This is an archive of the discontinued LLVM Phabricator instance.

Differential D109941

[compiler-rt] [windows] Add more assembly patterns for interception
ClosedPublic

Authored by toshi on Sep 16 2021, 7:04 PM.

Details

Reviewers
rnk
Commits
rG22ea0cea595e: [compiler-rt] [windows] Add more assembly patterns for interception
Summary

To intercept the functions in Win11's ntdll.dll, we need to use the trampoline
technique because there are bytes other than 0x90 or 0xcc in the gaps between
exported functions. This patch adds more patterns that appear in ntdll's
functions.

Bug: https://bugs.llvm.org/show_bug.cgi?id=51721

Diff Detail

Event Timeline

toshi created this revision.Sep 16 2021, 7:04 PM
Herald added a subscriber: dberris. · View Herald TranscriptSep 16 2021, 7:04 PM
toshi requested review of this revision.Sep 16 2021, 7:04 PM
Herald added a project: Restricted Project. · View Herald TranscriptSep 16 2021, 7:04 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B124321: Diff 373122.Sep 16 2021, 7:36 PM
timurrrr edited reviewers, added: rnk; removed: timurrrr.Sep 16 2021, 8:23 PM
rnk mentioned this in D97781: Hook Rtl* allocation functions directly on Windows.Sep 17 2021, 3:47 PM
rnk accepted this revision.Sep 20 2021, 12:29 PM

lgtm, thanks for the patch. Would you like me to push it for you? Would you like me to exclude or include your email from the Author record?

This revision is now accepted and ready to land.Sep 20 2021, 12:29 PM
toshi added a comment.Sep 20 2021, 6:20 PM
In D109941#3010249, @rnk wrote:

lgtm, thanks for the patch. Would you like me to push it for you? Would you like me to exclude or include your email from the Author record?

Thank you for reviewing my patch! Yes, I'd like you to land this on my behalf. Please include my email to the record if possible. That's an honor.

This revision was landed with ongoing or failed builds.Sep 21 2021, 3:52 PM
Closed by commit rG22ea0cea595e: [compiler-rt] [windows] Add more assembly patterns for interception (authored by toshi, committed by rnk). · Explain Why
This revision was automatically updated to reflect the committed changes.
rnk added a commit: rG22ea0cea595e: [compiler-rt] [windows] Add more assembly patterns for interception.
cbezault added a subscriber: cbezault.Dec 2 2021, 2:02 PM

Note that we should get in contact with the Windows maintainers about this. Windows OS dlls are built with /HOTPATCH and should all be hotpatchable. It's unclear what the leading junk in the hotpatch padding is.

cbezault added a comment.Dec 2 2021, 2:53 PM

I've followed up with people more knowledgeable than myself. The unknown leading bytes in the padding region are XFG hashes and can be safely overwritten as long as XFG is not enabled for the process. (XFG is an eXtension of CFG, control flow guard)
I can't imagine many people will have both ASan and XFG enabled at the same time so I think the interception logic should just always assume there is padding before Windows OS functions.

