Log message for memory block tracking now more descriptive

nickcano · nickcano · commit e20b9c53c8bd · 2015-05-22T13:51:06.000-07:00
diff --git a/PackerAttackerHook/UnpackingEngine.cpp b/PackerAttackerHook/UnpackingEngine.cpp
@@ -198,7 +198,7 @@ DWORD UnpackingEngine::getProcessIdIfRemote(HANDLE process)
      return (pid == this->processID) ? 0 : pid;
 }
 
-ULONG UnpackingEngine::processMemoryBlockFromHook(DWORD address, DWORD size, ULONG newProtection, ULONG oldProtection, bool considerOldProtection)
+ULONG UnpackingEngine::processMemoryBlockFromHook(const char* source, DWORD address, DWORD size, ULONG newProtection, ULONG oldProtection, bool considerOldProtection)
 {
     PVOID _address = (PVOID)address;
     DWORD _size = size;
@@ -219,7 +219,7 @@ ULONG UnpackingEngine::processMemoryBlockFromHook(DWORD address, DWORD size, ULO
         /* this is a PE section being set to writeable, track it */
         this->origNtProtectVirtualMemory(GetCurrentProcess(), &_address, &_size, REMOVE_WRITEABLE_PROT(newProtection), &_oldProtection);
         this->writeablePEBlocks.startTracking(address, size, newProtection);
-        Logger::getInstance()->write("Placed write hook on PE section at 0x%08x", address);
+        Logger::getInstance()->write("[%s] Placed write hook on PE section at 0x%08x", source, address);
     }
     else if (IS_EXECUTABLE_PROT(newProtection))
     {
@@ -228,7 +228,7 @@ ULONG UnpackingEngine::processMemoryBlockFromHook(DWORD address, DWORD size, ULO
         {
             this->executableBlocks.startTracking(address, size, (DWORD)newProtection);
             this->origNtProtectVirtualMemory(GetCurrentProcess(), &_address, &_size, REMOVE_EXECUTABLE_PROT(newProtection), &_oldProtection);
-            Logger::getInstance()->write("Placed execution hook on 0x%08x", address);
+            Logger::getInstance()->write("[%s] Placed execution hook on 0x%08x", source, address);
         }
     }
     else
@@ -238,7 +238,7 @@ ULONG UnpackingEngine::processMemoryBlockFromHook(DWORD address, DWORD size, ULO
         if (it != this->executableBlocks.nullMarker())
         {
             this->executableBlocks.stopTracking(it);
-            Logger::getInstance()->write("Removed execution hook on 0x%08x", address);
+            Logger::getInstance()->write("[%s] Removed execution hook on 0x%08x", source, address);
         }
     }
 
@@ -263,7 +263,7 @@ NTSTATUS UnpackingEngine::onNtProtectVirtualMemory(HANDLE process, PVOID* baseAd
 
     if (ret == 0 && this->hooksReady && (process == INVALID_HANDLE_VALUE || GetProcessId(process) == this->processID))
     {
-        _oldProtection = this->processMemoryBlockFromHook((DWORD)*baseAddress, (DWORD)*numberOfBytes, newProtection, *OldProtection, true);
+        _oldProtection = this->processMemoryBlockFromHook("onNtProtectVirtualMemory", (DWORD)*baseAddress, (DWORD)*numberOfBytes, newProtection, *OldProtection, true);
         if (OldProtection)
             *OldProtection = _oldProtection;
     }
@@ -426,7 +426,7 @@ NTSTATUS WINAPI UnpackingEngine::onNtAllocateVirtualMemory(HANDLE ProcessHandle,
     this->inAllocationHook = false;
 
     if (ret == 0 && this->hooksReady && (ProcessHandle == INVALID_HANDLE_VALUE || GetProcessId(ProcessHandle) == this->processID))
-        this->processMemoryBlockFromHook((DWORD)*BaseAddress, (DWORD)*RegionSize, Protect, NULL, false);
+        this->processMemoryBlockFromHook("onNtAllocateVirtualMemory", (DWORD)*BaseAddress, (DWORD)*RegionSize, Protect, NULL, false);
 
     return ret;
 }
diff --git a/PackerAttackerHook/UnpackingEngine.h b/PackerAttackerHook/UnpackingEngine.h
@@ -80,7 +80,7 @@ class UnpackingEngine
     void dumpMemoryBlock(TrackedMemoryBlock block, DWORD ep);
     void dumpMemoryBlock(char* fileName, DWORD size, const unsigned char* data);
     DWORD getProcessIdIfRemote(HANDLE process);
-    ULONG processMemoryBlockFromHook(DWORD address, DWORD size, ULONG newProtection, ULONG oldProtection, bool considerOldProtection);
+    ULONG processMemoryBlockFromHook(const char* source, DWORD address, DWORD size, ULONG newProtection, ULONG oldProtection, bool considerOldProtection);
 
