This is an archive of the discontinued LLVM Phabricator instance.

Differential D22111

[compiler-rt] Refactor the interception code on windows.
ClosedPublic

Authored by etienneb on Jul 7 2016, 2:27 PM.

Details

Reviewers
rnk
Commits
rGf5525670ad6c: [compiler-rt] Refactor the interception code on windows.
rCRT275123: [compiler-rt] Refactor the interception code on windows.
rL275123: [compiler-rt] Refactor the interception code on windows.
Summary

This is a cleanup and refactoring of the interception code on windows

Enhancement:

  • Adding the support for 64-bits code
  • Adding several hooking technique:
    • Detour
    • JumpRedirect
    • HotPatch
    • Trampoline
  • Adding a trampoline memory pool (64-bits) and release the allocated memory in unittests

Cleanup:

  • Adding unittests for 64-bits hooking techniques
  • Enhancing the RoundUpInstruction by sharing common decoder

Diff Detail

Event Timeline

etienneb updated this revision to Diff 63138.Jul 7 2016, 2:27 PM
etienneb retitled this revision from to [compiler-rt] Refactor the interception code on windows..
etienneb updated this object.
etienneb added a reviewer: rnk.
etienneb added subscribers: chrisha, wang0109, llvm-commits.
rnk added inline comments.Jul 7 2016, 3:59 PM
lib/interception/interception_win.cc
205–213

static

211

static

218

Doesn't this scan forwards, and aren't we trying to scan backwards?

613

These local variables should probably follow google naming conventions, which is the prevailing local style in the sanitizer libraries.

etienneb updated this revision to Diff 63180.Jul 8 2016, 12:10 AM
etienneb marked 4 inline comments as done.

add 64-bits unittests

etienneb updated this revision to Diff 63182.Jul 8 2016, 12:17 AM

nits

etienneb added a comment.Jul 8 2016, 12:19 AM

added some 64-bits unittests.

lib/interception/interception_win.cc
218

I'll rename the function.
It's scanning a memory region.
The computation for the nop is done at the call size.
This function will have other usage, so let rename it.

613

ok. I'm used to take the llvm coding style.

etienneb updated this revision to Diff 63249.Jul 8 2016, 9:40 AM

more unittests

etienneb updated this object.Jul 8 2016, 9:51 AM
etienneb updated this revision to Diff 63260.Jul 8 2016, 11:03 AM

nits

etienneb updated this revision to Diff 63261.Jul 8 2016, 11:05 AM

nit

etienneb updated this revision to Diff 63410.Jul 9 2016, 8:31 PM

add more hooking techniques

etienneb updated this revision to Diff 63411.Jul 9 2016, 11:08 PM

cleanup + documentation

etienneb updated this object.Jul 9 2016, 11:10 PM
etienneb updated this object.
etienneb updated this object.
etienneb updated this revision to Diff 63412.Jul 9 2016, 11:14 PM
etienneb updated this object.

upload real patch

etienneb updated this revision to Diff 63413.Jul 9 2016, 11:40 PM

nits

etienneb updated this revision to Diff 63414.Jul 9 2016, 11:40 PM

nit

etienneb updated this revision to Diff 63415.Jul 10 2016, 12:18 AM

more unittests

etienneb updated this revision to Diff 63416.Jul 10 2016, 12:23 AM

fix typos

etienneb updated this revision to Diff 63451.Jul 10 2016, 7:45 PM

more nits

etienneb updated this revision to Diff 63528.Jul 11 2016, 10:05 AM

decode more instructions

etienneb updated this revision to Diff 63531.Jul 11 2016, 10:12 AM

more nits

etienneb updated this revision to Diff 63533.Jul 11 2016, 10:18 AM

fix dependencies issues

rnk added inline comments.Jul 11 2016, 1:27 PM
lib/interception/interception_win.cc
191

Maybe CHECK(offset >= INT_MIN && offset <= INT_MAX) or an equivalent?

199

Check overflow

213

check overflow

247

We should protect this with a critical section or some other mutex. The sanitizer_common mutex is probably not accessible from here, so I guess we should use a windows critical section.

359

A comment before this case block that these are all control flow instructions that we can't overwrite, and we indicate failure by returning 0.

lib/interception/tests/CMakeLists.txt
124–125

This file is otherwise unchanged, so I'd revert this whitespace-only change.

lib/interception/tests/interception_win_test.cc
43–44

I don't think these need to be functors, you can just pass function pointers to TestIdentityFunctionPatching and the other guy.

350–352

Do you think this is cleaner without the functor? Do you think we'll need to put other stuff in the overrider class?

I think you can use plain function pointers like this:

typedef void (*Overrider)(uptr, uptr, uptr*);
Overrider o = &OverrideFunctionWithDetour;
FunctionPrefixKind prefix = FunctionPrefixDetour;
TestIdentityFunctionPatching(kIdenti..., prefix, o);
TestIdentityFunctionPatching(kIdenti..., prefix, o);
TestIdentityFunctionPatching(kIdenti..., prefix, o);
etienneb updated this revision to Diff 63599.Jul 11 2016, 3:31 PM
etienneb marked 7 inline comments as done.

address rnk@ comments

lib/interception/interception_win.cc
247

I do not see why.
I was thinking the patching must occur before threads creation (or after a StopTheWorld).

Otherwise, dynamic rewriting the code will also need critical section.

lib/interception/tests/interception_win_test.cc
350–352

Both are fine to me.
I do not think we need to put more into the functor.
Moved to function pointer.

rnk accepted this revision.Jul 11 2016, 3:38 PM
rnk edited edge metadata.

lgtm

lib/interception/interception_win.cc
247

OK, I believe that.

lib/interception/tests/interception_win_test.cc
307

This should be 'override' instead of 'Override', since it's a variable. Also below.

This revision is now accepted and ready to land.Jul 11 2016, 3:38 PM
etienneb updated this revision to Diff 63606.Jul 11 2016, 4:05 PM
etienneb edited edge metadata.

nits

etienneb closed this revision.Jul 11 2016, 4:09 PM

Revision Contents

PathSize
lib/
interception/
17 lines
876 lines
tests/
6 lines
495 lines

Diff 63412

lib/interception/interception_win.h

Show All 36 Lines
// Overrides a function only when it is called from a specific DLL. For example, // Overrides a function only when it is called from a specific DLL. For example,
// this is used to override calls to HeapAlloc/HeapFree from ucrtbase without // this is used to override calls to HeapAlloc/HeapFree from ucrtbase without
// affecting other third party libraries. // affecting other third party libraries.
bool OverrideImportedFunction(const char *module_to_patch, bool OverrideImportedFunction(const char *module_to_patch,
const char *imported_module, const char *imported_module,
const char *function_name, uptr new_function, const char *function_name, uptr new_function,
uptr *orig_old_func); uptr *orig_old_func);
#if !SANITIZER_WINDOWS64
// Exposed for unittests
bool OverrideFunctionWithDetour(
uptr old_func, uptr new_func, uptr *orig_old_func);
#endif
// Exposed for unittests
bool OverrideFunctionWithRedirectJump(
uptr old_func, uptr new_func, uptr *orig_old_func);
bool OverrideFunctionWithHotPatch(
uptr old_func, uptr new_func, uptr *orig_old_func);
bool OverrideFunctionWithTrampoline(
uptr old_func, uptr new_func, uptr *orig_old_func);
// Exposed for unittests
void TestOnlyReleaseTrampolineRegions();
} // namespace __interception } // namespace __interception
#if defined(INTERCEPTION_DYNAMIC_CRT) #if defined(INTERCEPTION_DYNAMIC_CRT)
#define INTERCEPT_FUNCTION_WIN(func) \ #define INTERCEPT_FUNCTION_WIN(func) \
::__interception::OverrideFunction(#func, \ ::__interception::OverrideFunction(#func, \
(::__interception::uptr)WRAP(func), \ (::__interception::uptr)WRAP(func), \
(::__interception::uptr *)&REAL(func)) (::__interception::uptr *)&REAL(func))
#else #else
Show All 15 Lines

