Log rdtsc

2026-01-18 19:23:56 +00:00 · 2025-08-15 12:54:36 +02:00
parent 6584eaaff5
commit 127ed1b552
3 changed files with 42 additions and 0 deletions
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -321,6 +321,40 @@ namespace
        }
    }

+    void handle_rdtsc(const analysis_context& c)
+    {
+        auto& win_emu = *c.win_emu;
+        auto& emu = win_emu.emu();
+
+        const auto rip = emu.read_instruction_pointer();
+        const auto mod = get_module_if_interesting(win_emu.mod_manager, c.settings->modules, rip);
+
+        if (!mod.has_value())
+        {
+            return;
+        }
+
+        win_emu.log.print(color::blue, "Executing RDTSC instruction at 0x%" PRIx64 " (%s)\n", rip,
+                          (*mod) ? (*mod)->name.c_str() : "<N/A>");
+    }
+
+    void handle_rdtscp(const analysis_context& c)
+    {
+        auto& win_emu = *c.win_emu;
+        auto& emu = win_emu.emu();
+
+        const auto rip = emu.read_instruction_pointer();
+        const auto mod = get_module_if_interesting(win_emu.mod_manager, c.settings->modules, rip);
+
+        if (!mod.has_value())
+        {
+            return;
+        }
+
+        win_emu.log.print(color::blue, "Executing RDTSCP instruction at 0x%" PRIx64 " (%s)\n", rip,
+                          (*mod) ? (*mod)->name.c_str() : "<N/A>");
+    }
+
    emulator_callbacks::continuation handle_syscall(const analysis_context& c, const uint32_t syscall_id,
                                                    const std::string_view syscall_name)
    {
@@ -447,6 +481,8 @@ void register_analysis_callbacks(analysis_context& c)

    cb.on_stdout = make_callback(c, handle_stdout);
    cb.on_syscall = make_callback(c, handle_syscall);
+    cb.on_rdtsc = make_callback(c, handle_rdtsc);
+    cb.on_rdtscp = make_callback(c, handle_rdtscp);
    cb.on_ioctrl = make_callback(c, handle_ioctrl);

    cb.on_memory_protect = make_callback(c, handle_memory_protect);
--- a/src/windows-emulator/windows_emulator.cpp
+++ b/src/windows-emulator/windows_emulator.cpp
@@ -437,6 +437,8 @@ void windows_emulator::setup_hooks()
    });

    this->emu().hook_instruction(x86_hookable_instructions::rdtscp, [&] {
+        this->callbacks.on_rdtscp();
+
        const auto ticks = this->clock_->timestamp_counter();
        this->emu().reg(x86_register::rax, ticks & 0xFFFFFFFF);
        this->emu().reg(x86_register::rdx, (ticks >> 32) & 0xFFFFFFFF);
@@ -449,6 +451,8 @@ void windows_emulator::setup_hooks()
    });

    this->emu().hook_instruction(x86_hookable_instructions::rdtsc, [&] {
+        this->callbacks.on_rdtsc();
+
        const auto ticks = this->clock_->timestamp_counter();
        this->emu().reg(x86_register::rax, ticks & 0xFFFFFFFF);
        this->emu().reg(x86_register::rdx, (ticks >> 32) & 0xFFFFFFFF);
--- a/src/windows-emulator/windows_emulator.hpp
+++ b/src/windows-emulator/windows_emulator.hpp
@@ -27,6 +27,8 @@ struct emulator_callbacks : module_manager::callbacks, process_context::callback
    opt_func<void(uint64_t address, uint64_t length, memory_permission, bool commit)> on_memory_allocate{};
    opt_func<void(uint64_t address, uint64_t length, memory_operation, memory_violation_type type)> on_memory_violate{};

+    opt_func<void()> on_rdtsc{};
+    opt_func<void()> on_rdtscp{};
    opt_func<continuation(uint32_t syscall_id, std::string_view syscall_name)> on_syscall{};
    opt_func<void(std::string_view data)> on_stdout{};
    opt_func<void(std::string_view type, std::u16string_view name)> on_generic_access{};