Better import access tracking

2026-01-19 11:43:56 +00:00 · 2025-08-09 18:02:37 +02:00
parent 2abe1737f3
commit 3b9320fd62
2 changed files with 18 additions and 14 deletions
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -172,19 +172,19 @@ namespace
            return;
        }

-        auto entry = c.accessed_imports.find(address);
-        if (entry != c.accessed_imports.end())
-        {
-            c.accessed_imports.erase(entry);
-        }
-
        const auto& t = c.win_emu->current_thread();
-        for (entry = c.accessed_imports.begin(); entry != c.accessed_imports.end();)
+        for (auto entry = c.accessed_imports.begin(); entry != c.accessed_imports.end();)
        {
-            auto& a = entry->second;
+            auto& a = *entry;
+            const auto is_same_thread = t.id == a.thread_id;
+
+            if (is_same_thread && address == a.address)
+            {
+                entry = c.accessed_imports.erase(entry);
+                continue;
+            }

            constexpr auto inst_delay = 100u;
-            const auto is_same_thread = t.id == a.thread_id;
            const auto execution_delay_reached =
                is_same_thread && a.access_inst_count + inst_delay <= t.executed_instructions;

@@ -273,8 +273,8 @@ namespace
            const auto* mod_name = win_emu.mod_manager.find_name(return_address);

            win_emu.log.print(is_interesting_call ? color::yellow : color::dark_gray,
-                              "Executing function: %s - %s (0x%" PRIx64 ") via (0x%" PRIx64 ") %s\n",
-                              binary->name.c_str(), export_entry->second.c_str(), address, return_address, mod_name);
+                              "Executing function: %s (%s) (0x%" PRIx64 ") via (0x%" PRIx64 ") %s\n",
+                              export_entry->second.c_str(), binary->name.c_str(), address, return_address, mod_name);

            if (is_interesting_call)
            {
@@ -385,9 +385,10 @@ namespace
                        continue;
                    }

-                    const auto function_address = c.win_emu->emu().read_memory<uint64_t>(address);
+                    accessed_import access{};
+
+                    access.address = c.win_emu->emu().read_memory<uint64_t>(address);

-                    auto& access = c.accessed_imports[function_address];
                    access.access_rip = c.win_emu->emu().read_instruction_pointer();
                    access.accessor_module = c.win_emu->mod_manager.find_name(access.access_rip);

@@ -398,6 +399,8 @@ namespace
                    access.thread_id = t.id;
                    access.access_inst_count = t.executed_instructions;

+                    c.accessed_imports.push_back(std::move(access));
+
                    return;
                }
            }
--- a/src/analyzer/analysis.hpp
+++ b/src/analyzer/analysis.hpp
@@ -22,6 +22,7 @@ struct analysis_settings

 struct accessed_import
 {
+    uint64_t address{};
    uint32_t thread_id{};
    uint64_t access_rip{};
    uint64_t access_inst_count{};
@@ -38,7 +39,7 @@ struct analysis_context
    std::string output{};
    bool has_reached_main{false};

-    std::map<uint64_t, accessed_import> accessed_imports{};
+    std::vector<accessed_import> accessed_imports{};
 };

 void register_analysis_callbacks(analysis_context& c);