添加沙箱功能和API钩子支持

- 在沙箱中实现了新的功能，包括内存分配和API钩子初始化 - 更新了沙箱类，增加了对WFP引擎的支持 - 添加了多个API的实现，如GetLastError、InitializeCriticalSection等 - 修改了主函数以使用新的沙箱功能，替换了恶意软件扫描功能 - 更新了项目文件以包含新的源文件和API实现 - 改进了错误处理和日志记录功能
2025-03-18 20:49:18 +08:00
parent 4f3f4c7205
commit 534b6a84a6
15 changed files with 2443 additions and 754 deletions
--- a/ai_anti_malware/sandbox_api_wlan.cpp
+++ b/ai_anti_malware/sandbox_api_wlan.cpp
@@ -0,0 +1,286 @@
+#include "sandbox.h"
+#include "sandbox_callbacks.h"
+#include "sandbox_api_winhttp.h"
+#include <tlhelp32.h>
+
+// WLAN API 实现
+auto Api_WlanOpenHandle(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void {
+    auto context = static_cast<Sandbox*>(sandbox);
+    uint64_t dwClientVersion = 0;
+    uint64_t pReserved = 0;
+    uint64_t pdwNegotiatedVersion = 0;
+    uint64_t phClientHandle = 0;
+
+    // 获取参数
+    if (context->GetPeInfo()->isX64) {
+        uc_reg_read(uc, UC_X86_REG_RCX, &dwClientVersion);
+        uc_reg_read(uc, UC_X86_REG_RDX, &pReserved);
+        uc_reg_read(uc, UC_X86_REG_R8, &pdwNegotiatedVersion);
+        uc_reg_read(uc, UC_X86_REG_R9, &phClientHandle);
+    } else {
+        uint32_t esp;
+        uc_reg_read(uc, UC_X86_REG_ESP, &esp);
+        esp += 4;
+        uc_mem_read(uc, esp, &dwClientVersion, sizeof(uint32_t));
+        esp += 4;
+        uint32_t temp_reserved;
+        uc_mem_read(uc, esp, &temp_reserved, sizeof(uint32_t));
+        pReserved = temp_reserved;
+        esp += 4;
+        uint32_t temp_version;
+        uc_mem_read(uc, esp, &temp_version, sizeof(uint32_t));
+        pdwNegotiatedVersion = temp_version;
+        esp += 4;
+        uint32_t temp_handle;
+        uc_mem_read(uc, esp, &temp_handle, sizeof(uint32_t));
+        phClientHandle = temp_handle;
+    }
+
+    // 修改常量定义
+    uint32_t negotiatedVersion = 2;      // 返回请求的版本
+    uint64_t clientHandle = 0x13370000;  // 使用有效的十六进制常量
+
+    // 写入协商版本
+    if (pdwNegotiatedVersion != 0) {
+        uc_mem_write(uc, pdwNegotiatedVersion, &negotiatedVersion,
+                     sizeof(uint32_t));
+    }
+
+    // 写入客户端句柄
+    if (phClientHandle != 0) {
+        if (context->GetPeInfo()->isX64) {
+            uc_mem_write(uc, phClientHandle, &clientHandle, sizeof(uint64_t));
+        } else {
+            uint32_t handle32 = static_cast<uint32_t>(clientHandle);
+            uc_mem_write(uc, phClientHandle, &handle32, sizeof(uint32_t));
+        }
+    }
+
+    // 返回成功（0）
+    uint64_t result = 0;
+    uc_reg_write(uc,
+                 context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
+                 &result);
+
+    printf("[*] WlanOpenHandle: Version=%u, Handle=0x%llx\n", negotiatedVersion,
+           clientHandle);
+}
+
+auto Api_WlanEnumInterfaces(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void {
+    auto context = static_cast<Sandbox*>(sandbox);
+    uint64_t hClientHandle = 0;
+    uint64_t pReserved = 0;
+    uint64_t ppInterfaceList = 0;
+
+    // 获取参数
+    if (context->GetPeInfo()->isX64) {
+        uc_reg_read(uc, UC_X86_REG_RCX, &hClientHandle);
+        uc_reg_read(uc, UC_X86_REG_RDX, &pReserved);
+        uc_reg_read(uc, UC_X86_REG_R8, &ppInterfaceList);
+    } else {
+        uint32_t esp;