lib/interception/interception_win.cc

//===-- interception_linux.cc -----------------------------------*- C++ -*-===// //===-- interception_linux.cc -----------------------------------*- C++ -*-===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file is a part of AddressSanitizer, an address sanity checker. // This file is a part of AddressSanitizer, an address sanity checker.
// //
// Windows-specific interception methods. // Windows-specific interception methods.
//
// This file is implementing several hooking techniques to intercept calls
// to functions. The hooks are dynamically installed by modifying the assembly
// code.
//
// The hooking techniques are making assumptions on the way the code is
// generated. The hooking techniques are safe under certain assumptions.
//
// On 64-bit architecture, there is no direct 64-bit jump instruction. To allow
// arbitrary branching on the whole memory space, the notion of trampoline
// region is used. A trampoline region is a memory space withing 2G boundary
// where it is safe to add custom assembly code to build 64-bit jumps.
//
// Here are the different hooking techniques used:
//
// 1) Detour
//
// The Detour hooking technique is assuming the presence of an header with
// padding and an overridable 2-bytes nop instruction (mov edi, edi). The
// nop instruction can safely be replaced by a 2-bytes jump without any need
// to save the instruction. A jump to the target is encoded in the function
// header and the nop instruction is replaced by a short jump to the header.
//
// head: 5 x nop head: jmp <hook>
// func: mov edi, edi --> func: jmp short <head>
// [...] real: [...]
//
// This technique is only implemented on 32-bit architecture.
//
// 2) Redirect Jump
//
// The redirect jump is applicable when the first instruction is a direct
// jump. The instruction is replaced by jump to the hook.
//
// func: jmp <label> --> func: jmp <hook>
//
// On an 64-bit architecture, a trampoline is inserted.
//
// func: jmp <label> --> func: jmp <tramp>
// [...]
//
// [trampoline]
// tramp: jmp QWORD [addr]
// addr: .bytes <hook>
//
// Note: <real> is equilavent to <label>.
//
// 3) HotPatch
//
// The HotPatch hooking is assuming the presence of an header with padding
// and a first instruction with at least 2-bytes.
//
// The reason to enforce the 2-bytes limitation is to provide the minimal
// space to encode a short jump. HotPatch technique is only rewriting one
// instruction to avoid breaking a sequence of instructions containing a
// branching target.
//
// Assumptions are enforced by MSVC compiler by using the /HOTPATCH flag.
// see: https://msdn.microsoft.com/en-us/library/ms173507.aspx
// Default padding length is 5 bytes in 32-bits and 6 bytes in 64-bits.
//
// head: 5 x nop head: jmp <hook>
// func: <instr> --> func: jmp short <head>
// [...] body: [...]
//
// [trampoline]
// real: <instr>
// jmp <body>
//
// On an 64-bit architecture:
//
// head: 6 x nop head: jmp QWORD [addr1]
// func: <instr> --> func: jmp short <head>
// [...] body: [...]
//
// [trampoline]
// addr1: .bytes <hook>
// real: <instr>
// jmp QWORD [addr2]
// addr2: .bytes <body>
//
// 4) Trampoline
//
// The Trampoline hooking technique is the most aggressive one. It is
// assuming that there is a sequence of instructions that can be safely
// replaced by a jump (enough room and no incoming branches).
//
// Unfortunately, these assumptions can't be safely presumed and code may
// be broken after hooking.
//
// func: <instr> --> func: jmp <hook>
// <instr>
// [...] body: [...]
//
// [trampoline]
// real: <instr>
// <instr>
// jmp <body>
//
// On an 64-bit architecture:
//
// func: <instr> --> func: jmp QWORD [addr1]
// <instr>
// [...] body: [...]
//
// [trampoline]
// addr1: .bytes <hook>
// real: <instr>
// <instr>
// jmp QWORD [addr2]
// addr2: .bytes <body>
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifdef _WIN32 #ifdef _WIN32
#include "interception.h" #include "interception.h"
#include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_platform.h"
#define WIN32_LEAN_AND_MEAN #define WIN32_LEAN_AND_MEAN
#include <windows.h> #include <windows.h>
namespace __interception { namespace __interception {
static const int kAddressLength = FIRST_32_SECOND_64(4, 8);
static const int kJumpInstructionLength = 5;
static const int kShortJumpInstructionLength = 2;
static const int kIndirectJumpInstructionLength = 6;
static const int kBranchLength =
FIRST_32_SECOND_64(kJumpInstructionLength, kIndirectJumpInstructionLength);
static const int kDirectBranchLength = kBranchLength + kAddressLength;
// FIXME: internal_str* and internal_mem* functions should be moved from the // FIXME: internal_str* and internal_mem* functions should be moved from the
// ASan sources into interception/. // ASan sources into interception/.
static void _memset(void *p, int value, size_t sz) { static void _memset(void *p, int value, size_t sz) {
for (size_t i = 0; i < sz; ++i) for (size_t i = 0; i < sz; ++i)
((char*)p)[i] = (char)value; ((char*)p)[i] = (char)value;
} }
static void _memcpy(void *dst, void *src, size_t sz) { static void _memcpy(void *dst, void *src, size_t sz) {
char *dst_c = (char*)dst, char *dst_c = (char*)dst,
*src_c = (char*)src; *src_c = (char*)src;
for (size_t i = 0; i < sz; ++i) for (size_t i = 0; i < sz; ++i)
dst_c[i] = src_c[i]; dst_c[i] = src_c[i];
} }
#if SANITIZER_WINDOWS64 static bool ChangeMemoryProtection(
static void WriteIndirectJumpInstruction(char *jmp_from, uptr *indirect_target) { // NOLINT uptr address, uptr size, DWORD* old_protection) {
// jmp [rip + XXYYZZWW] = FF 25 WW ZZ YY XX, where return ::VirtualProtect((void *)address, size,
// XXYYZZWW is an offset from jmp_from. PAGE_EXECUTE_READWRITE,
// The displacement is still 32-bit in x64, so indirect_target must be located old_protection) != FALSE;
// within +/- 2GB range. }
int offset = (int)(indirect_target - (uptr *)jmp_from);
jmp_from[0] = '\xFF'; static bool RestoreMemoryProtection(
jmp_from[1] = '\x25'; uptr address, uptr size, DWORD old_protection) {
*(int*)(jmp_from + 2) = offset; DWORD unused;
return ::VirtualProtect((void *)address, size,
old_protection,
&unused) != FALSE;
}
static bool IsMemoryPadding(uptr address, uptr size) {
u8* function = (u8*)address;
for (size_t i = 0; i < size; ++i)
if (function[i] != 0x90 && function[i] != 0xCC)
return false;
return true;
} }
#else
static void WriteJumpInstruction(char *jmp_from, char *to) { static void WritePadding(uptr from, uptr size) {
// jmp XXYYZZWW = E9 WW ZZ YY XX, where XXYYZZWW is an offset from jmp_from _memset((void*)from, 0xCC, (size_t)size);
// to the next instruction to the destination. }
ptrdiff_t offset = to - jmp_from - 5;
*jmp_from = '\xE9'; static void CopyInstructions(uptr from, uptr to, uptr size) {
*(ptrdiff_t*)(jmp_from + 1) = offset; _memcpy((void*)from, (void*)to, (size_t)size);
}
static void WriteJumpInstruction(uptr from, uptr target) {
// jmp XXYYZZWW = E9 <offset>, where <offset> is relative from the end of the
rnkUnsubmitted
Done
ReplyInline Actions

Maybe CHECK(offset >= INT_MIN && offset <= INT_MAX) or an equivalent?

rnk: Maybe CHECK(offset >= INT_MIN && offset <= INT_MAX) or an equivalent?
// instruction to the target.
ptrdiff_t offset = target - from - kJumpInstructionLength;
*(u8*)from = 0xE9;
*(u32*)(from + 1) = offset;
}
static void WriteShortJumpInstruction(uptr from, uptr target) {
uptr offset = target - from - kShortJumpInstructionLength;
rnkUnsubmitted
Done
ReplyInline Actions

Check overflow

rnk: Check overflow
*(u8*)from = 0xEB;
*(u8*)(from + 1) = (u8)offset;
}
#if SANITIZER_WINDOWS64
static void WriteIndirectJumpInstruction(uptr from, uptr indirect_target) {
// jmp [rip + <offset>] = FF 25 <offset> where <offset> is a relative
// offset.
// The offset is the distance from then end of the jump instruction to the
// memory location containing the targeted address. The displacement is still
// 32-bit in x64, so indirect_target must be located within +/- 2GB range.
int offset = indirect_target - from - kIndirectJumpInstructionLength;
rnkUnsubmitted
Done
ReplyInline Actions

static

rnk: static
*(u16*)from = 0x25FF;
*(u32*)(from + 2) = offset;
rnkUnsubmitted
Done
ReplyInline Actions

static

rnk: static
rnkUnsubmitted
Done
ReplyInline Actions

check overflow

rnk: check overflow
} }
#endif #endif
static void WriteTrampolineJumpInstruction(char *jmp_from, char *to) { static void WriteBranch(
uptr from, uptr indirect_target, uptr target) {
rnkUnsubmitted
Done
ReplyInline Actions

Doesn't this scan forwards, and aren't we trying to scan backwards?

rnk: Doesn't this scan forwards, and aren't we trying to scan backwards?
etiennebAuthorUnsubmitted
Not Done
ReplyInline Actions

I'll rename the function.
It's scanning a memory region.
The computation for the nop is done at the call size.
This function will have other usage, so let rename it.

etienneb: I'll rename the function. It's scanning a memory region. The computation for the nop is done at…
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
// Emit an indirect jump through immediately following bytes: WriteIndirectJumpInstruction(from, indirect_target);
// jmp_from: *(u64*)indirect_target = target;
// jmp [rip + 6]
// .quad to
// Store the address.
uptr *indirect_target = (uptr *)(jmp_from + 6);
*indirect_target = (uptr)to;
// Write the indirect jump.
WriteIndirectJumpInstruction(jmp_from, indirect_target);
#else #else
WriteJumpInstruction(jmp_from, to); (void)indirect_target;
WriteJumpInstruction(from, target);
#endif #endif
} }
static void WriteInterceptorJumpInstruction(char *jmp_from, char *to) { static void WriteDirectBranch(uptr from, uptr target) {
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
// Emit an indirect jump through immediately following bytes: // Emit an indirect jump through immediately following bytes:
// jmp_from: // jmp [rip + 6]
// jmp [rip - 8] // .quad <target>
// .quad to WriteBranch(from, from + kBranchLength, target);
// Store the address.
uptr *indirect_target = (uptr *)(jmp_from - 8);
*indirect_target = (uptr)to;
// Write the indirect jump.
WriteIndirectJumpInstruction(jmp_from, indirect_target);
#else #else
WriteJumpInstruction(jmp_from, to); WriteJumpInstruction(from, target);
#endif #endif
} }
static char *GetMemoryForTrampoline(size_t size) { struct TrampolineMemoryRegion {
// Trampolines are allocated from a common pool. uptr content;
const int POOL_SIZE = 1024; uptr allocated_size;
static char *pool = NULL; uptr max_size;
static size_t pool_used = 0; };
if (!pool) {
pool = (char *)VirtualAlloc(NULL, POOL_SIZE, MEM_RESERVE | MEM_COMMIT, static const uptr kTrampolineScanLimitRange = (1000ULL) << 20; // 1 gig
static const int kMaxTrampolineyRegion = 1024;
static TrampolineMemoryRegion TrampolineRegions[kMaxTrampolineyRegion];
rnkUnsubmitted
Done
ReplyInline Actions

We should protect this with a critical section or some other mutex. The sanitizer_common mutex is probably not accessible from here, so I guess we should use a windows critical section.

rnk: We should protect this with a critical section or some other mutex. The sanitizer_common mutex…
etiennebAuthorUnsubmitted
Not Done
ReplyInline Actions

I do not see why.
I was thinking the patching must occur before threads creation (or after a StopTheWorld).