Revision Contents

PathSize
compiler-rt/
lib/
interception/
46 lines
tests/
45 lines

Diff 374060

compiler-rt/lib/interception/interception_win.cpp

Show First 20 LinesShow All 392 Lines▼ Show 20 Lines#endif
// Allocate the space in the current region. // Allocate the space in the current region.
uptr allocated_space = region->content + region->allocated_size; uptr allocated_space = region->content + region->allocated_size;
region->allocated_size += size; region->allocated_size += size;
WritePadding(allocated_space, size); WritePadding(allocated_space, size);
return allocated_space; return allocated_space;
} }
// The following prologues cannot be patched because of the short jump
// jumping to the patching region.
// ntdll!wcslen in Win11
// 488bc1 mov rax,rcx
// 0fb710 movzx edx,word ptr [rax]
// 4883c002 add rax,2
// 6685d2 test dx,dx
// 75f4 jne -12
static const u8 kPrologueWithShortJump1[] = {
0x48, 0x8b, 0xc1, 0x0f, 0xb7, 0x10, 0x48, 0x83,
0xc0, 0x02, 0x66, 0x85, 0xd2, 0x75, 0xf4,
};
// ntdll!strrchr in Win11
// 4c8bc1 mov r8,rcx
// 8a01 mov al,byte ptr [rcx]
// 48ffc1 inc rcx
// 84c0 test al,al
// 75f7 jne -9
static const u8 kPrologueWithShortJump2[] = {
0x4c, 0x8b, 0xc1, 0x8a, 0x01, 0x48, 0xff, 0xc1,
0x84, 0xc0, 0x75, 0xf7,
};
// Returns 0 on error. // Returns 0 on error.
static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) { static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) {
#if SANITIZER_WINDOWS64
if (memcmp((u8*)address, kPrologueWithShortJump1,
sizeof(kPrologueWithShortJump1)) == 0 ||
memcmp((u8*)address, kPrologueWithShortJump2,
sizeof(kPrologueWithShortJump2)) == 0) {
return 0;
}
#endif
switch (*(u64*)address) { switch (*(u64*)address) {
case 0x90909090909006EB: // stub: jmp over 6 x nop. case 0x90909090909006EB: // stub: jmp over 6 x nop.
return 8; return 8;
} }
switch (*(u8*)address) { switch (*(u8*)address) {
case 0x90: // 90 : nop case 0x90: // 90 : nop
return 1; return 1;
▲ Show 20 LinesShow All 61 Lines▼ Show 20 Lines case 0x24A48D: // 8D A4 24 XX XX XX XX : lea esp, [esp + XX XX XX XX]
return 7; return 7;
} }
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
switch (*(u8*)address) { switch (*(u8*)address) {
case 0xA1: // A1 XX XX XX XX XX XX XX XX : case 0xA1: // A1 XX XX XX XX XX XX XX XX :
// movabs eax, dword ptr ds:[XXXXXXXX] // movabs eax, dword ptr ds:[XXXXXXXX]
return 9; return 9;
case 0x83:
const u8 next_byte = *(u8*)(address + 1);
const u8 mod = next_byte >> 6;
const u8 rm = next_byte & 7;
if (mod == 1 && rm == 4)
return 5; // 83 ModR/M SIB Disp8 Imm8
// add|or|adc|sbb|and|sub|xor|cmp [r+disp8], imm8
} }
switch (*(u16*)address) { switch (*(u16*)address) {
case 0x5040: // push rax case 0x5040: // push rax
case 0x5140: // push rcx case 0x5140: // push rcx
case 0x5240: // push rdx case 0x5240: // push rdx
case 0x5340: // push rbx case 0x5340: // push rbx
case 0x5440: // push rsp case 0x5440: // push rsp
case 0x5540: // push rbp case 0x5540: // push rbp
case 0x5640: // push rsi case 0x5640: // push rsi
case 0x5740: // push rdi case 0x5740: // push rdi
