diff --git a/src/analyzer/main.cpp b/src/analyzer/main.cpp
index 8396bf73..5e3539d1 100644
--- a/src/analyzer/main.cpp
+++ b/src/analyzer/main.cpp
@@ -46,7 +46,7 @@ namespace
 if (options.use_gdb)
 {
 const auto* address = "127.0.0.1:28960";
- win_emu.logger.print(color::pink, "Waiting for GDB connection on %s...\n", address);
+ win_emu.log.print(color::pink, "Waiting for GDB connection on %s...\n", address);
 win_x64_gdb_stub_handler handler{win_emu};
 run_gdb_stub(handler, "i386:x86-64", gdb_registers.size(), address);
@@ -58,24 +58,24 @@ namespace
 }
 catch (const std::exception& e)
 {
- win_emu.logger.print(color::red, "Emulation failed at: 0x%llX - %s\n",
+ win_emu.log.print(color::red, "Emulation failed at: 0x%llX - %s\n",
 win_emu.emu().read_instruction_pointer(), e.what());
 throw;
 }
 catch (...)
 {
- win_emu.logger.print(color::red, "Emulation failed at: 0x%llX\n", win_emu.emu().read_instruction_pointer());
+ win_emu.log.print(color::red, "Emulation failed at: 0x%llX\n", win_emu.emu().read_instruction_pointer());
 throw;
 }
 const auto exit_status = win_emu.process().exit_status;
 if (exit_status.has_value())
 {
- win_emu.logger.print(color::red, "Emulation terminated with status: %X\n", *exit_status);
+ win_emu.log.print(color::red, "Emulation terminated with status: %X\n", *exit_status);
 }
 else
 {
- win_emu.logger.print(color::red, "Emulation terminated without status!\n");
+ win_emu.log.print(color::red, "Emulation terminated without status!\n");
 }
 }
@@ -127,7 +127,7 @@ namespace
 auto read_handler = [&, section, concise_logging](const uint64_t address, size_t, uint64_t)
 {
 const auto rip = win_emu.emu().read_instruction_pointer();
- if (win_emu.process().module_manager.find_by_address(rip) != win_emu.process().executable)
+ if (win_emu.process().mod_manager.find_by_address(rip) != win_emu.process().executable)
 {
 return;
 }
@@ -139,7 +139,7 @@ namespace
 if (count > 100 && count % 10000 != 0) return;
 }
- win_emu.logger.print(
+ win_emu.log.print(
 color::green, "Reading from executable section %s at 0x%llX via 0x%llX\n", section.name.c_str(), address, rip);
@@ -148,7 +148,7 @@ namespace
 const auto write_handler = [&, section, concise_logging](const uint64_t address, size_t, uint64_t)
 {
 const auto rip = win_emu.emu().read_instruction_pointer();
- if (win_emu.process().module_manager.find_by_address(rip) != win_emu.process().executable)
+ if (win_emu.process().mod_manager.find_by_address(rip) != win_emu.process().executable)
 {
 return;
 }
@@ -160,7 +160,7 @@ namespace
 if (count > 100 && count % 10000 != 0) return;
 }
- win_emu.logger.print(
+ win_emu.log.print(
 color::blue, "Writing to executable section %s at 0x%llX via 0x%llX\n", section.name.c_str(), address, rip);
diff --git a/src/analyzer/object_watching.hpp b/src/analyzer/object_watching.hpp
index 4ebb62b8..25bfcdcc 100644
--- a/src/analyzer/object_watching.hpp
+++ b/src/analyzer/object_watching.hpp
@@ -12,7 +12,7 @@ emulator_hook* watch_object(windows_emulator& emu, emulator_object object, co
 const uint64_t address, size_t, uint64_t)
 {
 const auto rip = emu.emu().read_instruction_pointer();
- const auto* mod = emu.process().module_manager.find_by_address(rip);
+ const auto* mod = emu.process().mod_manager.find_by_address(rip);
 const auto is_main_access = mod == emu.process().executable;
 if (!emu.verbose_calls && !is_main_access)
@@ -30,7 +30,7 @@ emulator_hook* watch_object(windows_emulator& emu, emulator_object object, co
 }
 const auto offset = address - object.value();
- emu.logger.print(is_main_access ? color::green : color::dark_gray,
+ emu.log.print(is_main_access ? color::green : color::dark_gray,
 "Object access: %s - 0x%llX (%s) at 0x%llX (%s)\n",
 i.get_type_name().c_str(),
 offset,
diff --git a/src/fuzzer/main.cpp b/src/fuzzer/main.cpp
index 4cc4bc5d..3167db1a 100644
--- a/src/fuzzer/main.cpp
+++ b/src/fuzzer/main.cpp
@@ -13,7 +13,7 @@ namespace
 {
 try
 {
- win_emu.logger.disable_output(true);
+ win_emu.log.disable_output(true);
 win_emu.start();
 if (win_emu.process().exception_rip.has_value())
@@ -23,12 +23,12 @@ namespace
 }
 catch (...)
