Analysis should not be done in the core. Not everyone using the emulator
needs the analysis.
Much of it was moved to the analyzer. Not all, but the rest will be done
in a follow up PR.
The event manager forms the basis for semantic logging.
The emulator transmits events and the manager can handle them.
This means either printing information to stdout, doing nothing, etc.
This PR aims to:
- [Improve NtQueryInformationToken](d7b8b78cef), by handling more token types and also fixing TokenIntegrityLevel to return a proper integrity SID.
- [Add new pseudo-handles](ac804939d9).
- [Add the KsecDD device and support for devices in NtQueryObject](ca61a7cd3b).
- [Add new syscalls](4b6e0f088d); to be more specific, the syscalls added were the following ones: `NtRemoveIoCompletion`, `NtSetInformationWorkerFactory`, `NtShutdownWorkerFactory`, `NtGetCurrentProcessorNumber`, `NtCreateTimer`, `NtSetTimer`, `NtSetTimer2`, `NtCancelTimer`, `NtAssociateWaitCompletionPacket`, `NtCancelWaitCompletionPacket`, `NtSetWnfProcessNotificationEvent`, `NtQuerySecurityObject`.
Most of the changes in this PR were made to get BCryptGenRandom working
in the emulator. Even with the KsecDD device implemented,
BCryptGenRandom only works for subsequent calls if NtCreateWorkerFactory
returns STATUS_SUCCESS. Returning STATUS_SUCCESS from
NtCreateWorkerFactory causes most of the newly added syscalls to be
called, and most of them need to return STATUS_SUCCESS as well;
otherwise, the executable just fails to run. Fortunately, from my
testing, nothing seems to break from just returning STATUS_SUCCESS
without a proper implementation.
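As an added illustration (example code, not the emulator's or this PR's own), this is the byte layout a "proper integrity SID" has when a TokenIntegrityLevel query is answered: one sub-authority under the mandatory label authority (value 16), so medium integrity is S-1-16-8192. The helper names are invented; the check shows what a guest validating the returned SID would reject.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_REVISION                  1
#define MANDATORY_LABEL_AUTHORITY     16      /* SECURITY_MANDATORY_LABEL_AUTHORITY */
#define SECURITY_MANDATORY_MEDIUM_RID 0x2000  /* S-1-16-8192 */

/* Serialise a one-sub-authority mandatory label SID into buf.
 * Returns the SID length in bytes (12), or 0 if buf is too small. */
size_t build_integrity_sid(uint8_t *buf, size_t cap, uint32_t rid) {
    const size_t len = 8 + 4 * 1;             /* header + one sub-authority */
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = SID_REVISION;
    buf[1] = 1;                               /* SubAuthorityCount */
    buf[7] = MANDATORY_LABEL_AUTHORITY;       /* IdentifierAuthority is big-endian, 6 bytes */
    buf[8]  = (uint8_t)(rid & 0xff);          /* SubAuthority[0] is little-endian */
    buf[9]  = (uint8_t)(rid >> 8);
    buf[10] = (uint8_t)(rid >> 16);
    buf[11] = (uint8_t)(rid >> 24);
    return len;
}

/* Read the 48-bit big-endian identifier authority out of a SID header. */
static uint64_t sid_authority(const uint8_t *buf) {
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | buf[2 + i];
    return authority;
}

/* True only for a well-formed integrity SID: revision 1, authority 16,
 * exactly one sub-authority, and enough bytes to hold it. */
int is_integrity_sid(const uint8_t *buf, size_t len) {
    if (len < 8 || buf[0] != SID_REVISION || buf[1] != 1) return 0;
    if (len < 8 + 4u * buf[1]) return 0;       /* truncated sub-authorities */
    return sid_authority(buf) == MANDATORY_LABEL_AUTHORITY;
}

/* Render any SID in S-R-A-S... text form; returns chars written or -1. */
int format_sid(const uint8_t *buf, size_t len, char *out, size_t outcap) {
    if (len < 8 || len < 8 + 4u * buf[1]) return -1;
    int n = snprintf(out, outcap, "S-%u-%llu", (unsigned)buf[0],
                     (unsigned long long)sid_authority(buf));
    for (unsigned i = 0; i < buf[1] && n >= 0 && (size_t)n < outcap; i++) {
        const uint8_t *p = buf + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        n += snprintf(out + n, outcap - (size_t)n, "-%u", sub);
    }
    return n;
}
```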
This PR aims to add support for get_address, event_select, and
enum_network_events to afd_endpoint. However, some bug fixes were also
implemented, such as properly mapping the AFD_CONNECT event. Substantial
changes were also made to `afd_endpoint::work` since polling is
necessary for the event_select functionality.