Extract sus activity logging

2026-01-19 19:53:56 +00:00 · 2025-06-04 19:28:50 +02:00
parent 5609de9dde
commit 84e8e86b94
5 changed files with 31 additions and 24 deletions
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -1,8 +1,25 @@
 #include "analysis.hpp"
 #include "windows_emulator.hpp"

+#define STR_VIEW_VA(str) static_cast<int>((str).size()), (str).data()
+
 namespace
 {
+    template <typename Return, typename... Args>
+    std::function<Return(Args...)> make_callback(windows_emulator& win_emu,
+                                                 Return (*callback)(windows_emulator&, Args...))
+    {
+        return [&win_emu, callback](Args... args) {
+            return callback(win_emu, std::forward<Args>(args)...); //
+        };
+    }
+
+    void handle_suspicious_activity(windows_emulator& win_emu, const std::string_view details)
+    {
+        const auto rip = win_emu.emu().read_instruction_pointer();
+        win_emu.log.print(color::pink, "Suspicious: %.*s (0x" PRIX64 ")\n", STR_VIEW_VA(details), rip);
+    }
+
    emulator_callbacks::continuation handle_syscall(windows_emulator& win_emu, const uint32_t syscall_id,
                                                    const std::string_view syscall_name)
    {
@@ -15,8 +32,7 @@ namespace
        if (is_sus_module)
        {
            win_emu.log.print(color::blue, "Executing inline syscall: %.*s (0x%X) at 0x%" PRIx64 " (%s)\n",
-                              static_cast<int>(syscall_name.size()), syscall_name.data(), syscall_id, address,
-                              mod ? mod->name.c_str() : "<N/A>");
+                              STR_VIEW_VA(syscall_name), syscall_id, address, mod ? mod->name.c_str() : "<N/A>");
        }
        else if (mod->is_within(win_emu.process.previous_ip))
        {
@@ -29,8 +45,7 @@ namespace

            win_emu.log.print(color::dark_gray,
                              "Executing syscall: %.*s (0x%X) at 0x%" PRIx64 " via 0x%" PRIx64 " (%s)\n",
-                              static_cast<int>(syscall_name.size()), syscall_name.data(), syscall_id, address,
-                              return_address, caller_mod_name);
+                              STR_VIEW_VA(syscall_name), syscall_id, address, return_address, caller_mod_name);
        }
        else
        {
@@ -38,22 +53,12 @@ namespace

            win_emu.log.print(color::blue,
                              "Crafted out-of-line syscall: %.*s (0x%X) at 0x%" PRIx64 " (%s) via 0x%" PRIx64 " (%s)\n",
-                              static_cast<int>(syscall_name.size()), syscall_name.data(), syscall_id, address,
-                              mod ? mod->name.c_str() : "<N/A>", win_emu.process.previous_ip,
-                              previous_mod ? previous_mod->name.c_str() : "<N/A>");
+                              STR_VIEW_VA(syscall_name), syscall_id, address, mod ? mod->name.c_str() : "<N/A>",
+                              win_emu.process.previous_ip, previous_mod ? previous_mod->name.c_str() : "<N/A>");
        }

        return instruction_hook_continuation::run_instruction;
    }
-
-    template <typename Return, typename... Args>
-    std::function<Return(Args...)> make_callback(windows_emulator& win_emu,
-                                                 Return (*callback)(windows_emulator&, Args...))
-    {
-        return [&win_emu, callback](Args... args) {
-            return callback(win_emu, std::forward<Args>(args)...); //
-        };
-    }
 }

 void register_analysis_callbacks(windows_emulator& win_emu)
@@ -61,4 +66,5 @@ void register_analysis_callbacks(windows_emulator& win_emu)
    auto& cb = win_emu.callbacks;

    cb.on_syscall = make_callback(win_emu, handle_syscall);
+    cb.on_suspicious_activity = make_callback(win_emu, handle_suspicious_activity);
 }
--- a/src/windows-emulator/syscalls/system.cpp
+++ b/src/windows-emulator/syscalls/system.cpp
@@ -109,7 +109,7 @@ namespace syscalls
            return STATUS_NOT_SUPPORTED;

        case SystemControlFlowTransition:
-            c.win_emu.log.print(color::pink, "Warbird control flow transition!\n");
+            c.win_emu.callbacks.on_suspicious_activity("Warbird control flow transition");
            return STATUS_NOT_SUPPORTED;

        case SystemTimeOfDayInformation:
--- a/src/windows-emulator/syscalls/thread.cpp
+++ b/src/windows-emulator/syscalls/thread.cpp
@@ -26,7 +26,7 @@ namespace syscalls

        if (info_class == ThreadHideFromDebugger)
        {
-            c.win_emu.log.print(color::pink, "--> Hiding thread %X from debugger!\n", thread->id);
+            c.win_emu.callbacks.on_suspicious_activity("Hiding thread from debugger");
            return STATUS_SUCCESS;
        }

@@ -470,7 +470,7 @@ namespace syscalls
        thread_context.access([&](CONTEXT64& context) {
            if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS_64) == CONTEXT_DEBUG_REGISTERS_64)
            {
-                c.win_emu.log.print(color::pink, "--> Reading debug registers!\n");
+                c.win_emu.callbacks.on_suspicious_activity("Reading debug registers");
            }

            cpu_context::save(c.emu, context);
@@ -509,7 +509,7 @@ namespace syscalls

        if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS_64) == CONTEXT_DEBUG_REGISTERS_64)
        {
-            c.win_emu.log.print(color::pink, "--> Setting debug registers!\n");
+            c.win_emu.callbacks.on_suspicious_activity("Setting debug registers");
        }

        return STATUS_SUCCESS;
--- a/src/windows-emulator/windows_emulator.cpp
+++ b/src/windows-emulator/windows_emulator.cpp
@@ -550,24 +550,24 @@ void windows_emulator::setup_hooks()
        case 1:
            if ((eflags & 0x100) != 0)
            {
-                this->log.print(color::pink, "Singlestep (Trap Flag): 0x%" PRIx64 "\n", rip);
+                this->callbacks.on_suspicious_activity("Singlestep (Trap Flag)");
                this->emu().reg(x86_register::eflags, eflags & ~0x100);
            }
            else
            {
-                this->log.print(color::pink, "Singlestep: 0x%" PRIx64 "\n", rip);
+                this->callbacks.on_suspicious_activity("Singlestep");
            }
            dispatch_single_step(this->emu(), this->process);
            return;
        case 3:
-            this->log.print(color::pink, "Breakpoint: 0x%" PRIx64 "\n", rip);
+            this->callbacks.on_suspicious_activity("Breakpoint");
            dispatch_breakpoint(this->emu(), this->process);
            return;
        case 6:
            dispatch_illegal_instruction_violation(this->emu(), this->process);
            return;
        case 45:
-            this->log.print(color::pink, "DbgPrint: 0x%" PRIx64 "\n", rip);
+            this->callbacks.on_suspicious_activity("DbgPrint");
            dispatch_breakpoint(this->emu(), this->process);
            return;
        default:
--- a/src/windows-emulator/windows_emulator.hpp
+++ b/src/windows-emulator/windows_emulator.hpp
@@ -19,6 +19,7 @@ struct emulator_callbacks : module_manager::callbacks, process_context::callback

    utils::optional_function<continuation(uint32_t syscall_id, std::string_view syscall_name)> on_syscall{};
    utils::optional_function<void(std::string_view data)> on_stdout{};
+    utils::optional_function<void(std::string_view description)> on_suspicious_activity{};
 };

 struct application_settings