 {
- win_emu.logger.disable_output(false);
- win_emu.logger.print(color::red, "Emulation failed at: 0x%llX\n", win_emu.emu().read_instruction_pointer());
+ win_emu.log.disable_output(false);
+ win_emu.log.print(color::red, "Emulation failed at: 0x%llX\n", win_emu.emu().read_instruction_pointer());
 throw;
 }
- win_emu.logger.disable_output(false);
+ win_emu.log.disable_output(false);
 }
 void forward_emulator(windows_emulator& win_emu)
diff --git a/src/windows-emulator-test/serialization_test.cpp b/src/windows-emulator-test/serialization_test.cpp
index e8305cda..2dba1a19 100644
--- a/src/windows-emulator-test/serialization_test.cpp
+++ b/src/windows-emulator-test/serialization_test.cpp
@@ -58,7 +58,7 @@ namespace test
 utils::buffer_deserializer deserializer{serializer.get_buffer()};
 windows_emulator new_emu{};
- new_emu.logger.disable_output(true);
+ new_emu.log.disable_output(true);
 new_emu.deserialize(deserializer);
 new_emu.start();
diff --git a/src/windows-emulator/devices/afd_endpoint.cpp b/src/windows-emulator/devices/afd_endpoint.cpp
index 1723dfb7..b3f902d5 100644
--- a/src/windows-emulator/devices/afd_endpoint.cpp
+++ b/src/windows-emulator/devices/afd_endpoint.cpp
@@ -315,11 +315,11 @@ namespace
 {
 if (_AFD_BASE(c.io_control_code) != FSCTL_AFD_BASE)
 {
- win_emu.logger.print(color::cyan, "Bad AFD IOCTL: %X\n", c.io_control_code);
+ win_emu.log.print(color::cyan, "Bad AFD IOCTL: %X\n", c.io_control_code);
 return STATUS_NOT_SUPPORTED;
 }
- win_emu.logger.print(color::cyan, "AFD IOCTL: %X\n", c.io_control_code);
+ win_emu.log.print(color::cyan, "AFD IOCTL: %X\n", c.io_control_code);
 const auto request = _AFD_REQUEST(c.io_control_code);
@@ -337,7 +337,7 @@ namespace
 case AFD_GET_INFORMATION:
 return STATUS_SUCCESS;
 default:
- win_emu.logger.print(color::gray, "Unsupported AFD IOCTL: %X\n", c.io_control_code);
+ win_emu.log.print(color::gray, "Unsupported AFD IOCTL: %X\n", c.io_control_code);
 return STATUS_NOT_SUPPORTED;
 }
 }
diff --git a/src/windows-emulator/process_context.hpp b/src/windows-emulator/process_context.hpp
index 9e553d60..eb6cbbe2 100644
--- a/src/windows-emulator/process_context.hpp
+++ b/src/windows-emulator/process_context.hpp
@@ -507,7 +507,7 @@ struct process_context
 , peb(emu)
 , process_params(emu)
 , kusd(emu, *this)
- , module_manager(emu)
+ , mod_manager(emu)
 {
 }
@@ -526,7 +526,7 @@ struct process_context
 emulator_object process_params;
 kusd_mmio kusd;
- module_manager module_manager;
+ module_manager mod_manager;
 mapped_module* executable{};
 mapped_module* ntdll{};
@@ -564,7 +564,7 @@ struct process_context
 buffer.write(this->peb);
 buffer.write(this->process_params);
 buffer.write(this->kusd);
- buffer.write(this->module_manager);
+ buffer.write(this->mod_manager);
 buffer.write(this->executable->image_base);
 buffer.write(this->ntdll->image_base);
@@ -603,15 +603,15 @@ struct process_context
 buffer.read(this->peb);
 buffer.read(this->process_params);
 buffer.read(this->kusd);
- buffer.read(this->module_manager);
+ buffer.read(this->mod_manager);
 const auto executable_base = buffer.read();
 const auto ntdll_base = buffer.read();
 const auto win32u_base = buffer.read();
- this->executable = this->module_manager.find_by_address(executable_base);
- this->ntdll = this->module_manager.find_by_address(ntdll_base);
- this->win32u = this->module_manager.find_by_address(win32u_base);
+ this->executable = this->mod_manager.find_by_address(executable_base);
+ this->ntdll = this->mod_manager.find_by_address(ntdll_base);
+ this->win32u = this->mod_manager.find_by_address(win32u_base);
