This is an archive of the discontinued LLVM Phabricator instance.

Differential D21519

Add missing decoding patterns toRoundUpToInstrBoundary
ClosedPublic

Authored by etienneb on Jun 20 2016, 9:29 AM.

Details

Reviewers
rnk
Commits
rG3ac879f9a601: Add missing decoding patterns toRoundUpToInstrBoundary
rCRT273176: Add missing decoding patterns toRoundUpToInstrBoundary
rL273176: Add missing decoding patterns toRoundUpToInstrBoundary
Summary

The RoundUpToInstrBoundary determines intructions boundary and it's used to determine how to patch (intercept) functions.

The current x64-bit implementation is incomplete. This patch is adding patterns observed when trying to sanitize a 64-bit executable on my computer.

Thw two current functions not intercepted are:

RaiseExceptionStub:
000000007720C3B0 EB 06                jmp         RaiseException (07720C3B8h)  
000000007720C3B2 90                   nop  
000000007720C3B3 90                   nop  
000000007720C3B4 90                   nop  
000000007720C3B5 90                   nop  
000000007720C3B6 90                   nop  
000000007720C3B7 90                   nop  
RaiseException:
000000007720C3B8 FF 25 3A 18 09 00    jmp         qword ptr [__imp_RaiseException (07729DBF8h)]  
000000007720C3BE 8B 44 24 54          mov         eax,dword ptr [rsp+54h]  
000000007720C3C2 85 C0                test        eax,eax  
000000007720C3C4 0F 84 F5 05 00 00    je          Wow64NtCreateKey+12Fh (07720C9BFh)
CreateThreadStub:
0000000077215A10 48 83 EC 48          sub         rsp,48h  
0000000077215A14 48 8B 44 24 78       mov         rax,qword ptr [rsp+78h]  
0000000077215A19 48 89 44 24 38       mov         qword ptr [rsp+38h],rax  
0000000077215A1E 8B 44 24 70          mov         eax,dword ptr [rsp+70h]

Diff Detail

Event Timeline

etienneb updated this revision to Diff 61258.Jun 20 2016, 9:29 AM
etienneb retitled this revision from to Add missing decoding patterns toRoundUpToInstrBoundary.
etienneb updated this object.
etienneb added a reviewer: rnk.
etienneb added a subscriber: chrisha.
wang0109 added a subscriber: wang0109.Jun 20 2016, 9:32 AM
wang0109 added a comment.Jun 20 2016, 10:12 AM

The jmp in head, when separated from its "body", would break the trampoline machanism where original function is preserved, because jump from head could go to some unknown region int the tampoline area. See my artwork at: http://imgur.com/5vMplUn . But in 32-bit the same problem likely exists, so it's not worse.

etienneb updated this object.Jun 20 2016, 10:44 AM
In D21519#462255, @wang0109 wrote:

The jmp in head, when separated from its "body", would break the trampoline machanism where original function is preserved, because jump from head could go to some unknown region int the tampoline area. See my artwork at: http://imgur.com/5vMplUn . But in 32-bit the same problem likely exists, so it's not worse.

I'm gonna make a quick fix over my patch. It is still not a general solution, but it's working.
Interception is not yet solved, but we can move forward.

etienneb updated this revision to Diff 61268.Jun 20 2016, 10:46 AM

update

rnk accepted this revision.Jun 20 2016, 10:50 AM
rnk edited edge metadata.

lgtm

This revision is now accepted and ready to land.Jun 20 2016, 10:50 AM
wang0109 added a comment.Jun 20 2016, 10:53 AM

LGTM

etienneb closed this revision.Jun 20 2016, 11:06 AM

Revision Contents

PathSize
lib/
interception/
16 lines

Diff 61268

lib/interception/interception_win.cc

Show First 20 LinesShow All 115 Lines▼ Show 20 Lines
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
// Win64 RoundUpToInstrBoundary is a work in progress. // Win64 RoundUpToInstrBoundary is a work in progress.
size_t cursor = 0; size_t cursor = 0;
while (cursor < size) { while (cursor < size) {
switch (code[cursor]) { switch (code[cursor]) {
case '\x57': // 57 : push rdi case '\x57': // 57 : push rdi
cursor++; cursor++;
continue; continue;
case '\x90': // 90 : nop
cursor++;
continue;
case '\xb8': // b8 XX XX XX XX : mov eax, XX XX XX XX case '\xb8': // b8 XX XX XX XX : mov eax, XX XX XX XX
cursor += 5; cursor += 5;
continue; continue;
} }
switch (*(unsigned short*)(code + cursor)) { // NOLINT switch (*(unsigned short*)(code + cursor)) { // NOLINT
case 0x5540: // 40 55 : rex push rbp case 0x5540: // 40 55 : rex push rbp
case 0x5340: // 40 53 : rex push rbx case 0x5340: // 40 53 : rex push rbx
Show All 31 Lines switch (0x00FFFFFF & *(unsigned int*)(code + cursor)) {
case 0x058b48: // 48 8b 05 XX XX XX XX case 0x058b48: // 48 8b 05 XX XX XX XX
// = mov rax, QWORD PTR [rip+ 0xXXXXXXXX] // = mov rax, QWORD PTR [rip+ 0xXXXXXXXX]
case 0x25ff48: // 48 ff 25 XX XX XX XX case 0x25ff48: // 48 ff 25 XX XX XX XX
// = rex.W jmp QWORD PTR [rip + 0xXXXXXXXX] // = rex.W jmp QWORD PTR [rip + 0xXXXXXXXX]
cursor += 7; cursor += 7;
continue; continue;
} }
switch (*(unsigned int*)(code + cursor)) {
case 0x24448b48: // 48 8b 44 24 XX : mov rax, qword ptr [rsp + 0xXX]
cursor += 5;
continue;
}
// Check first 5 bytes. // Check first 5 bytes.
switch (0xFFFFFFFFFFull & *(unsigned long long*)(code + cursor)) { switch (0xFFFFFFFFFFull & *(unsigned long long*)(code + cursor)) {
case 0x08245c8948: // 48 89 5c 24 08 : mov QWORD PTR [rsp+0x8], rbx case 0x08245c8948: // 48 89 5c 24 08 : mov QWORD PTR [rsp+0x8], rbx
case 0x1024748948: // 48 89 74 24 10 : mov QWORD PTR [rsp+0x10], rsi case 0x1024748948: // 48 89 74 24 10 : mov QWORD PTR [rsp+0x10], rsi
cursor += 5; cursor += 5;
continue; continue;
} }
// Check 8 bytes.
switch (*(unsigned long long*)(code + cursor)) {
case 0x90909090909006EBull: // JMP +6, 6x NOP
cursor += 8;
continue;
}
// Unknown instructions! // Unknown instructions!
__debugbreak(); __debugbreak();
} }
return cursor; return cursor;
#else #else
size_t cursor = 0; size_t cursor = 0;
while (cursor < size) { while (cursor < size) {
▲ Show 20 LinesShow All 294 LinesShow Last 20 Lines