantInit = {Api_VariantInit, 1};        // pvarg
    _fakeApi variantClear = {Api_VariantClear, 1};      // pvarg
    _fakeApi sysAllocString = {Api_SysAllocString, 1};  // psz

    // 将API添加到映射表中
    m_apiMap["CoInitializeEx"] = coInitializeEx;
    m_apiMap["CoCreateInstance"] = coCreateInstance;
    m_apiMap["VariantInit"] = variantInit;
    m_apiMap["VariantClear"] = variantClear;
    m_apiMap["SysAllocString"] = sysAllocString;
}
*/
// 在InitEnv函数中调用RegisterComApis
auto Sandbox::InitEnv(std::shared_ptr<BasicPeInfo> peInfo) -> void {
    m_peInfo = peInfo;
    if (cs_open(CS_ARCH_X86, peInfo->isX64 ? CS_MODE_64 : CS_MODE_32,
                &m_csHandle) != CS_ERR_OK) {
        throw std::runtime_error("Failed to initialize Capstone");
    }
    if (uc_open(UC_ARCH_X86, peInfo->isX64 ? UC_MODE_64 : UC_MODE_32,
                &m_ucEngine) != UC_ERR_OK) {
        cs_close(&m_csHandle);  // 清理已分配的capstone资源
        throw std::runtime_error("Failed to initialize Unicorn");
    }
    SetupVirtualMachine();

    // 一定要确保他是第一个.
    auto newModule = CreateModuleInfo(
        "huoji.exe", m_peInfo->RecImageBase, m_peInfo->RecImageBase,
        reinterpret_cast<uint64_t>(m_peInfo->peBuffer));

    _ASSERTE(m_moduleList.size() == 0);
    m_moduleList.push_back(newModule);

    // 将模块添加到LDR链表中
    if (m_peInfo->isX64) {
        AddModuleToLdr(newModule);
    }

    ResoveImport();
    ResolveImportExports();

    // 修复导入表
    cFixImprot importFixer(this);
    if (!peconv::load_imports(m_peInfo->peBuffer, &importFixer)) {
        throw std::runtime_error("Failed to fix imports");
    }
    //检查有没有ntdll
    bool isFoundNtdll = false;
    bool isFoundKernelBase = false;

    for (const auto& module : this->GetModuleList()) {
        //我tm也不知道为什么 有些病毒这玩意找小写....然后kernel32.dll找大写.wtf is that?
        if (module->name == "ntdll.dll") {
            isFoundNtdll = true;
        }
        //真的很懒了,这个是按TAB一键出来的
        if (module->name == "KERNELBASE.dll") {
            isFoundKernelBase = true;
        }
        if (isFoundKernelBase && isFoundNtdll) {
            break;
        }
    }
    if (isFoundNtdll == false) {
        if (LOG_LEVEL > 4) {
            printf("Not ntdll.dll Found, manual map it \n");
        }
        mapSystemModuleToVmByName("ntdll.dll");
    }
    if (isFoundKernelBase == false) {
        if (LOG_LEVEL > 4) {
            printf("Not kernelbase.dll Found, manual map it \n");
        }
        mapSystemModuleToVmByName("kernelbase.dll");
    }
    // 给所有导入表加c3
    for (const auto& module : this->GetModuleList()) {
        // 遍历导出函数查找对应名称
        for (const auto& exp : module->export_function) {
            auto inMemAddr = module->base + exp->function_address;
            uc_mem_write(m_ucEngine, inMemAddr, "\xCC", sizeof(char));
        }
    }
    uc_err ucErr = uc_mem_map(m_ucEngine, m_peInfo->RecImageBase,
                              m_peInfo->peSize, UC_PROT_ALL);
    if (ucErr != UC_ERR_OK) {
        throw std::runtime_error("Failed to map memory");
    }
    uc_mem_write(m_ucEngine, m_peInfo->RecImageBase, m_peInfo->peBuffer,
                 m_peInfo->peSize);
    printf("map file to vm file: %llx\n", m_peInfo->RecImageBase);
    printf("map file to vm size: %llx\n", m_peInfo->peSize);
    InitCommandLine(peInfo->inputFilePath);
}

auto Sandbox::Run(uint64_t address) -> void {
    // 初始化堆栈
    uc_err err = uc_mem_map(m_ucEngine, m_stackBase, m_stackSize,
                            UC_PROT_READ | UC_PROT_WRITE);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to map stack memory");
    }

    // 初始化堆
    err = uc_mem_map(m_ucEngine, m_heapBase, m_heapSize,
                     UC_PROT_READ | UC_PROT_WRITE);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to map heap memory");
    }

