Add missing decoding patterns toRoundUpToInstrBoundary

bergeret · bergeret · commit 3ac879f9a601 · 2016-06-20T18:00:03.000Z
Summary: The RoundUpToInstrBoundary determines intructions boundary and it's used to determine how to patch (intercept) functions. The current x64-bit implementation is incomplete. This patch is adding patterns observed when trying to sanitize a 64-bit executable on my computer. Thw two current functions not intercepted are: ``` RaiseExceptionStub: 000000007720C3B0 EB 06 jmp RaiseException (07720C3B8h) 000000007720C3B2 90 nop 000000007720C3B3 90 nop 000000007720C3B4 90 nop 000000007720C3B5 90 nop 000000007720C3B6 90 nop 000000007720C3B7 90 nop RaiseException: 000000007720C3B8 FF 25 3A 18 09 00 jmp qword ptr [__imp_RaiseException (07729DBF8h)] 000000007720C3BE 8B 44 24 54 mov eax,dword ptr [rsp+54h] 000000007720C3C2 85 C0 test eax,eax 000000007720C3C4 0F 84 F5 05 00 00 je Wow64NtCreateKey+12Fh (07720C9BFh) ``` ``` CreateThreadStub: 0000000077215A10 48 83 EC 48 sub rsp,48h 0000000077215A14 48 8B 44 24 78 mov rax,qword ptr [rsp+78h] 0000000077215A19 48 89 44 24 38 mov qword ptr [rsp+38h],rax 0000000077215A1E 8B 44 24 70 mov eax,dword ptr [rsp+70h] ``` Reviewers: rnk Subscribers: wang0109, chrisha Differential Revision: http://reviews.llvm.org/D21519 llvm-svn: 273176
diff --git a/compiler-rt/lib/interception/interception_win.cc b/compiler-rt/lib/interception/interception_win.cc
@@ -121,6 +121,9 @@ static size_t RoundUpToInstrBoundary(size_t size, char *code) {
       case '\x57':  // 57 : push rdi
         cursor++;
         continue;
+      case '\x90':  // 90 : nop
+        cursor++;
+        continue;
       case '\xb8':  // b8 XX XX XX XX : mov eax, XX XX XX XX
         cursor += 5;
         continue;
@@ -168,6 +171,12 @@ static size_t RoundUpToInstrBoundary(size_t size, char *code) {
         continue;
     }
 
+    switch (*(unsigned int*)(code + cursor)) {
+      case 0x24448b48:  // 48 8b 44 24 XX : mov rax, qword ptr [rsp + 0xXX]
+        cursor += 5;
+        continue;
+    }
+
     // Check first 5 bytes.
     switch (0xFFFFFFFFFFull & *(unsigned long long*)(code + cursor)) {
       case 0x08245c8948:    // 48 89 5c 24 08 : mov QWORD PTR [rsp+0x8], rbx
@@ -176,6 +185,13 @@ static size_t RoundUpToInstrBoundary(size_t size, char *code) {
         continue;
     }
 
+    // Check 8 bytes.
+    switch (*(unsigned long long*)(code + cursor)) {
+      case 0x90909090909006EBull:  // JMP +6,  6x NOP
+        cursor += 8;
+        continue;
+    }
+
     // Unknown instructions!
     __debugbreak();
   }