 buffer.read(this->ldr_initialize_thunk);
 buffer.read(this->rtl_user_thread_start);
diff --git a/src/windows-emulator/syscall_dispatcher.cpp b/src/windows-emulator/syscall_dispatcher.cpp
index 1cb0a9bf..e5661617 100644
--- a/src/windows-emulator/syscall_dispatcher.cpp
+++ b/src/windows-emulator/syscall_dispatcher.cpp
@@ -90,10 +90,10 @@ void syscall_dispatcher::dispatch(windows_emulator& win_emu)
 return;
 }
- const auto* mod = context.module_manager.find_by_address(address);
+ const auto* mod = context.mod_manager.find_by_address(address);
 if (mod != context.ntdll && mod != context.win32u)
 {
- win_emu.logger.print(color::blue, "Executing inline syscall: %s (0x%X) at 0x%llX (%s)\n",
+ win_emu.log.print(color::blue, "Executing inline syscall: %s (0x%X) at 0x%llX (%s)\n",
 entry->second.name.c_str(), syscall_id, address, mod ? mod->name.c_str() : "");
@@ -104,16 +104,16 @@ void syscall_dispatcher::dispatch(windows_emulator& win_emu)
 {
 const auto rsp = c.emu.read_stack_pointer();
 const auto return_address = c.emu.read_memory(rsp);
- const auto* mod_name = context.module_manager.find_name(return_address);
+ const auto* mod_name = context.mod_manager.find_name(return_address);
- win_emu.logger.print(color::dark_gray, "Executing syscall: %s (0x%X) at 0x%llX via 0x%llX (%s) %lld\n",
+ win_emu.log.print(color::dark_gray, "Executing syscall: %s (0x%X) at 0x%llX via 0x%llX (%s) %lld\n",
 entry->second.name.c_str(), syscall_id, address, return_address, mod_name, c.proc.executed_instructions);
 }
 else
 {
- const auto* previous_mod = context.module_manager.find_by_address(context.previous_ip);
- win_emu.logger.print(color::blue,
+ const auto* previous_mod = context.mod_manager.find_by_address(context.previous_ip);
+ win_emu.log.print(color::blue,
 "Crafted out-of-line syscall: %s (0x%X) at 0x%llX (%s) via 0x%llX (%s)\n",
 entry->second.name.c_str(),
 syscall_id,
diff --git a/src/windows-emulator/syscalls.cpp b/src/windows-emulator/syscalls.cpp
index 6a02a325..8ae5b82e 100644
--- a/src/windows-emulator/syscalls.cpp
+++ b/src/windows-emulator/syscalls.cpp
@@ -81,7 +81,7 @@ namespace
 key = full_path.u16string();
 }
- c.win_emu.logger.print(color::dark_gray, "--> Registry key: %S\n", key.c_str());
+ c.win_emu.log.print(color::dark_gray, "--> Registry key: %S\n", key.c_str());
 auto entry = c.proc.registry.get_key(key);
 if (!entry.has_value())
@@ -164,7 +164,7 @@ namespace
 return STATUS_SUCCESS;
 }
- c.win_emu.logger.print(color::gray, "Unsupported registry class: %X\n", key_information_class);
+ c.win_emu.log.print(color::gray, "Unsupported registry class: %X\n", key_information_class);
 c.emu.stop();
 return STATUS_NOT_SUPPORTED;
 }
@@ -278,7 +278,7 @@ namespace
 return STATUS_SUCCESS;
 }
- c.win_emu.logger.print(color::gray, "Unsupported registry value class: %X\n", key_value_information_class);
+ c.win_emu.log.print(color::gray, "Unsupported registry value class: %X\n", key_value_information_class);
 c.emu.stop();
 return STATUS_NOT_SUPPORTED;
 }
@@ -314,7 +314,7 @@ namespace
 if (info_class == ThreadHideFromDebugger)
 {
- c.win_emu.logger.print(color::pink, "--> Hiding thread %X from debugger!\n", thread->id);
+ c.win_emu.log.print(color::pink, "--> Hiding thread %X from debugger!\n", thread->id);
 return STATUS_SUCCESS;
 }
@@ -329,7 +329,7 @@ namespace
 const auto i = info.read();
 thread->name = read_unicode_string(c.emu, i.ThreadName);
- c.win_emu.logger.print(color::blue, "Setting thread (%d) name: %S\n", thread->id, thread->name.c_str());
+ c.win_emu.log.print(color::blue, "Setting thread (%d) name: %S\n", thread->id, thread->name.c_str());
