This is an archive of the discontinued LLVM Phabricator instance.

Differential D23046

[asan] Intercept RtlRaiseException instead of kernel32!RaiseException
ClosedPublic

Authored by rnk on Aug 1 2016, 6:46 PM.

Details

Reviewers
etienneb
Commits
rGd6371ea52a99: [asan] Intercept RtlRaiseException instead of kernel32!RaiseException
rCRT277518: [asan] Intercept RtlRaiseException instead of kernel32!RaiseException
rL277518: [asan] Intercept RtlRaiseException instead of kernel32!RaiseException
Summary

On my install of Windows 10, RaiseException is a tail call to
kernelbase!RaiseException. Obviously, we fail to intercept that.
Instead, try hooking at the ntdll!RtlRaiseException layer. It is
unlikely that this layer will contain control flow.

Intercepting at this level requires adding a decoding for
'LEA ESP, [ESP + 0xXXXXXXXX]', which is a really obscure way to write
'SUB ESP, 0xXXXXXXXX' that avoids clobbering EFLAGS.

Diff Detail

Repository
rL LLVM

Event Timeline

rnk updated this revision to Diff 66416.Aug 1 2016, 6:46 PM
rnk retitled this revision from to [asan] Intercept RtlRaiseException instead of kernel32!RaiseException.
rnk updated this object.
rnk added a reviewer: etienneb.
rnk added a subscriber: llvm-commits.
Herald added a subscriber: kubamracek. · View Herald TranscriptAug 1 2016, 6:46 PM
etienneb accepted this revision.Aug 2 2016, 8:11 AM
etienneb edited edge metadata.

lgtm

This revision is now accepted and ready to land.Aug 2 2016, 8:11 AM
Closed by commit rL277518: [asan] Intercept RtlRaiseException instead of kernel32!RaiseException (authored by rnk). · Explain WhyAug 2 2016, 1:44 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
asan/
11 lines
interception/
3 lines
tests/
8 lines
test/
asan/
TestCases/
Windows/
2 lines

Diff 66547

compiler-rt/trunk/lib/asan/asan_win.cc

Show First 20 LinesShow All 65 Lines▼ Show 20 Lines
#pragma comment(linker, "/alternatename:___asan_default_options=___asan_default_default_options") // NOLINT #pragma comment(linker, "/alternatename:___asan_default_options=___asan_default_default_options") // NOLINT
#pragma comment(linker, "/alternatename:___asan_default_suppressions=___asan_default_default_suppressions") // NOLINT #pragma comment(linker, "/alternatename:___asan_default_suppressions=___asan_default_default_suppressions") // NOLINT
#pragma comment(linker, "/alternatename:___asan_on_error=___asan_default_on_error") // NOLINT #pragma comment(linker, "/alternatename:___asan_on_error=___asan_default_on_error") // NOLINT
#endif #endif
// }}} // }}}
} // extern "C" } // extern "C"
// ---------------------- Windows-specific interceptors ---------------- {{{ // ---------------------- Windows-specific interceptors ---------------- {{{
INTERCEPTOR_WINAPI(void, RaiseException, void *a, void *b, void *c, void *d) { INTERCEPTOR_WINAPI(void, RtlRaiseException, void *ExceptionRecord) {
CHECK(REAL(RaiseException)); CHECK(REAL(RtlRaiseException));
__asan_handle_no_return(); __asan_handle_no_return();
REAL(RaiseException)(a, b, c, d); REAL(RtlRaiseException)(ExceptionRecord);
} }
#ifdef _WIN64 #ifdef _WIN64
INTERCEPTOR_WINAPI(int, __C_specific_handler, void *a, void *b, void *c, void *d) { // NOLINT INTERCEPTOR_WINAPI(int, __C_specific_handler, void *a, void *b, void *c, void *d) { // NOLINT
CHECK(REAL(__C_specific_handler)); CHECK(REAL(__C_specific_handler));
__asan_handle_no_return(); __asan_handle_no_return();
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Lines
} }
// }}} // }}}
namespace __asan { namespace __asan {
void InitializePlatformInterceptors() { void InitializePlatformInterceptors() {
ASAN_INTERCEPT_FUNC(CreateThread); ASAN_INTERCEPT_FUNC(CreateThread);
ASAN_INTERCEPT_FUNC(RaiseException); // RtlRaiseException is always linked dynamically.
CHECK(::__interception::OverrideFunction("RtlRaiseException",
(uptr)WRAP(RtlRaiseException),
(uptr *)&REAL(RtlRaiseException)));
#ifdef _WIN64 #ifdef _WIN64
ASAN_INTERCEPT_FUNC(__C_specific_handler); ASAN_INTERCEPT_FUNC(__C_specific_handler);
#else #else
ASAN_INTERCEPT_FUNC(_except_handler3); ASAN_INTERCEPT_FUNC(_except_handler3);
ASAN_INTERCEPT_FUNC(_except_handler4); ASAN_INTERCEPT_FUNC(_except_handler4);
#endif #endif
} }
▲ Show 20 LinesShow All 162 LinesShow Last 20 Lines

