Analysis should not be done in the core. Not everyone using the emulator
needs the analysis.
Much of it was moved to the analyzer. Not all, but the rest will be done
in a follow up PR.
The event manager forms the basis for semantic logging.
The emulator transmits events and the manager can handle them.
This means either printing information to stdout, doing nothing, etc.
This PR aims to:
- [Improve NtQueryInformationToken](d7b8b78cef), by handling more token types and also fixing TokenIntegrityLevel to return a proper integrity SID.
- [Add new pseudo-handles](ac804939d9).
- [Add the KsecDD device and support for devices in NtQueryObject](ca61a7cd3b).
- [Add new syscalls](4b6e0f088d); to be more specific, the syscalls added were the following ones: `NtRemoveIoCompletion`, `NtSetInformationWorkerFactory`, `NtShutdownWorkerFactory`, `NtGetCurrentProcessorNumber`, `NtCreateTimer`, `NtSetTimer`, `NtSetTimer2`, `NtCancelTimer`, `NtAssociateWaitCompletionPacket`, `NtCancelWaitCompletionPacket`, `NtSetWnfProcessNotificationEvent`, `NtQuerySecurityObject`.
Most of the changes in this PR were made to get BCryptGenRandom working
in the emulator. Even with the KsecDD device implemented,
BCryptGenRandom only works for subsequent calls if NtCreateWorkerFactory
returns STATUS_SUCCESS. Returning STATUS_SUCCESS from
NtCreateWorkerFactory causes most of the newly added syscalls to be
called, and most of them need to return STATUS_SUCCESS as well;
otherwise, the executable just fails to run. Fortunately, from my
testing, nothing seems to break from just returning STATUS_SUCCESS
without a proper implementation.
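As an added illustration of the "proper integrity SID" that TokenIntegrityLevel is now expected to return: this is example code written for this note, not the emulator's own, and the function names are hypothetical; the byte layout and the well-known values (authority 16, medium = 0x2000, high = 0x3000) follow the documented Windows SID format.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Raw in-memory layout of a Windows SID: Revision (1), SubAuthorityCount,
// a 6-byte big-endian IdentifierAuthority, then SubAuthorityCount DWORDs
// in little-endian order. Integrity SIDs use the mandatory-label authority
// (16) with a single sub-authority holding the integrity level.
constexpr uint32_t kMandatoryLabelAuthority = 16;
constexpr uint32_t kMediumIntegrityRid = 0x2000;  // S-1-16-8192
constexpr uint32_t kHighIntegrityRid = 0x3000;    // S-1-16-12288

// Build the byte image an emulator could copy into the caller's buffer
// behind TOKEN_MANDATORY_LABEL.Label.Sid for a TokenIntegrityLevel query.
std::vector<uint8_t> build_integrity_sid(uint32_t rid) {
    std::vector<uint8_t> sid;
    sid.push_back(1);  // Revision: always 1
    sid.push_back(1);  // SubAuthorityCount: exactly one RID
    for (int i = 5; i >= 0; --i)  // IdentifierAuthority, big-endian 48-bit
        sid.push_back(static_cast<uint8_t>(
            (static_cast<uint64_t>(kMandatoryLabelAuthority) >> (8 * i)) & 0xff));
    for (int i = 0; i < 4; ++i)  // SubAuthority[0], little-endian DWORD
        sid.push_back(static_cast<uint8_t>((rid >> (8 * i)) & 0xff));
    return sid;
}

// Render a raw SID as "S-1-A-S0-..." so the emulated value can be compared
// against what a real token reports. Returns "" for a malformed buffer so a
// test harness can detect a truncated or mis-sized SID.
std::string sid_to_string(const std::vector<uint8_t>& sid) {
    if (sid.size() < 8 || sid[0] != 1) return {};
    const size_t count = sid[1];
    if (sid.size() != 8 + 4 * count) return {};
    uint64_t authority = 0;
    for (int i = 0; i < 6; ++i) authority = (authority << 8) | sid[2 + i];
    std::string out = "S-1-" + std::to_string(authority);
    for (size_t n = 0; n < count; ++n) {
        uint32_t sub = 0;
        for (int i = 3; i >= 0; --i) sub = (sub << 8) | sid[8 + 4 * n + i];
        out += "-" + std::to_string(sub);
    }
    return out;
}
```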