static dr_emit_flags_t
event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
bool for_trace, bool translating)
{
instr_t *instr;
for (instr = instrlist_first_app(bb);
instr != NULL;
instr = instr_get_next_app(instr)) {
if (instr_is_cbr(instr)) {
dr_insert_cbr_instrumentation_ex
(drcontext, bb, instr, (void *)at_cbr,
OPND_CREATE_INTPTR(dr_fragment_app_pc(tag)));
}
}
return DR_EMIT_DEFAULT;
}
static dr_emit_flags_t
bb_event(void *drcontext, void *tag, instrlist_t *bb, bool for_trace, bool translating)
{
instr_t *instr, *next_instr;
for (instr = instrlist_first(bb); instr != NULL; instr = next_instr) {
next_instr = instr_get_next(instr);
if (instr_is_cbr(instr)) {
/* Conditional branch. We can determine the target and
* fallthrough addresses here, but we want to note the
* edge if and when it actually executes at runtime.
* Instead of using dr_insert_cbr_instrumentation(), we'll
* insert separate instrumentation for the taken and not
* taken cases and remove the instrumentation for an edge
* after it executes.
*/
cbr_state_t state;
bool insert_taken, insert_not_taken;
app_pc src = instr_get_app_pc(instr);
/* First look up the state of this branch so we
* know what instrumentation to insert, if any.
*/
elem_t *elem = lookup(table, src);
if (elem == NULL) {
state = CBR_NEITHER;
insert(table, src, CBR_NEITHER);
}
else {
state = elem->state;
}
insert_taken = (state & CBR_TAKEN) == 0;
insert_not_taken = (state & CBR_NOT_TAKEN) == 0;
if (insert_taken || insert_not_taken) {
app_pc fall = (app_pc)decode_next_pc(drcontext, (byte *)src);
app_pc targ = instr_get_branch_target_pc(instr);
/* Redirect the existing cbr to jump to a callout for
* the 'taken' case. We'll insert a 'not-taken'
* callout at the fallthrough address.
*/
instr_t *label = INSTR_CREATE_label(drcontext);
/* should be meta, and meta-instrs shouldn't have translations */
instr_set_meta_no_translation(instr);
/* it may not reach (in particular for x64) w/ our added clean call */
if (instr_is_cti_short(instr)) {
/* if jecxz/loop we want to set the target of the long-taken
* so set instr to the return value
*/
instr = instr_convert_short_meta_jmp_to_long(drcontext, bb, instr);
}
instr_set_target(instr, opnd_create_instr(label));
if (insert_not_taken) {
/* Callout for the not-taken case. Insert after
* the cbr (i.e., 3rd argument is NULL).
*/
dr_insert_clean_call(drcontext, bb, NULL,
(void*)at_not_taken,
false /* don't save fp state */,
2 /* 2 args for at_not_taken */,
OPND_CREATE_INTPTR(src),
OPND_CREATE_INTPTR(fall));
}
/* After the callout, jump to the original fallthrough
* address. Note that this is an exit cti, and should
* not be a meta-instruction. Therefore, we use
* preinsert instead of meta_preinsert, and we must
* set the translation field. On Windows, this jump
* and the final jump below never execute since the
* at_taken and at_not_taken callouts redirect
* execution and never return. However, since the API
* expects clients to produced well-formed code, we
* insert explicit exits from the block for Windows as
* well as Linux.
*/
instrlist_preinsert(bb, NULL,
INSTR_XL8(INSTR_CREATE_jmp
(drcontext, opnd_create_pc(fall)), fall));
/* label goes before the 'taken' callout */
MINSERT(bb, NULL, label);
if (insert_taken) {
/* Callout for the taken case */
dr_insert_clean_call(drcontext, bb, NULL,
(void*)at_taken,
false /* don't save fp state */,
2 /* 2 args for at_taken */,
OPND_CREATE_INTPTR(src),
OPND_CREATE_INTPTR(targ));
}
/* After the callout, jump to the original target
* block (this should not be a meta-instruction).