compiler-rt/trunk/lib/interception/interception_win.cc

Show First 20 LinesShow All 559 Lines▼ Show 20 Lines#else
switch (0x00FFFFFF & *(u32*)address) { switch (0x00FFFFFF & *(u32*)address) {
case 0x24448A: // 8A 44 24 XX : mov eal, dword ptr [esp + XX] case 0x24448A: // 8A 44 24 XX : mov eal, dword ptr [esp + XX]
case 0x24448B: // 8B 44 24 XX : mov eax, dword ptr [esp + XX] case 0x24448B: // 8B 44 24 XX : mov eax, dword ptr [esp + XX]
case 0x244C8B: // 8B 4C 24 XX : mov ecx, dword ptr [esp + XX] case 0x244C8B: // 8B 4C 24 XX : mov ecx, dword ptr [esp + XX]
case 0x24548B: // 8B 54 24 XX : mov edx, dword ptr [esp + XX] case 0x24548B: // 8B 54 24 XX : mov edx, dword ptr [esp + XX]
case 0x24748B: // 8B 74 24 XX : mov esi, dword ptr [esp + XX] case 0x24748B: // 8B 74 24 XX : mov esi, dword ptr [esp + XX]
case 0x247C8B: // 8B 7C 24 XX : mov edi, dword ptr [esp + XX] case 0x247C8B: // 8B 7C 24 XX : mov edi, dword ptr [esp + XX]
return 4; return 4;
case 0x24A48D: // 8D A4 24 XX XX XX XX : lea esp, [esp + XX XX XX XX]
return 7;
} }
switch (*(u32*)address) { switch (*(u32*)address) {
case 0x2444B60F: // 0F B6 44 24 XX : movzx eax, byte ptr [esp + XX] case 0x2444B60F: // 0F B6 44 24 XX : movzx eax, byte ptr [esp + XX]
return 5; return 5;
} }
#endif #endif
▲ Show 20 LinesShow All 415 LinesShow Last 20 Lines