 return STATUS_SUCCESS;
 }
@@ -440,7 +440,7 @@ namespace
 {
 if (mutant_handle.value.type != handle_types::mutant)
 {
- c.win_emu.logger.error("Bad handle type for NtReleaseMutant\n");
+ c.win_emu.log.error("Bad handle type for NtReleaseMutant\n");
 c.emu.stop();
 return STATUS_NOT_SUPPORTED;
 }
@@ -598,7 +598,7 @@ namespace
 const auto attributes = object_attributes.read();
 auto filename = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName));
- c.win_emu.logger.print(color::dark_gray, "--> Opening section: %S\n", filename.c_str());
+ c.win_emu.log.print(color::dark_gray, "--> Opening section: %S\n", filename.c_str());
 if (filename == u"\\Windows\\SharedSection")
 {
@@ -699,7 +699,7 @@ namespace
 if (section_entry->is_image())
 {
- const auto binary = c.proc.module_manager.map_module(section_entry->file_name, c.win_emu.logger);
+ const auto binary = c.proc.mod_manager.map_module(section_entry->file_name, c.win_emu.log);
 if (!binary)
 {
 return STATUS_FILE_INVALID;
@@ -829,7 +829,7 @@ namespace
 return STATUS_BUFFER_OVERFLOW;
 }
- const auto mod = c.proc.module_manager.find_by_address(base_address);
+ const auto mod = c.proc.mod_manager.find_by_address(base_address);
 if (!mod)
 {
 printf("Bad address for memory image request: 0x%zX\n", base_address);
@@ -1837,7 +1837,7 @@ namespace
 const auto requested_protection = map_nt_to_emulator_protection(protection);
- c.win_emu.logger.print(color::dark_gray, "--> Changing protection at 0x%llX-0x%llX to %s\n", aligned_start,
+ c.win_emu.log.print(color::dark_gray, "--> Changing protection at 0x%llX-0x%llX to %s\n", aligned_start,
 aligned_start + aligned_length, get_permission_string(requested_protection).c_str());
 memory_permission old_protection_value{};
@@ -2030,7 +2030,7 @@ namespace
 const auto* file = c.proc.files.get(file_handle);
 if (file)
 {
- c.win_emu.logger.print(color::dark_gray, "--> Section for file %S\n", file->name.c_str());
+ c.win_emu.log.print(color::dark_gray, "--> Section for file %S\n", file->name.c_str());
 s.file_name = file->name;
 }
@@ -2040,7 +2040,7 @@ namespace
 if (attributes.ObjectName)
 {
 const auto name = read_unicode_string(c.emu, reinterpret_cast>*>(attributes.ObjectName));
- c.win_emu.logger.print(color::dark_gray, "--> Section with name %S\n", name.c_str());
+ c.win_emu.log.print(color::dark_gray, "--> Section with name %S\n", name.c_str());
 s.name = std::move(name);
 }
 }
@@ -2074,7 +2074,7 @@ namespace
 const emulator_object connection_info_length)
 {
 auto port_name = read_unicode_string(c.emu, server_port_name);
- c.win_emu.logger.print(color::dark_gray, "NtConnectPort: %S\n", port_name.c_str());
+ c.win_emu.log.print(color::dark_gray, "NtConnectPort: %S\n", port_name.c_str());
 port p{};
 p.name = std::move(port_name);
@@ -2690,7 +2690,7 @@ namespace
 }
 c.win_emu.on_stdout(temp_buffer);
- c.win_emu.logger.info("%.*s", static_cast(temp_buffer.size()), temp_buffer.data());
+ c.win_emu.log.info("%.*s", static_cast(temp_buffer.size()), temp_buffer.data());
 return STATUS_SUCCESS;
 }
@@ -2774,7 +2774,7 @@ namespace
 auto printer = utils::finally([&] {
- c.win_emu.logger.print(color::dark_gray, "--> Opening file: %S\n", filename.c_str());
+ c.win_emu.log.print(color::dark_gray, "--> Opening file: %S\n", filename.c_str());
 });
 constexpr std::u16string_view device_prefix = u"\\Device\\";
@@ -2820,7 +2820,7 @@ namespace
 if (f.name.ends_with(u"\\") || create_options & FILE_DIRECTORY_FILE)
 {
- c.win_emu.logger.print(color::dark_gray, "--> Opening folder: %S\n", f.name.c_str());
