static dr_emit_flags_t
event_basic_block(void *drcontext, void *tag, instrlist_t *bb, bool for_trace, bool translating)
{
instr_t *instr;
trace_head_entry_t *e = NULL;
if (translating)
return DR_EMIT_DEFAULT;
for (instr = instrlist_first(bb); instr != NULL; instr = instr_get_next(instr)) {
/* blocks containing calls are trace heads */
if (instr_is_call(instr)) {
dr_mark_trace_head(drcontext, tag);
dr_mutex_lock(htable_mutex);
e = add_trace_head_entry(NULL, tag);
e->is_trace_head = true;
dr_mutex_unlock(htable_mutex);
#ifdef VERBOSE
dr_log(drcontext, LOG_ALL, 3,
"inline: marking bb "PFX" as trace head\n", tag);
#endif
/* doesn't matter what's in rest of bb */
return DR_EMIT_DEFAULT;
} else if (instr_is_return(instr)) {
dr_mutex_lock(htable_mutex);
e = add_trace_head_entry(NULL, tag);
e->has_ret = true;
dr_mutex_unlock(htable_mutex);
}
}
return DR_EMIT_DEFAULT;
}
/* return the branch type of the (branch) inst */
uint
instr_branch_type(instr_t *cti_instr)
{
instr_get_opcode(cti_instr); /* ensure opcode is valid */
if (instr_get_opcode(cti_instr) == OP_blx) {
/* To handle the mode switch we go through the ibl.
* FIXME i#1551: once we have far linking through stubs we should
* remove this and have a faster link through the stub.
*/
return LINK_INDIRECT|LINK_CALL;
}
/* We treate a predicated call as a cbr, not a call */
else if (instr_is_cbr_arch(cti_instr) || instr_is_ubr_arch(cti_instr))
return LINK_DIRECT|LINK_JMP;
else if (instr_is_call_direct(cti_instr))
return LINK_DIRECT|LINK_CALL;
else if (instr_is_call_indirect(cti_instr))
return LINK_INDIRECT|LINK_CALL;
else if (instr_is_return(cti_instr))
return LINK_INDIRECT|LINK_RETURN;
else if (instr_is_mbr_arch(cti_instr))
return LINK_INDIRECT|LINK_JMP;
else
CLIENT_ASSERT(false, "instr_branch_type: unknown opcode");
return LINK_INDIRECT;
}
/* returns false on failure */
static bool
decode_function(void *dcontext, byte *entry)
{
byte *pc, *pre_pc;
int num_instr = 0;
bool found_ret = false;
instr_t *instr;
if (entry == NULL)
return false;
instr = instr_create(dcontext);
pc = entry;
while (true) {
instr_reset(dcontext, instr);
pre_pc = pc;
pc = decode(dcontext, pc, instr);
instr_set_translation(instr, pre_pc);
dr_print_instr(dcontext, STDOUT, instr, "");
if (instr_is_return(instr)) {
found_ret = true;
break;
}
num_instr++;
if (num_instr > MAX_INSTRS_IN_FUNCTION) {
print("ERROR: hit max instr limit %d\n", MAX_INSTRS_IN_FUNCTION);
break;
}
}
instr_destroy(dcontext, instr);
return found_ret;
}
/* This event is called separately for each individual instruction in the bb. */
static dr_emit_flags_t
event_insert_instrumentation(void *drcontext, void *tag, instrlist_t *bb, instr_t *instr,
bool for_trace, bool translating, void *user_data)
{
bool bb_in_app;
if (dr_fragment_app_pc(tag) >= app_base && dr_fragment_app_pc(tag) < app_end)
bb_in_app = true;
else
bb_in_app = false;
if (drmgr_is_first_instr(drcontext, instr)) {
uint num_instrs = (uint)(ptr_uint_t)user_data;
dr_insert_clean_call(drcontext, bb, instr,
(void *)(bb_in_app ? app_update : lib_update),
false /* save fpstate */, 1, OPND_CREATE_INT32(num_instrs));
}
if (instr_is_mbr(instr) && !instr_is_return(instr)) {
/* Assuming most of the transfers between app and lib are paired, we
* instrument indirect branches but not returns for better performance.