compiler-rt/trunk/lib/interception/tests/interception_win_test.cc

Show First 20 LinesShow All 157 Lines▼ Show 20 Linesconst u8 kPatchableCode3[] = {
0xE8, 0x3D, 0xFF, 0xFF, 0xFF, // call <func> 0xE8, 0x3D, 0xFF, 0xFF, 0xFF, // call <func>
}; };
const u8 kPatchableCode4[] = { const u8 kPatchableCode4[] = {
0xE9, 0xCC, 0xCC, 0xCC, 0xCC, // jmp <label> 0xE9, 0xCC, 0xCC, 0xCC, 0xCC, // jmp <label>
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
}; };
const u8 kPatchableCode5[] = {
0x55, // push ebp
0x8b, 0xec, // mov ebp,esp
0x8d, 0xa4, 0x24, 0x30, 0xfd, 0xff, 0xff, // lea esp,[esp-2D0h]
0x54, // push esp
};
const u8 kUnpatchableCode1[] = { const u8 kUnpatchableCode1[] = {
0xC3, // ret 0xC3, // ret
}; };
const u8 kUnpatchableCode2[] = { const u8 kUnpatchableCode2[] = {
0x33, 0xC9, // xor ecx,ecx 0x33, 0xC9, // xor ecx,ecx
0xC3, // ret 0xC3, // ret
}; };
▲ Show 20 LinesShow All 295 Lines▼ Show 20 LinesTEST(Interception, PatchableFunction) {
EXPECT_TRUE(TestFunctionPatching(kPatchableCode1, override)); EXPECT_TRUE(TestFunctionPatching(kPatchableCode1, override));
EXPECT_TRUE(TestFunctionPatching(kPatchableCode2, override)); EXPECT_TRUE(TestFunctionPatching(kPatchableCode2, override));
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
EXPECT_FALSE(TestFunctionPatching(kPatchableCode3, override)); EXPECT_FALSE(TestFunctionPatching(kPatchableCode3, override));
#else #else
EXPECT_TRUE(TestFunctionPatching(kPatchableCode3, override)); EXPECT_TRUE(TestFunctionPatching(kPatchableCode3, override));
#endif #endif
EXPECT_TRUE(TestFunctionPatching(kPatchableCode4, override)); EXPECT_TRUE(TestFunctionPatching(kPatchableCode4, override));
EXPECT_TRUE(TestFunctionPatching(kPatchableCode5, override));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode1, override)); EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode1, override));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode2, override)); EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode2, override));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode3, override)); EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode3, override));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode4, override)); EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode4, override));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode5, override)); EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode5, override));
EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode6, override)); EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode6, override));
} }
▲ Show 20 LinesShow All 108 LinesShow Last 20 Lines

compiler-rt/trunk/test/asan/TestCases/Windows/dll_host.cc

Show All 18 Lines
// //
// Add functions interecepted in asan_malloc.win.cc and asan_win.cc. // Add functions interecepted in asan_malloc.win.cc and asan_win.cc.
// RUN: grep '[I]MPORT:' %s | sed -e 's/.*[I]MPORT: //' > %t.dll_imports3 // RUN: grep '[I]MPORT:' %s | sed -e 's/.*[I]MPORT: //' > %t.dll_imports3
// IMPORT: __asan_wrap_HeapAlloc // IMPORT: __asan_wrap_HeapAlloc
// IMPORT: __asan_wrap_HeapFree // IMPORT: __asan_wrap_HeapFree
// IMPORT: __asan_wrap_HeapReAlloc // IMPORT: __asan_wrap_HeapReAlloc
// IMPORT: __asan_wrap_HeapSize // IMPORT: __asan_wrap_HeapSize
// IMPORT: __asan_wrap_CreateThread // IMPORT: __asan_wrap_CreateThread
// IMPORT: __asan_wrap_RaiseException // IMPORT: __asan_wrap_RtlRaiseException
// //
// The exception handlers differ in 32-bit and 64-bit, so we ignore them: // The exception handlers differ in 32-bit and 64-bit, so we ignore them:
// RUN: grep '[E]XPORT:' %s | sed -e 's/.*[E]XPORT: //' > %t.exported_wrappers3 // RUN: grep '[E]XPORT:' %s | sed -e 's/.*[E]XPORT: //' > %t.exported_wrappers3
// EXPORT: __asan_wrap__except_handler3 // EXPORT: __asan_wrap__except_handler3
// EXPORT: __asan_wrap__except_handler4 // EXPORT: __asan_wrap__except_handler4
// EXPORT: __asan_wrap___C_specific_handler // EXPORT: __asan_wrap___C_specific_handler
// //
// RUN: cat %t.dll_imports1 %t.dll_imports2 %t.dll_imports3 | sort | uniq > %t.dll_imports-sorted // RUN: cat %t.dll_imports1 %t.dll_imports2 %t.dll_imports3 | sort | uniq > %t.dll_imports-sorted
Show All 39 Lines