Otherwise, dynamic rewriting the code will also need critical section.

etienneb: I do not see why. I was thinking the patching must occur before threads creation (or after a…
rnkUnsubmitted
Not Done
ReplyInline Actions

OK, I believe that.

rnk: OK, I believe that.
static void *AllocateTrampolineRegion(uptr image_address, size_t granularity) {
#if SANITIZER_WINDOWS64
uptr address = image_address;
uptr scanned = 0;
while (scanned < kTrampolineScanLimitRange) {
MEMORY_BASIC_INFORMATION info;
if (!::VirtualQuery((void*)address, &info, sizeof(info)))
return nullptr;
// Check whether a region can be allocated at |address|.
if (info.State == MEM_FREE && info.RegionSize >= granularity) {
void *page = ::VirtualAlloc((void*)RoundUpTo(address, granularity),
granularity,
MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE); PAGE_EXECUTE_READWRITE);
// FIXME: Might want to apply PAGE_EXECUTE_READ access after all the return page;
// interceptors are in place.
if (!pool)
return NULL;
_memset(pool, 0xCC /* int 3 */, POOL_SIZE);
} }
if (pool_used + size > POOL_SIZE) // Move to the next region.
return NULL; address = (uptr)info.BaseAddress + info.RegionSize;
scanned += info.RegionSize;
char *ret = pool + pool_used; }
pool_used += size; return nullptr;
return ret; #else
return ::VirtualAlloc(nullptr,
granularity,
MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
#endif
} }
// Returns 0 on error. // Used by unittests to release mapped memory space.
static size_t RoundUpToInstrBoundary(size_t size, char *code) { void TestOnlyReleaseTrampolineRegions() {
for (size_t bucket = 0; bucket < kMaxTrampolineyRegion; ++bucket) {
TrampolineMemoryRegion* current = &TrampolineRegions[bucket];
::VirtualFree((void*)current->content, 0, MEM_RELEASE);
current->content = 0;
}
}
static uptr AllocateMemoryForTrampoline(uptr image_address, size_t size) {
// Find a region within 2G with enough space to allocate |size| bytes.
TrampolineMemoryRegion* region = nullptr;
for (size_t bucket = 0; bucket < kMaxTrampolineyRegion; ++bucket) {
TrampolineMemoryRegion* current = &TrampolineRegions[bucket];
if (current->content == 0) {
// No valid region found, allocate a new region.
size_t bucket_size = GetMmapGranularity();
void* content = AllocateTrampolineRegion(image_address, bucket_size);
if (content == nullptr)
return 0U;
current->content = (uptr)content;
current->allocated_size = 0;
current->max_size = bucket_size;
region = current;
break;
} else if (current->max_size - current->allocated_size > size) {
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
// Win64 RoundUpToInstrBoundary is a work in progress. // In 64-bits, the memory space must be allocated within 2G boundary.
size_t cursor = 0; if (current->content < image_address ||
while (cursor < size) { current->content - image_address >= 0x7FFFF0000)
switch (code[cursor]) {
case '\x57': // 57 : push rdi
cursor++;
continue;
case '\x90': // 90 : nop
cursor++;
continue;
case '\xb8': // b8 XX XX XX XX : mov eax, XX XX XX XX
cursor += 5;
continue; continue;
#endif
// The space can be allocated in the current region.
region = current;
break;
}
} }
switch (*(u16*)(code + cursor)) { // NOLINT // Failed to find a region.
case 0x5540: // 40 55 : rex push rbp if (region == nullptr)
case 0x5340: // 40 53 : rex push rbx return 0U;
cursor += 2;
continue; // Allocate the space in the current region.
uptr allocated_space = region->content + region->allocated_size;
region->allocated_size += size;
WritePadding(allocated_space, size);
return allocated_space;
}
// Returns 0 on error.
static size_t GetInstructionSize(uptr address) {
switch (*(u8*)address) {
case 0x90: // 90 : nop
return 1;
case 0x50: // push eax / rax
case 0x51: // push ecx / rcx
case 0x52: // push edx / rdx
case 0x53: // push ebx / rbx
case 0x54: // push esp / rsp
case 0x55: // push ebp / rbp
case 0x56: // push esi / rsi
case 0x57: // push edi / rdi
case 0x5D: // pop ebp / rbp
return 1;
case 0x6A: // 6A XX = push XX
return 2;
case 0xb8: // b8 XX XX XX XX : mov eax, XX XX XX XX
case 0xB9: // b9 XX XX XX XX : mov ecx, XX XX XX XX
return 5;
case 0xE9: // E9 XX XX XX XX : jmp <label>
return 0;
case 0xE8: // E8 XX XX XX XX : call <func>
case 0xC3: // C3 : ret
rnkUnsubmitted
Done
ReplyInline Actions

A comment before this case block that these are all control flow instructions that we can't overwrite, and we indicate failure by returning 0.

