From 84e8e86b9495ef646b80313caa1af3b598396cfd Mon Sep 17 00:00:00 2001
From: momo5502 <mauriceheumann@gmail.com>
Date: Wed, 4 Jun 2025 19:28:50 +0200
Subject: [PATCH] Extract sus activity logging

---
 src/analyzer/analysis.cpp                 | 38 +++++++++++++----------
 src/windows-emulator/syscalls/system.cpp  |  2 +-
 src/windows-emulator/syscalls/thread.cpp  |  6 ++--
 src/windows-emulator/windows_emulator.cpp |  8 ++---
 src/windows-emulator/windows_emulator.hpp |  1 +
 5 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/src/analyzer/analysis.cpp b/src/analyzer/analysis.cpp
index de307274..b663f456 100644
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -1,8 +1,25 @@
 #include "analysis.hpp"
 #include "windows_emulator.hpp"
 
+#define STR_VIEW_VA(str) static_cast<int>((str).size()), (str).data()
+
 namespace
 {
+    template <typename Return, typename... Args>
+    std::function<Return(Args...)> make_callback(windows_emulator& win_emu,
+                                                 Return (*callback)(windows_emulator&, Args...))
+    {
+        return [&win_emu, callback](Args... args) {
+            return callback(win_emu, std::forward<Args>(args)...); //
+        };
+    }
+
+    void handle_suspicious_activity(windows_emulator& win_emu, const std::string_view details)
+    {
+        const auto rip = win_emu.emu().read_instruction_pointer();
+        win_emu.log.print(color::pink, "Suspicious: %.*s (0x" PRIX64 ")\n", STR_VIEW_VA(details), rip);
+    }
+
     emulator_callbacks::continuation handle_syscall(windows_emulator& win_emu, const uint32_t syscall_id,
                                                     const std::string_view syscall_name)
     {
@@ -15,8 +32,7 @@ namespace
         if (is_sus_module)
         {
             win_emu.log.print(color::blue, "Executing inline syscall: %.*s (0x%X) at 0x%" PRIx64 " (%s)\n",
-                              static_cast<int>(syscall_name.size()), syscall_name.data(), syscall_id, address,
-                              mod ? mod->name.c_str() : "<N/A>");
+                              STR_VIEW_VA(syscall_name), syscall_id, address, mod ? mod->name.c_str() : "<N/A>");
         }
         else if (mod->is_within(win_emu.process.previous_ip))
         {
@@ -29,8 +45,7 @@ namespace
 
             win_emu.log.print(color::dark_gray,
                               "Executing syscall: %.*s (0x%X) at 0x%" PRIx64 " via 0x%" PRIx64 " (%s)\n",
-                              static_cast<int>(syscall_name.size()), syscall_name.data(), syscall_id, address,
-                              return_address, caller_mod_name);
+                              STR_VIEW_VA(syscall_name), syscall_id, address, return_address, caller_mod_name);
         }
         else
         {
@@ -38,22 +53,12 @@ namespace
 
             win_emu.log.print(color::blue,
                               "Crafted out-of-line syscall: %.*s (0x%X) at 0x%" PRIx64 " (%s) via 0x%" PRIx64 " (%s)\n",
-                              static_cast<int>(syscall_name.size()), syscall_name.data(), syscall_id, address,
-                              mod ? mod->name.c_str() : "<N/A>", win_emu.process.previous_ip,
-                              previous_mod ? previous_mod->name.c_str() : "<N/A>");
+                              STR_VIEW_VA(syscall_name), syscall_id, address, mod ? mod->name.c_str() : "<N/A>",
+                              win_emu.process.previous_ip, previous_mod ? previous_mod->name.c_str() : "<N/A>");
         }
 
         return instruction_hook_continuation::run_instruction;
     }
-
-    template <typename Return, typename... Args>
-    std::function<Return(Args...)> make_callback(windows_emulator& win_emu,
-                                                 Return (*callback)(windows_emulator&, Args...))
-    {
-        return [&win_emu, callback](Args... args) {
-            return callback(win_emu, std::forward<Args>(args)...); //
-        };
-    }
 }
 
 void register_analysis_callbacks(windows_emulator& win_emu)
@@ -61,4 +66,5 @@ void register_analysis_callbacks(windows_emulator& win_emu)
     auto& cb = win_emu.callbacks;
 
