Fix the case of analyzing DLLs, where the only access to the "file of…

… interest" would be an LdrLoadDll. Otherwise we won't get any logs.

Also add a new config option that we'll expand on later that will help debug problems like this.  If full-logs=1 is specified as an argument for analysis, then the "file/URL of interest" log reduction will be disabled.

config.c

@@ -118,15 +118,18 @@ int read_config(void)
             else if(!strcmp(key, "force-sleepskip")) {
                 g_config.force_sleepskip = value[0] == '1';
             }
+			else if (!strcmp(key, "full-logs")) {
+				g_config.full_logs = value[0] == '1';
+			}
 			else if (!strcmp(key, "terminate-event")) {
 				strncpy(g_config.terminate_event_name, value,
 					ARRAYSIZE(g_config.terminate_event_name));
 			}
         }
     }
 
-	/* don't suspend logging if this isn't the first process */
-	if (!g_config.first_process)
+	/* don't suspend logging if this isn't the first process or if we want all the logs */
+	if (!g_config.first_process || g_config.full_logs)
 		g_config.suspend_logging = FALSE;
 
 	fclose(fp);

config.h

@@ -49,6 +49,9 @@ struct _g_config {
     // is this the first process or not?
     int first_process;
 
+	// do we want to ignore "file of interest" and other forms of log reduction?
+	int full_logs;
+
     // how many milliseconds since startup
     unsigned int startup_time;
 

hook_special.c

@@ -54,6 +54,9 @@ HOOKDEF2(NTSTATUS, WINAPI, LdrLoadDll,
 	activity when there's not, so hide it
 	*/
 	if (!called_by_hook() && wcsncmp(library.Buffer, g_config.dllpath, wcslen(g_config.dllpath))) {
+		if (!wcsicmp(library.Buffer, g_config.file_of_interest))
+			g_config.suspend_logging = FALSE;
+
 		if (!wcsncmp(library.Buffer, L"\\??\\", 4) || library.Buffer[1] == L':')
 	        LOQspecial_ntstatus("system", "hFP", "Flags", Flags, "FileName", library.Buffer,
 		       "BaseAddress", ModuleHandle);