From 6da3f27da6cd30f9061b501c3edb4b08766f76bc Mon Sep 17 00:00:00 2001
From: momo5502
Date: Fri, 3 Jan 2025 16:43:07 +0100
Subject: [PATCH 1/2] Fix .text logging

---
 src/analyzer/main.cpp | 44 ++++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 21 deletions(-)

diff --git a/src/analyzer/main.cpp b/src/analyzer/main.cpp
index d6cdfb3e..d6d7e191 100644
--- a/src/analyzer/main.cpp
+++ b/src/analyzer/main.cpp
@@ -3,7 +3,7 @@
 #include
 #include
 
-//#define CONCISE_EMULATOR_OUTPUT
+#define CONCISE_EMULATOR_OUTPUT
 
 #include "object_watching.hpp"
 
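Review bot: Enabling `#define CONCISE_EMULATOR_OUTPUT` in the source turns the sampling inside the executable-section hooks on for every build: after the first 100 accesses only one in 10000 is printed (`if (count > 100 && count % 10000 != 0) return;` in the hooks this patch also touches), so most reads and writes of the image's code are silently dropped. If that is the intended default, a comment next to the define saying so would prevent the next reader from treating it as a leftover debugging toggle, e.g. `// Sample executable-section access logs: first 100 printed, then 1 in 10000`. Otherwise passing it as a compiler definition keeps the toggle out of the source history.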
@@ -124,39 +124,41 @@ namespace
 auto read_handler = [&, section](const uint64_t address, size_t, uint64_t)
 {
 const auto rip = win_emu.emu().read_instruction_pointer();
- if (rip >= section.region.start && rip < section.region.start + section.
- region.length)
+ if (win_emu.process().module_manager.find_by_address(rip) != win_emu.process().executable)
 {
+ return;
+ }
+
 #ifdef CONCISE_EMULATOR_OUTPUT
- static uint64_t count{0};
- ++count;
- if (count > 100 && count % 10000 != 0) return;
+ static uint64_t count{0};
+ ++count;
+ if (count > 100 && count % 10000 != 0) return;
 #endif
 
- win_emu.logger.print(
- color::green,
- "Reading from executable section %s: 0x%llX at 0x%llX\n",
- section.name.c_str(), address, rip);
- }
+ win_emu.logger.print(
+ color::green,
+ "Reading from executable section %s at 0x%llX via 0x%llX\n",
+ section.name.c_str(), address, rip);
 };
 
 const auto write_handler = [&, section](const uint64_t address, size_t, uint64_t)
 {
 const auto rip = win_emu.emu().read_instruction_pointer();
- if (rip >= section.region.start && rip < section.region.start + section.
- region.length)
+ if (win_emu.process().module_manager.find_by_address(rip) != win_emu.process().executable)
 {
+ return;
+ }
+
 #ifdef CONCISE_EMULATOR_OUTPUT
- static uint64_t count{0};
- ++count;
- if (count > 100 && count % 10000 != 0) return;
+ static uint64_t count{0};
+ ++count;
+ if (count > 100 && count % 10000 != 0) return;
 #endif
 
- win_emu.logger.print(
- color::cyan,
- "Writing to executable section %s: 0x%llX at 0x%llX\n",
- section.name.c_str(), address, rip);
- }
+ win_emu.logger.print(
+ color::blue,
+ "Writing to executable section %s at 0x%llX via 0x%llX\n",
+ section.name.c_str(), address, rip);
 };
 
 win_emu.emu().hook_memory_read(section.region.start, section.region.length, std::move(read_handler));
From 912e9c93792accca56534da457acb6aba1e7e243 Mon Sep 17 00:00:00 2001
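Review bot: The new guard `if (win_emu.process().module_manager.find_by_address(rip) != win_emu.process().executable) return;` in both handlers also discards accesses whose rip lies in no loaded module at all, because a null lookup result compares unequal to the executable just like a foreign module does; the range check it replaces had the same gap, but for a sandbox that is the case most worth seeing, a stub on the heap or stack reading or patching the main image's code. Unless dropping it is intentional, keep the lookup result and return only for a different known module: `const auto* mod = win_emu.process().module_manager.find_by_address(rip);` followed by `if (mod && mod != win_emu.process().executable) return;`. That find_by_address yields a null pointer for unmapped addresses is inferred from the pointer comparison here, so confirm it against module_manager before relying on it. The read and write lambdas are now identical apart from the colour and the format string, so one helper taking those two arguments would stop them drifting apart again. Both lambdas sit inside a function whose start and end lie outside this hunk.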
From: momo5502
Date: Fri, 3 Jan 2025 17:29:00 +0100
Subject: [PATCH 2/2] Log crafted out-of-line syscalls

---
 src/windows-emulator/syscall_dispatcher.cpp | 25 ++++++++++++++++-----
 src/windows-emulator/windows_emulator.cpp | 2 +-
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/windows-emulator/syscall_dispatcher.cpp b/src/windows-emulator/syscall_dispatcher.cpp
index 30787315..e806720c 100644
--- a/src/windows-emulator/syscall_dispatcher.cpp
+++ b/src/windows-emulator/syscall_dispatcher.cpp
@@ -100,13 +100,26 @@ void syscall_dispatcher::dispatch(windows_emulator& win_emu)
 }
 else
 {
- const auto rsp = c.emu.read_stack_pointer();
- const auto return_address = c.emu.read_memory(rsp);
- const auto* mod_name = context.module_manager.find_name(return_address);
+ const auto* previous_mod = context.module_manager.find_by_address(context.previous_ip);
+ if (previous_mod == mod)
+ {
+ const auto rsp = c.emu.read_stack_pointer();
+ const auto return_address = c.emu.read_memory(rsp);
+ const auto* mod_name = context.module_manager.find_name(return_address);
 
- win_emu.logger.print(color::dark_gray, "Executing syscall: %s (0x%X) at 0x%llX via 0x%llX (%s)\n",
- entry->second.name.c_str(),
- syscall_id, address, return_address, mod_name);
+ win_emu.logger.print(color::dark_gray, "Executing syscall: %s (0x%X) at 0x%llX via 0x%llX (%s) %lld\n",
+ entry->second.name.c_str(),
+ syscall_id, address, return_address, mod_name, c.proc.executed_instructions);
+ }
+ else
+ {
+ win_emu.logger.print(color::blue,
+ "Crafted out-of-line syscall: %s (0x%X) at 0x%llX (%s) via 0x%llX (%s)\n",
+ entry->second.name.c_str(),
+ syscall_id,
+ address, mod ? mod->name.c_str() : "", context.previous_ip,
+ previous_mod ? previous_mod->name.c_str() : "");
+ }
 }
 
 entry->second.handler(c);
diff --git a/src/windows-emulator/windows_emulator.cpp b/src/windows-emulator/windows_emulator.cpp
index 00499d32..1221a68e 100644
--- a/src/windows-emulator/windows_emulator.cpp
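Review bot: `if (previous_mod == mod)` treats a syscall as in-line whenever both lookups return the same value, including when both are null, so a syscall instruction executed from memory that belongs to no module (a direct-syscall stub copied to the heap or stack, which is exactly the kind of thing the blue line is meant to expose) is printed with the ordinary dark-gray message instead. Requiring a real module for the ordinary path, `if (mod && previous_mod == mod)`, sends that case to the new branch, whose names are already null-guarded with `mod ? mod->name.c_str() : ""`. The ordinary path still passes `mod_name` from find_name(return_address) straight to `%s` without any such guard; if find_name can return null for a return address outside every module, that is undefined behaviour in the printf-style formatting, so `mod_name ? mod_name : ""` would match the new branch. `%lld` assumes c.proc.executed_instructions is a signed long long; if it is a uint64_t counter, `%llu` is the matching specifier. dispatch() and the definition of `mod` used here both lie outside the hunk.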
+++ b/src/windows-emulator/windows_emulator.cpp
@@ -820,7 +820,7 @@ void windows_emulator::setup_hooks()
 const auto rip = this->emu().read_instruction_pointer();
 printf("Interrupt: %i 0x%llX\n", interrupt, rip);
 
- if (this->fuzzing)
+ if (this->fuzzing || true) // TODO: Fix
 {
 this->process().exception_rip = rip;
 this->emu().stop();
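Review bot: `if (this->fuzzing || true) // TODO: Fix` makes the condition unconditionally true, so every interrupt now records exception_rip and stops the emulator even outside fuzzing mode, and the fuzzing flag is dead at this site. That is security-relevant for an analysis sandbox: if guest-raised software interrupts such as int 3 or int 2d reach this hook, a sample can end its own emulation by executing one, so stopping here should be a deliberate, named choice rather than a leftover. If halting on every interrupt is intended until interrupt delivery is implemented, say so in the code and drop the dead operand, e.g. `// TODO: deliver interrupts to the guest; until then any interrupt ends emulation` above a plain `{` block, or keep a named flag instead of `|| true`. setup_hooks() and the lambda containing this code begin and end outside the hunk.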