+ c.win_emu.log.print(color::dark_gray, "--> Opening folder: %S\n", f.name.c_str());
 if (create_disposition & FILE_CREATE)
 {
@@ -2843,7 +2843,7 @@ namespace
 return STATUS_SUCCESS;
 }
- c.win_emu.logger.print(color::dark_gray, "--> Opening file: %S\n", f.name.c_str());
+ c.win_emu.log.print(color::dark_gray, "--> Opening file: %S\n", f.name.c_str());
 std::u16string mode = map_mode(desired_access, create_disposition);
@@ -3124,7 +3124,7 @@ namespace
 return STATUS_NOT_SUPPORTED;
 }
- const auto* mod = c.proc.module_manager.find_by_address(base_address);
+ const auto* mod = c.proc.mod_manager.find_by_address(base_address);
 if (!mod)
 {
 puts("Unmapping non-module section not supported!");
@@ -3132,7 +3132,7 @@ namespace
 return STATUS_NOT_SUPPORTED;
 }
- if (c.proc.module_manager.unmap(base_address))
+ if (c.proc.mod_manager.unmap(base_address))
 {
 return STATUS_SUCCESS;
 }
@@ -3222,7 +3222,7 @@ namespace
 {
 if (alertable)
 {
- c.win_emu.logger.print(color::gray, "Alertable NtWaitForMultipleObjects not supported yet!\n");
+ c.win_emu.log.print(color::gray, "Alertable NtWaitForMultipleObjects not supported yet!\n");
 }
 if (wait_type != WaitAny && wait_type != WaitAll)
@@ -3242,7 +3242,7 @@ namespace
 if (!is_awaitable_object_type(h))
 {
- c.win_emu.logger.print(color::gray, "Unsupported handle type for NtWaitForMultipleObjects: %d!\n",
+ c.win_emu.log.print(color::gray, "Unsupported handle type for NtWaitForMultipleObjects: %d!\n",
 h.value.type);
 return STATUS_NOT_SUPPORTED;
 }
@@ -3263,12 +3263,12 @@ namespace
 {
 if (alertable)
 {
- c.win_emu.logger.print(color::gray, "Alertable NtWaitForSingleObject not supported yet!\n");
+ c.win_emu.log.print(color::gray, "Alertable NtWaitForSingleObject not supported yet!\n");
 }
 if (!is_awaitable_object_type(h))
 {
- c.win_emu.logger.print(color::gray,
+ c.win_emu.log.print(color::gray,
 "Unsupported handle type for NtWaitForSingleObject: %d!\n", h.value.type);
 return STATUS_NOT_SUPPORTED;
 }
@@ -3344,7 +3344,7 @@ namespace
 {
 if (lock.value())
 {
- c.win_emu.logger.print(color::gray, "NtAlertThreadByThreadIdEx with lock not supported yet!");
+ c.win_emu.log.print(color::gray, "NtAlertThreadByThreadIdEx with lock not supported yet!");
 //c.emu.stop();
 //return STATUS_NOT_SUPPORTED;
 }
@@ -3400,7 +3400,7 @@ namespace
 {
 if (context.ContextFlags & CONTEXT_DEBUG_REGISTERS)
 {
- c.win_emu.logger.print(color::pink, "--> Reading debug registers!\n");
+ c.win_emu.log.print(color::pink, "--> Reading debug registers!\n");
 }
 context_frame::save(c.emu, context);
diff --git a/src/windows-emulator/windows_emulator.cpp b/src/windows-emulator/windows_emulator.cpp
index ba306f93..2be59a85 100644
--- a/src/windows-emulator/windows_emulator.cpp
+++ b/src/windows-emulator/windows_emulator.cpp
@@ -488,7 +488,7 @@ namespace
 if (active_thread)
 {
- win_emu.logger.print(color::dark_gray, "Performing thread switch...\n");
+ win_emu.log.print(color::dark_gray, "Performing thread switch...\n");
 active_thread->save(emu);
 }
@@ -749,7 +749,7 @@ windows_emulator::windows_emulator(emulator_settings settings,
 this->silent_until_main_ = settings.silent_until_main && !settings.disable_logging;
 this->stdout_callback_ = std::move(settings.stdout_callback);
 this->use_relative_time_ = settings.use_relative_time;
- this->logger.disable_output(settings.disable_logging || this->silent_until_main_);
+ this->log.disable_output(settings.disable_logging || this->silent_until_main_);
 this->setup_process(settings);
 }
@@ -765,19 +765,19 @@ void windows_emulator::setup_process(const emulator_settings& settings)
 auto& emu = this->emu();
