From 802e295bccc51748247a9cd5c6c8e5abf7c4eec5 Mon Sep 17 00:00:00 2001
From: momo5502
Date: Sat, 7 Jun 2025 07:29:30 +0200
Subject: [PATCH] Adapt more printing
---
 src/analyzer/analysis.cpp | 31 ++++++++++++++++++++++-
 src/windows-emulator/process_context.cpp | 2 +-
 src/windows-emulator/process_context.hpp | 3 ++-
 src/windows-emulator/syscalls/memory.cpp | 13 +++-------
 src/windows-emulator/syscalls/thread.cpp | 3 +--
 src/windows-emulator/windows_emulator.hpp | 19 +++++++++-----
 6 files changed, 49 insertions(+), 22 deletions(-)
diff --git a/src/analyzer/analysis.cpp b/src/analyzer/analysis.cpp
index eb9ecc06..cfcf1fcf 100644
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -45,6 +45,23 @@ namespace
 c.win_emu->log.print(color::dark_gray, "--> %.*s: %s\n", STR_VIEW_VA(type), u16_to_u8(name).c_str());
 // }
+ void handle_memory_allocate(const analysis_context& c, const uint64_t address, const uint64_t length,
+ const memory_permission permission, const bool commit)
+ {
+ const auto* action = commit ? "Committed" : "Allocated";
+
+ c.win_emu->log.print(is_executable(permission) ? color::gray : color::dark_gray,
+ "--> %s 0x%" PRIx64 " - 0x%" PRIx64 " (%s)\n", action, address, address + length,
+ get_permission_string(permission).c_str());
+ }
+
+ void handle_memory_protect(const analysis_context& c, const uint64_t address, const uint64_t length,
+ const memory_permission permission)
+ {
+ c.win_emu->log.print(color::dark_gray, "--> Changing protection at 0x%" PRIx64 "-0x%" PRIx64 " to %s\n",
+ address, address + length, get_permission_string(permission).c_str());
+ }
+
 void handle_ioctrl(const analysis_context& c, const io_device&, const std::u16string_view device_name,
 const ULONG code)
 {
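Review bot: The `commit` flag that selects "Committed" versus "Allocated" in handle_memory_allocate does not mean the reported range is committed: in the NtAllocateVirtualMemory hunk of memory.cpp the callback receives `true` only on the path that commits into an existing reservation, and `false` right before `allocate_memory(..., !commit)`, so a fresh allocation requested with MEM_COMMIT is logged as "Allocated" even though that call presumably commits it. A consumer that keys executable-memory tracking on the flag will therefore undercount committed RWX regions. Suggest a comment above the function such as `// commit is true only for a commit into an existing reservation; a fresh allocation is reported as "Allocated" even when MEM_COMMIT was requested`, or renaming the parameter to something like `into_reservation` at the callback declaration. The enclosing namespace starts before the hunk.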
@@ -52,6 +69,11 @@ namespace
 static_cast(code));
 }
+ void handle_thread_set_name(const analysis_context& c, const emulator_thread& t)
+ {
+ c.win_emu->log.print(color::blue, "Setting thread (%d) name: %s\n", t.id, u16_to_u8(t.name).c_str());
+ }
+
 void handle_thread_switch(const analysis_context& c, const emulator_thread& current_thread,
 const emulator_thread& new_thread)
 {
@@ -211,10 +233,17 @@ void register_analysis_callbacks(analysis_context& c)
 cb.on_stdout = make_callback(c, handle_stdout);
 cb.on_syscall = make_callback(c, handle_syscall);
 cb.on_ioctrl = make_callback(c, handle_ioctrl);
+
+ cb.on_memory_protect = make_callback(c, handle_memory_protect);
+ cb.on_memory_allocate = make_callback(c, handle_memory_allocate);
+
 cb.on_module_load = make_callback(c, handle_module_load);
 cb.on_module_unload = make_callback(c, handle_module_unload);
- cb.on_instruction = make_callback(c, handle_instruction);
+
 cb.on_thread_switch = make_callback(c, handle_thread_switch);
+ cb.on_thread_set_name = make_callback(c, handle_thread_set_name);
+
+ cb.on_instruction = make_callback(c, handle_instruction);
 cb.on_generic_access = make_callback(c, handle_generic_access);
 cb.on_generic_activity = make_callback(c, handle_generic_activity);
 cb.on_suspicious_activity = make_callback(c, handle_suspicious_activity);
diff --git a/src/windows-emulator/process_context.cpp b/src/windows-emulator/process_context.cpp
index 936ec373..c479ce8e 100644
--- a/src/windows-emulator/process_context.cpp
+++ b/src/windows-emulator/process_context.cpp
@@ -361,7 +361,7 @@ handle process_context::create_thread(memory_manager& memory, const uint64_t sta
 {
 emulator_thread t{memory, *this, start_address, argument, stack_size, suspended, ++this->spawned_thread_count};
 auto [h, thr] = this->threads.store_and_get(std::move(t));
- this->callbacks_->on_create_thread(h, *thr);
+ this->callbacks_->on_thread_create(h, *thr);
 return h;
 }
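Review bot: handle_thread_set_name prints `t.name` verbatim through `%s`, and in the thread.cpp hunk that name is read straight out of guest memory by `read_unicode_string(c.emu, i.ThreadName)`, so the sample under analysis controls every byte that reaches the log; if `log.print` writes to a terminal without filtering, embedded control characters or ANSI escape sequences can garble or spoof the analyst's output, and an embedded newline forges a second log line. The commit only relocates the print, but now that the value flows through a public callback it is worth sanitizing once at the sink, e.g. strip or escape bytes below 0x20 in the converted string before the `%s` (or centrally in `log.print`, if it does not already do so). A short comment such as `// t.name is guest-controlled; treat as untrusted log input` at the top of the function would record the trust boundary either way.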
diff --git a/src/windows-emulator/process_context.hpp b/src/windows-emulator/process_context.hpp
index 2a718257..04e604d6 100644
--- a/src/windows-emulator/process_context.hpp
+++ b/src/windows-emulator/process_context.hpp
@@ -32,9 +32,10 @@ struct process_context
 {
 struct callbacks
 {
- utils::optional_function on_create_thread{};
+ utils::optional_function on_thread_create{};
 utils::optional_function on_thread_terminated{};
 utils::optional_function on_thread_switch{};
+ utils::optional_function on_thread_set_name{};
 };
 struct atom_entry
diff --git a/src/windows-emulator/syscalls/memory.cpp b/src/windows-emulator/syscalls/memory.cpp
index 5df89aef..efd5e2f2 100644
--- a/src/windows-emulator/syscalls/memory.cpp
+++ b/src/windows-emulator/syscalls/memory.cpp
@@ -146,9 +146,7 @@ namespace syscalls
 const auto requested_protection = map_nt_to_emulator_protection(protection);
- c.win_emu.log.print(color::dark_gray, "--> Changing protection at 0x%" PRIx64 "-0x%" PRIx64 " to %s\n",
- aligned_start, aligned_start + aligned_length,
- get_permission_string(requested_protection).c_str());
+ c.win_emu.callbacks.on_memory_protect(aligned_start, aligned_length, requested_protection);
 memory_permission old_protection_value{};
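Review bot: `on_memory_protect` is fired before the protection change is attempted: it runs right after `requested_protection` is computed and before `old_protection_value` is even declared, so a consumer is told the range now carries `requested_protection` even if the change that follows (outside the hunk) fails. For an analyzer that flags transitions to executable memory that is a false-positive source; the old print had the same ordering, but a callback reads as an event rather than a trace line. Either move `c.win_emu.callbacks.on_memory_protect(aligned_start, aligned_length, requested_protection);` after the successful protect call, or document at the callback declaration that it reports the requested, not the applied, protection. The enclosing syscall handler starts and ends outside the hunk.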
@@ -208,16 +206,11 @@ namespace syscalls
 if (commit && !reserve && c.win_emu.memory.commit_memory(potential_base, static_cast(allocation_bytes), protection))
 {
- c.win_emu.log.print(is_executable(protection) ? color::gray : color::dark_gray,
- "--> Committed 0x%" PRIx64 " - 0x%" PRIx64 " (%s)\n", potential_base,
- potential_base + allocation_bytes, get_permission_string(protection).c_str());
-
+ c.win_emu.callbacks.on_memory_allocate(potential_base, allocation_bytes, protection, true);
 return STATUS_SUCCESS;
 }
- c.win_emu.log.print(is_executable(protection) ? color::gray : color::dark_gray,
- "--> Allocated 0x%" PRIx64 " - 0x%" PRIx64 " (%s)\n", potential_base,
- potential_base + allocation_bytes, get_permission_string(protection).c_str());
+ c.win_emu.callbacks.on_memory_allocate(potential_base, allocation_bytes, protection, false);
 return c.win_emu.memory.allocate_memory(potential_base, static_cast(allocation_bytes), protection, !commit)
diff --git a/src/windows-emulator/syscalls/thread.cpp b/src/windows-emulator/syscalls/thread.cpp
index 322220e3..0210ec3e 100644
--- a/src/windows-emulator/syscalls/thread.cpp
+++ b/src/windows-emulator/syscalls/thread.cpp
@@ -41,8 +41,7 @@ namespace syscalls
 const auto i = info.read();
 thread->name = read_unicode_string(c.emu, i.ThreadName);
- c.win_emu.log.print(color::blue, "Setting thread (%d) name: %s\n", thread->id,
- u16_to_u8(thread->name).c_str());
+ c.win_emu.callbacks.on_thread_set_name(*thread);
 return STATUS_SUCCESS;
 }
diff --git a/src/windows-emulator/windows_emulator.hpp b/src/windows-emulator/windows_emulator.hpp
index d7373d40..12ab5a54 100644
--- a/src/windows-emulator/windows_emulator.hpp
+++ b/src/windows-emulator/windows_emulator.hpp
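Review bot: The second `on_memory_allocate(..., false)` call fires before `allocate_memory` runs and regardless of its result, whereas the commit path above fires only after `commit_memory` succeeded, so a consumer sees "Allocated" events for ranges the emulator then refused (the return expression that maps the result to a status continues past the end of the hunk). Capture the result first and report only on success: `const auto allocated = c.win_emu.memory.allocate_memory(potential_base, static_cast<...>(allocation_bytes), protection, !commit);` with the existing arguments, then `if (allocated) { c.win_emu.callbacks.on_memory_allocate(potential_base, allocation_bytes, protection, false); }` and the existing status mapping applied to `allocated`, assuming allocate_memory's result is testable the way commit_memory's is. The enclosing function starts before the hunk.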
@@ -15,17 +15,22 @@ struct io_device;
+#define opt_func utils::optional_function
+
 struct emulator_callbacks : module_manager::callbacks, process_context::callbacks
 {
 using continuation = instruction_hook_continuation;
- utils::optional_function on_syscall{};
- utils::optional_function on_stdout{};
- utils::optional_function on_generic_access{};
- utils::optional_function on_generic_activity{};
- utils::optional_function on_suspicious_activity{};
- utils::optional_function on_instruction{};
- utils::optional_function on_ioctrl{};
+ opt_func on_memory_protect{};
+ opt_func on_memory_allocate{};
+
+ opt_func on_syscall{};
+ opt_func on_stdout{};
+ opt_func on_generic_access{};
+ opt_func on_generic_activity{};
+ opt_func on_suspicious_activity{};
+ opt_func on_instruction{};
+ opt_func on_ioctrl{};
 };
 struct application_settings
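Review bot: `#define opt_func utils::optional_function` is a lowercase, unprefixed macro introduced in a public header with no `#undef`, so it leaks into every translation unit that includes windows_emulator.hpp and will silently rewrite any other `opt_func` identifier there; a macro also ignores namespaces, so it cannot be scoped. Prefer an alias template that gives the same brevity with proper scoping, `template <typename Sig> using opt_func = utils::optional_function<Sig>;` inside the header's namespace (the template arguments appear stripped from this view, so adapt the alias to optional_function's actual parameter list), or at minimum add `#undef opt_func` after the struct. process_context::callbacks in the sibling hunk still spells out `utils::optional_function`, so the shorthand is also inconsistent between the two callback structs.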