Detailed CPUID logging

2026-01-21 04:33:56 +00:00 · 2025-07-08 18:50:40 +02:00
parent e9718e61cd
commit 965efadb51
3 changed files with 33 additions and 5 deletions
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -292,3 +292,24 @@ void register_analysis_callbacks(analysis_context& c)
    cb.on_generic_activity = make_callback(c, handle_generic_activity);
    cb.on_suspicious_activity = make_callback(c, handle_suspicious_activity);
 }
+
+mapped_module* get_module_if_interesting(module_manager& manager, const string_set& modules, uint64_t address)
+{
+    if (manager.executable->is_within(address))
+    {
+        return manager.executable;
+    }
+
+    if (modules.empty())
+    {
+        return nullptr;
+    }
+
+    auto* mod = manager.find_by_address(address);
+    if (mod && modules.contains(mod->name))
+    {
+        return mod;
+    }
+
+    return nullptr;
+}
--- a/src/analyzer/analysis.hpp
+++ b/src/analyzer/analysis.hpp
@@ -3,8 +3,12 @@
 #include <set>
 #include <string>

+struct mapped_module;
+class module_manager;
 class windows_emulator;

+using string_set = std::set<std::string, std::less<>>;
+
 struct analysis_settings
 {
    bool concise_logging{false};
@@ -12,8 +16,8 @@ struct analysis_settings
    bool silent{false};
    bool buffer_stdout{false};

-    std::set<std::string, std::less<>> modules{};
-    std::set<std::string, std::less<>> ignored_functions{};
+    string_set modules{};
+    string_set ignored_functions{};
 };

 struct analysis_context
@@ -26,3 +30,4 @@ struct analysis_context
 };

 void register_analysis_callbacks(analysis_context& c);
+mapped_module* get_module_if_interesting(module_manager& manager, const string_set& modules, uint64_t address);
--- a/src/analyzer/main.cpp
+++ b/src/analyzer/main.cpp
@@ -305,11 +305,13 @@ namespace

        win_emu->emu().hook_instruction(x86_hookable_instructions::cpuid, [&] {
            const auto rip = win_emu->emu().read_instruction_pointer();
-            if (win_emu->mod_manager.executable->is_within(rip))
+            auto* mod = get_module_if_interesting(win_emu->mod_manager, options.modules, rip);
+
+            if (mod)
            {
                const auto leaf = win_emu->emu().reg<uint32_t>(x86_register::eax);
-                win_emu->log.print(color::blue, "Executing CPUID instruction at 0x%" PRIx64 " with leaf: 0x%X\n", rip,
-                                   leaf);
+                win_emu->log.print(color::blue, "Executing CPUID instruction with leaf 0x%X at 0x%" PRIx64 " (%s)\n",
+                                   leaf, rip, mod->name.c_str());
            }

            return instruction_hook_continuation::run_instruction;