初步增加32位支持(没加全)

2025-03-19 20:47:26 +08:00
parent 9b970ce8a2
commit 232a7abcba
9 changed files with 819 additions and 137 deletions
--- a/ai_anti_malware/sandbox_api_process.cpp
+++ b/ai_anti_malware/sandbox_api_process.cpp
@@ -270,23 +270,46 @@ auto Api_Process32FirstW(void* sandbox, uc_engine* uc, uint64_t address)
        // 读取结构体大小
        DWORD structSize = 0;
        if (uc_mem_read(uc, lppe, &structSize, sizeof(DWORD)) == UC_ERR_OK) {
-            if (structSize == sizeof(PROCESSENTRY32W)) {
-                // 获取第一个进程信息（在我们的实现中是DingTalk.exe）
-                PROCESSENTRY32W pe32 = {0};
-                pe32.dwSize = sizeof(PROCESSENTRY32W);
-                pe32.th32ProcessID = 1001;  // DingTalk的PID
-                pe32.cntThreads = 1;
-                pe32.th32ParentProcessID = 4;  // 父进程是System
-                pe32.pcPriClassBase = 8;       // 正常优先级
+            if (context->GetPeInfo()->isX64) {
+                if (structSize == sizeof(PROCESSENTRY32W)) {
+                    // 获取第一个进程信息（在我们的实现中是DingTalk.exe）
+                    PROCESSENTRY32W pe32 = { 0 };
+                    pe32.dwSize = sizeof(PROCESSENTRY32W);
+                    pe32.th32ProcessID = 1001;  // DingTalk的PID
+                    pe32.cntThreads = 1;
+                    pe32.th32ParentProcessID = 4;  // 父进程是System
+                    pe32.pcPriClassBase = 8;       // 正常优先级

-                // 设置进程名
-                std::wstring procName = L"DingTalk.exe";
-                wcscpy_s(pe32.szExeFile, procName.c_str());
+                    // 设置进程名
+                    std::wstring procName = L"DingTalk.exe";
+                    wcscpy_s(pe32.szExeFile, procName.c_str());

-                // 写入进程信息到用户提供的缓冲区
-                if (uc_mem_write(uc, lppe, &pe32, sizeof(PROCESSENTRY32W)) ==
-                    UC_ERR_OK) {
-                    success = true;
+                    // 写入进程信息到用户提供的缓冲区
+                    if (uc_mem_write(uc, lppe, &pe32, sizeof(PROCESSENTRY32W)) ==
+                        UC_ERR_OK) {
+                        success = true;
+                    }
+                }
+            }
+            else {
+                if (structSize == sizeof(PROCESSENTRY32W_32)) {
+                    // 获取第一个进程信息（在我们的实现中是DingTalk.exe）
+                    PROCESSENTRY32W_32 pe32 = { 0 };
+                    pe32.dwSize = sizeof(PROCESSENTRY32W_32);
+                    pe32.th32ProcessID = 1001;  // DingTalk的PID
+                    pe32.cntThreads = 1;
+                    pe32.th32ParentProcessID = 4;  // 父进程是System
+                    pe32.pcPriClassBase = 8;       // 正常优先级
+
+                    // 设置进程名
+                    std::wstring procName = L"DingTalk.exe";
+                    wcscpy_s(pe32.szExeFile, procName.c_str());
+
+                    // 写入进程信息到用户提供的缓冲区
+                    if (uc_mem_write(uc, lppe, &pe32, sizeof(PROCESSENTRY32W_32)) ==
+                        UC_ERR_OK) {
+                        success = true;
+                    }
                }
            }
        }
@@ -388,6 +411,36 @@ auto Api_Process32NextW(void* sandbox, uc_engine* uc, uint64_t address)
        hSnapshot = temp_handle;
        lppe = temp_lppe;
    }
+    // 获取当前进程索引
+    size_t currentIndex = 0;
+    auto it = context->process_enum_state.find(hSnapshot);
+    if (it != context->process_enum_state.end()) {
+        currentIndex = it->second;
+        currentIndex++;  // 移动到下一个进程
+    }
+
+    // 定义进程列表
+    struct ProcessInfo {
+        const wchar_t* name;
+        uint32_t pid;
+        uint32_t parentPid;
+    };
+
+    ProcessInfo processes[] = {
+        {L"DingTalk.exe", 1001, 4},   // 钉钉
+        {L"Lanxin.exe", 1002, 4},     // 蓝信
+        {L"QQ.exe", 1003, 4},         // QQ
+        {L"Feishu.exe", 1004, 4},     // 飞书
+        {L"explorer.exe", 1005, 4},   // Windows 资源管理器
+        {L"svchost.exe", 1006, 4},    // 系统服务宿主进程
+        {L"System", 4, 0},            // 系统进程
+        {L"smss.exe", 376, 4},        // 会话管理器
+        {L"csrss.exe", 648, 376},     // 客户端服务器运行时子系统
+        {L"winlogon.exe", 672, 376},  // Windows 登录进程
+    };
+
+    const size_t processCount =
+        sizeof(processes) / sizeof(processes[0]);