+        uc_reg_read(uc, UC_X86_REG_ESP, &esp);
+        esp += 4;
+        uint32_t temp_handle;
+        uc_mem_read(uc, esp, &temp_handle, sizeof(uint32_t));
+        hClientHandle = temp_handle;
+        esp += 4;
+        uint32_t temp_reserved;
+        uc_mem_read(uc, esp, &temp_reserved, sizeof(uint32_t));
+        pReserved = temp_reserved;
+        esp += 4;
+        uint32_t temp_list;
+        uc_mem_read(uc, esp, &temp_list, sizeof(uint32_t));
+        ppInterfaceList = temp_list;
+    }
+
+    // 修改句柄检查
+    if (hClientHandle != 0x13370000) {
+        uint64_t result = 1;  // ERROR_INVALID_HANDLE
+        uc_reg_write(
+            uc, context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
+            &result);
+        return;
+    }
+
+    // 分配内存用于接口列表
+    uint64_t interfaceListAddr = context->AllocateMemory(1024);  // 足够大的空间
+
+    // 创建一个模拟的WLAN接口列表
+    struct WLAN_INTERFACE_INFO {
+        GUID InterfaceGuid;
+        WCHAR strInterfaceDescription[256];
+        DWORD isState;
+    };
+
+    struct WLAN_INTERFACE_INFO_LIST {
+        DWORD dwNumberOfItems;
+        DWORD dwIndex;
+        WLAN_INTERFACE_INFO InterfaceInfo[1];
+    };
+
+    WLAN_INTERFACE_INFO_LIST interfaceList = {0};
+    interfaceList.dwNumberOfItems = 1;
+    interfaceList.dwIndex = 0;
+
+    // 创建一个假的GUID
+    GUID fakeGuid = {0x12345678,
+                     0x1234,
+                     0x1234,
+                     {0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF}};
+    interfaceList.InterfaceInfo[0].InterfaceGuid = fakeGuid;
+
+    // 设置接口描述
+    const wchar_t* description = L"Simulated Wi-Fi Adapter";
+    wcscpy_s(interfaceList.InterfaceInfo[0].strInterfaceDescription,
+             description);
+    interfaceList.InterfaceInfo[0].isState = 1;  // connected
+
+    // 写入接口列表
+    uc_mem_write(uc, interfaceListAddr, &interfaceList,
+                 sizeof(WLAN_INTERFACE_INFO_LIST));
+
+    // 写入接口列表指针
+    if (context->GetPeInfo()->isX64) {
+        uc_mem_write(uc, ppInterfaceList, &interfaceListAddr, sizeof(uint64_t));
+    } else {
+        uint32_t addr32 = static_cast<uint32_t>(interfaceListAddr);
+        uc_mem_write(uc, ppInterfaceList, &addr32, sizeof(uint32_t));
+    }
+
+    // 返回成功（0）
+    uint64_t result = 0;
+    uc_reg_write(uc,
+                 context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
+                 &result);
+
+    printf("[*] WlanEnumInterfaces: Handle=0x%llx, InterfaceList=0x%llx\n",
+           hClientHandle, interfaceListAddr);
+}
+
+auto Api_WlanGetProfileList(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void {
+    auto context = static_cast<Sandbox*>(sandbox);
+    uint64_t hClientHandle = 0;
+    uint64_t pInterfaceGuid = 0;
+    uint64_t pReserved = 0;
+    uint64_t ppProfileList = 0;
+
+    // 获取参数
+    if (context->GetPeInfo()->isX64) {
+        uc_reg_read(uc, UC_X86_REG_RCX, &hClientHandle);
+        uc_reg_read(uc, UC_X86_REG_RDX, &pInterfaceGuid);
+        uc_reg_read(uc, UC_X86_REG_R8, &pReserved);
+        uc_reg_read(uc, UC_X86_REG_R9, &ppProfileList);
+    } else {
+        uint32_t esp;
+        uc_reg_read(uc, UC_X86_REG_ESP, &esp);
+        esp += 4;
+        uint32_t temp_values[4];
