fix 1

ai_anti_malware/ai_anti_malware.cpp

@@ -5,9 +5,7 @@
 
 auto getPeInfo(std::string inputFilePath) -> std::shared_ptr<BasicPeInfo> {
     auto sampleInfo = std::make_shared<BasicPeInfo>();
-    sampleInfo->inputFilePath =
+    sampleInfo->inputFilePath = inputFilePath;
-        "E:\\对战平台\\CrowAntiCheat\\CrowAntiCheat\\client\\Console_"
-        "Test\\Release\\Console_Test.exe";
 
     sampleInfo->peBuffer =
         peconv::load_pe_module((const char*)sampleInfo->inputFilePath.c_str(),
@@ -19,8 +17,9 @@ auto getPeInfo(std::string inputFilePath) -> std::shared_ptr<BasicPeInfo> {
         sampleInfo->isX64
             ? (DWORD64)sampleInfo->ntHead64->OptionalHeader.ImageBase
             : (DWORD)sampleInfo->ntHead32->OptionalHeader.ImageBase;
-    sampleInfo->isRelocated = peconv::relocate_module(
+    sampleInfo->isRelocated =
-        (BYTE*)sampleInfo->peBuffer, sampleInfo->peSize, sampleInfo->RecImageBase);
+        peconv::relocate_module((BYTE*)sampleInfo->peBuffer, sampleInfo->peSize,
+                                sampleInfo->RecImageBase);
 
     sampleInfo->entryPoint =
         sampleInfo->isX64

ai_anti_malware/native_struct.h

@@ -388,23 +388,19 @@ typedef struct X64PEB {
 };
 static_assert(sizeof(X64PEB) == 0x7c8, "X64PEB Size check");
 // 0x8 bytes (sizeof)
-struct _STRING32
+struct _STRING32 {
-{
     USHORT Length;         // 0x0
     USHORT MaximumLength;  // 0x2
     ULONG Buffer;          // 0x4
 };
 // 0x480 bytes (sizeof)
-struct X32PEB
+struct X32PEB {
-{
     UCHAR InheritedAddressSpace;     // 0x0
     UCHAR ReadImageFileExecOptions;  // 0x1
     UCHAR BeingDebugged;             // 0x2
-    union
+    union {
-    {
         UCHAR BitField;  // 0x3
-        struct
+        struct {
-        {
             UCHAR ImageUsesLargePages : 1;           // 0x3
             UCHAR IsProtectedProcess : 1;            // 0x3
             UCHAR IsImageDynamicallyRelocated : 1;   // 0x3
@@ -424,11 +420,9 @@ struct X32PEB
     ULONG FastPebLock;        // 0x1c
     ULONG AtlThunkSListPtr;   // 0x20
     ULONG IFEOKey;            // 0x24
-    union
+    union {
-    {
         ULONG CrossProcessFlags;  // 0x28
-        struct
+        struct {
-        {
             ULONG ProcessInJob : 1;                // 0x28
             ULONG ProcessInitializing : 1;         // 0x28
             ULONG ProcessUsingVEH : 1;             // 0x28
@@ -440,8 +434,7 @@ struct X32PEB
             ULONG ReservedBits0 : 24;              // 0x28
         };
     };
-    union
+    union {
-    {
         ULONG KernelCallbackTable;  // 0x2c
         ULONG UserSharedInfoPtr;    // 0x2c
     };
@@ -501,11 +494,9 @@ struct X32PEB
     ULONG WerShipAssertPtr;                       // 0x234
     ULONG pUnused;                                // 0x238
     ULONG pImageHeaderHash;                       // 0x23c
-    union
+    union {
-    {
         ULONG TracingFlags;  // 0x240
-        struct
+        struct {
-        {
             ULONG HeapTracingEnabled : 1;       // 0x240
             ULONG CritSecTracingEnabled : 1;    // 0x240
             ULONG LibLoaderTracingEnabled : 1;  // 0x240
@@ -522,11 +513,9 @@ struct X32PEB
     CHAR PlaceholderCompatibilityMode;             // 0x468
     CHAR PlaceholderCompatibilityModeReserved[7];  // 0x469
     ULONG LeapSecondData;                          // 0x470
-    union
+    union {
-    {
         ULONG LeapSecondFlags;  // 0x474
-        struct
+        struct {
-        {
             ULONG SixtySecondEnabled : 1;  // 0x474
             ULONG Reserved : 31;           // 0x474
         };
@@ -535,16 +524,14 @@ struct X32PEB
 };
 static_assert(sizeof(X32PEB) == 0x480, "X64PEB Size check");
 // 0x4e0 bytes (sizeof)
-struct _GDI_TEB_BATCH32
+struct _GDI_TEB_BATCH32 {
-{
     ULONG Offset : 31;              // 0x0
     ULONG HasRenderingCommand : 1;  // 0x0
     ULONG HDC;                      // 0x4
     ULONG Buffer[310];              // 0x8
 };
 // 0x18 bytes (sizeof)
-struct _ACTIVATION_CONTEXT_STACK32
+struct _ACTIVATION_CONTEXT_STACK32 {
-{
     ULONG ActiveFrame;                   // 0x0
     struct LIST_ENTRY32 FrameListCache;  // 0x4
     ULONG Flags;                         // 0xc
@@ -552,14 +539,12 @@ struct _ACTIVATION_CONTEXT_STACK32
     ULONG StackId;                       // 0x14
 };
 // 0x8 bytes (sizeof)
-struct _CLIENT_ID32
+struct _CLIENT_ID32 {
-{
     ULONG UniqueProcess;  // 0x0
     ULONG UniqueThread;   // 0x4
 };
 // 0x1000 bytes (sizeof)
-struct X32TEB
+struct X32TEB {
-{
     struct _NT_TIB32 NtTib;                               // 0x0
     ULONG EnvironmentPointer;                             // 0x1c
     struct _CLIENT_ID32 ClientId;                         // 0x20
@@ -623,12 +608,10 @@ struct X32TEB
     ULONG EtwTraceData;                                   // 0xf68
     ULONG WinSockData;                                    // 0xf6c
     ULONG GdiBatchCount;                                  // 0xf70
-    union
+    union {
-    {
         struct _PROCESSOR_NUMBER CurrentIdealProcessor;  // 0xf74
         ULONG IdealProcessorValue;                       // 0xf74
-        struct
+        struct {
-        {
             UCHAR ReservedPad0;    // 0xf74
             UCHAR ReservedPad1;    // 0xf75
             UCHAR ReservedPad2;    // 0xf76
@@ -655,16 +638,13 @@ struct X32TEB
     ULONG UserPrefLanguages;         // 0xfbc
     ULONG MergedPrefLanguages;       // 0xfc0
     ULONG MuiImpersonation;          // 0xfc4
-    union
+    union {
-    {
         volatile USHORT CrossTebFlags;  // 0xfc8
         USHORT SpareCrossTebBits : 16;  // 0xfc8
     };
-    union
+    union {
-    {
         USHORT SameTebFlags;  // 0xfca
-        struct
+        struct {
-        {
             USHORT SafeThunkCall : 1;         // 0xfca
             USHORT InDebugPrint : 1;          // 0xfca
             USHORT HasFiberData : 1;          // 0xfca
@@ -984,6 +964,7 @@ struct struct_moudle {
     uint64_t entry;
     uint64_t base;
     uint64_t size;
+    uint64_t real_base;
     std::vector<std::shared_ptr<moudle_import>> import_function;
     std::vector<std::shared_ptr<moudle_export>> export_function;
     std::vector<std::shared_ptr<moudle_section>> sections;

