From 965efadb5162155824ea11adf0fba0c0d4ad4d7e Mon Sep 17 00:00:00 2001
From: Maurice Heumann <mauriceheumann@gmail.com>
Date: Tue, 8 Jul 2025 18:50:40 +0200
Subject: [PATCH] Detailed CPUID logging

---
 src/analyzer/analysis.cpp | 21 +++++++++++++++++++++
 src/analyzer/analysis.hpp |  9 +++++++--
 src/analyzer/main.cpp     |  8 +++++---
 3 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/src/analyzer/analysis.cpp b/src/analyzer/analysis.cpp
index 0b55e514..4b02f8c7 100644
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -292,3 +292,24 @@ void register_analysis_callbacks(analysis_context& c)
     cb.on_generic_activity = make_callback(c, handle_generic_activity);
     cb.on_suspicious_activity = make_callback(c, handle_suspicious_activity);
 }
+
+mapped_module* get_module_if_interesting(module_manager& manager, const string_set& modules, uint64_t address)
+{
+    if (manager.executable->is_within(address))
+    {
+        return manager.executable;
+    }
+
+    if (modules.empty())
+    {
+        return nullptr;
+    }
+
+    auto* mod = manager.find_by_address(address);
+    if (mod && modules.contains(mod->name))
+    {
+        return mod;
+    }
+
+    return nullptr;
+}
\ No newline at end of file
diff --git a/src/analyzer/analysis.hpp b/src/analyzer/analysis.hpp
index 072e8503..1af666ba 100644
--- a/src/analyzer/analysis.hpp
+++ b/src/analyzer/analysis.hpp
@@ -3,8 +3,12 @@
 #include <set>
 #include <string>
 
+struct mapped_module;
+class module_manager;
 class windows_emulator;
 
+using string_set = std::set<std::string, std::less<>>;
+
 struct analysis_settings
 {
     bool concise_logging{false};
@@ -12,8 +16,8 @@ struct analysis_settings
     bool silent{false};
     bool buffer_stdout{false};
 
-    std::set<std::string, std::less<>> modules{};
-    std::set<std::string, std::less<>> ignored_functions{};
+    string_set modules{};
+    string_set ignored_functions{};
 };
 
 struct analysis_context
@@ -26,3 +30,4 @@ struct analysis_context
 };
 
 void register_analysis_callbacks(analysis_context& c);
+mapped_module* get_module_if_interesting(module_manager& manager, const string_set& modules, uint64_t address);
\ No newline at end of file
diff --git a/src/analyzer/main.cpp b/src/analyzer/main.cpp
index aae2f286..f47db0db 100644
--- a/src/analyzer/main.cpp
+++ b/src/analyzer/main.cpp
@@ -305,11 +305,13 @@ namespace
 
         win_emu->emu().hook_instruction(x86_hookable_instructions::cpuid, [&] {
             const auto rip = win_emu->emu().read_instruction_pointer();
-            if (win_emu->mod_manager.executable->is_within(rip))
+            auto* mod = get_module_if_interesting(win_emu->mod_manager, options.modules, rip);
+
+            if (mod)
             {
                 const auto leaf = win_emu->emu().reg<uint32_t>(x86_register::eax);
-                win_emu->log.print(color::blue, "Executing CPUID instruction at 0x%" PRIx64 " with leaf: 0x%X\n", rip,
-                                   leaf);
+                win_emu->log.print(color::blue, "Executing CPUID instruction with leaf 0x%X at 0x%" PRIx64 " (%s)\n",
+                                   leaf, rip, mod->name.c_str());
             }
 
             return instruction_hook_continuation::run_instruction;