    // 设置寄存器
    uint64_t rsp = m_stackEnd - 256;
    err = uc_reg_write(m_ucEngine,
                       m_peInfo->isX64 ? UC_X86_REG_RSP : UC_X86_REG_ESP, &rsp);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to write stack pointer");
    }
    uint64_t rbp =
        rsp - (m_peInfo->isX64 ? sizeof(uint64_t) : sizeof(uint32_t));
    uc_reg_write(m_ucEngine, m_peInfo->isX64 ? UC_X86_REG_RBP : UC_X86_REG_EBP,
                 &rbp);

    // 设置入口点
    uint64_t entryPoint = (m_peInfo->RecImageBase + m_peInfo->entryPoint);

    // 添加钩子
    uc_hook hook_code, hook_mem, hook_mem_unmap, hook_mem_write, hook_syscall;

    // 代码执行钩子
    err = uc_hook_add(m_ucEngine, &hook_code, UC_HOOK_CODE,
                      reinterpret_cast<void*>(sandboxCallbacks::handleCodeRun),
                      this, 1, 0);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to add code hook");
    }

    // 内存读取钩子
    err =
        uc_hook_add(m_ucEngine, &hook_mem, UC_HOOK_MEM_READ | UC_HOOK_MEM_FETCH,
                    reinterpret_cast<void*>(sandboxCallbacks::handleMemoryRead),
                    this, 1, 0);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to add memory read hook");
    }

    // 未映射内存访问钩子
    err = uc_hook_add(
        m_ucEngine, &hook_mem_unmap,
        UC_HOOK_MEM_FETCH_UNMAPPED | UC_HOOK_MEM_READ_UNMAPPED |
            UC_HOOK_MEM_WRITE_UNMAPPED | UC_HOOK_MEM_FETCH_PROT,
        reinterpret_cast<void*>(sandboxCallbacks::handleMemoryUnmapRead), this,
        1, 0);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to add unmapped memory hook");
    }

    // 内存写入钩子
    err = uc_hook_add(
        m_ucEngine, &hook_mem_write, UC_HOOK_MEM_WRITE | UC_HOOK_MEM_WRITE_PROT,
        reinterpret_cast<void*>(sandboxCallbacks::handleMemoryWrite), this, 1,
        0);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to add memory write hook");
    }

    // 系统调用钩子
    err = uc_hook_add(m_ucEngine, &hook_syscall, UC_HOOK_INTR | UC_HOOK_INSN,
                      reinterpret_cast<void*>(sandboxCallbacks::handleSyscall),
                      this, 1, 0, UC_X86_INS_SYSCALL);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to add syscall hook");
    }
    // 系统调用钩子
    err = uc_hook_add(m_ucEngine, &hook_syscall, UC_HOOK_INTR | UC_HOOK_INSN,
                      reinterpret_cast<void*>(sandboxCallbacks::handleSyscall),
                      this, 1, 0, UC_X86_INS_SYSCALL);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to add syscall hook");
    }
    auto customIP = address;
    // 设置EIP/RIP
    err = uc_reg_write(m_ucEngine,
                       m_peInfo->isX64 ? UC_X86_REG_RIP : UC_X86_REG_EIP,
                       &entryPoint);
    if (err != UC_ERR_OK) {
        throw std::runtime_error("Failed to set entry point");
    }

    InitApiHooks();

    std::cout << "Starting execution at " << std::hex << entryPoint
              << std::endl;
    //uint64_t timeout = 2 * 60 * 1000 * 1000;
    uint64_t timeout = 0;
    // 1.入口点是必须跑的
    if (m_peInfo->isDll) {
        // 给rcx和rdx设置dll应该设置的
        auto dll_fdwReason = 1;  // DLL_PROCESS_ATTACH
        if (m_peInfo->isX64) {
            uc_reg_write(m_ucEngine, UC_X86_REG_RCX, &m_peInfo->RecImageBase);
            uc_reg_write(m_ucEngine, UC_X86_REG_RDX, &dll_fdwReason);
        } else {
            // 32位使用栈传参而不是寄存器传参
            uint32_t rsp;
            uc_reg_read(m_ucEngine, UC_X86_REG_ESP, &rsp);

            // 为参数腾出空间
            rsp -= 3 * 4;  // 三个参数：hinstDLL, fdwReason, lpvReserved
            uc_reg_write(m_ucEngine, UC_X86_REG_ESP, &rsp);

            // 按照从右到左的顺序压栈
            uint32_t lpvReserved = 0;         // 第三个参数为NULL
            uint32_t reason = dll_fdwReason;  // DLL_PROCESS_ATTACH
            uint32_t imageBase = static_cast<uint32_t>(m_peInfo->RecImageBase);