rnk: A comment before this case block that these are all control flow instructions that we can't…
case 0xEB: // EB XX : jmp XX (short jump)
case 0x70: // 7X YY : jx XX (short conditional jump)
case 0x71:
case 0x72:
case 0x73:
case 0x74:
case 0x75:
case 0x76:
case 0x77:
case 0x78:
case 0x79:
case 0x7A:
case 0x7B:
case 0x7C:
case 0x7D:
case 0x7E:
case 0x7F:
return 0;
} }
switch (0x00FFFFFF & *(u32*)(code + cursor)) { switch (*(u16*)(address)) {
case 0xFF8B: // 8B FF : mov edi, edi
case 0xEC8B: // 8B EC : mov ebp, esp
case 0xc889: // 89 C8 : mov eax, ecx
case 0xC18B: // 8B C1 : mov eax, ecx
case 0xC033: // 33 C0 : xor eax, eax
case 0xC933: // 33 C9 : xor ecx, ecx
case 0xD233: // 33 D2 : xor edx, edx
return 2;
}
#if SANITIZER_WINDOWS64
switch (*(u16*)address) {
case 0x5040: // push rax
case 0x5140: // push rcx
case 0x5240: // push rdx
case 0x5340: // push rbx
case 0x5440: // push rsp
case 0x5540: // push rbp
case 0x5640: // push rsi
case 0x5740: // push rdi
case 0x5441: // push r12
case 0x5541: // push r13
case 0x5641: // push r14
case 0x5741: // push r15
return 2;
}
switch (0x00FFFFFF & *(u32*)address) {
case 0xe58948: // 48 8b c4 : mov rbp, rsp
case 0xc18b48: // 48 8b c1 : mov rax, rcx case 0xc18b48: // 48 8b c1 : mov rax, rcx
case 0xc48b48: // 48 8b c4 : mov rax, rsp case 0xc48b48: // 48 8b c4 : mov rax, rsp
case 0xd9f748: // 48 f7 d9 : neg rcx case 0xd9f748: // 48 f7 d9 : neg rcx
case 0xd12b48: // 48 2b d1 : sub rdx, rcx case 0xd12b48: // 48 2b d1 : sub rdx, rcx
case 0x07c1f6: // f6 c1 07 : test cl, 0x7 case 0x07c1f6: // f6 c1 07 : test cl, 0x7
case 0xc0854d: // 4d 85 c0 : test r8, r8 case 0xc0854d: // 4d 85 c0 : test r8, r8
case 0xc2b60f: // 0f b6 c2 : movzx eax, dl case 0xc2b60f: // 0f b6 c2 : movzx eax, dl
case 0xc03345: // 45 33 c0 : xor r8d, r8d case 0xc03345: // 45 33 c0 : xor r8d, r8d
case 0xd98b4c: // 4c 8b d9 : mov r11, rcx case 0xd98b4c: // 4c 8b d9 : mov r11, rcx
case 0xd28b4c: // 4c 8b d2 : mov r10, rdx case 0xd28b4c: // 4c 8b d2 : mov r10, rdx
case 0xd2b60f: // 0f b6 d2 : movzx edx, dl case 0xd2b60f: // 0f b6 d2 : movzx edx, dl
case 0xca2b48: // 48 2b ca : sub rcx, rdx case 0xca2b48: // 48 2b ca : sub rcx, rdx
case 0x10b70f: // 0f b7 10 : movzx edx, WORD PTR [rax] case 0x10b70f: // 0f b7 10 : movzx edx, WORD PTR [rax]
case 0xc00b4d: // 3d 0b c0 : or r8, r8 case 0xc00b4d: // 3d 0b c0 : or r8, r8
case 0xd18b48: // 48 8b d1 : mov rdx, rcx case 0xd18b48: // 48 8b d1 : mov rdx, rcx
case 0xdc8b4c: // 4c 8b dc : mov r11,rsp case 0xdc8b4c: // 4c 8b dc : mov r11,rsp
case 0xd18b4c: // 4c 8b d1 : mov r10, rcx case 0xd18b4c: // 4c 8b d1 : mov r10, rcx
cursor += 3; return 3;
continue;
case 0xec8348: // 48 83 ec XX : sub rsp, 0xXX case 0xec8348: // 48 83 ec XX : sub rsp, 0xXX
case 0xf88349: // 49 83 f8 XX : cmp r8, XX case 0xf88349: // 49 83 f8 XX : cmp r8, XX
case 0x588948: // 48 89 58 XX : mov QWORD PTR[rax + XX], rbx case 0x588948: // 48 89 58 XX : mov QWORD PTR[rax + XX], rbx
cursor += 4; return 4;
continue;
case 0x058b48: // 48 8b 05 XX XX XX XX case 0x058b48: // 48 8b 05 XX XX XX XX :
// = mov rax, QWORD PTR [rip+ 0xXXXXXXXX] // mov rax, QWORD PTR [rip+ 0xXXXXXXXX]
case 0x25ff48: // 48 ff 25 XX XX XX XX case 0x25ff48: // 48 ff 25 XX XX XX XX :
// = rex.W jmp QWORD PTR [rip + 0xXXXXXXXX] // rex.W jmp QWORD PTR [rip + 0xXXXXXXXX]
cursor += 7; return 7;
continue;
} }
switch (*(u32*)(code + cursor)) { switch (*(u32*)(address)) {
case 0x24448b48: // 48 8b 44 24 XX : mov rax, qword ptr [rsp + 0xXX] case 0x24448b48: // 48 8b 44 24 XX : mov rax, qword ptr [rsp + 0xXX]
cursor += 5; return 5;
continue;
} }
// Check first 5 bytes. switch (0xFFFFFFFFFFull & *(u64*)(address)) {
switch (0xFFFFFFFFFFull & *(u64*)(code + cursor)) {
case 0x08245c8948: // 48 89 5c 24 08 : mov QWORD PTR [rsp+0x8], rbx case 0x08245c8948: // 48 89 5c 24 08 : mov QWORD PTR [rsp+0x8], rbx
case 0x1024748948: // 48 89 74 24 10 : mov QWORD PTR [rsp+0x10], rsi case 0x1024748948: // 48 89 74 24 10 : mov QWORD PTR [rsp+0x10], rsi
cursor += 5; return 5;
continue;
} }
// Check 8 bytes.
switch (*(u64*)(code + cursor)) {
case 0x90909090909006EBull: // JMP +6, 6x NOP
cursor += 8;
continue;
}
// Unknown instructions!
__debugbreak();
}
return cursor;
#else #else
size_t cursor = 0;
while (cursor < size) {
switch (code[cursor]) {
case '\xE8': // E8 XX XX XX XX = call <func>
case '\xE9': // E9 XX XX XX XX = jmp <label>
case '\xC3': // C3 = ret
case '\xEB': // EB XX = jmp XX (short jump)
case '\x70': // 7X YY = jx XX (short conditional jump)
case '\x71':
case '\x72':
case '\x73':
case '\x74':
case '\x75':
case '\x76':
case '\x77':
case '\x78':
case '\x79':
case '\x7A':
case '\x7B':
case '\x7C':
case '\x7D':
case '\x7E':
case '\x7F':
return 0;
case '\x50': // push eax switch (*(u16*)address) {
case '\x51': // push ecx case 0x458B: // 8B 45 XX : mov eax, dword ptr [ebp+XXh]
case '\x52': // push edx case 0x5D8B: // 8B 5D XX : mov ebx, dword ptr [ebp+XXh]
case '\x53': // push ebx case 0x7D8B: // 8B 7D XX : mov edi, dword ptr [ebp+XXh]
case '\x54': // push esp case 0xEC83: // 83 EC XX : sub esp, XX
case '\x55': // push ebp case 0x75FF: // FF 75 XX : push dword ptr [ebp+XXh]
case '\x56': // push esi return 3;
case '\x57': // push edi case 0xC1F7: // F7 C1 XX YY ZZ WW : test ecx, WWZZYYXX
case '\x5D': // pop ebp case 0x25FF: // FF 25 XX YY ZZ WW : jmp dword ptr ds:[WWZZYYXX]
cursor++; return 6;
continue; case 0x3D83: // 83 3D XX YY ZZ WW TT : cmp TT, WWZZYYXX
case '\x6A': // 6A XX = push XX return 7;
cursor += 2; case 0x7D83: // 83 7D XX YY : cmp dword ptr [ebp+XXh], YY
continue; return 4;
case '\xB8': // B8 XX YY ZZ WW = mov eax, WWZZYYXX }
cursor += 5;
continue; switch (0x00FFFFFF & *(u32*)address) {
} case 0x24448A: // 8A 44 24 XX : mov eal, dword ptr [esp+XXh]
switch (*(u16*)(code + cursor)) { // NOLINT case 0x24448B: // 8B 44 24 XX : mov eax, dword ptr [esp+XXh]
case 0xFF8B: // 8B FF = mov edi, edi case 0x244C8B: // 8B 4C 24 XX : mov ecx, dword ptr [esp+XXh]
case 0xEC8B: // 8B EC = mov ebp, esp case 0x24548B: // 8B 54 24 XX : mov edx, dword ptr [esp+XXh]
case 0xC033: // 33 C0 = xor eax, eax case 0x24748B: // 8B 74 24 XX : mov esi, dword ptr [esp+XXh]
case 0xC933: // 33 C9 = xor ecx, ecx return 4;
cursor += 2; }
continue;
case 0x458B: // 8B 45 XX = mov eax, dword ptr [ebp+XXh] switch (*(u32*)address) {
case 0x5D8B: // 8B 5D XX = mov ebx, dword ptr [ebp+XXh] case 0x2444B60F: // 0F B6 44 24 XX : movzx eax, byte ptr [esp+XXh]
case 0x7D8B: // 8B 7D XX = mov edi, dword ptr [ebp+XXh] return 5;
case 0xEC83: // 83 EC XX = sub esp, XX
case 0x75FF: // FF 75 XX = push dword ptr [ebp+XXh]
cursor += 3;
continue;
case 0xC1F7: // F7 C1 XX YY ZZ WW = test ecx, WWZZYYXX
case 0x25FF: // FF 25 XX YY ZZ WW = jmp dword ptr ds:[WWZZYYXX]
cursor += 6;
continue;
case 0x3D83: // 83 3D XX YY ZZ WW TT = cmp TT, WWZZYYXX
cursor += 7;
continue;
case 0x7D83: // 83 7D XX YY = cmp dword ptr [ebp+XXh], YY
cursor += 4;
continue;
}
switch (0x00FFFFFF & *(u32*)(code + cursor)) {
case 0x24448A: // 8A 44 24 XX = mov eal, dword ptr [esp+XXh]
case 0x24448B: // 8B 44 24 XX = mov eax, dword ptr [esp+XXh]
case 0x244C8B: // 8B 4C 24 XX = mov ecx, dword ptr [esp+XXh]
case 0x24548B: // 8B 54 24 XX = mov edx, dword ptr [esp+XXh]
case 0x24748B: // 8B 74 24 XX = mov esi, dword ptr [esp+XXh]
case 0x247C8B: // 8B 7C 24 XX = mov edi, dword ptr [esp+XXh]
cursor += 4;
continue;
}
switch (*(u32*)(code + cursor)) {
case 0x2444B60F: // 0F B6 44 24 XX = movzx eax, byte ptr [esp+XXh]
cursor += 5;
continue;
} }
#endif
// Unknown instruction! // Unknown instruction!
// FIXME: Unknown instruction failures might happen when we add a new // FIXME: Unknown instruction failures might happen when we add a new
// interceptor or a new compiler version. In either case, they should result // interceptor or a new compiler version. In either case, they should result
// in visible and readable error messages. However, merely calling abort() // in visible and readable error messages. However, merely calling abort()
// leads to an infinite recursion in CheckFailed. // leads to an infinite recursion in CheckFailed.
// Do we have a good way to abort with an error message here? // Do we have a good way to abort with an error message here?
__debugbreak(); __debugbreak();
return 0; return 0;
} }
// Returns 0 on error.
static size_t RoundUpToInstrBoundary(size_t size, uptr address) {
size_t cursor = 0;
while (cursor < size) {
size_t instruction_size = GetInstructionSize(address + cursor);
if (!instruction_size)
return 0;
cursor += instruction_size;
}
return cursor; return cursor;
}
#if !SANITIZER_WINDOWS64
bool OverrideFunctionWithDetour(
uptr old_func, uptr new_func, uptr *orig_old_func) {
const int kDetourHeaderLen = 5;
const u16 kDetourInstruction = 0xFF8B;
uptr header = (uptr)old_func - kDetourHeaderLen;
uptr patch_length = kDetourHeaderLen + kShortJumpInstructionLength;
// Validate that the function is hookable.
if (*(u16*)old_func != kDetourInstruction ||
!IsMemoryPadding(header, kDetourHeaderLen))
return false;
// Change memory protection to writable.
DWORD protection = 0;
if (!ChangeMemoryProtection(header, patch_length, &protection))
return false;
// Write a relative jump to the redirected function.
WriteJumpInstruction(header, new_func);
// Write the short jump to the function prefix.
WriteShortJumpInstruction(old_func, header);
// Restore previous memory protection.
if (!RestoreMemoryProtection(header, patch_length, protection))
return false;
if (orig_old_func)
*orig_old_func = old_func + kShortJumpInstructionLength;
return true;
}
#endif
bool OverrideFunctionWithRedirectJump(
uptr old_func, uptr new_func, uptr *orig_old_func) {
// Check whether the first instruction is a relative jump.
if (*(u8*)old_func != 0xE9)
return false;
if (orig_old_func) {
uptr relative_offset = *(u32*)(old_func + 1);
uptr absolute_target = old_func + relative_offset + kJumpInstructionLength;
*orig_old_func = absolute_target;
}
#if SANITIZER_WINDOWS64
// If needed, get memory space for a trampoline jump.
uptr trampoline = AllocateMemoryForTrampoline(old_func, kDirectBranchLength);
if (!trampoline)
return false;
WriteDirectBranch(trampoline, new_func);
#endif #endif
// Change memory protection to writable.
DWORD protection = 0;
if (!ChangeMemoryProtection(old_func, kJumpInstructionLength, &protection))
return false;
// Write a relative jump to the redirected function.
WriteJumpInstruction(old_func, FIRST_32_SECOND_64(new_func, trampoline));
// Restore previous memory protection.
if (!RestoreMemoryProtection(old_func, kJumpInstructionLength, protection))
return false;
return true;
} }
bool OverrideFunction(uptr old_func, uptr new_func, uptr *orig_old_func) { bool OverrideFunctionWithHotPatch(
// Function overriding works basically like this: uptr old_func, uptr new_func, uptr *orig_old_func) {
// On Win32, We write "jmp <new_func>" (5 bytes) at the beginning of const int kHotPatchHeaderLen = FIRST_32_SECOND_64(5, 6);
// the 'old_func' to override it.
// On Win64, We write "jmp [rip -8]" (6 bytes) at the beginning of uptr header = (uptr)old_func - kHotPatchHeaderLen;
// the 'old_func' to override it, and use 8 bytes of data to store uptr patch_length = kHotPatchHeaderLen + kShortJumpInstructionLength;
// the full 64-bit address for new_func.
// We might want to be able to execute the original 'old_func' from the // Validate that the function is hot patchable.
// wrapper, in this case we need to keep the leading 5+ (6+ on Win64) size_t instruction_size = GetInstructionSize(old_func);
// bytes ('head') of the original code somewhere with a "jmp <old_func+head>". if (instruction_size < 2 ||
// We call these 'head'+5/6 bytes of instructions a "trampoline". !IsMemoryPadding(header, kHotPatchHeaderLen))
char *old_bytes = (char *)old_func; return false;
if (orig_old_func) {
// Put the needed instructions into the trampoline bytes.
uptr trampoline_length = instruction_size + kDirectBranchLength;
uptr trampoline = AllocateMemoryForTrampoline(old_func, trampoline_length);
if (!trampoline)
return false;
CopyInstructions(trampoline, old_func, instruction_size);
WriteDirectBranch(trampoline + instruction_size,
old_func + instruction_size);
*orig_old_func = trampoline;
}
// If needed, get memory space for indirect address.
uptr indirect_address = 0;
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
size_t kHeadMin = 6; // The minimum size of the head to contain the 'jmp'. indirect_address = AllocateMemoryForTrampoline(old_func, kAddressLength);
size_t kTrampolineJumpSize = 14; // The total bytes used at the end of if (!indirect_address)
// trampoline for jumping back to the return false;
// remains of original function.
size_t kExtraPrevBytes = 8; // The extra bytes we need to mark READWRITE for
// page access, that is preceeding the begin
// of function.
#else
size_t kHeadMin = 5;
size_t kTrampolineJumpSize = 5;
size_t kExtraPrevBytes = 0;
#endif #endif
size_t head = kHeadMin;
// Change memory protection to writable.
DWORD protection = 0;
if (!ChangeMemoryProtection(header, patch_length, &protection))
rnkUnsubmitted
Done
ReplyInline Actions