ai_anti_malware/sandbox.cpp

@@ -134,20 +134,13 @@ Sandbox::Sandbox() {}
 
 Sandbox::~Sandbox() {}
 
-auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
+auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void {
-                             uint32_t x32Base) -> void {
+    for (auto module : m_moduleList) {
-    // 检查模块是否已加载
+        if (module->real_base == moduleBase) {
-    auto isModuleLoaded =
+            printf("skip module name: %s (already loaded)\n", module->name);
-        std::any_of(m_moduleList.begin(), m_moduleList.end(),
-                    [moduleBase](std::shared_ptr<struct_moudle> module) {
-                        return module->base == moduleBase;
-                    });
-
-    if (isModuleLoaded) {
-        std::cout << "[PE] Skipping " << dllName << " (already loaded)\n";
             return;
         }
-
+    }
     // 解析PE头
     auto* dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(moduleBase);
     auto* ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(
@@ -169,7 +162,9 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
     // 创建新模块
     struct_moudle newModule{};
     strncpy(newModule.name, dllName, strlen(dllName));
-    newModule.base = this->m_peInfo->isX64 ? moduleBase : x32Base;
+    newModule.base =
+        this->m_peInfo->isX64 ? moduleBase : static_cast<uint32_t>(moduleBase);
+    newModule.real_base = moduleBase;
     newModule.entry = ntHeaders->OptionalHeader.AddressOfEntryPoint;
     newModule.size = ntHeaders->OptionalHeader.SizeOfImage;
 
@@ -208,9 +203,11 @@ auto Sandbox::PushModuleToVM(const char* dllName, uint64_t moduleBase,
                   << '\n';
     }
     m_moduleList.push_back(std::make_shared<struct_moudle>(newModule));
-    uc_mem_map(m_ucEngine, moduleBase, newModule.size,
+    printf("push `%s` module to vm base: %llx vm size: %llx\n", newModule.name,
+           newModule.base, newModule.size);
+    uc_mem_map(m_ucEngine, newModule.base, newModule.size,
                UC_PROT_READ | UC_PROT_EXEC);
-    uc_mem_write(m_ucEngine, moduleBase, (void*)moduleBase, newModule.size);
+    uc_mem_write(m_ucEngine, newModule.base, (void*)moduleBase, newModule.size);
 }
 
 auto Sandbox::ResolveExport() -> void {
@@ -260,6 +257,12 @@ auto Sandbox::ResolveExport() -> void {
 }
 
 auto Sandbox::processImportModule(const moudle_import* importModule) -> void {
+    for (auto module : m_moduleList) {
+        if (strcmp(module->name, importModule->dll_name) == 0) {
+            printf("skip module name: %s (already loaded)\n", module->name);
+            return;
+        }
+    }
     // 构建模块路径
     const std::string systemDir =
         m_peInfo->isX64 ? "\\System32\\" : "\\SysWOW64\\";
@@ -281,8 +284,7 @@ auto Sandbox::processImportModule(const moudle_import* importModule) -> void {
     }
 
     // 添加到虚拟机
-    const auto moduleBase32 = static_cast<uint32_t>(moduleBase);
+    PushModuleToVM(importModule->dll_name, moduleBase);
-    PushModuleToVM(importModule->dll_name, moduleBase, moduleBase32);
 }
 auto Sandbox::ResoveImport() -> void {
     // 处理延迟导入

ai_anti_malware/sandbox.h

@@ -88,7 +88,6 @@ class Sandbox {
     auto ResoveImport() -> void;
     auto SetupVirtualMachine() -> void;
     auto ResolveExport() -> void;
-    auto PushModuleToVM(const char* dllName, uint64_t moduleBase,
+    auto PushModuleToVM(const char* dllName, uint64_t moduleBase) -> void;
-                        uint32_t x32Base) -> void;
     auto processImportModule(const moudle_import* importModule) -> void;
 };