[FEATURE] In syscall extractor: hidden debug strings. Skip syscall ch…

…eck if table not initialized
hasherezade · Sep 11, 2024 · b02469d · b02469d
1 parent df89282
commit b02469d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/scanners/thread_scanner.cpp b/scanners/thread_scanner.cpp
@@ -171,7 +171,7 @@ std::string ThreadScanReport::translate_thread_state(DWORD thread_state)
 
 bool pesieve::ThreadScanner::checkReturnAddrIntegrity(IN const std::vector<ULONGLONG>& callStack)
 {
-	if (this->info.last_syscall == INVALID_SYSCALL || !symbols || !callStack.size() || !info.is_extended) {
+	if (this->info.last_syscall == INVALID_SYSCALL || !symbols || !callStack.size() || !info.is_extended || !g_SyscallTable.isReady()) {
 		return true; // skip the check
 	}
 	const std::string syscallFuncName = g_SyscallTable.getSyscallName(this->info.last_syscall);

diff --git a/utils/syscall_extractor.cpp b/utils/syscall_extractor.cpp
@@ -58,15 +58,19 @@ namespace pesieve {
 			BYTE* buffer = peconv::load_pe_module(path.c_str(), bufsize, false, false);
 
 			if (!buffer) {
+#ifdef _DEBUG
 				std::cerr << "Failed to load the PE: " << path << "\n";
+#endif
 				return 0;
 			}
 
 			size_t extracted_count = extract_syscalls(buffer, bufsize, syscallToName, startSyscallID);
 			peconv::free_pe_buffer(buffer);
 
 			if (!extracted_count) {
+#ifdef _DEBUG
 				std::cerr << "No syscalls extracted from: " << path << "\n";
+#endif
 			}
 			return extracted_count;
 		}
@@ -94,7 +98,9 @@ size_t pesieve::util::extract_syscall_table(OUT std::map<DWORD, std::string>& sy
 	pesieve::util::wow64_revert_fs_redirection(&old_val);
 
 	if (!extracted_count) {
+#ifdef _DEBUG
 		std::cerr << "Failed to extract syscalls.\n";
+#endif
 		return 0;
 	}
 	return syscallToName.size();