            // 按照从右到左的调用约定写入参数到栈上
            uc_mem_write(m_ucEngine, rsp, &lpvReserved,
                         sizeof(uint32_t));  // lpvReserved (最右侧参数最先入栈)
            uc_mem_write(m_ucEngine, rsp + 4, &reason,
                         sizeof(uint32_t));  // fdwReason (中间参数次之入栈)
            uc_mem_write(m_ucEngine, rsp + 8, &imageBase,
                         sizeof(uint32_t));  // hinstDLL (最左侧参数最后入栈)

            // 在Windows下，DLL的返回地址也需要压栈
            uint32_t returnAddress = 0xABABABAB;  // 虚拟的返回地址
            rsp -= 4;                             // 为返回地址腾出空间
            uc_reg_write(m_ucEngine, UC_X86_REG_ESP, &rsp);
            uc_mem_write(m_ucEngine, rsp, &returnAddress, sizeof(uint32_t));
        }
    }
    err = uc_emu_start(m_ucEngine, entryPoint, m_peInfo->imageEnd, timeout, 0);
    // 2. 有自定义地址 再跑自定义地址
    std::cerr << "Entry Point Emulation error: " << uc_strerror(err)
              << std::endl;
    if (address != 0) {
        err = uc_emu_start(m_ucEngine, address + MAIN_MODULE_BASE, m_peInfo->imageEnd, timeout, 0);
        std::cerr << "Custom Emulation error: " << uc_strerror(err)
                  << std::endl;
    }
}

auto Sandbox::GetEnvString() -> std::vector<wchar_t> {
    std::vector<wchar_t> envBlock;
    // 添加一些基本的环境变量
    const std::wstring vars[] = {
        L"ALLUSERSPROFILE=C:\\ProgramData",
        L"APPDATA=C:\\Users\\User\\AppData\\Roaming",
        L"CommonProgramFiles=C:\\Program Files\\Common Files",
        L"COMPUTERNAME=DESKTOP",
        L"ComSpec=C:\\Windows\\system32\\cmd.exe",
        L"HOMEDRIVE=C:",
        L"HOMEPATH=\\Users\\User",
        L"LOCALAPPDATA=C:\\Users\\User\\AppData\\Local",
        L"NUMBER_OF_PROCESSORS=8",
        L"OS=Windows_NT",
        L"Path=C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem",
        L"PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
        L"PROCESSOR_ARCHITECTURE=AMD64",
        L"ProgramData=C:\\ProgramData",
        L"ProgramFiles=C:\\Program Files",
        L"PROMPT=$P$G",
        L"SystemDrive=C:",
        L"SystemRoot=C:\\Windows",
        L"TEMP=C:\\Users\\huoji\\AppData\\Local\\Temp",
        L"TMP=C:\\Users\\huoji\\AppData\\Local\\Temp",
        L"USERDOMAIN=DESKTOP",
        L"USERNAME=User",
        L"USERPROFILE=C:\\Users\\User",
        L"windir=C:\\Windows"};

    // 将环境变量添加到块中
    for (const auto& var : vars) {
        envBlock.insert(envBlock.end(), var.begin(), var.end());
        envBlock.push_back(L'\0');  // 每个变量以null结尾
    }
    envBlock.push_back(L'\0');  // 环境块以额外的null结尾

    return envBlock;
}

auto Sandbox::GetEnvStringsSize() -> size_t {
    return GetEnvString().size() * sizeof(wchar_t);
}

auto Sandbox::getVirtualMemorySize(BYTE* peBuffer) -> size_t {
    if (!peBuffer) {
        return 0;
    }

    // 解析PE头
    auto* dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(peBuffer);
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return 0;
    }
    auto* ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(
        reinterpret_cast<LPBYTE>(peBuffer) + dosHeader->e_lfanew);
    // 获取区段头
    auto* sectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>(
        reinterpret_cast<PUCHAR>(ntHeaders) + sizeof(ntHeaders->Signature) +
        sizeof(ntHeaders->FileHeader) +
        ntHeaders->FileHeader.SizeOfOptionalHeader);

    DWORD minOffset = UINT_MAX;
    DWORD totalSize = 0;

    // 遍历所有区段
    for (WORD i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++) {
        const auto& section = sectionHeader[i];

        // 查找最小虚拟地址偏移
        if (section.VirtualAddress < minOffset) {
            minOffset = section.VirtualAddress;
        }

        // 累加虚拟大小
        totalSize += section.Misc.VirtualSize;
    }

    // 添加最小偏移到总大小
    totalSize += minOffset;

    return static_cast<size_t>(totalSize);
}