*/
instrlist_preinsert(bb, NULL,
INSTR_XL8(INSTR_CREATE_jmp
(drcontext, opnd_create_pc(targ)), targ));
}
}
}
/* since our added instrumentation is not constant, we ask to store
* translations now
*/
return DR_EMIT_STORE_TRANSLATIONS;
}
dr_emit_flags_t
bb_event(void *drcontext, void *tag, instrlist_t *bb, bool for_trace, bool translating)
{
instr_t *instr, *next_instr;
app_pc bb_addr = dr_fragment_app_pc(tag);
if (bb_addr == start_pc) {
instrument = true;
} else if (bb_addr == stop_pc) {
instrument = false;
}
if (!instrument) {
return DR_EMIT_DEFAULT;
}
for (instr = instrlist_first(bb); instr != NULL; instr = next_instr) {
next_instr = instr_get_next(instr);
/*
* Conditional branch. We can determine the target and
* fallthrough addresses here, but we need to instrument if we
* want to record the edge only if it actually executes at
* runtime. Instead of using dr_insert_cbr_instrumentation,
* we'll insert separate instrumentation for the taken and not
* taken cases and remove it separately after we see each
* case.
*/
if (instr_is_cbr(instr)) {
app_pc src = instr_get_app_pc(instr);
cbr_state_t state;
bool insert_taken, insert_not_taken;
/* First look up the state of this branch so we
* know what instrumentation to insert, if any.
*/
elem_t *elem = lookup(table, src);
if (elem == NULL) {
state = CBR_NONE;
insert(table, src, CBR_NONE);
} else {
state = elem->state;
}
insert_taken = (state & CBR_TAKEN) == 0;
insert_not_taken = (state & CBR_NOT_TAKEN) == 0;
if (insert_taken || insert_not_taken) {
app_pc fall = (app_pc)decode_next_pc(drcontext, (byte *)src);
app_pc targ = instr_get_branch_target_pc(instr);
/*
* Redirect the cbr to jump to the 'taken' callout.
* We'll insert a 'not-taken' callout at fallthrough
* address.
*/
instr_t *label = INSTR_CREATE_label(drcontext);
instr_set_meta(instr);
instr_set_translation(instr, NULL);
/* If this is a short cti, make sure it can reach its new target */
if (instr_is_cti_short(instr)) {
/* if jecxz/loop we want to set the target of the long-taken
* so set instr to the return value
*/
instr = instr_convert_short_meta_jmp_to_long(drcontext, bb, instr);
}
instr_set_target(instr, opnd_create_instr(label));
if (insert_not_taken) {
/*
* Callout for the not-taken case
*/
dr_insert_clean_call(drcontext, bb, NULL, (void *)at_not_taken,
false /* don't save fp state */,
2 /* 2 args for at_not_taken */,
OPND_CREATE_INTPTR((ptr_uint_t)src),
OPND_CREATE_INTPTR((ptr_uint_t)fall));
}
/*
* Jump to the original fall-through address.
* (This should not be a meta-instruction).
*/
instrlist_preinsert(
bb, NULL,
INSTR_XL8(INSTR_CREATE_jmp(drcontext, opnd_create_pc(fall)), fall));
/* label goes before the 'taken' callout */
MINSERT(bb, NULL, label);
if (insert_taken) {
/*
* Callout for the taken case
*/
dr_insert_clean_call(drcontext, bb, NULL, (void *)at_taken,
false /* don't save fp state */,
2 /* 2 args for at_taken */,
OPND_CREATE_INTPTR((ptr_uint_t)src),
OPND_CREATE_INTPTR((ptr_uint_t)targ));
}
/*
* Jump to the original target block (this should
* not be a meta-instruction).
*/
instrlist_preinsert(
bb, NULL,
INSTR_XL8(INSTR_CREATE_jmp(drcontext, opnd_create_pc(targ)), targ));
}
}
}
/* since our added instrumentation is not constant, we ask to store
* translations now
*/
return DR_EMIT_STORE_TRANSLATIONS;
}
bool
instr_is_jcc(instr_t *inst)
{
return instr_is_cbr(inst);
}
/* returns false on failure */
static bool
decode_syscall_num(void *dcontext, byte *entry, syscall_info_t *info, LOADED_IMAGE *img)
{
/* FIXME: would like to fail gracefully rather than have a DR assertion
* on non-code! => use DEBUG=0 INTERNAL=1 DR build!
*/
bool found_syscall = false, found_eax = false, found_edx = false, found_ecx = false;
bool found_ret = false;
byte *pc, *pre_pc;
int num_instr = 0;
instr_t *instr;
byte *preferred = get_preferred_base(img);
if (entry == NULL)
return false;
info->num_args = -1; /* if find sysnum but not args */
info->sysnum = -1;
info->fixup_index = -1;
instr = instr_create(dcontext);
pc = entry;
/* FIXME - we don't support decoding 64bit instructions in 32bit mode, but I want
* this to work on 32bit machines. Hack fix based on the wrapper pattern, we skip
* the first instruction (mov r10, rcx) here, the rest should decode ok.