+        uc_mem_read(uc, esp, temp_values, sizeof(uint32_t) * 4);
+        hClientHandle = temp_values[0];
+        pInterfaceGuid = temp_values[1];
+        pReserved = temp_values[2];
+        ppProfileList = temp_values[3];
+    }
+
+    // 分配内存用于配置文件列表
+    uint64_t profileListAddr = context->AllocateMemory(1024);
+
+    // 创建模拟的配置文件列表
+    struct WLAN_PROFILE_INFO {
+        WCHAR strProfileName[256];
+        DWORD dwFlags;
+    };
+
+    struct WLAN_PROFILE_INFO_LIST {
+        DWORD dwNumberOfItems;
+        DWORD dwIndex;
+        WLAN_PROFILE_INFO ProfileInfo[1];
+    };
+
+    WLAN_PROFILE_INFO_LIST profileList = {0};
+    profileList.dwNumberOfItems = 1;
+    profileList.dwIndex = 0;
+
+    // 设置一个模拟的配置文件
+    const wchar_t* profileName = L"Home Network";
+    wcscpy_s(profileList.ProfileInfo[0].strProfileName, profileName);
+    profileList.ProfileInfo[0].dwFlags = 1;
+
+    // 写入配置文件列表
+    uc_mem_write(uc, profileListAddr, &profileList,
+                 sizeof(WLAN_PROFILE_INFO_LIST));
+
+    // 写入配置文件列表指针
+    if (context->GetPeInfo()->isX64) {
+        uc_mem_write(uc, ppProfileList, &profileListAddr, sizeof(uint64_t));
+    } else {
+        uint32_t addr32 = static_cast<uint32_t>(profileListAddr);
+        uc_mem_write(uc, ppProfileList, &addr32, sizeof(uint32_t));
+    }
+
+    // 返回成功（0）
+    uint64_t result = 0;
+    uc_reg_write(uc,
+                 context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
+                 &result);
+
+    printf("[*] WlanGetProfileList: Handle=0x%llx, ProfileList=0x%llx\n",
+           hClientHandle, profileListAddr);
+}
+
+auto Api_WlanFreeMemory(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void {
+    auto context = static_cast<Sandbox*>(sandbox);
+    uint64_t pMemory = 0;
+
+    // 获取参数
+    if (context->GetPeInfo()->isX64) {
+        uc_reg_read(uc, UC_X86_REG_RCX, &pMemory);
+    } else {
+        uint32_t esp;
+        uc_reg_read(uc, UC_X86_REG_ESP, &esp);
+        esp += 4;
+        uint32_t temp_memory;
+        uc_mem_read(uc, esp, &temp_memory, sizeof(uint32_t));
+        pMemory = temp_memory;
+    }
+
+    // 实际上我们不需要释放内存，因为这是在模拟环境中
+    printf("[*] WlanFreeMemory: Memory=0x%llx\n", pMemory);
+}
+
+auto Api_WlanCloseHandle(void* sandbox, uc_engine* uc, uint64_t address)
+    -> void {
+    auto context = static_cast<Sandbox*>(sandbox);
+    uint64_t hClientHandle = 0;
+    uint64_t pReserved = 0;
+
+    // 获取参数
+    if (context->GetPeInfo()->isX64) {
+        uc_reg_read(uc, UC_X86_REG_RCX, &hClientHandle);
+        uc_reg_read(uc, UC_X86_REG_RDX, &pReserved);
+    } else {
+        uint32_t esp;
+        uc_reg_read(uc, UC_X86_REG_ESP, &esp);
+        esp += 4;
+        uint32_t temp_handle;
+        uc_mem_read(uc, esp, &temp_handle, sizeof(uint32_t));
+        hClientHandle = temp_handle;
+        esp += 4;
+        uint32_t temp_reserved;
+        uc_mem_read(uc, esp, &temp_reserved, sizeof(uint32_t));
+        pReserved = temp_reserved;
+    }
+
+    // 返回成功（0）
+    uint64_t result = 0;
+    uc_reg_write(uc,
+                 context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
+                 &result);
+
+    printf("[*] WlanCloseHandle: Handle=0x%llx\n", hClientHandle);
+}