*/
dr_insert_mbr_instrumentation(
drcontext, bb, instr, (void *)(bb_in_app ? app_mbr : lib_mbr), SPILL_SLOT_1);
}
return DR_EMIT_DEFAULT;
}
static dr_emit_flags_t
event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
bool for_trace, bool translating)
{
instr_t *instr, *next_instr;
#ifdef VERBOSE
dr_printf("in dr_basic_block(tag="PFX")\n", tag);
# if VERBOSE_VERBOSE
instrlist_disassemble(drcontext, tag, bb, STDOUT);
# endif
#endif
for (instr = instrlist_first_app(bb); instr != NULL; instr = next_instr) {
next_instr = instr_get_next_app(instr);
if (!instr_opcode_valid(instr))
continue;
/* instrument calls and returns -- ignore far calls/rets */
if (instr_is_call_direct(instr)) {
dr_insert_call_instrumentation(drcontext, bb, instr, (app_pc)at_call);
} else if (instr_is_call_indirect(instr)) {
dr_insert_mbr_instrumentation(drcontext, bb, instr, (app_pc)at_call_ind,
SPILL_SLOT_1);
} else if (instr_is_return(instr)) {
dr_insert_mbr_instrumentation(drcontext, bb, instr, (app_pc)at_return,
SPILL_SLOT_1);
}
}
return DR_EMIT_DEFAULT;
}
static void
process_ret(instr_t *instr, syscall_info_t *info)
{
assert(instr_is_return(instr));
if (opnd_is_immed_int(instr_get_src(instr, 0)))
info->num_args = (int) opnd_get_immed_int(instr_get_src(instr, 0));
else
info->num_args = 0;
}
static dr_emit_flags_t
event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
bool for_trace, bool translating)
{
instr_t *instr, *mbr = NULL;
uint num_instrs;
bool bb_in_app;
#ifdef VERBOSE
dr_printf("in dynamorio_basic_block(tag="PFX")\n", tag);
# ifdef VERBOSE_VERBOSE
instrlist_disassemble(drcontext, tag, bb, STDOUT);
# endif
#endif
for (instr = instrlist_first(bb), num_instrs = 0;
instr != NULL;
instr = instr_get_next(instr)) {
/* only care about app instr */
if (!instr_ok_to_mangle(instr))
continue;
num_instrs++;
/* Assuming most of the transfers between app and lib are paired, we
* instrument indirect branches but not returns for better performance.
*/
if (instr_is_mbr(instr) && !instr_is_return(instr))
mbr = instr;
}
if (dr_fragment_app_pc(tag) >= app_base &&
dr_fragment_app_pc(tag) < app_end)
bb_in_app = true;
else
bb_in_app = false;
dr_insert_clean_call(drcontext, bb, instrlist_first(bb),
(void *)(bb_in_app ? app_update : lib_update),
false /* save fpstate */, 1,
OPND_CREATE_INT32(num_instrs));
if (mbr != NULL) {
dr_insert_mbr_instrumentation(drcontext, bb, mbr,
(void *)(bb_in_app ? app_mbr : lib_mbr),
SPILL_SLOT_1);
}
#if defined(VERBOSE) && defined(VERBOSE_VERBOSE)
dr_printf("Finished instrumenting dynamorio_basic_block(tag="PFX")\n", tag);
instrlist_disassemble(drcontext, tag, bb, STDOUT);
#endif
return DR_EMIT_DEFAULT;
}
static dr_emit_flags_t
event_analyze_bb(void *drcontext, void *tag, instrlist_t *bb,
bool for_trace, bool translating, void **user_data)
{
instr_t *instr;
trace_head_entry_t *e = NULL;
if (translating)
return DR_EMIT_DEFAULT;
for (instr = instrlist_first_app(bb);
instr != NULL;
instr = instr_get_next_app(instr)) {
/* Blocks containing calls are trace heads. */
if (instr_is_call(instr)) {
dr_mark_trace_head(drcontext, tag);
hashtable_lock(&head_table);
e = hashtable_lookup(&head_table, tag);
if (e == NULL) {
e = create_trace_head_entry(tag);
if (!hashtable_add(&head_table, tag, (void *)e))