     cb.on_syscall = make_callback(win_emu, handle_syscall);
+    cb.on_suspicious_activity = make_callback(win_emu, handle_suspicious_activity);
 }
diff --git a/src/windows-emulator/syscalls/system.cpp b/src/windows-emulator/syscalls/system.cpp
index 2cee38e8..02b73402 100644
--- a/src/windows-emulator/syscalls/system.cpp
+++ b/src/windows-emulator/syscalls/system.cpp
@@ -109,7 +109,7 @@ namespace syscalls
             return STATUS_NOT_SUPPORTED;
 
         case SystemControlFlowTransition:
-            c.win_emu.log.print(color::pink, "Warbird control flow transition!\n");
+            c.win_emu.callbacks.on_suspicious_activity("Warbird control flow transition");
             return STATUS_NOT_SUPPORTED;
 
         case SystemTimeOfDayInformation:
diff --git a/src/windows-emulator/syscalls/thread.cpp b/src/windows-emulator/syscalls/thread.cpp
index d8c24a66..ebac1908 100644
--- a/src/windows-emulator/syscalls/thread.cpp
+++ b/src/windows-emulator/syscalls/thread.cpp
@@ -26,7 +26,7 @@ namespace syscalls
 
         if (info_class == ThreadHideFromDebugger)
         {
-            c.win_emu.log.print(color::pink, "--> Hiding thread %X from debugger!\n", thread->id);
+            c.win_emu.callbacks.on_suspicious_activity("Hiding thread from debugger");
             return STATUS_SUCCESS;
         }
 
@@ -470,7 +470,7 @@ namespace syscalls
         thread_context.access([&](CONTEXT64& context) {
             if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS_64) == CONTEXT_DEBUG_REGISTERS_64)
             {
-                c.win_emu.log.print(color::pink, "--> Reading debug registers!\n");
+                c.win_emu.callbacks.on_suspicious_activity("Reading debug registers");
             }
 
             cpu_context::save(c.emu, context);
@@ -509,7 +509,7 @@ namespace syscalls
 
         if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS_64) == CONTEXT_DEBUG_REGISTERS_64)
         {
-            c.win_emu.log.print(color::pink, "--> Setting debug registers!\n");
+            c.win_emu.callbacks.on_suspicious_activity("Setting debug registers");
         }
 
         return STATUS_SUCCESS;
diff --git a/src/windows-emulator/windows_emulator.cpp b/src/windows-emulator/windows_emulator.cpp
index 76cf20ba..d52896e3 100644
--- a/src/windows-emulator/windows_emulator.cpp
+++ b/src/windows-emulator/windows_emulator.cpp
@@ -550,24 +550,24 @@ void windows_emulator::setup_hooks()
         case 1:
             if ((eflags & 0x100) != 0)
             {
-                this->log.print(color::pink, "Singlestep (Trap Flag): 0x%" PRIx64 "\n", rip);
+                this->callbacks.on_suspicious_activity("Singlestep (Trap Flag)");
                 this->emu().reg(x86_register::eflags, eflags & ~0x100);
             }
             else
             {
-                this->log.print(color::pink, "Singlestep: 0x%" PRIx64 "\n", rip);
+                this->callbacks.on_suspicious_activity("Singlestep");
             }
             dispatch_single_step(this->emu(), this->process);
             return;
         case 3:
-            this->log.print(color::pink, "Breakpoint: 0x%" PRIx64 "\n", rip);
+            this->callbacks.on_suspicious_activity("Breakpoint");
             dispatch_breakpoint(this->emu(), this->process);
             return;
         case 6:
             dispatch_illegal_instruction_violation(this->emu(), this->process);
             return;
         case 45:
-            this->log.print(color::pink, "DbgPrint: 0x%" PRIx64 "\n", rip);
+            this->callbacks.on_suspicious_activity("DbgPrint");
             dispatch_breakpoint(this->emu(), this->process);
             return;
         default:
diff --git a/src/windows-emulator/windows_emulator.hpp b/src/windows-emulator/windows_emulator.hpp
index 34df864a..3f8eba65 100644
--- a/src/windows-emulator/windows_emulator.hpp
+++ b/src/windows-emulator/windows_emulator.hpp
@@ -19,6 +19,7 @@ struct emulator_callbacks : module_manager::callbacks, process_context::callback
 
     utils::optional_function<continuation(uint32_t syscall_id, std::string_view syscall_name)> on_syscall{};
     utils::optional_function<void(std::string_view data)> on_stdout{};
+    utils::optional_function<void(std::string_view description)> on_suspicious_activity{};
 };
 
 struct application_settings