Retro68/gcc/libsanitizer/interception/interception_win.cc

272 lines
9.2 KiB
C++
Raw Normal View History

2014-09-21 17:33:12 +00:00
//===-- interception_linux.cc -----------------------------------*- C++ -*-===//
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file is a part of AddressSanitizer, an address sanity checker.
//
// Windows-specific interception methods.
//===----------------------------------------------------------------------===//
#ifdef _WIN32
#include "interception.h"
2017-04-10 11:32:00 +00:00
#define WIN32_LEAN_AND_MEAN
2014-09-21 17:33:12 +00:00
#include <windows.h>
namespace __interception {
// FIXME: internal_str* and internal_mem* functions should be moved from the
// ASan sources into interception/.
static void _memset(void *p, int value, size_t sz) {
for (size_t i = 0; i < sz; ++i)
((char*)p)[i] = (char)value;
}
static void _memcpy(void *dst, void *src, size_t sz) {
char *dst_c = (char*)dst,
*src_c = (char*)src;
for (size_t i = 0; i < sz; ++i)
dst_c[i] = src_c[i];
}
static void WriteJumpInstruction(char *jmp_from, char *to) {
// jmp XXYYZZWW = E9 WW ZZ YY XX, where XXYYZZWW is an offset fromt jmp_from
// to the next instruction to the destination.
ptrdiff_t offset = to - jmp_from - 5;
*jmp_from = '\xE9';
*(ptrdiff_t*)(jmp_from + 1) = offset;
}
2015-08-28 15:33:40 +00:00
static char *GetMemoryForTrampoline(size_t size) {
2014-09-21 17:33:12 +00:00
// Trampolines are allocated from a common pool.
const int POOL_SIZE = 1024;
static char *pool = NULL;
static size_t pool_used = 0;
2015-08-28 15:33:40 +00:00
if (!pool) {
pool = (char *)VirtualAlloc(NULL, POOL_SIZE, MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
// FIXME: Might want to apply PAGE_EXECUTE_READ access after all the
// interceptors are in place.
if (!pool)
return NULL;
2014-09-21 17:33:12 +00:00
_memset(pool, 0xCC /* int 3 */, POOL_SIZE);
}
2015-08-28 15:33:40 +00:00
if (pool_used + size > POOL_SIZE)
return NULL;
char *ret = pool + pool_used;
pool_used += size;
return ret;
}
2014-09-21 17:33:12 +00:00
2015-08-28 15:33:40 +00:00
// Returns 0 on error.
static size_t RoundUpToInstrBoundary(size_t size, char *code) {
size_t cursor = 0;
while (cursor < size) {
switch (code[cursor]) {
case '\x51': // push ecx
case '\x52': // push edx
case '\x53': // push ebx
case '\x54': // push esp
2014-09-21 17:33:12 +00:00
case '\x55': // push ebp
case '\x56': // push esi
case '\x57': // push edi
2015-08-28 15:33:40 +00:00
case '\x5D': // pop ebp
cursor++;
continue;
case '\x6A': // 6A XX = push XX
cursor += 2;
continue;
case '\xE9': // E9 XX YY ZZ WW = jmp WWZZYYXX
2017-04-10 11:32:00 +00:00
case '\xB8': // B8 XX YY ZZ WW = mov eax, WWZZYYXX
2015-08-28 15:33:40 +00:00
cursor += 5;
2014-09-21 17:33:12 +00:00
continue;
}
2015-08-28 15:33:40 +00:00
switch (*(unsigned short*)(code + cursor)) { // NOLINT
2014-09-21 17:33:12 +00:00
case 0xFF8B: // 8B FF = mov edi, edi
case 0xEC8B: // 8B EC = mov ebp, esp
case 0xC033: // 33 C0 = xor eax, eax
2015-08-28 15:33:40 +00:00
cursor += 2;
2014-09-21 17:33:12 +00:00
continue;
2015-08-28 15:33:40 +00:00
case 0x458B: // 8B 45 XX = mov eax, dword ptr [ebp+XXh]