DR_ASSERT(false);
} else
e->refcount++;
e->is_trace_head = true;
hashtable_unlock(&head_table);
#ifdef VERBOSE
dr_log(drcontext, DR_LOG_ALL, 3,
"inline: marking bb "PFX" as call trace head\n", tag);
#endif
/* Doesn't matter what's in rest of the bb. */
return DR_EMIT_DEFAULT;
} else if (instr_is_return(instr)) {
hashtable_lock(&head_table);
e = hashtable_lookup(&head_table, tag);
if (e == NULL) {
e = create_trace_head_entry(tag);
if (!hashtable_add(&head_table, tag, (void *)e))
DR_ASSERT(false);
} else
e->refcount++;
e->has_ret = true;
hashtable_unlock(&head_table);
#ifdef VERBOSE
dr_log(drcontext, DR_LOG_ALL, 3,
"inline: marking bb "PFX" as return trace head\n", tag);
#endif
}
}
return DR_EMIT_DEFAULT;
}
static void
look_for_usercall(void *dcontext, byte *entry, const char *sym, LOADED_IMAGE *img,
const char *modpath)
{
bool found_push_imm = false;
int imm = 0;
app_pc pc, pre_pc;
instr_t *instr;
if (entry == NULL)
return;
instr = instr_create(dcontext);
pc = entry;
while (true) {
instr_reset(dcontext, instr);
pre_pc = pc;
pc = decode(dcontext, pc, instr);
if (verbose) {
instr_set_translation(instr, pre_pc);
dr_print_instr(dcontext, STDOUT, instr, "");
}
if (pc == NULL || !instr_valid(instr))
break;
if (instr_get_opcode(instr) == OP_push_imm) {
found_push_imm = true;
imm = (int) opnd_get_immed_int(instr_get_src(instr, 0));
} else if (instr_is_call_direct(instr) && found_push_imm) {
app_pc tgt = opnd_get_pc(instr_get_target(instr));
bool found = false;
int i;
for (i = 0; i < NUM_USERCALL; i++) {
if (tgt == usercall_addr[i]) {
dr_printf("Call #0x%02x to %s at %s+0x%x\n", imm, usercall_names[i],
sym, pre_pc - entry);
found = true;
break;
}
}
if (found)
break;
} else if (instr_is_return(instr))
break;
if (pc - entry > MAX_BYTES_BEFORE_USERCALL)
break;
}
instr_destroy(dcontext, instr);
}
/* This event is called separately for each individual instruction in the bb. */
static dr_emit_flags_t
event_insert_instrumentation(void *drcontext, void *tag, instrlist_t *bb,
instr_t *instr, bool for_trace, bool translating,
void *user_data)
{
if (drmgr_is_first_instr(drcontext, instr)) {
uint num_instrs = (uint)(ptr_uint_t)user_data;
int i;
app_pc bb_addr = dr_fragment_app_pc(tag);
for (i = 0; i < num_mods; i++) {
if (mod_array[i].loaded &&
mod_array[i].base <= bb_addr &&
mod_array[i].end > bb_addr)
break;
}
if (i == num_mods)
i = UNKNOW_MODULE_IDX;
/* We pass SPILL_SLOT_MAX+1 as drx will use drreg for spilling. */
drx_insert_counter_update(drcontext, bb, instr, SPILL_SLOT_MAX+1,
(void *)&mod_cnt[i], num_instrs, DRX_COUNTER_64BIT);
drx_insert_counter_update(drcontext, bb, instr, SPILL_SLOT_MAX+1,
(void *)&ins_count, num_instrs, DRX_COUNTER_64BIT);
}
if (instr_is_mbr(instr) && !instr_is_return(instr)) {
/* Assuming most of the transfers between modules are paired, we
* instrument indirect branches but not returns for better performance.
* We assume that most cross module transfers happens via indirect
* branches.
* Direct branch with DGC or self-modify may also cross modules, but
* it should be ok to ignore, and we can handle them more efficiently.
*/
/* dr_insert_mbr_instrumentation is going to read app values, so we need a
* drreg lazy restore "barrier" here.
