From 127ed1b552eaf163fca5e0eeede3e80889b6bca7 Mon Sep 17 00:00:00 2001
From: momo5502
Date: Fri, 15 Aug 2025 12:54:36 +0200
Subject: [PATCH] Log rdtsc
---
 src/analyzer/analysis.cpp | 36 +++++++++++++++++++++++
 src/windows-emulator/windows_emulator.cpp | 4 +++
 src/windows-emulator/windows_emulator.hpp | 2 ++
 3 files changed, 42 insertions(+)
diff --git a/src/analyzer/analysis.cpp b/src/analyzer/analysis.cpp
index 0e5671dd..a0cc975d 100644
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -321,6 +321,40 @@ namespace
 }
 }
+ void handle_rdtsc(const analysis_context& c)
+ {
+ auto& win_emu = *c.win_emu;
+ auto& emu = win_emu.emu();
+
+ const auto rip = emu.read_instruction_pointer();
+ const auto mod = get_module_if_interesting(win_emu.mod_manager, c.settings->modules, rip);
+
+ if (!mod.has_value())
+ {
+ return;
+ }
+
+ win_emu.log.print(color::blue, "Executing RDTSC instruction at 0x%" PRIx64 " (%s)\n", rip,
+ (*mod) ? (*mod)->name.c_str() : "");
+ }
+
+ void handle_rdtscp(const analysis_context& c)
+ {
+ auto& win_emu = *c.win_emu;
+ auto& emu = win_emu.emu();
+
+ const auto rip = emu.read_instruction_pointer();
+ const auto mod = get_module_if_interesting(win_emu.mod_manager, c.settings->modules, rip);
+
+ if (!mod.has_value())
+ {
+ return;
+ }
+
+ win_emu.log.print(color::blue, "Executing RDTSCP instruction at 0x%" PRIx64 " (%s)\n", rip,
+ (*mod) ? (*mod)->name.c_str() : "");
+ }
+
 emulator_callbacks::continuation handle_syscall(const analysis_context& c, const uint32_t syscall_id,
 const std::string_view syscall_name)
 {
@@ -447,6 +481,8 @@ void register_analysis_callbacks(analysis_context& c)
 cb.on_stdout = make_callback(c, handle_stdout);
 cb.on_syscall = make_callback(c, handle_syscall);
+ cb.on_rdtsc = make_callback(c, handle_rdtsc);
+ cb.on_rdtscp = make_callback(c, handle_rdtscp);
 cb.on_ioctrl = make_callback(c, handle_ioctrl);
 cb.on_memory_protect = make_callback(c, handle_memory_protect);
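Review bot: `handle_rdtsc` and `handle_rdtscp` in the first hunk are line-for-line copies that differ only in the mnemonic inside the format string, so any later change to the module filter or the message has to be made twice. A single file-local helper that takes the mnemonic, with both handlers forwarding to it, keeps the two in step; a sketch follows. Separately, the handlers print on every execution inside an interesting module, so code that samples the timestamp counter in a loop, as timing checks commonly do, could dominate the log unless `log.print` or a caller deduplicates, which is not visible in this hunk.

```cpp
void log_timestamp_read(const analysis_context& c, const char* mnemonic)
{
    auto& win_emu = *c.win_emu;

    const auto rip = win_emu.emu().read_instruction_pointer();
    const auto mod = get_module_if_interesting(win_emu.mod_manager, c.settings->modules, rip);

    if (!mod.has_value())
    {
        return;
    }

    win_emu.log.print(color::blue, "Executing %s instruction at 0x%" PRIx64 " (%s)\n", mnemonic, rip,
                      (*mod) ? (*mod)->name.c_str() : "");
}

void handle_rdtsc(const analysis_context& c)
{
    log_timestamp_read(c, "RDTSC");
}

void handle_rdtscp(const analysis_context& c)
{
    log_timestamp_read(c, "RDTSCP");
}
```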
diff --git a/src/windows-emulator/windows_emulator.cpp b/src/windows-emulator/windows_emulator.cpp
index da3ddd09..915f5b84 100644
--- a/src/windows-emulator/windows_emulator.cpp
+++ b/src/windows-emulator/windows_emulator.cpp
@@ -437,6 +437,8 @@ void windows_emulator::setup_hooks()
 });
 this->emu().hook_instruction(x86_hookable_instructions::rdtscp, [&] {
+ this->callbacks.on_rdtscp();
+
 const auto ticks = this->clock_->timestamp_counter();
 this->emu().reg(x86_register::rax, ticks & 0xFFFFFFFF);
 this->emu().reg(x86_register::rdx, (ticks >> 32) & 0xFFFFFFFF);
@@ -449,6 +451,8 @@ void windows_emulator::setup_hooks()
 });
 this->emu().hook_instruction(x86_hookable_instructions::rdtsc, [&] {
+ this->callbacks.on_rdtsc();
+
 const auto ticks = this->clock_->timestamp_counter();
 this->emu().reg(x86_register::rax, ticks & 0xFFFFFFFF);
 this->emu().reg(x86_register::rdx, (ticks >> 32) & 0xFFFFFFFF);
diff --git a/src/windows-emulator/windows_emulator.hpp b/src/windows-emulator/windows_emulator.hpp
index 982a1f82..6e871b28 100644
--- a/src/windows-emulator/windows_emulator.hpp
+++ b/src/windows-emulator/windows_emulator.hpp
@@ -27,6 +27,8 @@ struct emulator_callbacks : module_manager::callbacks, process_context::callback
 opt_func on_memory_allocate{};
 opt_func on_memory_violate{};
+ opt_func on_rdtsc{};
+ opt_func on_rdtscp{};
 opt_func on_syscall{};
 opt_func on_stdout{};
 opt_func on_generic_access{};
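Review bot: The contract of the new callbacks is not stated at their call sites, `this->callbacks.on_rdtscp();` in this hunk and `this->callbacks.on_rdtsc();` in the next one. Each runs before `ticks` is sampled and takes no arguments, so an observer can neither see nor influence the value written to RAX/RDX. A short comment such as `// Notify observers first; the tick value is sampled afterwards and is not passed to the callback.` would make that explicit. The analyzer handler reads the instruction pointer inside this callback and logs it as the address of the instruction, which presumably relies on the hook firing before RIP advances; that is not visible here and is worth confirming. Both lambdas continue outside their hunks.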