case 0x5D8B: // 8B 5D XX = mov ebx, dword ptr [ebp+XXh]
2014-09-21 17:33:12 +00:00
case 0xEC83: // 83 EC XX = sub esp, XX
2015-08-28 15:33:40 +00:00
case 0x75FF: // FF 75 XX = push dword ptr [ebp+XXh]
cursor += 3;
2014-09-21 17:33:12 +00:00
continue;
case 0xC1F7: // F7 C1 XX YY ZZ WW = test ecx, WWZZYYXX
2015-08-28 15:33:40 +00:00
case 0x25FF: // FF 25 XX YY ZZ WW = jmp dword ptr ds:[WWZZYYXX]
cursor += 6;
continue;
case 0x3D83: // 83 3D XX YY ZZ WW TT = cmp TT, WWZZYYXX
cursor += 7;
2014-09-21 17:33:12 +00:00
continue;
}
2015-08-28 15:33:40 +00:00
switch (0x00FFFFFF & *(unsigned int*)(code + cursor)) {
2014-09-21 17:33:12 +00:00
case 0x24448A: // 8A 44 24 XX = mov eal, dword ptr [esp+XXh]
2015-08-28 15:33:40 +00:00
case 0x24448B: // 8B 44 24 XX = mov eax, dword ptr [esp+XXh]
2014-09-21 17:33:12 +00:00
case 0x244C8B: // 8B 4C 24 XX = mov ecx, dword ptr [esp+XXh]
case 0x24548B: // 8B 54 24 XX = mov edx, dword ptr [esp+XXh]
2015-08-28 15:33:40 +00:00
case 0x24748B: // 8B 74 24 XX = mov esi, dword ptr [esp+XXh]
2014-09-21 17:33:12 +00:00
case 0x247C8B: // 8B 7C 24 XX = mov edi, dword ptr [esp+XXh]
2015-08-28 15:33:40 +00:00
cursor += 4;
2014-09-21 17:33:12 +00:00
continue;
}
// Unknown instruction!
2015-08-28 15:33:40 +00:00
// FIXME: Unknown instruction failures might happen when we add a new
// interceptor or a new compiler version. In either case, they should result
// in visible and readable error messages. However, merely calling abort()
// leads to an infinite recursion in CheckFailed.
// Do we have a good way to abort with an error message here?
__debugbreak();
return 0;
2014-09-21 17:33:12 +00:00
}
2015-08-28 15:33:40 +00:00
return cursor;
}
bool OverrideFunction(uptr old_func, uptr new_func, uptr *orig_old_func) {
#ifdef _WIN64
#error OverrideFunction is not yet supported on x64
#endif
// Function overriding works basically like this:
// We write "jmp <new_func>" (5 bytes) at the beginning of the 'old_func'
// to override it.
// We might want to be able to execute the original 'old_func' from the
// wrapper, in this case we need to keep the leading 5+ bytes ('head')
// of the original code somewhere with a "jmp <old_func+head>".
// We call these 'head'+5 bytes of instructions a "trampoline".
char *old_bytes = (char *)old_func;
// We'll need at least 5 bytes for a 'jmp'.
size_t head = 5;
if (orig_old_func) {
// Find out the number of bytes of the instructions we need to copy
// to the trampoline and store it in 'head'.
head = RoundUpToInstrBoundary(head, old_bytes);
if (!head)
return false;
2014-09-21 17:33:12 +00:00
2015-08-28 15:33:40 +00:00
// Put the needed instructions into the trampoline bytes.
char *trampoline = GetMemoryForTrampoline(head + 5);
if (!trampoline)
return false;
_memcpy(trampoline, old_bytes, head);
WriteJumpInstruction(trampoline + head, old_bytes + head);
*orig_old_func = (uptr)trampoline;
}
// Now put the "jmp <new_func>" instruction at the original code location.
// We should preserve the EXECUTE flag as some of our own code might be
// located in the same page (sic!). FIXME: might consider putting the
// __interception code into a separate section or something?