These local variables should probably follow google naming conventions, which is the prevailing local style in the sanitizer libraries.

rnk: These local variables should probably follow google naming conventions, which is the prevailing…
etiennebAuthorUnsubmitted
Not Done
ReplyInline Actions

ok. I'm used to take the llvm coding style.

etienneb: ok. I'm used to take the llvm coding style.
return false;
// Write jumps to the redirected function.
WriteBranch(header, indirect_address, new_func);
WriteShortJumpInstruction(old_func, header);
// Restore previous memory protection.
if (!RestoreMemoryProtection(header, patch_length, protection))
return false;
return true;
}
bool OverrideFunctionWithTrampoline(
uptr old_func, uptr new_func, uptr *orig_old_func) {
size_t instructions_length = kBranchLength;
size_t padding_length = 0;
uptr indirect_address = 0;
if (orig_old_func) { if (orig_old_func) {
// Find out the number of bytes of the instructions we need to copy // Find out the number of bytes of the instructions we need to copy
// to the trampoline and store it in 'head'. // to the trampoline.
head = RoundUpToInstrBoundary(kHeadMin, old_bytes); instructions_length = RoundUpToInstrBoundary(kBranchLength, old_func);
if (!head) if (!instructions_length)
return false; return false;
// Put the needed instructions into the trampoline bytes. // Put the needed instructions into the trampoline bytes.
char *trampoline = GetMemoryForTrampoline(head + kTrampolineJumpSize); uptr trampoline_length = instructions_length + kDirectBranchLength;
uptr trampoline = AllocateMemoryForTrampoline(old_func, trampoline_length);
if (!trampoline) if (!trampoline)
return false; return false;
_memcpy(trampoline, old_bytes, head); CopyInstructions(trampoline, old_func, instructions_length);
WriteTrampolineJumpInstruction(trampoline + head, old_bytes + head); WriteDirectBranch(trampoline + instructions_length,
*orig_old_func = (uptr)trampoline; old_func + instructions_length);
*orig_old_func = trampoline;
} }
// Now put the "jmp <new_func>" instruction at the original code location. #if SANITIZER_WINDOWS64
// We should preserve the EXECUTE flag as some of our own code might be // Check if the targeted address can be encoded in the function padding.
// located in the same page (sic!). FIXME: might consider putting the // Otherwise, allocate it in the trampoline region.
// __interception code into a separate section or something? if (IsMemoryPadding(old_func - kAddressLength, kAddressLength)) {
DWORD old_prot, unused_prot; indirect_address = old_func - kAddressLength;
// TODO(wwchrome): Properly handle access violations when finding a safe padding_length = kAddressLength;
// region to store the indirect jump target address. } else {
// Need to mark extra 8 bytes for Win64 because jmp [rip -8] indirect_address = AllocateMemoryForTrampoline(old_func, kAddressLength);
if (!VirtualProtect((void *)(old_bytes - kExtraPrevBytes), if (!indirect_address)
head + kExtraPrevBytes, PAGE_EXECUTE_READWRITE,
&old_prot))
return false; return false;
}
#endif
WriteInterceptorJumpInstruction(old_bytes, (char *)new_func); // Change memory protection to writable.
_memset(old_bytes + kHeadMin, 0xCC /* int 3 */, head - kHeadMin); uptr patch_address = old_func - padding_length;
uptr patch_length = instructions_length + padding_length;
DWORD protection = 0;
if (!ChangeMemoryProtection(patch_address, patch_length, &protection))
return false;
// Patch the original function.
WriteBranch(old_func, indirect_address, new_func);
WritePadding(old_func + kBranchLength, instructions_length - kBranchLength);
// Restore previous memory protection.
if (!RestoreMemoryProtection(patch_address, patch_length, protection))
return false;
// Restore the original permissions. return true;
if (!VirtualProtect((void *)(old_bytes - kExtraPrevBytes), }
head + kExtraPrevBytes, old_prot, &unused_prot))
return false; // not clear if this failure bothers us.
bool OverrideFunction(
uptr old_func, uptr new_func, uptr *orig_old_func) {
#if !SANITIZER_WINDOWS64
if (OverrideFunctionWithDetour(old_func, new_func, orig_old_func))
return true; return true;
#endif
if (OverrideFunctionWithRedirectJump(old_func, new_func, orig_old_func))
return true;
if (OverrideFunctionWithHotPatch(old_func, new_func, orig_old_func))
return true;
if (OverrideFunctionWithTrampoline(old_func, new_func, orig_old_func))
return true;
return false;
} }
static void **InterestingDLLsAvailable() { static void **InterestingDLLsAvailable() {
static const char *InterestingDLLs[] = { static const char *InterestingDLLs[] = {
"kernel32.dll", "kernel32.dll",
"msvcr110.dll", // VS2012 "msvcr110.dll", // VS2012
"msvcr120.dll", // VS2013 "msvcr120.dll", // VS2013
"vcruntime140.dll", // VS2015 "vcruntime140.dll", // VS2015
▲ Show 20 LinesShow All 84 Lines▼ Show 20 Linesbool OverrideImportedFunction(const char *module_to_patch,
HMODULE module = GetModuleHandleA(module_to_patch); HMODULE module = GetModuleHandleA(module_to_patch);
if (!module) if (!module)
return false; return false;
// Check that the module header is full and present. // Check that the module header is full and present.
RVAPtr<IMAGE_DOS_HEADER> dos_stub(module, 0); RVAPtr<IMAGE_DOS_HEADER> dos_stub(module, 0);
RVAPtr<IMAGE_NT_HEADERS> headers(module, dos_stub->e_lfanew); RVAPtr<IMAGE_NT_HEADERS> headers(module, dos_stub->e_lfanew);
if (!module || dos_stub->e_magic != IMAGE_DOS_SIGNATURE || // "MZ" if (!module || dos_stub->e_magic != IMAGE_DOS_SIGNATURE || // "MZ"
headers->Signature != IMAGE_NT_SIGNATURE || // "PE\0\0" headers->Signature != IMAGE_NT_SIGNATURE || // "PE\0\0"
headers->FileHeader.SizeOfOptionalHeader < headers->FileHeader.SizeOfOptionalHeader <
sizeof(IMAGE_OPTIONAL_HEADER)) { sizeof(IMAGE_OPTIONAL_HEADER)) {
return false; return false;
} }
IMAGE_DATA_DIRECTORY *import_directory = IMAGE_DATA_DIRECTORY *import_directory =
&headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
▲ Show 20 LinesShow All 47 LinesShow Last 20 Lines