*/
drreg_status_t res =
drreg_restore_app_values(drcontext, bb, instr, instr_get_target(instr), NULL);
DR_ASSERT(res == DRREG_SUCCESS || res == DRREG_ERROR_NO_APP_VALUE);
dr_insert_mbr_instrumentation(drcontext, bb, instr,
(void *)mbr_update, SPILL_SLOT_1);
}
return DR_EMIT_DEFAULT;
}
static dr_emit_flags_t
event_instruction(void *drcontext, void *tag, instrlist_t *bb, instr_t *instr,
bool for_trace, bool translating, void *user_data)
{
/* ignore tool-inserted instrumentation */
if (!instr_is_app(instr))
return DR_EMIT_DEFAULT;
/* instrument calls and returns -- ignore far calls/rets */
if (instr_is_call_direct(instr)) {
insert_counter_update(drcontext, bb, instr,
offsetof(per_thread_t, num_direct_calls));
} else if (instr_is_call_indirect(instr)) {
insert_counter_update(drcontext, bb, instr,
offsetof(per_thread_t, num_indirect_calls));
} else if (instr_is_return(instr)) {
insert_counter_update(drcontext, bb, instr, offsetof(per_thread_t, num_returns));
}
return DR_EMIT_DEFAULT;
}
static dr_emit_flags_t
event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
bool for_trace, bool translating)
{
instr_t *instr, *next_instr;
#ifdef VERBOSE
dr_printf("in dynamorio_basic_block(tag="PFX")\n", tag);
# ifdef VERBOSE_VERBOSE
instrlist_disassemble(drcontext, tag, bb, STDOUT);
# endif
#endif
for (instr = instrlist_first(bb); instr != NULL; instr = next_instr) {
/* grab next now so we don't go over instructions we insert */
next_instr = instr_get_next(instr);
/* instrument calls and returns -- ignore far calls/rets */
if (instr_is_call_direct(instr)) {
insert_counter_update(drcontext, bb, instr,
offsetof(per_thread_t, num_direct_calls));
} else if (instr_is_call_indirect(instr)) {
insert_counter_update(drcontext, bb, instr,
offsetof(per_thread_t, num_indirect_calls));
} else if (instr_is_return(instr)) {
insert_counter_update(drcontext, bb, instr,
offsetof(per_thread_t, num_returns));
}
}
#if defined(VERBOSE) && defined(VERBOSE_VERBOSE)
dr_printf("Finished instrumenting dynamorio_basic_block(tag="PFX")\n", tag);
instrlist_disassemble(drcontext, tag, bb, STDOUT);
#endif
return DR_EMIT_DEFAULT;
}
/* returns false on failure */
static bool
decode_syscall_num(void *dcontext, byte *entry, syscall_info_t *info, LOADED_IMAGE *img)
{
/* FIXME: would like to fail gracefully rather than have a DR assertion
* on non-code! => use DEBUG=0 INTERNAL=1 DR build!
*/
bool found_syscall = false, found_eax = false, found_edx = false, found_ecx = false;
bool found_ret = false;
byte *pc, *pre_pc;
int num_instr = 0;
instr_t *instr;
byte *preferred = get_preferred_base(img);
if (entry == NULL)
return false;
info->num_args = -1; /* if find sysnum but not args */
info->sysnum = -1;
info->fixup_index = -1;
instr = instr_create(dcontext);
pc = entry;
/* FIXME - we don't support decoding 64bit instructions in 32bit mode, but I want
* this to work on 32bit machines. Hack fix based on the wrapper pattern, we skip
* the first instruction (mov r10, rcx) here, the rest should decode ok.
* Xref PR 236203. */
if (expect_x64 && *pc == 0x4c && *(pc+1) == 0x8b && *(pc+2) == 0xd1)
pc += 3;
while (true) {
instr_reset(dcontext, instr);
pre_pc = pc;
pc = decode(dcontext, pc, instr);
if (verbose) {
instr_set_translation(instr, pre_pc);
dr_print_instr(dcontext, STDOUT, instr, "");
}
if (pc == NULL || !instr_valid(instr))
break;
if (instr_is_syscall(instr) || instr_is_call_indirect(instr)) {
/* If we see a syscall instr or an indirect call which is not syscall,
* we assume this is not a syscall wrapper.
*/
found_syscall = process_syscall_instr(dcontext, instr, found_eax, found_edx);
if (!found_syscall)
break; /* assume not a syscall wrapper, give up gracefully */
} else if (instr_is_return(instr)) {
/* we must break on return to avoid case like win8 x86
* which has sysenter callee adjacent-"inlined"
* ntdll!NtYieldExecution:
* 77d7422c b801000000 mov eax,1
* 77d74231 e801000000 call ntdll!NtYieldExecution+0xb (77d74237)
* 77d74236 c3 ret
* 77d74237 8bd4 mov edx,esp
* 77d74239 0f34 sysenter
* 77d7423b c3 ret
*/
if (!found_ret) {
process_ret(instr, info);
found_ret = true;
}
break;
} else if (instr_get_opcode(instr) == OP_call) {
found_syscall = process_syscall_call(dcontext, pc, instr,
found_eax, found_edx);
/* If we see a call and it is not a sysenter callee,
* we assume this is not a syscall wrapper.