2014-09-21 17:33:12 +00:00
DWORD old_prot, unused_prot;
2015-08-28 15:33:40 +00:00
if (!VirtualProtect((void *)old_bytes, head, PAGE_EXECUTE_READWRITE,
2014-09-21 17:33:12 +00:00
&old_prot))
return false;
2015-08-28 15:33:40 +00:00
WriteJumpInstruction(old_bytes, (char *)new_func);
2014-09-21 17:33:12 +00:00
_memset(old_bytes + 5, 0xCC /* int 3 */, head - 5);
2015-08-28 15:33:40 +00:00
// Restore the original permissions.
if (!VirtualProtect((void *)old_bytes, head, old_prot, &unused_prot))
2014-09-21 17:33:12 +00:00
return false; // not clear if this failure bothers us.
return true;
}
2017-04-10 11:32:00 +00:00
static void **InterestingDLLsAvailable() {
const char *InterestingDLLs[] = {
"kernel32.dll",
"msvcr110.dll", // VS2012
"msvcr120.dll", // VS2013
// NTDLL should go last as it exports some functions that we should override
// in the CRT [presumably only used internally].
"ntdll.dll", NULL
};
2015-08-28 15:33:40 +00:00
static void *result[ARRAY_SIZE(InterestingDLLs)] = { 0 };
if (!result[0]) {
for (size_t i = 0, j = 0; InterestingDLLs[i]; ++i) {
if (HMODULE h = GetModuleHandleA(InterestingDLLs[i]))
result[j++] = (void *)h;
}
}
2017-04-10 11:32:00 +00:00
return &result[0];
}
namespace {
// Utility for reading loaded PE images.
template <typename T> class RVAPtr {
public:
RVAPtr(void *module, uptr rva)
: ptr_(reinterpret_cast<T *>(reinterpret_cast<char *>(module) + rva)) {}
operator T *() { return ptr_; }
T *operator->() { return ptr_; }
T *operator++() { return ++ptr_; }
private:
T *ptr_;
};
} // namespace
// Internal implementation of GetProcAddress. At least since Windows 8,
// GetProcAddress appears to initialize DLLs before returning function pointers
// into them. This is problematic for the sanitizers, because they typically
// want to intercept malloc *before* MSVCRT initializes. Our internal
// implementation walks the export list manually without doing initialization.
uptr InternalGetProcAddress(void *module, const char *func_name) {
// Check that the module header is full and present.
RVAPtr<IMAGE_DOS_HEADER> dos_stub(module, 0);
RVAPtr<IMAGE_NT_HEADERS> headers(module, dos_stub->e_lfanew);
if (!module || dos_stub->e_magic != IMAGE_DOS_SIGNATURE || // "MZ"
headers->Signature != IMAGE_NT_SIGNATURE || // "PE\0\0"
headers->FileHeader.SizeOfOptionalHeader <
sizeof(IMAGE_OPTIONAL_HEADER)) {
return 0;
}
IMAGE_DATA_DIRECTORY *export_directory =
&headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
RVAPtr<IMAGE_EXPORT_DIRECTORY> exports(module,
export_directory->VirtualAddress);
RVAPtr<DWORD> functions(module, exports->AddressOfFunctions);
RVAPtr<DWORD> names(module, exports->AddressOfNames);
RVAPtr<WORD> ordinals(module, exports->AddressOfNameOrdinals);
for (DWORD i = 0; i < exports->NumberOfNames; i++) {
RVAPtr<char> name(module, names[i]);
if (!strcmp(func_name, name)) {
DWORD index = ordinals[i];
RVAPtr<char> func(module, functions[index]);
return (uptr)(char *)func;
}
}
return 0;
2015-08-28 15:33:40 +00:00
}
static bool GetFunctionAddressInDLLs(const char *func_name, uptr *func_addr) {
*func_addr = 0;
2017-04-10 11:32:00 +00:00
void **DLLs = InterestingDLLsAvailable();
2015-08-28 15:33:40 +00:00
for (size_t i = 0; *func_addr == 0 && DLLs[i]; ++i)
2017-04-10 11:32:00 +00:00
*func_addr = InternalGetProcAddress(DLLs[i], func_name);
2015-08-28 15:33:40 +00:00
return (*func_addr != 0);
}
bool OverrideFunction(const char *name, uptr new_func, uptr *orig_old_func) {
uptr orig_func;
if (!GetFunctionAddressInDLLs(name, &orig_func))
return false;
return OverrideFunction(orig_func, new_func, orig_old_func);
}
2014-09-21 17:33:12 +00:00
} // namespace __interception
#endif // _WIN32