Watch interesting system objects

src/analyzer/main.cpp

@@ -97,7 +97,7 @@ namespace
 		windows_emulator win_emu{settings};
 
 		(void)&watch_system_objects;
-		//watch_system_objects(win_emu);
+		watch_system_objects(win_emu);
 		win_emu.buffer_stdout = true;
 		//win_emu.verbose_calls = true;
 

src/analyzer/object_watching.hpp

@@ -8,14 +8,24 @@ emulator_hook* watch_object(windows_emulator& emu, emulator_object<T> object)
 	const reflect_type_info<T> info{};
 
 	return emu.emu().hook_memory_read(object.value(), object.size(),
-	                                  [i = std::move(info), object, &emu](const uint64_t address, size_t, uint64_t)
+	                                  [i = std::move(info), object, &emu](
+	                                  const uint64_t address, size_t, uint64_t)
 	                                  {
 		                                  const auto rip = emu.emu().read_instruction_pointer();
+		                                  const auto* mod = emu.process().module_manager.find_by_address(rip);
+		                                  const auto is_main_access = mod == emu.process().executable;
+
+		                                  if (!emu.verbose_calls && !is_main_access)
+		                                  {
+			                                  return;
+		                                  }
 
 		                                  const auto offset = address - object.value();
-		                                  emu.logger.log("Object access: %s - 0x%llX (%s) at 0x%llX (%s)\n", i.get_type_name().c_str(),
-		                                                 offset,
-		                                                 i.get_member_name(offset).c_str(), rip,
-		                                                 emu.process().module_manager.find_name(rip));
+		                                  emu.logger.print(is_main_access ? color::green : color::dark_gray,
+		                                                   "Object access: %s - 0x%llX (%s) at 0x%llX (%s)\n",
+		                                                   i.get_type_name().c_str(),
+		                                                   offset,
+		                                                   i.get_member_name(offset).c_str(), rip,
+		                                                   mod ? mod->name.c_str() : "<N/A>");
 	                                  });
 }

src/windows-emulator/syscalls.cpp

@@ -1431,6 +1431,32 @@ namespace
 			return STATUS_INVALID_HANDLE;
 		}
 
+		if (info_class == FileNameInformation)
+		{
+			const auto required_length = sizeof(FILE_NAME_INFORMATION) + (f->name.size() * 2);
+
+			if (io_status_block)
+			{
+				IO_STATUS_BLOCK block{};
+				block.Information = sizeof(FILE_NAME_INFORMATION) + required_length;
+				io_status_block.write(block);
+			}
+
+			if (length != required_length)
+			{
+				return STATUS_BUFFER_OVERFLOW;
+			}
+
+			c.emu.write_memory(file_information, FILE_NAME_INFORMATION{
+				                   .FileNameLength = static_cast<ULONG>(f->name.size() * 2),
+			                   });
+
+			c.emu.write_memory(file_information + offsetof(FILE_NAME_INFORMATION, FileName), f->name.c_str(),
+			                   (f->name.size() + 1) * 2);
+
+			return STATUS_SUCCESS;
+		}
+
 		if (info_class == FileStandardInformation)
 		{
 			if (io_status_block)
@@ -1618,6 +1644,11 @@ namespace
 		return STATUS_NOT_SUPPORTED;
 	}
 
+	NTSTATUS handle_NtSetInformationKey()
+	{
+		return STATUS_NOT_SUPPORTED;
+	}
+
 	NTSTATUS handle_NtApphelpCacheControl()
 	{
 		return STATUS_NOT_SUPPORTED;
@@ -3243,6 +3274,7 @@ void syscall_dispatcher::add_handlers(std::map<std::string, syscall_handler>& ha
 	add_handler(NtReleaseMutant);
 	add_handler(NtDuplicateToken);
 	add_handler(NtQueryTimerResolution);
+	add_handler(NtSetInformationKey);
 
 #undef add_handler
 }