case 0x5441: // push r12 case 0x5441: // push r12
case 0x5541: // push r13 case 0x5541: // push r13
case 0x5641: // push r14 case 0x5641: // push r14
case 0x5741: // push r15 case 0x5741: // push r15
case 0x9066: // Two-byte NOP case 0x9066: // Two-byte NOP
case 0xc084: // test al, al
case 0x018a: // mov al, byte ptr [rcx]
return 2; return 2;
case 0x058B: // 8B 05 XX XX XX XX : mov eax, dword ptr [XX XX XX XX] case 0x058B: // 8B 05 XX XX XX XX : mov eax, dword ptr [XX XX XX XX]
if (rel_offset) if (rel_offset)
*rel_offset = 2; *rel_offset = 2;
return 6; return 6;
} }
switch (0x00FFFFFF & *(u32*)address) { switch (0x00FFFFFF & *(u32*)address) {
case 0xe58948: // 48 8b c4 : mov rbp, rsp case 0xe58948: // 48 8b c4 : mov rbp, rsp
case 0xc18b48: // 48 8b c1 : mov rax, rcx case 0xc18b48: // 48 8b c1 : mov rax, rcx
case 0xc48b48: // 48 8b c4 : mov rax, rsp case 0xc48b48: // 48 8b c4 : mov rax, rsp
case 0xd9f748: // 48 f7 d9 : neg rcx case 0xd9f748: // 48 f7 d9 : neg rcx
case 0xd12b48: // 48 2b d1 : sub rdx, rcx case 0xd12b48: // 48 2b d1 : sub rdx, rcx
case 0x07c1f6: // f6 c1 07 : test cl, 0x7 case 0x07c1f6: // f6 c1 07 : test cl, 0x7
case 0xc98548: // 48 85 C9 : test rcx, rcx case 0xc98548: // 48 85 C9 : test rcx, rcx
case 0xd28548: // 48 85 d2 : test rdx, rdx
case 0xc0854d: // 4d 85 c0 : test r8, r8 case 0xc0854d: // 4d 85 c0 : test r8, r8
case 0xc2b60f: // 0f b6 c2 : movzx eax, dl case 0xc2b60f: // 0f b6 c2 : movzx eax, dl
case 0xc03345: // 45 33 c0 : xor r8d, r8d case 0xc03345: // 45 33 c0 : xor r8d, r8d
case 0xc93345: // 45 33 c9 : xor r9d, r9d case 0xc93345: // 45 33 c9 : xor r9d, r9d
case 0xdb3345: // 45 33 DB : xor r11d, r11d case 0xdb3345: // 45 33 DB : xor r11d, r11d
case 0xd98b4c: // 4c 8b d9 : mov r11, rcx case 0xd98b4c: // 4c 8b d9 : mov r11, rcx
case 0xd28b4c: // 4c 8b d2 : mov r10, rdx case 0xd28b4c: // 4c 8b d2 : mov r10, rdx
case 0xc98b4c: // 4C 8B C9 : mov r9, rcx case 0xc98b4c: // 4C 8B C9 : mov r9, rcx
case 0xc18b4c: // 4C 8B C1 : mov r8, rcx case 0xc18b4c: // 4C 8B C1 : mov r8, rcx
case 0xd2b60f: // 0f b6 d2 : movzx edx, dl case 0xd2b60f: // 0f b6 d2 : movzx edx, dl
case 0xca2b48: // 48 2b ca : sub rcx, rdx case 0xca2b48: // 48 2b ca : sub rcx, rdx
case 0x10b70f: // 0f b7 10 : movzx edx, WORD PTR [rax] case 0x10b70f: // 0f b7 10 : movzx edx, WORD PTR [rax]
case 0xc00b4d: // 3d 0b c0 : or r8, r8 case 0xc00b4d: // 3d 0b c0 : or r8, r8
case 0xc08b41: // 41 8b c0 : mov eax, r8d
case 0xd18b48: // 48 8b d1 : mov rdx, rcx case 0xd18b48: // 48 8b d1 : mov rdx, rcx
case 0xdc8b4c: // 4c 8b dc : mov r11, rsp case 0xdc8b4c: // 4c 8b dc : mov r11, rsp
case 0xd18b4c: // 4c 8b d1 : mov r10, rcx case 0xd18b4c: // 4c 8b d1 : mov r10, rcx
case 0xE0E483: // 83 E4 E0 : and esp, 0xFFFFFFE0 case 0xE0E483: // 83 E4 E0 : and esp, 0xFFFFFFE0
return 3; return 3;
case 0xec8348: // 48 83 ec XX : sub rsp, XX case 0xec8348: // 48 83 ec XX : sub rsp, XX
case 0xf88349: // 49 83 f8 XX : cmp r8, XX case 0xf88349: // 49 83 f8 XX : cmp r8, XX
▲ Show 20 LinesShow All 490 LinesShow Last 20 Lines