*/
if (!found_syscall)
break; /* assume not a syscall wrapper, give up gracefully */
} else if (instr_is_cti(instr)) {
/* We expect only ctis like ret or ret imm, syscall, and call, which are
* handled above. Give up gracefully if we hit any other cti.
* XXX: what about jmp to shared ret (seen in the past on some syscalls)?
*/
/* Update: win10 TH2 1511 x64 has a cti:
* ntdll!NtContinue:
* 00007ff9`13185630 4c8bd1 mov r10,rcx
* 00007ff9`13185633 b843000000 mov eax,43h
* 00007ff9`13185638 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
* 00007ff9`13185640 7503 jne ntdll!NtContinue+0x15 (00007ff9`13185645)
* 00007ff9`13185642 0f05 syscall
* 00007ff9`13185644 c3 ret
* 00007ff9`13185645 cd2e int 2Eh
* 00007ff9`13185647 c3 ret
*/
if (expect_x64 && instr_is_cbr(instr) &&
opnd_get_pc(instr_get_target(instr)) == pc + 3/*syscall;ret*/) {
/* keep going */
} else
break;
} else if ((!found_eax || !found_edx || !found_ecx) &&
instr_get_opcode(instr) == OP_mov_imm &&
opnd_is_reg(instr_get_dst(instr, 0))) {
if (!found_eax && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EAX) {
info->sysnum = (int) opnd_get_immed_int(instr_get_src(instr, 0));
found_eax = true;
} else if (!found_edx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EDX) {
uint imm = (uint) opnd_get_immed_int(instr_get_src(instr, 0));
if (imm == 0x7ffe0300 ||
/* On Win10 the immed is ntdll!Wow64SystemServiceCall */
(expect_wow && imm > (ptr_uint_t)preferred &&
imm < (ptr_uint_t)preferred + img->SizeOfImage))
found_edx = true;
} else if (!found_ecx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
found_ecx = true;
info->fixup_index = (int) opnd_get_immed_int(instr_get_src(instr, 0));
}
} else if (instr_get_opcode(instr) == OP_xor &&
opnd_is_reg(instr_get_src(instr, 0)) &&
opnd_get_reg(instr_get_src(instr, 0)) == REG_ECX &&
opnd_is_reg(instr_get_dst(instr, 0)) &&
opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
/* xor to 0 */
found_ecx = true;
info->fixup_index = 0;
}
num_instr++;
if (num_instr > MAX_INSTRS_BEFORE_SYSCALL) /* wrappers should be short! */
break; /* avoid weird cases like NPXEMULATORTABLE */
}
instr_destroy(dcontext, instr);
return found_syscall;
}
/* returns false on failure */
static bool
decode_syscall_num(void *dcontext, byte *entry, syscall_info_t *info)
{
/* FIXME: would like to fail gracefully rather than have a DR assertion
* on non-code! => use DEBUG=0 INTERNAL=1 DR build!
*/
bool found_syscall = false, found_eax = false, found_edx = false, found_ecx = false;
bool found_ret = false;
byte *pc;
int num_instr = 0;
instr_t *instr;
if (entry == NULL)
return false;
info->num_args = -1; /* if find sysnum but not args */
info->sysnum = -1;
info->fixup_index = -1;
instr = instr_create(dcontext);
pc = entry;
/* FIXME - we don't support decoding 64bit instructions in 32bit mode, but I want
* this to work on 32bit machines. Hack fix based on the wrapper pattern, we skip
* the first instruction (mov r10, rcx) here, the rest should decode ok.
* Xref PR 236203. */
if (expect_x64 && *pc == 0x4c && *(pc+1) == 0x8b && *(pc+2) == 0xd1)
pc += 3;
while (true) {
instr_reset(dcontext, instr);
pc = decode(dcontext, pc, instr);
if (verbose)
dr_print_instr(dcontext, STDOUT, instr, "");
if (pc == NULL || !instr_valid(instr))
break;
/* ASSUMPTION: a mov imm of 0x7ffe0300 into edx followed by an
* indirect call via edx is a system call on XP and later
* On XP SP1 it's call *edx, while on XP SP2 it's call *(edx)
* For wow it's a call through fs.