lib/interception/tests/CMakeLists.txt

Show First 20 LinesShow All 115 Lines▼ Show 20 Linesmacro(add_interception_tests_for_arch arch)
# Add unittest target. # Add unittest target.
set(INTERCEPTION_TEST_NAME "Interception-${arch}-Test") set(INTERCEPTION_TEST_NAME "Interception-${arch}-Test")
add_compiler_rt_test(InterceptionUnitTests ${INTERCEPTION_TEST_NAME} add_compiler_rt_test(InterceptionUnitTests ${INTERCEPTION_TEST_NAME}
OBJECTS ${INTERCEPTION_TEST_OBJECTS} OBJECTS ${INTERCEPTION_TEST_OBJECTS}
${INTERCEPTION_COMMON_LIB_NAME} ${INTERCEPTION_COMMON_LIB_NAME}
DEPS ${INTERCEPTION_TEST_OBJECTS} ${INTERCEPTION_COMMON_LIB} DEPS ${INTERCEPTION_TEST_OBJECTS} ${INTERCEPTION_COMMON_LIB}
LINK_FLAGS ${INTERCEPTION_TEST_LINK_FLAGS_COMMON} LINK_FLAGS ${INTERCEPTION_TEST_LINK_FLAGS_COMMON}
${TARGET_FLAGS}) ${TARGET_FLAGS})
rnkUnsubmitted
Done
ReplyInline Actions

This file is otherwise unchanged, so I'd revert this whitespace-only change.

rnk: This file is otherwise unchanged, so I'd revert this whitespace-only change.
endmacro() endmacro()
if(COMPILER_RT_CAN_EXECUTE_TESTS AND NOT ANDROID AND NOT APPLE) if(COMPILER_RT_CAN_EXECUTE_TESTS AND NOT ANDROID AND NOT APPLE)
# We use just-built clang to build interception unittests, so we must # We use just-built clang to build interception unittests, so we must
# be sure that produced binaries would work. # be sure that produced binaries would work.
if(APPLE) if(APPLE)
add_interceptor_lib("RTInterception.test.osx" add_interceptor_lib("RTInterception.test.osx"
$<TARGET_OBJECTS:RTInterception.osx>) $<TARGET_OBJECTS:RTInterception.osx>)
else() else()
foreach(arch ${INTERCEPTION_UNITTEST_SUPPORTED_ARCH}) foreach(arch ${INTERCEPTION_UNITTEST_SUPPORTED_ARCH})
add_interceptor_lib("RTInterception.test.${arch}" add_interceptor_lib("RTInterception.test.${arch}"
$<TARGET_OBJECTS:RTInterception.${arch}>) $<TARGET_OBJECTS:RTInterception.${arch}>
$<TARGET_OBJECTS:RTSanitizerCommon.${arch}>
$<TARGET_OBJECTS:RTSanitizerCommonLibc.${arch}>)
endforeach() endforeach()
endif() endif()
foreach(arch ${INTERCEPTION_UNITTEST_SUPPORTED_ARCH}) foreach(arch ${INTERCEPTION_UNITTEST_SUPPORTED_ARCH})
add_interception_tests_for_arch(${arch}) add_interception_tests_for_arch(${arch})
endforeach() endforeach()
endif() endif()

lib/interception/tests/interception_win_test.cc

Show All 16 Lines
// Too slow for debug build // Too slow for debug build
#if !SANITIZER_DEBUG #if !SANITIZER_DEBUG
#if SANITIZER_WINDOWS #if SANITIZER_WINDOWS
#define WIN32_LEAN_AND_MEAN #define WIN32_LEAN_AND_MEAN
#include <windows.h> #include <windows.h>
namespace __interception {
namespace { namespace {
typedef int (*IdentityFunction)(int); enum FunctionPrefixKind {
FunctionPrefixNone,
FunctionPrefixPadding,
FunctionPrefixHotPatch,
FunctionPrefixDetour,
};
struct TestOverrideFunction {
uptr Override(
uptr old_func, uptr new_func, uptr *orig_old_func) const {
return OverrideFunction(old_func, new_func, orig_old_func);
}
};
#if !SANITIZER_WINDOWS64 #if !SANITIZER_WINDOWS64
struct TestOverrideFunctionWithDetour {
uptr Override(
rnkUnsubmitted
Done
ReplyInline Actions

I don't think these need to be functors, you can just pass function pointers to TestIdentityFunctionPatching and the other guy.

