[FEATURE] Added different modes of enabling/disabling cache

CMakeLists.txt

@@ -126,22 +126,22 @@ if(HH_BUILD_TESTING)
 	set_tests_properties(TestFalsePositives PROPERTIES PASS_REGULAR_EXPRESSION "\"suspicious_count\" : 0")
 
 	# 2) test scan with caching
-	add_test (TestCaching ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache)
+	add_test (TestCaching ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache E)
 	set_tests_properties(TestCaching PROPERTIES PASS_REGULAR_EXPRESSION "\"suspicious_count\" : 0")
 
 	# 3) test scan IAT with caching
-	add_test (TestIatScan ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache -iat 1)
+	add_test (TestIatScan ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache E -iat 1)
 	set_tests_properties(TestIatScan PROPERTIES PASS_REGULAR_EXPRESSION "\"suspicious_count\" : ")
 
 	# 4) test scan hooks with caching
-	add_test (TestHooksScan ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache -hooks)
+	add_test (TestHooksScan ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache E -hooks)
 	set_tests_properties(TestHooksScan PROPERTIES PASS_REGULAR_EXPRESSION "\"suspicious_count\" : ")
 
 	# 5) test scan threads with caching
-	add_test (TestThreadsScan ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache -threads)
+	add_test (TestThreadsScan ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache E -threads)
 	set_tests_properties(TestThreadsScan PROPERTIES PASS_REGULAR_EXPRESSION "\"suspicious_count\" : ")
 
 	# 6) test scan code patterns with caching
-	add_test (TestCodeScanNoDump ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache -shellc P -ofilter 2)
+	add_test (TestCodeScanNoDump ${CMAKE_INSTALL_PREFIX}/hollows_hunter -json -dir scan_out -cache E -shellc P -ofilter 2)
 	set_tests_properties(TestCodeScanNoDump PROPERTIES PASS_REGULAR_EXPRESSION "\"suspicious_count\" : ")
 endif()

hh_params.cpp

@@ -7,7 +7,7 @@ void hh_params::init()
 
     //reset output path:
     out_dir = HH_DEFAULT_DIR;
-
+    cache_mode = CACHE_AUTO;
     pesieve_args.quiet = true;
     pesieve_args.no_hooks = true;
     pesieve_args.results_filter = pesieve::SHOW_SUSPICIOUS;

hh_params.h

@@ -7,6 +7,14 @@
 #define TIME_UNDEFINED LONGLONG(-1)
 #define HH_DEFAULT_DIR "hollows_hunter.dumps"
 
+
+typedef enum {
+    CACHE_DISABLED = 0,  ///< cache always disabled
+    CACHE_AUTO,          ///< autodetect if cache should be enabled
+    CACHE_ENABLED,       ///< cache always enabled
+    CACHE_MODES_COUNT
+} t_cache_mode;
+
 //HollowsHunter's parameters:
 typedef struct hh_params
 {
@@ -21,6 +29,7 @@ typedef struct hh_params
     bool log;
     bool json_output;
     LONGLONG ptimes;
+    t_cache_mode cache_mode;
     std::set<std::wstring> names_list;
     std::set<long> pids_list;
     std::set<std::wstring> ignored_names_list;

params_info/params.h

@@ -88,6 +88,32 @@ std::wstring to_wstring(const std::string& stringToConvert)
     return wideString;
 }
 
+std::string cache_mode_to_id(const t_cache_mode mode)
+{
+    switch (mode) {
+    case CACHE_DISABLED:
+        return "D";
+    case CACHE_AUTO:
+        return "A";
+    case CACHE_ENABLED:
+        return "E";
+    }
+    return "";
+}
+
+std::string translate_cache_mode(const t_cache_mode mode)
+{
+    switch (mode) {
+    case CACHE_DISABLED:
+        return "cache always disabled";
+    case CACHE_AUTO:
+        return "automatically enable cache in continuous scanning mode (default)";
+    case CACHE_ENABLED:
+        return "cache always enabled";
+    }
+    return "";
+}
+
 class HHParams : public Params
 {
 public:
@@ -249,8 +275,15 @@ class HHParams : public Params
         this->setInfo(PARAM_REFLECTION, "Make a process reflection before scan.", "\t   This allows i.e. to force-read inaccessible pages.");
 
         //PARAM_CACHE
-        this->addParam(new BoolParam(PARAM_CACHE, false));
-        this->setInfo(PARAM_CACHE, "Use modules caching.", "\t   This can speed up the scan (on the cost of memory consumption).");
+        enumParam = new EnumParam(PARAM_CACHE, "cache_mode", false);
+        if (enumParam) {
+            this->addParam(enumParam);
+            this->setInfo(PARAM_CACHE, "Use modules caching. This can speed up the scan (on the cost of memory consumption).\n");
+            for (size_t i = 0; i < CACHE_MODES_COUNT; i++) {
+                t_cache_mode mode = (t_cache_mode)(i);
+                enumParam->addEnumValue(mode, cache_mode_to_id(mode), translate_cache_mode(mode));
+            }
+        }
 
         //PARAM_IAT
         enumParam = new EnumParam(PARAM_IAT, "iat_scan_mode", false);
@@ -395,6 +428,7 @@ class HHParams : public Params
         copyVal<BoolParam>(PARAM_HOOKS, hooks);
         ps.pesieve_args.no_hooks = hooks ? false : true;
 
+        copyVal<EnumParam>(PARAM_CACHE, ps.cache_mode);
         copyVal<BoolParam>(PARAM_UNIQUE_DIR, ps.unique_dir);
         copyVal<BoolParam>(PARAM_SUSPEND, ps.suspend_suspicious);
         copyVal<BoolParam>(PARAM_KILL, ps.kill_suspicious);
@@ -429,6 +463,17 @@ class HHParams : public Params
         if (myIntParam && myIntParam->isSet()) {
             myIntParam->stripToIntElements(ps.pids_list);
         }
+
+        ps.pesieve_args.use_cache = false;
+        if (ps.cache_mode == CACHE_ENABLED) {
+            ps.pesieve_args.use_cache = true;
+        }
+        else if (ps.cache_mode == CACHE_AUTO) {
+            if (ps.loop_scanning || ps.etw_scan) {
+                //continuous scanning: enable cache
+                ps.pesieve_args.use_cache = true;
+            }
+        }
     }
 
     void freeStruct(t_hh_params& ps)
@@ -499,7 +544,6 @@ class HHParams : public Params
         copyVal<EnumParam>(PARAM_OBFUSCATED, ps.obfuscated);
         copyVal<BoolParam>(PARAM_THREADS, ps.threads);
         copyVal<BoolParam>(PARAM_REFLECTION, ps.make_reflection);
-        copyVal<BoolParam>(PARAM_CACHE, ps.use_cache);
 
         copyVal<EnumParam>(PARAM_IAT, ps.iat);
         copyVal<EnumParam>(PARAM_DOTNET_POLICY, ps.dotnet_policy);