* FIXME - core exports various is_*_syscall routines (such as
* instr_is_wow64_syscall()) which we could use here instead of
* duplicating if they were more flexible about when they could
* be called (instr_is_wow64_syscall() for ex. asserts if not
* in a wow process).
*/
if (/* int 2e or x64 or win8 sysenter */
(instr_is_syscall(instr) && found_eax && (expect_int2e || expect_x64 || expect_sysenter)) ||
/* sysenter case */
(expect_sysenter && found_edx && found_eax &&
instr_is_call_indirect(instr) &&
/* XP SP{0,1}, 2003 SP0: call *edx */
((opnd_is_reg(instr_get_target(instr)) &&
opnd_get_reg(instr_get_target(instr)) == REG_EDX) ||
/* XP SP2, 2003 SP1: call *(edx) */
(opnd_is_base_disp(instr_get_target(instr)) &&
opnd_get_base(instr_get_target(instr)) == REG_EDX &&
opnd_get_index(instr_get_target(instr)) == REG_NULL &&
opnd_get_disp(instr_get_target(instr)) == 0))) ||
/* wow case
* we don't require found_ecx b/c win8 does not use ecx
*/
(expect_wow && found_eax &&
instr_is_call_indirect(instr) &&
opnd_is_far_base_disp(instr_get_target(instr)) &&
opnd_get_base(instr_get_target(instr)) == REG_NULL &&
opnd_get_index(instr_get_target(instr)) == REG_NULL &&
opnd_get_segment(instr_get_target(instr)) == SEG_FS)) {
found_syscall = true;
} else if (instr_is_return(instr)) {
if (!found_ret) {
process_ret(instr, info);
found_ret = true;
}
break;
} else if (instr_is_cti(instr)) {
if (instr_get_opcode(instr) == OP_call) {
/* handle win8 x86 which has sysenter callee adjacent-"inlined"
* ntdll!NtYieldExecution:
* 77d7422c b801000000 mov eax,1
* 77d74231 e801000000 call ntdll!NtYieldExecution+0xb (77d74237)
* 77d74236 c3 ret
* 77d74237 8bd4 mov edx,esp
* 77d74239 0f34 sysenter
* 77d7423b c3 ret
*/
byte *tgt;
assert(opnd_is_pc(instr_get_target(instr)));
tgt = opnd_get_pc(instr_get_target(instr));
/* we expect only ret or ret imm, and possibly some nops (in gdi32).
* XXX: what about jmp to shared ret (seen in the past on some syscalls)?
*/
if (tgt > pc && tgt <= pc + 16) {
bool ok = false;
do {
if (pc == tgt) {
ok = true;
break;
}
instr_reset(dcontext, instr);
pc = decode(dcontext, pc, instr);
if (verbose)
dr_print_instr(dcontext, STDOUT, instr, "");
if (instr_is_return(instr)) {
process_ret(instr, info);
found_ret = true;
} else if (!instr_is_nop(instr))
break;
num_instr++;
} while (num_instr <= MAX_INSTRS_BEFORE_SYSCALL);
if (ok)
continue;
}
}
/* assume not a syscall wrapper if we hit a cti */
break; /* give up gracefully */
} else if ((!found_eax || !found_edx || !found_ecx) &&
instr_get_opcode(instr) == OP_mov_imm &&
opnd_is_reg(instr_get_dst(instr, 0))) {
if (!found_eax && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EAX) {
info->sysnum = (int) opnd_get_immed_int(instr_get_src(instr, 0));
found_eax = true;
} else if (!found_edx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EDX) {
int imm = (int) opnd_get_immed_int(instr_get_src(instr, 0));
if (imm == 0x7ffe0300)
found_edx = true;
} else if (!found_ecx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
found_ecx = true;
info->fixup_index = (int) opnd_get_immed_int(instr_get_src(instr, 0));
}
} else if (instr_get_opcode(instr) == OP_xor &&
opnd_is_reg(instr_get_src(instr, 0)) &&
opnd_get_reg(instr_get_src(instr, 0)) == REG_ECX &&
opnd_is_reg(instr_get_dst(instr, 0)) &&
opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
/* xor to 0 */
found_ecx = true;
info->fixup_index = 0;
}
num_instr++;
if (num_instr > MAX_INSTRS_BEFORE_SYSCALL) /* wrappers should be short! */