rnk: I don't think these need to be functors, you can just pass function pointers to…
uptr old_func, uptr new_func, uptr *orig_old_func) const {
return OverrideFunctionWithDetour(old_func, new_func, orig_old_func);
}
};
#endif
struct TestOverrideFunctionWithRedirectJump {
uptr Override(
uptr old_func, uptr new_func, uptr *orig_old_func) const {
return OverrideFunctionWithRedirectJump(old_func, new_func, orig_old_func);
}
};
struct TestOverrideFunctionWithHotPatch {
uptr Override(
uptr old_func, uptr new_func, uptr *orig_old_func) const {
return OverrideFunctionWithHotPatch(old_func, new_func, orig_old_func);
}
};
struct TestOverrideFunctionWithTrampoline {
uptr Override(
uptr old_func, uptr new_func, uptr *orig_old_func) const {
return OverrideFunctionWithTrampoline(old_func, new_func, orig_old_func);
}
};
typedef int (*IdentityFunction)(int);
#if SANITIZER_WINDOWS64
const u8 kIdentityCodeWithPrologue[] = {
0x55, // push rbp
0x48, 0x89, 0xE5, // mov rbp,rsp
0x8B, 0xC1, // mov eax,ecx
0x5D, // pop rbp
0xC3, // ret
};
const u8 kIdentityCodeWithPushPop[] = {
0x55, // push rbp
0x48, 0x89, 0xE5, // mov rbp,rsp
0x53, // push rbx
0x50, // push rax
0x58, // pop rax
0x8B, 0xC1, // mov rax,rcx
0x5B, // pop rbx
0x5D, // pop rbp
0xC3, // ret
};
const u8 kIdentityTwiceOffset = 16;
const u8 kIdentityTwice[] = {
0x55, // push rbp
0x48, 0x89, 0xE5, // mov rbp,rsp
0x8B, 0xC1, // mov eax,ecx
0x5D, // pop rbp
0xC3, // ret
0x90, 0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x90,
0x55, // push rbp
0x48, 0x89, 0xE5, // mov rbp,rsp
0x8B, 0xC1, // mov eax,ecx
0x5D, // pop rbp
0xC3, // ret
};
const u8 kIdentityCodeWithMov[] = {
0x89, 0xC8, // mov eax, ecx
0xC3, // ret
};
const u8 kIdentityCodeWithJump[] = {
0xE9, 0x04, 0x00, 0x00,
0x00, // jmp + 4
0xCC, 0xCC, 0xCC, 0xCC,
0x89, 0xC8, // mov eax, ecx
0xC3, // ret
};
#else
const u8 kIdentityCodeWithPrologue[] = { const u8 kIdentityCodeWithPrologue[] = {
0x55, // push ebp 0x55, // push ebp
0x8B, 0xEC, // mov ebp,esp 0x8B, 0xEC, // mov ebp,esp
0x8B, 0x45, 0x08, // mov eax,dword ptr [ebp + 8] 0x8B, 0x45, 0x08, // mov eax,dword ptr [ebp + 8]
0x5D, // pop ebp 0x5D, // pop ebp
0xC3, // ret 0xC3, // ret
}; };
const u8 kIdentityCodeWithPushPop[] = { const u8 kIdentityCodeWithPushPop[] = {
0x55, // push ebp 0x55, // push ebp
0x8B, 0xEC, // mov ebp,esp 0x8B, 0xEC, // mov ebp,esp
0x53, // push ebx 0x53, // push ebx
0x50, // push eax 0x50, // push eax
0x58, // pop eax 0x58, // pop eax
0x8B, 0x45, 0x08, // mov eax,dword ptr [ebp + 8] 0x8B, 0x45, 0x08, // mov eax,dword ptr [ebp + 8]
0x5B, // pop ebx 0x5B, // pop ebx
0x5D, // pop ebp 0x5D, // pop ebp
0xC3, // ret 0xC3, // ret
}; };
const u8 kIdentityTwiceOffset = 8;
const u8 kIdentityTwice[] = {
0x55, // push ebp
0x8B, 0xEC, // mov ebp,esp
0x8B, 0x45, 0x08, // mov eax,dword ptr [ebp + 8]
0x5D, // pop ebp
0xC3, // ret
0x55, // push ebp
0x8B, 0xEC, // mov ebp,esp
0x8B, 0x45, 0x08, // mov eax,dword ptr [ebp + 8]
0x5D, // pop ebp
0xC3, // ret
};
const u8 kIdentityCodeWithMov[] = {
0x8B, 0x44, 0x24, 0x04, // mov eax,dword ptr [esp + 4]
0xC3, // ret
};
const u8 kIdentityCodeWithJump[] = {
0xE9, 0x04, 0x00, 0x00,
0x00, // jmp + 4
0xCC, 0xCC, 0xCC, 0xCC,
0x8B, 0x44, 0x24, 0x04, // mov eax,dword ptr [esp + 4]
0xC3, // ret
};
#endif
const u8 kPatchableCode1[] = { const u8 kPatchableCode1[] = {
0xB8, 0x4B, 0x00, 0x00, 0x00, // mov eax,4B 0xB8, 0x4B, 0x00, 0x00, 0x00, // mov eax,4B
0x33, 0xC9, // xor ecx,ecx 0x33, 0xC9, // xor ecx,ecx
0xC3, // ret 0xC3, // ret
}; };
const u8 kPatchableCode2[] = { const u8 kPatchableCode2[] = {
0x55, // push ebp 0x55, // push ebp
0x8B, 0xEC, // mov ebp,esp 0x8B, 0xEC, // mov ebp,esp
0x33, 0xC0, // xor eax,eax 0x33, 0xC0, // xor eax,eax
0x5D, // pop ebp 0x5D, // pop ebp
0xC3, // ret 0xC3, // ret
}; };
const u8 kPatchableCode3[] = { const u8 kPatchableCode3[] = {
0x55, // push ebp 0x55, // push ebp
0x8B, 0xEC, // mov ebp,esp 0x8B, 0xEC, // mov ebp,esp
0x6A, 0x00, // push 0 0x6A, 0x00, // push 0
0xE8, 0x3D, 0xFF, 0xFF, 0xFF, // call <func> 0xE8, 0x3D, 0xFF, 0xFF, 0xFF, // call <func>
}; };
const u8 kPatchableCode4[] = {
0xE9, 0xCC, 0xCC, 0xCC, 0xCC, // jmp <label>
0x90, 0x90, 0x90, 0x90,
};
const u8 kUnpatchableCode1[] = { const u8 kUnpatchableCode1[] = {
0xC3, // ret 0xC3, // ret
}; };
const u8 kUnpatchableCode2[] = { const u8 kUnpatchableCode2[] = {
0x33, 0xC9, // xor ecx,ecx 0x33, 0xC9, // xor ecx,ecx
0xC3, // ret 0xC3, // ret
}; };
Show All 12 Lines
const u8 kUnpatchableCode5[] = { const u8 kUnpatchableCode5[] = {
0xEB, 0x02, // jmp <label> 0xEB, 0x02, // jmp <label>
0x33, 0xC9, // xor ecx,ecx 0x33, 0xC9, // xor ecx,ecx
0xC3, // ret 0xC3, // ret
}; };
const u8 kUnpatchableCode6[] = { const u8 kUnpatchableCode6[] = {
0xE9, 0xCC, 0xCC, 0xCC, 0xCC, // jmp <label>
0x90, 0x90, 0x90, 0x90,
};
const u8 kUnpatchableCode7[] = {
0xE8, 0xCC, 0xCC, 0xCC, 0xCC, // call <func> 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, // call <func>
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
}; };
#endif
// A buffer holding the dynamically generated code under test. // A buffer holding the dynamically generated code under test.
u8* ActiveCode; u8* ActiveCode;
size_t ActiveCodeLength = 4096; size_t ActiveCodeLength = 4096;
template<class T> template<class T>
void LoadActiveCode(const T &Code, uptr *EntryPoint) { static void LoadActiveCode(
const T &code,
uptr *entry_point,
FunctionPrefixKind prefix_kind = FunctionPrefixNone) {
if (ActiveCode == nullptr) { if (ActiveCode == nullptr) {
ActiveCode = ActiveCode =
(u8*)::VirtualAlloc(nullptr, ActiveCodeLength, MEM_COMMIT | MEM_RESERVE, (u8*)::VirtualAlloc(nullptr, ActiveCodeLength,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE); PAGE_EXECUTE_READWRITE);
ASSERT_NE(ActiveCode, nullptr); ASSERT_NE(ActiveCode, nullptr);
} }
size_t Position = 0; size_t position = 0;
*EntryPoint = (uptr)&ActiveCode[0];
// Add padding to avoid memory violation when scanning the prefix.
for (int i = 0; i < 16; ++i)
ActiveCode[position++] = 0xC3; // Instruction 'ret'.
// Add function padding.
size_t padding = 0;
if (prefix_kind == FunctionPrefixPadding)
padding = 16;
else if (prefix_kind == FunctionPrefixDetour ||
prefix_kind == FunctionPrefixHotPatch)
padding = FIRST_32_SECOND_64(5, 6);
// Insert |padding| instructions 'nop'.
for (size_t i = 0; i < padding; ++i)
ActiveCode[position++] = 0x90;
// Keep track of the entry point.
*entry_point = (uptr)&ActiveCode[position];
// Add the detour instruction (i.e. mov edi, edi)
if (prefix_kind == FunctionPrefixDetour) {
ActiveCode[position++] = 0x8B;
ActiveCode[position++] = 0xFF;
}
// Copy the function body. // Copy the function body.
for (size_t i = 0; i < sizeof(T); ++i) for (size_t i = 0; i < sizeof(T); ++i)
ActiveCode[Position++] = Code[i]; ActiveCode[position++] = code[i];
} }
int InterceptorFunctionCalled; int InterceptorFunctionCalled;
IdentityFunction InterceptedRealFunction;
NOINLINE int InterceptorFunction(int x) { int InterceptorFunction(int x) {
++InterceptorFunctionCalled; ++InterceptorFunctionCalled;
return x; return InterceptedRealFunction(x);
} }
} // namespace } // namespace
namespace __interception {
// Tests for interception_win.h // Tests for interception_win.h
TEST(Interception, InternalGetProcAddress) { TEST(Interception, InternalGetProcAddress) {
HMODULE ntdll_handle = ::GetModuleHandle("ntdll"); HMODULE ntdll_handle = ::GetModuleHandle("ntdll");
ASSERT_NE(nullptr, ntdll_handle); ASSERT_NE(nullptr, ntdll_handle);
uptr DbgPrint_expected = (uptr)::GetProcAddress(ntdll_handle, "DbgPrint"); uptr DbgPrint_expected = (uptr)::GetProcAddress(ntdll_handle, "DbgPrint");
uptr isdigit_expected = (uptr)::GetProcAddress(ntdll_handle, "isdigit"); uptr isdigit_expected = (uptr)::GetProcAddress(ntdll_handle, "isdigit");
uptr DbgPrint_adddress = InternalGetProcAddress(ntdll_handle, "DbgPrint"); uptr DbgPrint_adddress = InternalGetProcAddress(ntdll_handle, "DbgPrint");
uptr isdigit_address = InternalGetProcAddress(ntdll_handle, "isdigit"); uptr isdigit_address = InternalGetProcAddress(ntdll_handle, "isdigit");
EXPECT_EQ(DbgPrint_expected, DbgPrint_adddress); EXPECT_EQ(DbgPrint_expected, DbgPrint_adddress);
EXPECT_EQ(isdigit_expected, isdigit_address); EXPECT_EQ(isdigit_expected, isdigit_address);
EXPECT_NE(DbgPrint_adddress, isdigit_address); EXPECT_NE(DbgPrint_adddress, isdigit_address);
} }
template<class T> template<class Overrider, class T>
bool TestFunctionPatching(const T &Code) { static void TestIdentityFunctionPatching(
uptr Address; const T &code,
rnkUnsubmitted
Not Done
ReplyInline Actions

This should be 'override' instead of 'Override', since it's a variable. Also below.

rnk: This should be 'override' instead of 'Override', since it's a variable. Also below.
int x = sizeof(T); FunctionPrefixKind prefix_kind = FunctionPrefixNone) {
uptr identity_address;
LoadActiveCode<T>(Code, &Address); LoadActiveCode(code, &identity_address, prefix_kind);
uptr UnusedRealAddress = 0; IdentityFunction identity = (IdentityFunction)identity_address;
return OverrideFunction(Address, (uptr)&InterceptorFunction,
&UnusedRealAddress);
}
template<class T>
void TestIdentityFunctionPatching(const T &IdentityCode) {
uptr IdentityAddress;
LoadActiveCode<T>(IdentityCode, &IdentityAddress);
IdentityFunction Identity = (IdentityFunction)IdentityAddress;
// Validate behavior before dynamic patching. // Validate behavior before dynamic patching.
InterceptorFunctionCalled = 0; InterceptorFunctionCalled = 0;
EXPECT_EQ(0, Identity(0)); EXPECT_EQ(0, identity(0));
EXPECT_EQ(42, Identity(42)); EXPECT_EQ(42, identity(42));
EXPECT_EQ(0, InterceptorFunctionCalled); EXPECT_EQ(0, InterceptorFunctionCalled);
// Patch the function. // Patch the function.
uptr RealIdentityAddress = 0; uptr real_identity_address = 0;
EXPECT_TRUE(OverrideFunction(IdentityAddress, (uptr)&InterceptorFunction, bool success = Overrider().Override(identity_address,
&RealIdentityAddress)); (uptr)&InterceptorFunction,
IdentityFunction RealIdentity = (IdentityFunction)RealIdentityAddress; &real_identity_address);
EXPECT_TRUE(success);
EXPECT_NE(0U, real_identity_address);
IdentityFunction real_identity = (IdentityFunction)real_identity_address;
InterceptedRealFunction = real_identity;
// Do not run other tests if the function was not generated.
if (!success || !real_identity_address)
return;
// Calling the redirected function. // Calling the redirected function.
InterceptorFunctionCalled = 0; InterceptorFunctionCalled = 0;
EXPECT_EQ(0, Identity(0)); EXPECT_EQ(0, identity(0));
EXPECT_EQ(42, Identity(42)); EXPECT_EQ(42, identity(42));
EXPECT_EQ(2, InterceptorFunctionCalled); EXPECT_EQ(2, InterceptorFunctionCalled);
// Calling the real function. // Calling the real function.
InterceptorFunctionCalled = 0; InterceptorFunctionCalled = 0;
EXPECT_EQ(0, RealIdentity(0)); EXPECT_EQ(0, real_identity(0));
EXPECT_EQ(42, RealIdentity(42)); EXPECT_EQ(42, real_identity(42));
EXPECT_EQ(0, InterceptorFunctionCalled); EXPECT_EQ(0, InterceptorFunctionCalled);
TestOnlyReleaseTrampolineRegions();
} }
#if !SANITIZER_WINDOWS64 #if !SANITIZER_WINDOWS64
TEST(Interception, OverrideFunctionWithDetour) {
typedef TestOverrideFunctionWithDetour T;
FunctionPrefixKind prefix = FunctionPrefixDetour;
TestIdentityFunctionPatching<T>(kIdentityCodeWithPrologue, prefix);
rnkUnsubmitted
Not Done
ReplyInline Actions

Do you think this is cleaner without the functor? Do you think we'll need to put other stuff in the overrider class?

