sleepskip feature might prevent monitoring of other threads

[MerX1030]

I enabled force-sleepskip option in running one sample that had a process monitoring thread and I observed in the logs that it remained looping in that thread without transferring to another one. So I tried disabling sleepskip and it successfully transferred to the other threads and logged everything.

Would it be better that, instead of doing a sleepskip, we just make a very minimal sleep?

Unfortunately, I need to find that sample again since I observed this last week and forgot to send. Will send the hashes once I find it.

[brad-sp]

Userland threads can't really prevent themselves from being rescheduled -- maybe it was just running too much in that single thread. I just committed a change that performs an empty sleep instead of skipping the sleep in the forced sleep-skipping case, which is enough to cause a reschedule from the kernel and give the behavior you want.

Note that it generally shouldn't be necessary to force sleep-skipping, as our version automatically enables a form of sleep-skipping that works in most cases.

https://github.com/brad-accuvant/cuckoomon-modified/commit/aff5da62760eb982aca1b64cb7f75b6490a79ce0

[MerX1030]

Thanks! I saw that there is an automatic enabling of sleep-skipping when certain conditions are met. Though in some cases like when a sample performs a loop like this:

for i in range(1,1000): DeleteFile(non-existent file) Sleep(1000)

force-sleepskipping might be needed.