    // 验证句柄
    bool success = false;
@@ -395,43 +448,37 @@ auto Api_Process32NextW(void* sandbox, uc_engine* uc, uint64_t address)
        // 读取结构体大小
        DWORD structSize = 0;
        if (uc_mem_read(uc, lppe, &structSize, sizeof(DWORD)) == UC_ERR_OK) {
-            if (structSize == sizeof(PROCESSENTRY32W)) {
-                // 获取当前进程索引
-                size_t currentIndex = 0;
-                auto it = context->process_enum_state.find(hSnapshot);
-                if (it != context->process_enum_state.end()) {
-                    currentIndex = it->second;
-                    currentIndex++;  // 移动到下一个进程
+            if (context->GetPeInfo()->isX64) {
+                if (structSize == sizeof(PROCESSENTRY32W)) {
+                    // 检查是否还有更多进程
+                    if (currentIndex < processCount) {
+                        // 填充进程信息
+                        PROCESSENTRY32W pe32 = { 0 };
+                        pe32.dwSize = sizeof(PROCESSENTRY32W);
+                        pe32.th32ProcessID = processes[currentIndex].pid;
+                        pe32.th32ParentProcessID =
+                            processes[currentIndex].parentPid;
+                        pe32.cntThreads = 1;
+                        pe32.pcPriClassBase = 8;  // 正常优先级
+
+                        // 设置进程名
+                        wcscpy_s(pe32.szExeFile, processes[currentIndex].name);
+
+                        // 写入进程信息到用户提供的缓冲区
+                        if (uc_mem_write(uc, lppe, &pe32,
+                            sizeof(PROCESSENTRY32W)) == UC_ERR_OK) {
+                            success = true;
+                            // 更新进程索引
+                            context->process_enum_state[hSnapshot] = currentIndex;
+                        }
+                    }
                }
-
-                // 定义进程列表
-                struct ProcessInfo {
-                    const wchar_t* name;
-                    uint32_t pid;
-                    uint32_t parentPid;
-                };
-
-                ProcessInfo processes[] = {
-                    {L"DingTalk.exe", 1001, 4},   // 钉钉
-                    {L"Lanxin.exe", 1002, 4},     // 蓝信
-                    {L"QQ.exe", 1003, 4},         // QQ
-                    {L"Feishu.exe", 1004, 4},     // 飞书
-                    {L"explorer.exe", 1005, 4},   // Windows 资源管理器
-                    {L"svchost.exe", 1006, 4},    // 系统服务宿主进程
-                    {L"System", 4, 0},            // 系统进程
-                    {L"smss.exe", 376, 4},        // 会话管理器
-                    {L"csrss.exe", 648, 376},     // 客户端服务器运行时子系统
-                    {L"winlogon.exe", 672, 376},  // Windows 登录进程
-                };
-
-                const size_t processCount =
-                    sizeof(processes) / sizeof(processes[0]);
-
-                // 检查是否还有更多进程
+            }
+            else {
                if (currentIndex < processCount) {
                    // 填充进程信息
-                    PROCESSENTRY32W pe32 = {0};
-                    pe32.dwSize = sizeof(PROCESSENTRY32W);
+                    PROCESSENTRY32W_32 pe32 = { 0 };
+                    pe32.dwSize = sizeof(PROCESSENTRY32W_32);
                    pe32.th32ProcessID = processes[currentIndex].pid;
                    pe32.th32ParentProcessID =
                        processes[currentIndex].parentPid;
@@ -443,7 +490,7 @@ auto Api_Process32NextW(void* sandbox, uc_engine* uc, uint64_t address)

                    // 写入进程信息到用户提供的缓冲区
                    if (uc_mem_write(uc, lppe, &pe32,
-                                     sizeof(PROCESSENTRY32W)) == UC_ERR_OK) {
+                        sizeof(PROCESSENTRY32W_32)) == UC_ERR_OK) {
                        success = true;
                        // 更新进程索引
                        context->process_enum_state[hSnapshot] = currentIndex;