调不了了 终极大招了

ai_anti_malware/sandbox_callbacks.cpp

@@ -1,5 +1,5 @@
 #include "sandbox_callbacks.h"
-#define LOG_LEVEL 0
+#define LOG_LEVEL 1
 namespace sandboxCallbacks {
 void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
                    void* userData) {
@@ -46,6 +46,8 @@ void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
                    instruction[0].mnemonic, instruction[0].op_str);
         }
         cs_free(instruction, instructionCount);
+
+        dumpVmenv(uc, userData);
     }
 }
 
@@ -54,7 +56,10 @@ void handleMemoryRead(uc_engine* uc, uc_mem_type type, uint64_t address,
     auto* sandbox = static_cast<Sandbox*>(userData);
     if (!sandbox) return;
 
-    uint64_t regRax, regRip;
+    uint64_t regRax, regRip, regRbp;
+    uc_reg_read(uc,
+                sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RBP : UC_X86_REG_EBP,
+                &regRbp);
     uc_reg_read(uc,
                 sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
                 &regRax);
@@ -68,8 +73,9 @@ void handleMemoryRead(uc_engine* uc, uc_mem_type type, uint64_t address,
     if (LOG_LEVEL > 0) {
         printf(
             "[handleMemoryRead] Address: %p Size: %p Rax: %p Rip: %p Error: %d "
-            "ReadData: %p\n",
-            address, size, regRax, regRip, readError, readAddress);
+            "ReadData: %p Rbp: %p\n",
+            address, size, regRax, regRip, readError, readAddress, regRbp);
+        sandboxCallbacks::dumpVmenv(uc, sandbox);
     }
 }
 void dumpVmenv(uc_engine* uc, void* userData) {
@@ -81,6 +87,8 @@ void dumpVmenv(uc_engine* uc, void* userData) {
     uint64_t Rbp = 0;
     uint64_t Rcx = 0;
     uint64_t Rdx = 0;
+    uint64_t Eax = 0;
+    uint64_t Ecx = 0;
     uc_reg_read(uc,
                 sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RIP : UC_X86_REG_EIP,
                 &Rip);
@@ -99,8 +107,94 @@ void dumpVmenv(uc_engine* uc, void* userData) {
     uc_reg_read(uc,
                 sandbox->GetPeInfo()->isX64 ? UC_X86_REG_RDX : UC_X86_REG_EDX,
                 &Rdx);
-    printf("[dumpVmenv] Rip: %p Rax: %p Rsp: %p Rbp: %p Rcx: %p Rdx: %p\n", Rip,
-           Rax, Rsp, Rbp, Rcx, Rdx);
+    uc_reg_read(uc,
+                sandbox->GetPeInfo()->isX64 ? UC_X86_REG_EAX : UC_X86_REG_EAX,
+                &Eax);
+    uc_reg_read(uc,
+                sandbox->GetPeInfo()->isX64 ? UC_X86_REG_ECX : UC_X86_REG_ECX,
+                &Ecx);
+    printf(
+        "[dumpVmenv] Rip: %p Rax: %p Rsp: %p Rbp: %p Rcx: %p Rdx: %p Eax: "
+        "%08x Ecx: %08x\n",
+        Rip, Rax, Rsp, Rbp, Rcx, Rdx, Eax, Ecx);
+
+    // 打印16层栈内存
+    printf("\n[Stack Memory Dump (16 levels)]\n");
+    const int STACK_LEVELS = 16;
+    const int POINTER_SIZE = sandbox->GetPeInfo()->isX64 ? 8 : 4;
+
+    for (int i = 0; i < STACK_LEVELS; i++) {
+        uint64_t currentAddress = Rsp + (i * POINTER_SIZE);
+        uint64_t memValue = 0;
+
+        if (uc_mem_read(uc, currentAddress, &memValue, POINTER_SIZE) ==
+            UC_ERR_OK) {
+            printf("RSP+%02X [%p]: ", i * POINTER_SIZE, currentAddress);
+            // 按4字节分组显示十六进制
+            for (int j = 0; j < POINTER_SIZE; j += 4) {
+                uint32_t chunk;
+                size_t chunkSize = min(4, POINTER_SIZE - j);
+                if (uc_mem_read(uc, currentAddress + j, &chunk, chunkSize) ==
+                    UC_ERR_OK) {
+                    printf("%08X ", chunk);
+                } else {
+                    printf("???????? ");
+                }
+            }
+
+            // 显示ASCII字符
+            printf("| ");
+            for (int j = 0; j < POINTER_SIZE; j++) {
+                uint8_t byte;
+                if (uc_mem_read(uc, currentAddress + j, &byte, 1) ==
+                    UC_ERR_OK) {
+                    printf("%c", (byte >= 32 && byte <= 126) ? byte : '.');
+                } else {
+                    printf("?");
+                }
+            }
+            printf("\n");
+        } else {
+            printf("RSP+%02X [%p]: Unable to read memory\n", i * POINTER_SIZE,
+                   currentAddress);
+        }
+    }
+
+    printf("\n[Frame Pointer Stack (16 levels)]\n");
+    uint64_t currentBp = Rbp;
+    for (int i = 0; i < STACK_LEVELS && currentBp != 0; i++) {
+        uint64_t nextBp = 0;
+        if (uc_mem_read(uc, currentBp, &nextBp, POINTER_SIZE) == UC_ERR_OK) {
+            printf("Frame %02d [%p]: ", i, currentBp);
+            // 按4字节分组显示十六进制
+            for (int j = 0; j < POINTER_SIZE; j += 4) {
+                uint32_t chunk;
+                size_t chunkSize = min(4, POINTER_SIZE - j);
+                if (uc_mem_read(uc, currentBp + j, &chunk, chunkSize) ==
+                    UC_ERR_OK) {
+                    printf("%08X ", chunk);
+                } else {
+                    printf("???????? ");
+                }
+            }
+
+            // 显示ASCII字符
+            printf("| ");
+            for (int j = 0; j < POINTER_SIZE; j++) {
+                uint8_t byte;
+                if (uc_mem_read(uc, currentBp + j, &byte, 1) == UC_ERR_OK) {
+                    printf("%c", (byte >= 32 && byte <= 126) ? byte : '.');
+                } else {
+                    printf("?");
+                }
+            }
+            printf("\n");
+            currentBp = nextBp;
+        } else {
+            printf("Frame %02d [%p]: Unable to read memory\n", i, currentBp);
+            break;
+        }
+    }
 }
 void handleMemoryUnmapRead(uc_engine* uc, uc_mem_type type, uint64_t address,
                            int size, int64_t value, void* userData) {