Extract sus activity logging

src/windows-emulator/syscalls/system.cpp

@@ -109,7 +109,7 @@ namespace syscalls
             return STATUS_NOT_SUPPORTED;
 
         case SystemControlFlowTransition:
-            c.win_emu.log.print(color::pink, "Warbird control flow transition!\n");
+            c.win_emu.callbacks.on_suspicious_activity("Warbird control flow transition");
             return STATUS_NOT_SUPPORTED;
 
         case SystemTimeOfDayInformation:

src/windows-emulator/syscalls/thread.cpp

@@ -26,7 +26,7 @@ namespace syscalls
 
         if (info_class == ThreadHideFromDebugger)
         {
-            c.win_emu.log.print(color::pink, "--> Hiding thread %X from debugger!\n", thread->id);
+            c.win_emu.callbacks.on_suspicious_activity("Hiding thread from debugger");
             return STATUS_SUCCESS;
         }
 
@@ -470,7 +470,7 @@ namespace syscalls
         thread_context.access([&](CONTEXT64& context) {
             if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS_64) == CONTEXT_DEBUG_REGISTERS_64)
             {
-                c.win_emu.log.print(color::pink, "--> Reading debug registers!\n");
+                c.win_emu.callbacks.on_suspicious_activity("Reading debug registers");
             }
 
             cpu_context::save(c.emu, context);
@@ -509,7 +509,7 @@ namespace syscalls
 
         if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS_64) == CONTEXT_DEBUG_REGISTERS_64)
         {
-            c.win_emu.log.print(color::pink, "--> Setting debug registers!\n");
+            c.win_emu.callbacks.on_suspicious_activity("Setting debug registers");
         }
 
         return STATUS_SUCCESS;

src/windows-emulator/windows_emulator.cpp

@@ -550,24 +550,24 @@ void windows_emulator::setup_hooks()
         case 1:
             if ((eflags & 0x100) != 0)
             {
-                this->log.print(color::pink, "Singlestep (Trap Flag): 0x%" PRIx64 "\n", rip);
+                this->callbacks.on_suspicious_activity("Singlestep (Trap Flag)");
                 this->emu().reg(x86_register::eflags, eflags & ~0x100);
             }
             else
             {
-                this->log.print(color::pink, "Singlestep: 0x%" PRIx64 "\n", rip);
+                this->callbacks.on_suspicious_activity("Singlestep");
             }
             dispatch_single_step(this->emu(), this->process);
             return;
         case 3:
-            this->log.print(color::pink, "Breakpoint: 0x%" PRIx64 "\n", rip);
+            this->callbacks.on_suspicious_activity("Breakpoint");
             dispatch_breakpoint(this->emu(), this->process);
             return;
         case 6:
             dispatch_illegal_instruction_violation(this->emu(), this->process);
             return;
         case 45:
-            this->log.print(color::pink, "DbgPrint: 0x%" PRIx64 "\n", rip);
+            this->callbacks.on_suspicious_activity("DbgPrint");
             dispatch_breakpoint(this->emu(), this->process);
             return;
         default:

src/windows-emulator/windows_emulator.hpp

@@ -19,6 +19,7 @@ struct emulator_callbacks : module_manager::callbacks, process_context::callback
 
     utils::optional_function<continuation(uint32_t syscall_id, std::string_view syscall_name)> on_syscall{};
     utils::optional_function<void(std::string_view data)> on_stdout{};
+    utils::optional_function<void(std::string_view description)> on_suspicious_activity{};
 };
 
 struct application_settings