 auto& context = this->process();
- context.module_manager = module_manager(emu); // TODO: Cleanup module manager
+ context.mod_manager = module_manager(emu); // TODO: Cleanup module manager
 setup_context(*this, settings);
- context.executable = context.module_manager.map_module(settings.application, this->logger);
+ context.executable = context.mod_manager.map_module(settings.application, this->log);
 context.peb.access([&](PEB64& peb) {
 peb.ImageBaseAddress = reinterpret_cast(context.executable->image_base);
 });
- context.ntdll = context.module_manager.map_module(R"(C:\Windows\System32\ntdll.dll)", this->logger);
- context.win32u = context.module_manager.map_module(R"(C:\Windows\System32\win32u.dll)", this->logger);
+ context.ntdll = context.mod_manager.map_module(R"(C:\Windows\System32\ntdll.dll)", this->log);
+ context.win32u = context.mod_manager.map_module(R"(C:\Windows\System32\win32u.dll)", this->log);
 const auto ntdll_data = emu.read_memory(context.ntdll->image_base, context.ntdll->size_of_image);
 const auto win32u_data = emu.read_memory(context.win32u->image_base, context.win32u->size_of_image);
@@ -832,7 +832,7 @@ void windows_emulator::on_instruction_execution(uint64_t address)
 if (this->silent_until_main_ && is_main_exe)
 {
 this->silent_until_main_ = false;
- this->logger.disable_output(false);
+ this->log.disable_output(false);
 }
 if (!this->verbose && !this->verbose_calls && !is_interesting_call)
@@ -840,21 +840,21 @@ void windows_emulator::on_instruction_execution(uint64_t address)
 return;
 }
- const auto* binary = this->process().module_manager.find_by_address(address);
+ const auto* binary = this->process().mod_manager.find_by_address(address);
 if (binary)
 {
 const auto export_entry = binary->address_names.find(address);
 if (export_entry != binary->address_names.end())
 {
- logger.print(is_interesting_call ? color::yellow : color::dark_gray,
+ log.print(is_interesting_call ? color::yellow : color::dark_gray,
 "Executing function: %s - %s (0x%llX)\n", binary->name.c_str(), export_entry->second.c_str(), address);
 }
 else if (address == binary->entry_point)
 {
- logger.print(is_interesting_call ? color::yellow : color::gray,
+ log.print(is_interesting_call ? color::yellow : color::gray,
 "Executing entry point: %s (0x%llX)\n", binary->name.c_str(), address);
@@ -935,17 +935,17 @@ void windows_emulator::setup_hooks()
 {
 const auto permission = get_permission_string(operation);
 const auto ip = this->emu().read_instruction_pointer();
- const char* name = this->process().module_manager.find_name(ip);
+ const char* name = this->process().mod_manager.find_name(ip);
 if (type == memory_violation_type::protection)
 {
- this->logger.print(color::gray, "Protection violation: 0x%llX (%zX) - %s at 0x%llX (%s)\n", address, size,
+ this->log.print(color::gray, "Protection violation: 0x%llX (%zX) - %s at 0x%llX (%s)\n", address, size,
 permission.c_str(), ip, name);
 }
 else if (type == memory_violation_type::unmapped)
 {
- this->logger.print(color::gray, "Mapping violation: 0x%llX (%zX) - %s at 0x%llX (%s)\n", address, size,
+ this->log.print(color::gray, "Mapping violation: 0x%llX (%zX) - %s at 0x%llX (%s)\n", address, size,
 permission.c_str(), ip, name);
 }
diff --git a/src/windows-emulator/windows_emulator.hpp b/src/windows-emulator/windows_emulator.hpp
index a1f9d3c5..6c46f5ec 100644
--- a/src/windows-emulator/windows_emulator.hpp
+++ b/src/windows-emulator/windows_emulator.hpp
@@ -97,7 +97,7 @@ public:
 }
 }
- logger logger{};
+ logger log{};
 bool verbose{false};
 bool verbose_calls{false};
 bool buffer_stdout{false};