break; /* avoid weird cases like NPXEMULATORTABLE */
}
instr_destroy(dcontext, instr);
return found_syscall;
}
static void
module_load_event(void *drcontext, const module_data_t *mod, bool loaded)
{
if (strstr(dr_module_preferred_name(mod),
"client.drwrap-test.appdll.") != NULL) {
bool ok;
instr_t inst;
app_pc init_pc, pc, next_pc;
load_count++;
if (load_count == 2) {
/* test no-frills */
drwrap_set_global_flags(DRWRAP_NO_FRILLS);
}
addr_replace = (app_pc) dr_get_proc_address(mod->handle, "replaceme");
CHECK(addr_replace != NULL, "cannot find lib export");
ok = drwrap_replace(addr_replace, (app_pc) replacewith, false);
CHECK(ok, "replace failed");
addr_replace2 = (app_pc) dr_get_proc_address(mod->handle, "replaceme2");
CHECK(addr_replace2 != NULL, "cannot find lib export");
ok = drwrap_replace_native(addr_replace2, (app_pc) replacewith2, true/*at entry*/,
0, (void *)(ptr_int_t)DRWRAP_NATIVE_PARAM, false);
CHECK(ok, "replace_native failed");
init_pc = (app_pc) dr_get_proc_address(mod->handle, "replace_callsite");
CHECK(init_pc != NULL, "cannot find lib export");
/* Find callsite: we assume we'll linearly hit a ret. We take final call
* to skip any PIC call.
*/
instr_init(drcontext, &inst);
pc = init_pc;
do {
instr_reset(drcontext, &inst);
next_pc = decode(drcontext, pc, &inst);
if (!instr_valid(&inst))
break;
/* if initial jmp, follow it to handle ILT-indirection */
if (pc == init_pc && instr_is_ubr(&inst))
next_pc = opnd_get_pc(instr_get_target(&inst));
else if (instr_is_call(&inst))
addr_replace_callsite = pc;
pc = next_pc;
} while (instr_valid(&inst) && !instr_is_return(&inst));
CHECK(addr_replace_callsite != NULL, "cannot find lib export");
ok = drwrap_replace_native(addr_replace_callsite, (app_pc) replace_callsite,
false/*!at entry*/, 0,
(void *)(ptr_int_t)DRWRAP_NATIVE_PARAM, false);
CHECK(ok, "replace_native failed");
instr_free(drcontext, &inst);
wrap_addr(&addr_level0, "level0", mod, true, true);
wrap_addr(&addr_level1, "level1", mod, true, true);
wrap_addr(&addr_level2, "level2", mod, true, true);
wrap_addr(&addr_tailcall, "makes_tailcall", mod, true, true);
wrap_addr(&addr_skipme, "skipme", mod, true, true);
wrap_addr(&addr_repeat, "repeatme", mod, true, true);
wrap_addr(&addr_preonly, "preonly", mod, true, false);
wrap_addr(&addr_postonly, "postonly", mod, false, true);
wrap_addr(&addr_runlots, "runlots", mod, false, true);
/* test longjmp */
wrap_unwindtest_addr(&addr_long0, "long0", mod);
wrap_unwindtest_addr(&addr_long1, "long1", mod);
wrap_unwindtest_addr(&addr_long2, "long2", mod);
wrap_unwindtest_addr(&addr_long3, "long3", mod);
wrap_unwindtest_addr(&addr_longdone, "longdone", mod);
drmgr_set_tls_field(drcontext, tls_idx, (void *)(ptr_uint_t)0);
#ifdef WINDOWS
/* test SEH */
/* we can't do this test for no-frills b/c only one wrap per addr */
if (load_count == 1) {
ok = drwrap_wrap_ex(addr_long0, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
ok = drwrap_wrap_ex(addr_long1, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
ok = drwrap_wrap_ex(addr_long2, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
ok = drwrap_wrap_ex(addr_long3, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
ok = drwrap_wrap_ex(addr_longdone, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
}
#endif
/* test leaner wrapping */
if (load_count == 2)
drwrap_set_global_flags(DRWRAP_NO_FRILLS | DRWRAP_FAST_CLEANCALLS);
wrap_addr(&addr_skip_flags, "skip_flags", mod, true, false);
}
}
