add new API
@@ -858,7 +858,19 @@ auto Api_AdjustTokenPrivileges(void* sandbox, uc_engine* uc, uint64_t address)
|
||||
context->GetTeb32()->LastErrorValue = error;
|
||||
}
|
||||
}
|
||||
|
||||
auto Api_GetTickCount(void* sandbox, uc_engine* uc, uint64_t address) -> void {
|
||||
auto context = static_cast<Sandbox*>(sandbox);
|
||||
// 调用真实的 Windows API 获取当前系统启动以来的毫秒数
|
||||
DWORD tick_count = GetTickCount();
|
||||
// 将结果写入模拟器的返回值寄存器
|
||||
// GetTickCount 返回的是 DWORD (32位),因此无论 x64 还是 x86,都写入 EAX
|
||||
// 在 x64 架构中,EAX 是 RAX 的低 32 位
|
||||
uint32_t result = tick_count;
|
||||
uc_reg_write(uc,
|
||||
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
|
||||
&result);
|
||||
printf("[*] GetTickCount called, returning 0x%x (%u)\n", tick_count, tick_count);
|
||||
}
|
||||
auto Sandbox::InitApiHooks() -> void {
|
||||
auto FakeApi_GetSystemTimeAsFileTime =
|
||||
_fakeApi{.func = Api_GetSystemTimeAsFileTime, .paramCount = 1};
|
||||
@@ -903,6 +915,8 @@ auto Sandbox::InitApiHooks() -> void {
|
||||
_fakeApi{.func = Api_LeaveCriticalSection, .paramCount = 1};
|
||||
auto FakeApi_GetStartupInfoW =
|
||||
_fakeApi{.func = Api_GetStartupInfoW, .paramCount = 1};
|
||||
auto FakeApi_GetStartupInfoA =
|
||||
_fakeApi{ .func = Api_GetStartupInfoA, .paramCount = 1 };
|
||||
auto FakeApi_GetStdHandle =
|
||||
_fakeApi{.func = Api_GetStdHandle, .paramCount = 1};
|
||||
auto FakeApi_GetFileType =
|
||||
@@ -1038,13 +1052,15 @@ auto Sandbox::InitApiHooks() -> void {
|
||||
// *** 新增 LCMapStringEx ***
|
||||
auto FakeApi_LCMapStringEx =
|
||||
_fakeApi{.func = Api_LCMapStringEx, .paramCount = 9}; // LCMapStringEx 有 9 个参数
|
||||
|
||||
auto FakeApi_GetTickCount = _fakeApi{ .func = Api_GetTickCount, .paramCount = 0 }; // !!! 新增行 !!!
|
||||
|
||||
// 添加文件操作相关API
|
||||
auto FakeApi_CreateFileW = _fakeApi{.func = Api_CreateFileW, .paramCount = 7};
|
||||
auto FakeApi_ReadFileA = _fakeApi{.func = Api_ReadFileA, .paramCount = 5};
|
||||
auto FakeApi_ReadFileW = _fakeApi{.func = Api_ReadFileW, .paramCount = 5};
|
||||
auto FakeApi_CloseFile = _fakeApi{.func = Api_CloseFile, .paramCount = 1};
|
||||
|
||||
auto FakeApi__initterm =
|
||||
_fakeApi{ .func = Api__initterm, .paramCount = 2 }; // 新增行
|
||||
api_map = {
|
||||
{"GetSystemTimeAsFileTime",
|
||||
std::make_shared<_fakeApi>(FakeApi_GetSystemTimeAsFileTime)},
|
||||
@@ -1082,6 +1098,8 @@ auto Sandbox::InitApiHooks() -> void {
|
||||
std::make_shared<_fakeApi>(FakeApi_LeaveCriticalSection)},
|
||||
{"GetStartupInfoW",
|
||||
std::make_shared<_fakeApi>(FakeApi_GetStartupInfoW)},
|
||||
{"GetStartupInfoA",
|
||||
std::make_shared<_fakeApi>(FakeApi_GetStartupInfoA)},
|
||||
{"GetStdHandle", std::make_shared<_fakeApi>(FakeApi_GetStdHandle)},
|
||||
{"GetFileType", std::make_shared<_fakeApi>(FakeApi_GetFileType)},
|
||||
{"GetCommandLineA",
|
||||
@@ -1176,6 +1194,7 @@ auto Sandbox::InitApiHooks() -> void {
|
||||
{"TlsFree", std::make_shared<_fakeApi>(FakeApi_TlsFree)},
|
||||
{"FlsAlloc", std::make_shared<_fakeApi>(FakeApi_FlsAlloc)},
|
||||
{"FlsGetValue", std::make_shared<_fakeApi>(FakeApi_FlsGetValue)},
|
||||
{"_initterm", std::make_shared<_fakeApi>(FakeApi__initterm) }, // 新增行
|
||||
{"_initterm_e", std::make_shared<_fakeApi>(FakeApi__initterm_e)},
|
||||
{"GetStringTypeW", std::make_shared<_fakeApi>(FakeApi_GetStringTypeW)},
|
||||
{"LCMapStringW", std::make_shared<_fakeApi>(FakeApi_LCMapStringW)},
|
||||
@@ -1194,6 +1213,8 @@ auto Sandbox::InitApiHooks() -> void {
|
||||
{"ReadFileA", std::make_shared<_fakeApi>(FakeApi_ReadFileA)},
|
||||
{"ReadFileW", std::make_shared<_fakeApi>(FakeApi_ReadFileW)},
|
||||
{"CloseFile", std::make_shared<_fakeApi>(FakeApi_CloseFile)},
|
||||
{ "GetTickCount", std::make_shared<_fakeApi>(FakeApi_GetTickCount) }, // !!! 新增行 !!!
|
||||
|
||||
};
|
||||
}
|
||||
auto Sandbox::EmulateApi(uc_engine* uc, uint64_t address, uint64_t rip,
|
||||
|
||||
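Review bot: In the first hunk, Api_GetTickCount passes `&result`, a 4-byte `uint32_t`, to uc_reg_write for `UC_X86_REG_RAX` on x64, and a 64-bit register write reads 8 bytes from that address, so the upper half of RAX receives whatever follows the local on the stack and the read itself is out of bounds. Declaring `uint64_t result = tick_count;` fixes both cases at once (the x86 EAX write still takes the low 4 bytes on a little-endian host), and the comment above it should then say RAX on x64 rather than EAX. Separately, forwarding the host's real GetTickCount() value makes every emulation run non-deterministic and hands the emulated sample a host-derived clock it can compare across calls, which is the usual basis of timing-based emulator detection. A sandbox-owned tick counter (a fixed base advanced by the sandbox per call or with the emulated instruction count) would keep runs reproducible and remove that signal. The Api_AdjustTokenPrivileges body at the top of the hunk begins outside it, and Sandbox::InitApiHooks spans the remaining hunks.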