compiler-rt/lib/interception/tests/interception_win_test.cpp

Show First 20 LinesShow All 202 Lines▼ Show 20 Linesconst u8 kUnpatchableCode5[] = {
0xC3, // ret 0xC3, // ret
}; };
const u8 kUnpatchableCode6[] = { const u8 kUnpatchableCode6[] = {
0xE8, 0xCC, 0xCC, 0xCC, 0xCC, // call <func> 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, // call <func>
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
}; };
const u8 kUnpatchableCode7[] = {
0x33, 0xc0, // xor eax,eax
0x48, 0x85, 0xd2, // test rdx,rdx
0x74, 0x10, // je +16 (unpatchable)
};
const u8 kUnpatchableCode8[] = {
0x48, 0x8b, 0xc1, // mov rax,rcx
0x0f, 0xb7, 0x10, // movzx edx,word ptr [rax]
0x48, 0x83, 0xc0, 0x02, // add rax,2
0x66, 0x85, 0xd2, // test dx,dx
0x75, 0xf4, // jne -12 (unpatchable)
};
const u8 kUnpatchableCode9[] = {
0x4c, 0x8b, 0xc1, // mov r8,rcx
0x8a, 0x01, // mov al,byte ptr [rcx]
0x48, 0xff, 0xc1, // inc rcx
0x84, 0xc0, // test al,al
0x75, 0xf7, // jne -9 (unpatchable)
};
const u8 kPatchableCode6[] = { const u8 kPatchableCode6[] = {
0x48, 0x89, 0x54, 0x24, 0xBB, // mov QWORD PTR [rsp + 0xBB], rdx 0x48, 0x89, 0x54, 0x24, 0xBB, // mov QWORD PTR [rsp + 0xBB], rdx
0x33, 0xC9, // xor ecx,ecx 0x33, 0xC9, // xor ecx,ecx
0xC3, // ret 0xC3, // ret
}; };
const u8 kPatchableCode7[] = { const u8 kPatchableCode7[] = {
0x4c, 0x89, 0x4c, 0x24, 0xBB, // mov QWORD PTR [rsp + 0xBB], r9 0x4c, 0x89, 0x4c, 0x24, 0xBB, // mov QWORD PTR [rsp + 0xBB], r9
0x33, 0xC9, // xor ecx,ecx 0x33, 0xC9, // xor ecx,ecx
0xC3, // ret 0xC3, // ret
}; };
const u8 kPatchableCode8[] = { const u8 kPatchableCode8[] = {
0x4c, 0x89, 0x44, 0x24, 0xBB, // mov QWORD PTR [rsp + 0xBB], r8 0x4c, 0x89, 0x44, 0x24, 0xBB, // mov QWORD PTR [rsp + 0xBB], r8
0x33, 0xC9, // xor ecx,ecx 0x33, 0xC9, // xor ecx,ecx
0xC3, // ret 0xC3, // ret
}; };
const u8 kPatchableCode9[] = {
0x8a, 0x01, // al,byte ptr [rcx]
0x45, 0x33, 0xc0, // xor r8d,r8d
0x84, 0xc0, // test al,al
};
const u8 kPatchableCode10[] = {
0x45, 0x33, 0xc0, // xor r8d,r8d
0x41, 0x8b, 0xc0, // mov eax,r8d
0x48, 0x85, 0xd2, // test rdx,rdx
};
const u8 kPatchableCode11[] = {
0x48, 0x83, 0xec, 0x38, // sub rsp,38h
0x83, 0x64, 0x24, 0x28, 0x00, // and dword ptr [rsp+28h],0
};
// A buffer holding the dynamically generated code under test. // A buffer holding the dynamically generated code under test.
u8* ActiveCode; u8* ActiveCode;
const size_t ActiveCodeLength = 4096; const size_t ActiveCodeLength = 4096;
int InterceptorFunction(int x); int InterceptorFunction(int x);
/// Allocate code memory more than 2GB away from Base. /// Allocate code memory more than 2GB away from Base.
u8 *AllocateCode2GBAway(u8 *Base) { u8 *AllocateCode2GBAway(u8 *Base) {
▲ Show 20 LinesShow All 368 Lines▼ Show 20 Lines
TEST(Interception, PatchableFunctionWithTrampoline) { TEST(Interception, PatchableFunctionWithTrampoline) {
TestOverrideFunction override = OverrideFunctionWithTrampoline; TestOverrideFunction override = OverrideFunctionWithTrampoline;
FunctionPrefixKind prefix = FunctionPrefixPadding; FunctionPrefixKind prefix = FunctionPrefixPadding;
EXPECT_TRUE(TestFunctionPatching(kPatchableCode1, override, prefix)); EXPECT_TRUE(TestFunctionPatching(kPatchableCode1, override, prefix));
EXPECT_TRUE(TestFunctionPatching(kPatchableCode2, override, prefix)); EXPECT_TRUE(TestFunctionPatching(kPatchableCode2, override, prefix));
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
EXPECT_FALSE(TestFunctionPatching(kPatchableCode3, override, prefix)); EXPECT_FALSE(TestFunctionPatching(kPatchableCode3, override, prefix));
EXPECT_TRUE(TestFunctionPatching(kPatchableCode9, override, prefix));
EXPECT_TRUE(TestFunctionPatching(kPatchableCode10, override, prefix));
EXPECT_TRUE(TestFunctionPatching(kPatchableCode11, override, prefix));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode7, override, prefix));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode8, override, prefix));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode9, override, prefix));
#else #else
EXPECT_TRUE(TestFunctionPatching(kPatchableCode3, override, prefix)); EXPECT_TRUE(TestFunctionPatching(kPatchableCode3, override, prefix));
#endif #endif
EXPECT_FALSE(TestFunctionPatching(kPatchableCode4, override, prefix)); EXPECT_FALSE(TestFunctionPatching(kPatchableCode4, override, prefix));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode1, override, prefix)); EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode1, override, prefix));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode2, override, prefix)); EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode2, override, prefix));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode3, override, prefix)); EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode3, override, prefix));
Show All 37 Lines