* Xref PR 236203. */
if (expect_x64 && *pc == 0x4c && *(pc+1) == 0x8b && *(pc+2) == 0xd1)
pc += 3;
while (true) {
instr_reset(dcontext, instr);
pre_pc = pc;
pc = decode(dcontext, pc, instr);
if (verbose) {
instr_set_translation(instr, pre_pc);
dr_print_instr(dcontext, STDOUT, instr, "");
}
if (pc == NULL || !instr_valid(instr))
break;
if (instr_is_syscall(instr) || instr_is_call_indirect(instr)) {
/* If we see a syscall instr or an indirect call which is not syscall,
* we assume this is not a syscall wrapper.
*/
found_syscall = process_syscall_instr(dcontext, instr, found_eax, found_edx);
if (!found_syscall)
break; /* assume not a syscall wrapper, give up gracefully */
} else if (instr_is_return(instr)) {
/* we must break on return to avoid case like win8 x86
* which has sysenter callee adjacent-"inlined"
* ntdll!NtYieldExecution:
* 77d7422c b801000000 mov eax,1
* 77d74231 e801000000 call ntdll!NtYieldExecution+0xb (77d74237)
* 77d74236 c3 ret
* 77d74237 8bd4 mov edx,esp
* 77d74239 0f34 sysenter
* 77d7423b c3 ret
*/
if (!found_ret) {
process_ret(instr, info);
found_ret = true;
}
break;
} else if (instr_get_opcode(instr) == OP_call) {
found_syscall = process_syscall_call(dcontext, pc, instr,
found_eax, found_edx);
/* If we see a call and it is not a sysenter callee,
* we assume this is not a syscall wrapper.
*/
if (!found_syscall)
break; /* assume not a syscall wrapper, give up gracefully */
} else if (instr_is_cti(instr)) {
/* We expect only ctis like ret or ret imm, syscall, and call, which are
* handled above. Give up gracefully if we hit any other cti.
* XXX: what about jmp to shared ret (seen in the past on some syscalls)?
*/
/* Update: win10 TH2 1511 x64 has a cti:
* ntdll!NtContinue:
* 00007ff9`13185630 4c8bd1 mov r10,rcx
* 00007ff9`13185633 b843000000 mov eax,43h
* 00007ff9`13185638 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
* 00007ff9`13185640 7503 jne ntdll!NtContinue+0x15 (00007ff9`13185645)
* 00007ff9`13185642 0f05 syscall
* 00007ff9`13185644 c3 ret
* 00007ff9`13185645 cd2e int 2Eh
* 00007ff9`13185647 c3 ret
*/
if (expect_x64 && instr_is_cbr(instr) &&
opnd_get_pc(instr_get_target(instr)) == pc + 3/*syscall;ret*/) {
/* keep going */
} else
break;
} else if ((!found_eax || !found_edx || !found_ecx) &&
instr_get_opcode(instr) == OP_mov_imm &&
opnd_is_reg(instr_get_dst(instr, 0))) {
if (!found_eax && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EAX) {
info->sysnum = (int) opnd_get_immed_int(instr_get_src(instr, 0));
found_eax = true;
} else if (!found_edx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EDX) {
uint imm = (uint) opnd_get_immed_int(instr_get_src(instr, 0));
if (imm == 0x7ffe0300 ||
/* On Win10 the immed is ntdll!Wow64SystemServiceCall */
(expect_wow && imm > (ptr_uint_t)preferred &&
imm < (ptr_uint_t)preferred + img->SizeOfImage))
found_edx = true;
} else if (!found_ecx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
found_ecx = true;
info->fixup_index = (int) opnd_get_immed_int(instr_get_src(instr, 0));
}
} else if (instr_get_opcode(instr) == OP_xor &&
opnd_is_reg(instr_get_src(instr, 0)) &&
opnd_get_reg(instr_get_src(instr, 0)) == REG_ECX &&
opnd_is_reg(instr_get_dst(instr, 0)) &&
opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
/* xor to 0 */
found_ecx = true;
info->fixup_index = 0;
}
num_instr++;
if (num_instr > MAX_INSTRS_BEFORE_SYSCALL) /* wrappers should be short! */
break; /* avoid weird cases like NPXEMULATORTABLE */
}
instr_destroy(dcontext, instr);
return found_syscall;
}
