优化rip的速度

This commit is contained in:
Huoji's
2025-04-23 04:47:01 +08:00
parent 785f0da7fe
commit db31cd90b5
7 changed files with 276 additions and 116 deletions


@@ -66,140 +66,142 @@ auto Api_GetCurrentThread(void* sandbox, uc_engine* uc, uint64_t address)
printf("[*] GetCurrentThread called, returning pseudo-handle 0x%llx\n",
pseudo_handle);
}
auto Api_LoadLibraryA(void* sandbox, uc_engine* uc, uint64_t address) -> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t params_address = 0;
// 获取参数地址
if (context->GetPeInfo()->isX64) {
uc_reg_read(uc, UC_X86_REG_RCX, &params_address);
} else {
uint64_t ebp_address = 0;
uc_reg_read(uc, UC_X86_REG_ESP, &ebp_address);
ebp_address += 0x4;
uc_mem_read(uc, ebp_address, &params_address, 0x4);
}
uint64_t return_address = 0;
std::string module_name;
char buffer[MAX_PATH];
size_t i = 0;
// 读取模块名称
if (params_address != 0) {
do {
uint8_t byte;
uc_mem_read(uc, params_address + i, &byte, 1);
buffer[i] = byte;
i++;
} while (buffer[i - 1] != 0 && i < MAX_PATH);
if (i > 0 && i < MAX_PATH) {
module_name = std::string(buffer);
// 确保模块名以.dll结尾不区分大小写
if (module_name.length() > 4) {
std::string ext = module_name.substr(module_name.length() - 4);
if (_stricmp(ext.c_str(), ".dll") != 0) {
module_name += ".dll";
}
} else {
module_name += ".dll";
}
std::string fuck_up_api_ms = module_name;
if (fuck_up_api_ms.find("api-ms-") != std::string::npos) {
module_name = getDllNameFromApiSetMap(fuck_up_api_ms);
if (module_name.size() <= 1) __debugbreak();
}
// 从模块列表中查找对应模块
for (const auto& module : context->GetModuleList()) {
if ((*module).name == module_name.c_str()) {
return_address = (*module).base;
break;
}
}
}
}
printf("[*] LoadLibraryA: Module=%s, Base=0x%llx\n", module_name.c_str(),
return_address);
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&return_address);
}
auto Api_LoadLibraryExW(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
// 统一的LoadLibrary辅助函数
auto LoadLibraryHelper(void* sandbox, uc_engine* uc, uint64_t address,
bool isWideChar, bool isEx = false) -> void {
auto context = static_cast<Sandbox*>(sandbox);
uint64_t module_name_address = 0;
uint64_t flags = 0;
// 获取参数
if (context->GetPeInfo()->isX64) {
// x64: rcx = lpLibFileName, r8 = dwFlags
uc_reg_read(uc, UC_X86_REG_RCX, &module_name_address);
uc_reg_read(uc, UC_X86_REG_R8, &flags);
} else {
// x86: 从栈上读取参数
if (isEx) {
uc_reg_read(uc, UC_X86_REG_R8, &flags);
}
}
else {
uint64_t esp_address = 0;
uc_reg_read(uc, UC_X86_REG_ESP, &esp_address);
esp_address += 0x4; // 跳过返回地址
uc_mem_read(uc, esp_address, &module_name_address, 0x4);
esp_address += 0x8; // 跳过hFile参数
uc_mem_read(uc, esp_address, &flags, 0x4);
if (isEx) {
esp_address += 0x8; // 跳过hFile参数
uc_mem_read(uc, esp_address, &flags, 0x4);
}
}
uint64_t return_address = 0;
std::wstring module_name;
wchar_t buffer[MAX_PATH];
size_t i = 0;
std::string ansi_name;
bool isApiSetMapMeme = false;
// 读取宽字符模块名称
// 读取模块名称
if (module_name_address != 0) {
do {
uint16_t wchar;
uc_mem_read(uc, module_name_address + (i * 2), &wchar, 2);
buffer[i] = wchar;
i++;
} while (buffer[i - 1] != 0 && i < MAX_PATH);
if (isWideChar) {
// 读取宽字符串
std::wstring module_name;
wchar_t buffer[MAX_PATH];
size_t i = 0;
if (i > 0 && i < MAX_PATH) {
module_name = std::wstring(buffer);
std::string ansi_name(module_name.begin(), module_name.end());
do {
uint16_t wchar;
uc_mem_read(uc, module_name_address + (i * 2), &wchar, 2);
buffer[i] = wchar;
i++;
} while (buffer[i - 1] != 0 && i < MAX_PATH);
std::string fuck_up_api_ms = ansi_name;
if (ansi_name.length() > 4) {
std::string ext = ansi_name.substr(ansi_name.length() - 4);
if (_stricmp(ext.c_str(), ".dll") != 0) {
ansi_name += ".dll";
}
} else {
if (i > 0 && i < MAX_PATH) {
module_name = std::wstring(buffer);
ansi_name = std::string(module_name.begin(), module_name.end());
}
}
else {
// 读取ASCII字符串
char buffer[MAX_PATH];
size_t i = 0;
do {
uint8_t byte;
uc_mem_read(uc, module_name_address + i, &byte, 1);
buffer[i] = byte;
i++;
} while (buffer[i - 1] != 0 && i < MAX_PATH);
if (i > 0 && i < MAX_PATH) {
ansi_name = std::string(buffer);
}
}
// 确保模块名以.dll结尾
if (ansi_name.length() > 4) {
std::string ext = ansi_name.substr(ansi_name.length() - 4);
if (_stricmp(ext.c_str(), ".dll") != 0) {
ansi_name += ".dll";
}
if (ansi_name.find("api-ms-") != std::string::npos) {
ansi_name = getDllNameFromApiSetMap(ansi_name);
isApiSetMapMeme = true;
// if (ansi_name.size() <= 1) __debugbreak();
}
}
else {
ansi_name += ".dll";
}
// 从模块列表中查找对应模块
for (const auto& module : context->GetModuleList()) {
if ((*module).name == ansi_name.c_str()) {
return_address = (*module).base;
break;
}
// 处理api-ms-前缀
if (ansi_name.find("api-ms-") != std::string::npos) {
ansi_name = getDllNameFromApiSetMap(ansi_name);
isApiSetMapMeme = true;
if (!isEx && ansi_name.size() <= 1) __debugbreak();
}
// 从模块列表中查找对应模块
for (const auto& module : context->GetModuleList()) {
if ((*module).name == ansi_name.c_str()) {
return_address = (*module).base;
break;
}
}
}
printf("[*] LoadLibraryExW: Module=%ls, Flags=0x%llx, Base=0x%llx\n",
module_name.c_str(), flags, return_address);
if (return_address == 0 && isApiSetMapMeme) {
// 根据调用的函数输出日志
if (isEx) {
printf("[*] LoadLibraryExW: Module=%s, Flags=0x%llx, Base=0x%llx\n",
ansi_name.c_str(), flags, return_address);
}
else {
if (isWideChar) {
printf("[*] LoadLibraryW: Module=%s, Base=0x%llx\n",
ansi_name.c_str(), return_address);
}
else {
printf("[*] LoadLibraryA: Module=%s, Base=0x%llx\n",
ansi_name.c_str(), return_address);
}
}
// 处理API set映射失败的特殊情况
if (return_address == 0 && isApiSetMapMeme && isEx) {
// 找不到就不管他了,操
return_address = 0x1337;
}
// 设置返回值
uc_reg_write(uc,
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&return_address);
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
&return_address);
}
// LoadLibraryA函数包装器
auto Api_LoadLibraryA(void* sandbox, uc_engine* uc, uint64_t address) -> void {
LoadLibraryHelper(sandbox, uc, address, false);
}
// 新增的LoadLibraryW函数包装器
auto Api_LoadLibraryW(void* sandbox, uc_engine* uc, uint64_t address) -> void {
LoadLibraryHelper(sandbox, uc, address, true);
}
// LoadLibraryExW函数包装器
auto Api_LoadLibraryExW(void* sandbox, uc_engine* uc, uint64_t address) -> void {
LoadLibraryHelper(sandbox, uc, address, true, true);
}
auto Api_GetProcAddress(void* sandbox, uc_engine* uc, uint64_t address)
-> void {
@@ -1376,7 +1378,9 @@ auto Sandbox::InitApiHooks() -> void {
_fakeApi{.func = Api_VariantClear, .paramCount = 1};
auto FakeApi_SysAllocString =
_fakeApi{.func = Api_SysAllocString, .paramCount = 1};
auto FakeApi_LoadLibraryW =
_fakeApi{ .func = Api_LoadLibraryW, .paramCount = 1 };
api_map = {
{"GetSystemTimeAsFileTime",
std::make_shared<_fakeApi>(FakeApi_GetSystemTimeAsFileTime)},
@@ -1519,6 +1523,7 @@ auto Sandbox::InitApiHooks() -> void {
{"VariantInit", std::make_shared<_fakeApi>(FakeApi_VariantInit)},
{"VariantClear", std::make_shared<_fakeApi>(FakeApi_VariantClear)},
{"SysAllocString", std::make_shared<_fakeApi>(FakeApi_SysAllocString)},
{"LoadLibraryW", std::make_shared<_fakeApi>(FakeApi_LoadLibraryW)},
};
}
auto Sandbox::EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip,
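Review bot: The two string-reading loops in LoadLibraryHelper (the wide read at `uc_mem_read(uc, module_name_address + (i * 2), &wchar, 2)` and the ANSI read at `uc_mem_read(uc, module_name_address + i, &byte, 1)`) discard the unicorn return code, so when the guest pointer is unmapped or only partly mapped `wchar`/`byte` are left uninitialized, `buffer[i]` receives indeterminate data, and the `buffer[i - 1] != 0` exit test, the `std::string(buffer)` construction, the log line and the module lookup all run on garbage. Treat a failed read as "no name" so the existing `i > 0` guard skips the string construction, e.g. `if (uc_mem_read(uc, module_name_address + (i * 2), &wchar, 2) != UC_ERR_OK) { i = 0; break; }` in the wide branch and the same shape for the ANSI branch; the `uc_reg_read`/`uc_mem_read` calls that fetch `module_name_address` and `flags` have the same unchecked-return pattern. Separately, the non-Ex path keeps `if (!isEx && ansi_name.size() <= 1) __debugbreak();`, so a sample-supplied api-ms- name that getDllNameFromApiSetMap cannot resolve halts the emulator instead of failing the call; logging the miss and leaving `return_address` at 0, as the Ex path already does, would keep the sandbox running on hostile input. The wide-to-narrow conversion `std::string(module_name.begin(), module_name.end())` also silently truncates any non-ASCII code unit, which is worth a one-line comment on that line since the lookup key depends on it.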