
Commit 3ac879f

committedJun 20, 2016
Add missing decoding patterns toRoundUpToInstrBoundary
Summary: RoundUpToInstrBoundary determines instruction boundaries and is used to determine how to patch (intercept) functions. The current x64 implementation is incomplete. This patch adds patterns observed when trying to sanitize a 64-bit executable on my computer. The two functions currently not intercepted are: ``` RaiseExceptionStub: 000000007720C3B0 EB 06 jmp RaiseException (07720C3B8h) 000000007720C3B2 90 nop 000000007720C3B3 90 nop 000000007720C3B4 90 nop 000000007720C3B5 90 nop 000000007720C3B6 90 nop 000000007720C3B7 90 nop RaiseException: 000000007720C3B8 FF 25 3A 18 09 00 jmp qword ptr [__imp_RaiseException (07729DBF8h)] 000000007720C3BE 8B 44 24 54 mov eax,dword ptr [rsp+54h] 000000007720C3C2 85 C0 test eax,eax 000000007720C3C4 0F 84 F5 05 00 00 je Wow64NtCreateKey+12Fh (07720C9BFh) ``` ``` CreateThreadStub: 0000000077215A10 48 83 EC 48 sub rsp,48h 0000000077215A14 48 8B 44 24 78 mov rax,qword ptr [rsp+78h] 0000000077215A19 48 89 44 24 38 mov qword ptr [rsp+38h],rax 0000000077215A1E 8B 44 24 70 mov eax,dword ptr [rsp+70h] ``` Reviewers: rnk Subscribers: wang0109, chrisha Differential Revision: http://reviews.llvm.org/D21519 llvm-svn: 273176
1 parent a074fe4 commit 3ac879f


1 file changed

+16
-0
lines changed

 

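--- a/compiler-rt/lib/interception/interception_win.cc
+++ b/compiler-rt/lib/interception/interception_win.cc
@@ -121,6 +121,9 @@ static size_t RoundUpToInstrBoundary(size_t size, char *code) {
       case '\x57': // 57 : push rdi
         cursor++;
         continue;
+      case '\x90': // 90 : nop
+        cursor++;
+        continue;
       case '\xb8': // b8 XX XX XX XX : mov eax, XX XX XX XX
         cursor += 5;
         continue;
@@ -168,6 +171,12 @@ static size_t RoundUpToInstrBoundary(size_t size, char *code) {
         continue;
     }
 
+    switch (*(unsigned int*)(code + cursor)) {
+      case 0x24448b48: // 48 8b 44 24 XX : mov rax, qword ptr [rsp + 0xXX]
+        cursor += 5;
+        continue;
+    }
+
     // Check first 5 bytes.
     switch (0xFFFFFFFFFFull & *(unsigned long long*)(code + cursor)) {
       case 0x08245c8948: // 48 89 5c 24 08 : mov QWORD PTR [rsp+0x8], rbx
@@ -176,6 +185,13 @@ static size_t RoundUpToInstrBoundary(size_t size, char *code) {
         continue;
     }
 
+    // Check 8 bytes.
+    switch (*(unsigned long long*)(code + cursor)) {
+      case 0x90909090909006EBull: // JMP +6, 6x NOP
+        cursor += 8;
+        continue;
+    }
+
     // Unknown instructions!
     __debugbreak();
   }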
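Review bot: The new 8-byte check in the third hunk dereferences `*(unsigned long long*)(code + cursor)` for any cursor the loop still accepts, so it can read up to 7 bytes past `size` (the loop header is outside the hunks, so how far `cursor` may go is inferred); the existing 5-byte check already issues the same 8-byte load, and the new 4-byte `unsigned int*` read in the second hunk extends the pattern, but none of them states that the caller guarantees readable memory after the patch region, so a comment to that effect would help a reader auditing the bound. A `memcpy` into a local would also avoid the unaligned, type-punned load, e.g. `unsigned long long w; memcpy(&w, code + cursor, sizeof w); switch (w) {`. The `0x90909090909006EBull` case is only sound because the relative `EB 06` lands exactly on the byte after the six nops, so the whole block can be relocated as a unit; a comment saying so, `// EB 06 + 6x NOP: the jmp target is the byte right after the nops, so the block relocates as one unit`, would stop a reader from generalizing the case to other `EB XX` displacements. RoundUpToInstrBoundary's definition starts and ends outside the hunks.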
