优化rip的速度

2025-04-23 04:47:01 +08:00
parent 785f0da7fe
commit db31cd90b5
7 changed files with 276 additions and 116 deletions
--- a/ai_anti_malware/sandbox_ldr.cpp
+++ b/ai_anti_malware/sandbox_ldr.cpp
@@ -283,7 +283,80 @@ auto Sandbox::TestLdrListTraversal() -> bool {
    }
    return true;
 }
+auto Sandbox::FinalizeLdrLinks() -> void {
+    if (!m_peInfo->isX64) {
+        return;
+    }

+    // <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD>ͷ<EFBFBD><CDB7>ַ
+    uint64_t inLoadOrderListHead = m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InLoadOrderModuleList);
+    uint64_t inMemoryOrderListHead = m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InMemoryOrderModuleList);
+    uint64_t inInitOrderListHead = m_peb64.Ldr + offsetof(X64_PEB_LDR_DATA, InInitializationOrderModuleList);
+
+    // <20>պ<EFBFBD>InLoadOrderModuleList<73><74><EFBFBD><EFBFBD>
+    CloseLdrList(inLoadOrderListHead, offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks));
+
+    // <20>պ<EFBFBD>InMemoryOrderModuleList<73><74><EFBFBD><EFBFBD>
+    CloseLdrList(inMemoryOrderListHead, offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
+
+    // <20>պ<EFBFBD>InInitializationOrderModuleList<73><74><EFBFBD><EFBFBD>
+    CloseLdrList(inInitOrderListHead, offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks));
+}
+
+auto Sandbox::CloseLdrList(uint64_t listHeadAddr, size_t entryLinkOffset) -> void {
+    LIST_ENTRY listHead;
+    uc_mem_read(m_ucEngine, listHeadAddr, &listHead, sizeof(LIST_ENTRY));
+
+    // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD>գ<EFBFBD><D5A3><EFBFBD><EFBFBD>账<EFBFBD><E8B4A6>
+    if (listHead.Flink == (LIST_ENTRY*)listHeadAddr) {
+        return;
+    }
+
+    // <20>ҵ<EFBFBD><D2B5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>Ԫ<EFBFBD><D4AA>
+    uint64_t currentLink = (uint64_t)listHead.Flink;
+    uint64_t lastLink = 0;
+
+    while (currentLink != listHeadAddr && currentLink != 0) {
+        LIST_ENTRY currentEntry;
+        uc_mem_read(m_ucEngine, currentLink, &currentEntry, sizeof(LIST_ENTRY));
+
+        // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD>ջ<EFBFBD>ָ<EFBFBD><D6B8><EFBFBD>Լ<EFBFBD><D4BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ǰ<EFBFBD>ڵ<EFBFBD><DAB5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD><EFBFBD>Ч<EFBFBD>ڵ<EFBFBD>
+        if (currentEntry.Flink == nullptr ||
+            (uint64_t)currentEntry.Flink == currentLink ||
+            (uint64_t)currentEntry.Flink == 0) {
+            lastLink = currentLink;
+            break;
+        }
+
+        // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ<EFBFBD><CDB7>˵<EFBFBD><CBB5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȷ<EFBFBD>պ<EFBFBD>
+        if ((uint64_t)currentEntry.Flink == listHeadAddr) {
+            return; // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȷ<EFBFBD>պϣ<D5BA><CFA3><EFBFBD><EFBFBD><EFBFBD><EFBFBD>޸<EFBFBD>
+        }
+
+        lastLink = currentLink;
+        currentLink = (uint64_t)currentEntry.Flink;
+    }
+
+    // <20><><EFBFBD><EFBFBD><EFBFBD>ҵ<EFBFBD><D2B5><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>Ԫ<EFBFBD>أ<EFBFBD><D8A3><EFBFBD><EFBFBD>޸<EFBFBD><DEB8><EFBFBD><EFBFBD><EFBFBD>
+    if (lastLink != 0) {
+        // <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>Ԫ<EFBFBD><D4AA>
+        LIST_ENTRY lastEntry;
+        uc_mem_read(m_ucEngine, lastLink, &lastEntry, sizeof(LIST_ENTRY));
+
+        // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>Ԫ<EFBFBD>ص<EFBFBD>Flinkָ<6B><D6B8><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ
+        lastEntry.Flink = (LIST_ENTRY*)listHeadAddr;
+        uc_mem_write(m_ucEngine, lastLink, &lastEntry, sizeof(LIST_ENTRY));
+
+        // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ<EFBFBD><CDB7>Blinkָ<6B><D6B8><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>Ԫ<EFBFBD><D4AA>
+        listHead.Blink = (LIST_ENTRY*)lastLink;
+        uc_mem_write(m_ucEngine, listHeadAddr, &listHead, sizeof(LIST_ENTRY));
+
+        if (LOG_LEVEL > 4) {
+            printf("<EFBFBD><EFBFBD><EFBFBD>޸<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͷ=0x%llx, <20><><EFBFBD><EFBFBD>Ԫ<EFBFBD><D4AA>=0x%llx\n",
+                listHeadAddr, lastLink);
+        }
+    }
+}
 // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ӡָ<D3A1><D6B8><EFBFBD><EFBFBD>LDR<44><52><EFBFBD><EFBFBD>
 auto Sandbox::DumpLdrList(const char* listName, uint64_t ldrDataBase, size_t listOffset, size_t entryLinkOffset) -> void {
    if (LOG_LEVEL > 4) {