I think you can use plain function pointers like this:

typedef void (*Overrider)(uptr, uptr, uptr*);
Overrider o = &OverrideFunctionWithDetour;
FunctionPrefixKind prefix = FunctionPrefixDetour;
TestIdentityFunctionPatching(kIdenti..., prefix, o);
TestIdentityFunctionPatching(kIdenti..., prefix, o);
TestIdentityFunctionPatching(kIdenti..., prefix, o);
rnk: Do you think this is cleaner without the functor? Do you think we'll need to put other stuff in…
etiennebAuthorUnsubmitted
Not Done
ReplyInline Actions

Both are fine to me.
I do not think we need to put more into the functor.
Moved to function pointer.

etienneb: Both are fine to me. I do not think we need to put more into the functor. Moved to function…
TestIdentityFunctionPatching<T>(kIdentityCodeWithPushPop, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithMov, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithJump, prefix);
}
TEST(Interception, OverrideFunctionWithRedirectJump) {
typedef TestOverrideFunctionWithRedirectJump T;
TestIdentityFunctionPatching<T>(kIdentityCodeWithJump);
}
#endif // !SANITIZER_WINDOWS64
TEST(Interception, OverrideFunctionWithHotPatch) {
typedef TestOverrideFunctionWithHotPatch T;
FunctionPrefixKind prefix = FunctionPrefixHotPatch;
TestIdentityFunctionPatching<T>(kIdentityCodeWithMov, prefix);
}
TEST(Interception, OverrideFunctionWithTrampoline) {
typedef TestOverrideFunctionWithTrampoline T;
FunctionPrefixKind prefix = FunctionPrefixNone;
TestIdentityFunctionPatching<T>(kIdentityCodeWithPrologue, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithPushPop, prefix);
prefix = FunctionPrefixPadding;
TestIdentityFunctionPatching<T>(kIdentityCodeWithPrologue, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithPushPop, prefix);
}
TEST(Interception, OverrideFunction) { TEST(Interception, OverrideFunction) {
TestIdentityFunctionPatching(kIdentityCodeWithPrologue); typedef TestOverrideFunction T;
TestIdentityFunctionPatching(kIdentityCodeWithPushPop); FunctionPrefixKind prefix = FunctionPrefixNone;
TestIdentityFunctionPatching<T>(kIdentityCodeWithPrologue, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithPushPop, prefix);
// TestIdentityFunctionPatching<T>(kIdentityCodeWithJump, prefix); // 64?
prefix = FunctionPrefixPadding;
TestIdentityFunctionPatching<T>(kIdentityCodeWithPrologue, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithPushPop, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithMov, prefix);
// TestIdentityFunctionPatching<T>(kIdentityCodeWithJump, prefix);
prefix = FunctionPrefixHotPatch;
TestIdentityFunctionPatching<T>(kIdentityCodeWithPrologue, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithPushPop, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithMov, prefix);
// TestIdentityFunctionPatching<T>(kIdentityCodeWithJump, prefix);
prefix = FunctionPrefixDetour;
TestIdentityFunctionPatching<T>(kIdentityCodeWithPrologue, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithPushPop, prefix);
TestIdentityFunctionPatching<T>(kIdentityCodeWithMov, prefix);
// TestIdentityFunctionPatching<T>(kIdentityCodeWithJump, prefix);
}
TEST(Interception, OverrideFunctionTwice) {
uptr identity_address1;
LoadActiveCode(kIdentityTwice, &identity_address1);
uptr identity_address2 = identity_address1 + kIdentityTwiceOffset;
IdentityFunction identity1 = (IdentityFunction)identity_address1;
IdentityFunction identity2 = (IdentityFunction)identity_address2;
// Patch the two functions.
uptr real_identity_address = 0;
EXPECT_TRUE(OverrideFunction(identity_address1,
(uptr)&InterceptorFunction,
&real_identity_address));
EXPECT_TRUE(OverrideFunction(identity_address2,
(uptr)&InterceptorFunction,
&real_identity_address));
IdentityFunction real_identity = (IdentityFunction)real_identity_address;
InterceptedRealFunction = real_identity;
// Calling the redirected function.
InterceptorFunctionCalled = 0;
EXPECT_EQ(42, identity1(42));
EXPECT_EQ(42, identity2(42));
EXPECT_EQ(2, InterceptorFunctionCalled);
TestOnlyReleaseTrampolineRegions();
}
template<class Overrider, class T>
static bool TestFunctionPatching(
const T &code,
FunctionPrefixKind prefix_kind = FunctionPrefixNone) {
uptr address;
LoadActiveCode(code, &address, prefix_kind);
uptr unused_real_address = 0;
bool result = Overrider().Override(
address, (uptr)&InterceptorFunction, &unused_real_address);
TestOnlyReleaseTrampolineRegions();
return result;
} }
TEST(Interception, PatchableFunction) { TEST(Interception, PatchableFunction) {
EXPECT_TRUE(TestFunctionPatching(kPatchableCode1)); typedef TestOverrideFunction T;
EXPECT_TRUE(TestFunctionPatching(kPatchableCode2));
EXPECT_TRUE(TestFunctionPatching(kPatchableCode3)); // Test without function padding.
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode1));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode1)); EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode2));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode2)); #if SANITIZER_WINDOWS64
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode3)); EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode3));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode4)); #else
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode5)); EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode3));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode6)); #endif
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode7)); EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode4));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode1));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode2));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode3));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode4));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode5));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode6));
} }
#if !SANITIZER_WINDOWS64
TEST(Interception, PatchableFunctionWithDetour) {
typedef TestOverrideFunctionWithDetour T;
// Without the prefix, no function can be detoured.
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode1));
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode2));
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode3));
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode4));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode1));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode2));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode3));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode4));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode5));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode6));
// With the prefix, all functions can be detoured.
FunctionPrefixKind prefix = FunctionPrefixDetour;
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode1, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode2, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode3, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode4, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kUnpatchableCode1, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kUnpatchableCode2, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kUnpatchableCode3, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kUnpatchableCode4, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kUnpatchableCode5, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kUnpatchableCode6, prefix));
}
TEST(Interception, PatchableFunctionWithRedirectJump) {
typedef TestOverrideFunctionWithRedirectJump T;
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode1));
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode2));
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode3));
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode4));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode1));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode2));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode3));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode4));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode5));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode6));
}
#endif // !SANITIZER_WINDOWS64
TEST(Interception, PatchableFunctionWithHotPatch) {
typedef TestOverrideFunctionWithHotPatch T;
FunctionPrefixKind prefix = FunctionPrefixHotPatch;
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode1, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode2, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode3, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode4, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode1, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kUnpatchableCode2, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode3, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode4, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode5, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode6, prefix));
}
TEST(Interception, PatchableFunctionWithTrampoline) {
typedef TestOverrideFunctionWithTrampoline T;
FunctionPrefixKind prefix = FunctionPrefixPadding;
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode1, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode2, prefix));
#if SANITIZER_WINDOWS64
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode3, prefix));
#else
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode3, prefix));
#endif #endif
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode4, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode1, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode2, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode3, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode4, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode5, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode6, prefix));
}
TEST(Interception, PatchableFunctionPadding) {
typedef TestOverrideFunction T;
FunctionPrefixKind prefix = FunctionPrefixPadding;
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode1, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode2, prefix));
#if SANITIZER_WINDOWS64
EXPECT_FALSE(TestFunctionPatching<T>(kPatchableCode3, prefix));
#else
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode3, prefix));
#endif
EXPECT_TRUE(TestFunctionPatching<T>(kPatchableCode4, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode1, prefix));
EXPECT_TRUE(TestFunctionPatching<T>(kUnpatchableCode2, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode3, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode4, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode5, prefix));
EXPECT_FALSE(TestFunctionPatching<T>(kUnpatchableCode6, prefix));
}
} // namespace __interception } // namespace __interception
#endif // SANITIZER_WINDOWS #endif // SANITIZER_WINDOWS
#endif // #if !SANITIZER_DEBUG #endif // #if !SANITIZER_DEBUG