admin/awesome_anti_virus_engine
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

添加沙箱功能和API钩子支持

Browse Source 
- 在沙箱中实现了新的功能,包括内存分配和API钩子初始化
- 更新了沙箱类,增加了对WFP引擎的支持
- 添加了多个API的实现,如GetLastError、InitializeCriticalSection等
- 修改了主函数以使用新的沙箱功能,替换了恶意软件扫描功能
- 更新了项目文件以包含新的源文件和API实现
- 改进了错误处理和日志记录功能
This commit is contained in:
huoji
2025-03-18 20:49:18 +08:00
parent 4f3f4c7205
commit 534b6a84a6
15 changed files with 2443 additions and 754 deletions
Download Patch File Download Diff File Expand all files Collapse all files

220
ai_anti_malware/sandbox_api_wfp.cpp Normal file
View File

@@ -0,0 +1,220 @@
#include "sandbox.h"
#include "sandbox_callbacks.h"
#include <fwpmu.h>
// FwpmEngineOpen0 API模拟
auto Api_FwpmEngineOpen0(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t serverName = 0;
uint64_t authnService = 0;
uint64_t authIdentity = 0;
uint64_t session = 0;
uint64_t engineHandle = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &serverName);
uc_reg_read(uc, UC_X86_REG_RDX, &authnService);
uc_reg_read(uc, UC_X86_REG_R8, &authIdentity);
uc_reg_read(uc, UC_X86_REG_R9, &session);
uint64_t rsp;
uc_reg_read(uc, UC_X86_REG_RSP, &rsp);
uc_mem_read(uc, rsp + 0x28, &engineHandle, sizeof(engineHandle));
} else {
uint32_t esp;
uc_reg_read(uc, UC_X86_REG_ESP, &esp);
esp += 4; // 跳过返回地址
uint32_t temp;
uc_mem_read(uc, esp, &temp, sizeof(temp));
serverName = temp;
esp += 4;
uc_mem_read(uc, esp, &temp, sizeof(temp));
authnService = temp;
esp += 4;
uc_mem_read(uc, esp, &temp, sizeof(temp));
authIdentity = temp;
esp += 4;
uc_mem_read(uc, esp, &temp, sizeof(temp));
session = temp;
esp += 4;
uc_mem_read(uc, esp, &temp, sizeof(temp));
engineHandle = temp;
}
// 创建新的WFP引擎实例
auto engine = new Sandbox::FakeWFPEngine();
engine->isOpen = true;
HANDLE handle = context->GetNextWfpEngineHandle();
context->GetWfpEngines()[handle] = engine;
// 写回引擎句柄
if (context->GetPeInfo()->isX64) {
uc_mem_write(uc, engineHandle, &handle, sizeof(handle));
} else {
uint32_t handle32 = (uint32_t)(uint64_t)handle;
uc_mem_write(uc, engineHandle, &handle32, sizeof(handle32));
}
// 返回成功
uint64_t result = ERROR_SUCCESS;
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
printf("[*] FwpmEngineOpen0: Handle=0x%llx\n", (uint64_t)handle);
}
// FwpmProviderAdd0 API模拟
auto Api_FwpmProviderAdd0(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t engineHandle = 0;
uint64_t provider = 0;
uint64_t sd = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &engineHandle);
uc_reg_read(uc, UC_X86_REG_RDX, &provider);
uc_reg_read(uc, UC_X86_REG_R8, &sd);
} else {
uint32_t esp;
uc_reg_read(uc, UC_X86_REG_ESP, &esp);
esp += 4;
uint32_t temp;
uc_mem_read(uc, esp, &temp, sizeof(temp));
engineHandle = temp;
esp += 4;
uc_mem_read(uc, esp, &temp, sizeof(temp));
provider = temp;
esp += 4;
uc_mem_read(uc, esp, &temp, sizeof(temp));
sd = temp;
}
// 检查引擎句柄是否有效
auto& engines = context->GetWfpEngines();
auto it = engines.find((HANDLE)engineHandle);
if (it == engines.end()) {
uint64_t result = ERROR_INVALID_HANDLE;
uc_reg_write(
uc, context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
return;
}
// 添加提供者
FWPM_PROVIDER0 providerData;
uc_mem_read(uc, provider, &providerData, sizeof(FWPM_PROVIDER0));
it->second->providers.push_back(providerData);
// 返回成功
uint64_t result = ERROR_SUCCESS;
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
printf("[*] FwpmProviderAdd0: Handle=0x%llx\n", engineHandle);
}
// FwpmFilterAdd0 API模拟
auto Api_FwpmFilterAdd0(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t engineHandle = 0;
uint64_t filter = 0;
uint64_t sd = 0;
uint64_t id = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &engineHandle);
uc_reg_read(uc, UC_X86_REG_RDX, &filter);
uc_reg_read(uc, UC_X86_REG_R8, &sd);
uc_reg_read(uc, UC_X86_REG_R9, &id);
} else {
uint32_t esp;
uc_reg_read(uc, UC_X86_REG_ESP, &esp);
esp += 4;
uint32_t temp;
uc_mem_read(uc, esp, &temp, sizeof(temp));
engineHandle = temp;
esp += 4;
uc_mem_read(uc, esp, &temp, sizeof(temp));
filter = temp;
esp += 4;
uc_mem_read(uc, esp, &temp, sizeof(temp));
sd = temp;
esp += 4;
uc_mem_read(uc, esp, &temp, sizeof(temp));
id = temp;
}
// 检查引擎句柄是否有效
auto& engines = context->GetWfpEngines();
auto it = engines.find((HANDLE)engineHandle);
if (it == engines.end()) {
uint64_t result = ERROR_INVALID_HANDLE;
uc_reg_write(
uc, context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
return;
}
// 添加过滤器
FWPM_FILTER0 filterData;
uc_mem_read(uc, filter, &filterData, sizeof(FWPM_FILTER0));
it->second->filters.push_back(filterData);
// 生成并写回过滤器ID
static uint64_t nextFilterId = 1;
uint64_t filterId = nextFilterId++;
if (id != 0) {
uc_mem_write(uc, id, &filterId, sizeof(filterId));
}
// 返回成功
uint64_t result = ERROR_SUCCESS;
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
printf("[*] FwpmFilterAdd0: Handle=0x%llx, FilterId=0x%llx\n", engineHandle,
filterId);
}
// FwpmEngineClose0 API模拟
auto Api_FwpmEngineClose0(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t engineHandle = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &engineHandle);
} else {
uint32_t esp;
uc_reg_read(uc, UC_X86_REG_ESP, &esp);
esp += 4;
uint32_t temp;
uc_mem_read(uc, esp, &temp, sizeof(temp));
engineHandle = temp;
}
// 检查并关闭引擎
auto& engines = context->GetWfpEngines();
auto it = engines.find((HANDLE)engineHandle);
if (it != engines.end()) {
delete it->second;
engines.erase(it);
}
// 返回成功
uint64_t result = ERROR_SUCCESS;
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&result);
printf("[*] FwpmEngineClose0: Handle=0x%llx\n", engineHandle);
}