     /* NtProtectVirtualMemory hook */
     HOOK_DEFINE_5(NTSTATUS, NTAPI, NtProtectVirtualMemory, HANDLE, PVOID*, PULONG, ULONG, PULONG);

Original file line number	Diff line number	Diff line change
`@@ -198,7 +198,7 @@ DWORD UnpackingEngine::getProcessIdIfRemote(HANDLE process)`
`198`	`198`	`return (pid == this->processID) ? 0 : pid;`
`199`	`199`	`}`
`200`	`200`
`201`		`-ULONG UnpackingEngine::processMemoryBlockFromHook(DWORD address, DWORD size, ULONG newProtection, ULONG oldProtection, bool considerOldProtection)`
	`201`	`+ULONG UnpackingEngine::processMemoryBlockFromHook(const char* source, DWORD address, DWORD size, ULONG newProtection, ULONG oldProtection, bool considerOldProtection)`
`202`	`202`	`{`
`203`	`203`	`PVOID _address = (PVOID)address;`
`204`	`204`	`DWORD _size = size;`
`@@ -219,7 +219,7 @@ ULONG UnpackingEngine::processMemoryBlockFromHook(DWORD address, DWORD size, ULO`
`219`	`219`	`/* this is a PE section being set to writeable, track it */`
`220`	`220`	`this->origNtProtectVirtualMemory(GetCurrentProcess(), &_address, &_size, REMOVE_WRITEABLE_PROT(newProtection), &_oldProtection);`
`221`	`221`	`this->writeablePEBlocks.startTracking(address, size, newProtection);`
`222`		`- Logger::getInstance()->write("Placed write hook on PE section at 0x%08x", address);`
	`222`	`+ Logger::getInstance()->write("[%s] Placed write hook on PE section at 0x%08x", source, address);`
`223`	`223`	`}`
`224`	`224`	`else if (IS_EXECUTABLE_PROT(newProtection))`
`225`	`225`	`{`
`@@ -228,7 +228,7 @@ ULONG UnpackingEngine::processMemoryBlockFromHook(DWORD address, DWORD size, ULO`
`228`	`228`	`{`
`229`	`229`	`this->executableBlocks.startTracking(address, size, (DWORD)newProtection);`
`230`	`230`	`this->origNtProtectVirtualMemory(GetCurrentProcess(), &_address, &_size, REMOVE_EXECUTABLE_PROT(newProtection), &_oldProtection);`
`231`		`- Logger::getInstance()->write("Placed execution hook on 0x%08x", address);`
	`231`	`+ Logger::getInstance()->write("[%s] Placed execution hook on 0x%08x", source, address);`
`232`	`232`	`}`
`233`	`233`	`}`
`234`	`234`	`else`
`@@ -238,7 +238,7 @@ ULONG UnpackingEngine::processMemoryBlockFromHook(DWORD address, DWORD size, ULO`
`238`	`238`	`if (it != this->executableBlocks.nullMarker())`
`239`	`239`	`{`
`240`	`240`	`this->executableBlocks.stopTracking(it);`
`241`		`- Logger::getInstance()->write("Removed execution hook on 0x%08x", address);`
	`241`	`+ Logger::getInstance()->write("[%s] Removed execution hook on 0x%08x", source, address);`
`242`	`242`	`}`
`243`	`243`	`}`
`244`	`244`
`@@ -263,7 +263,7 @@ NTSTATUS UnpackingEngine::onNtProtectVirtualMemory(HANDLE process, PVOID* baseAd`
`263`	`263`
`264`	`264`	`if (ret == 0 && this->hooksReady && (process == INVALID_HANDLE_VALUE \|\| GetProcessId(process) == this->processID))`
`265`	`265`	`{`
`266`		`- _oldProtection = this->processMemoryBlockFromHook((DWORD)baseAddress, (DWORD)numberOfBytes, newProtection, *OldProtection, true);`
	`266`	`+ _oldProtection = this->processMemoryBlockFromHook("onNtProtectVirtualMemory", (DWORD)baseAddress, (DWORD)numberOfBytes, newProtection, *OldProtection, true);`
`267`	`267`	`if (OldProtection)`
`268`	`268`	`*OldProtection = _oldProtection;`
`269`	`269`	`}`
`@@ -426,7 +426,7 @@ NTSTATUS WINAPI UnpackingEngine::onNtAllocateVirtualMemory(HANDLE ProcessHandle,`
`426`	`426`	`this->inAllocationHook = false;`
`427`	`427`
`428`	`428`	`if (ret == 0 && this->hooksReady && (ProcessHandle == INVALID_HANDLE_VALUE \|\| GetProcessId(ProcessHandle) == this->processID))`
`429`		`- this->processMemoryBlockFromHook((DWORD)BaseAddress, (DWORD)RegionSize, Protect, NULL, false);`
	`429`	`+ this->processMemoryBlockFromHook("onNtAllocateVirtualMemory", (DWORD)BaseAddress, (DWORD)RegionSize, Protect, NULL, false);`
`430`	`430`
`431`	`431`	`return ret;`
`432`	`432`	`}`