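/* Look up the ntdll.dll export named by @p wrapper and decode the system
 * call number from its wrapper stub.
 *
 * Returns the decoded sysnum, or -1 when @p wrapper is NULL, ntdll.dll
 * cannot be found, the export is missing, or decoding fails (the decoder
 * itself reports failure as -1, which is passed straight through).
 */
static int get_sysnum(const char *wrapper)
{
    byte *entry;
    module_data_t *data;

    if (wrapper == NULL)
        return -1;

    data = dr_lookup_module_by_name("ntdll.dll");
    ASSERT(data != NULL);
    /* ASSERT looks like a debug-only check (unlike DR_ASSERT used elsewhere);
     * guard explicitly so a missing ntdll never turns into a NULL deref of
     * data->handle in a build where the assert is compiled out.
     */
    if (data == NULL)
        return -1;

    entry = (byte *) dr_get_proc_address(data->handle, wrapper);
    /* Only the lookup record is released here; the export address stays
     * valid and is decoded below, exactly as before.
     */
    dr_free_module_data(data);
    if (entry == NULL)
        return -1;
    return drmgr_decode_sysnum_from_wrapper(entry);
}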
/* Return the system call number of the "write" system call.
 *
 * On LINUX this is the constant SYS_write.  Otherwise the number is decoded
 * from the NtWriteFile wrapper exported by ntdll.dll; both the module lookup
 * and the export lookup are hard failures (DR_ASSERT), so there is no -1
 * error path on that branch.
 *
 * NOTE(review): the sibling copy of this function keys on UNIX rather than
 * LINUX; on a non-Linux UNIX build this version would fall into the ntdll
 * branch -- confirm which macro the build actually defines.
 */
static int get_write_sysnum(void)
{
#ifdef LINUX
    return SYS_write;
#else
    module_data_t *ntdll = dr_lookup_module_by_name("ntdll.dll");
    byte *nt_write_file;

    DR_ASSERT(ntdll != NULL);
    nt_write_file = (byte *) dr_get_proc_address(ntdll->handle, "NtWriteFile");
    DR_ASSERT(nt_write_file != NULL);
    /* Release the lookup record; the export address is still used below. */
    dr_free_module_data(ntdll);
    return drmgr_decode_sysnum_from_wrapper(nt_write_file);
#endif
}
/* One-time initialisation of callback-level (CLS) tracking.
 *
 * For callback entry we watch for KiUserCallbackDispatcher; for callback
 * exit we watch for NtCallbackReturn or int 0x2b.  The result of the first
 * attempt is cached in a function-local static, so repeated calls return the
 * same answer without re-registering events or re-doing the lookups.
 *
 * Returns true on success.  Returns false if event registration fails, if
 * ntdll.dll or either export cannot be found, or if the NtCallbackReturn
 * wrapper cannot be decoded (decoder reports -1).  Note that the syscall
 * filter event, once registered, is not unregistered on a later failure;
 * the cached failure state keeps this function from retrying.
 *
 * Side effects on success: sets the file-scope addr_KiCallback and
 * sysnum_NtCallbackReturn.  addr_KiCallback is also written (possibly to
 * NULL) on the failure path that follows its lookup.
 */
static bool drmgr_cls_init(void)
{
    static int cls_initialized; /* 0=not tried; >0=success; <0=failure */
    module_data_t *ntdll_data;
    module_handle_t ntdll_handle;
    app_pc callback_return;
    drmgr_priority_t priority = {sizeof(priority), "drmgr_cls", NULL, NULL, 0};

    /* Already attempted: report the cached outcome. */
    if (cls_initialized != 0)
        return cls_initialized > 0;
    /* Assume failure until every step below has succeeded, so that any early
     * return leaves the cached state as "failed".
     */
    cls_initialized = -1;

    if (!drmgr_register_bb_instrumentation_event(drmgr_event_bb_analysis,
                                                 drmgr_event_bb_insert,
                                                 &priority)) {
        return false;
    }
    dr_register_filter_syscall_event(drmgr_event_filter_syscall);

    ntdll_data = dr_lookup_module_by_name("ntdll.dll");
    if (ntdll_data == NULL) {
        /* fatal error: something is really wrong w/ underlying DR */
        return false;
    }
    /* Keep only the handle; the lookup record can be released right away. */
    ntdll_handle = ntdll_data->handle;
    dr_free_module_data(ntdll_data);

    addr_KiCallback =
        (app_pc) dr_get_proc_address(ntdll_handle, "KiUserCallbackDispatcher");
    if (addr_KiCallback == NULL) {
        return false; /* should not happen */
    }

    /* The wrapper is not good enough for two reasons: one, we want to swap
     * contexts at the last possible moment, not prior to executing a few
     * instrs; second, we'll miss hand-rolled syscalls.  So we decode the
     * syscall number from the wrapper instead of hooking the wrapper itself.
     */
    callback_return = (app_pc) dr_get_proc_address(ntdll_handle, "NtCallbackReturn");
    if (callback_return == NULL) {
        return false; /* should not happen */
    }
    sysnum_NtCallbackReturn = drmgr_decode_sysnum_from_wrapper(callback_return);
    if (sysnum_NtCallbackReturn == -1) {
        return false; /* should not happen */
    }

    cls_initialized = 1;
    return true;
}
/* Return the system call number of the "write" system call.
 *
 * XXX: we could use the "drsyscall" Extension from the Dr. Memory Framework
 * (DRMF) to obtain the number of any system call from the name.
 *
 * On UNIX this is simply SYS_write.  Otherwise it is decoded from the
 * NtWriteFile wrapper exported by ntdll.dll; a missing module or export is
 * treated as fatal via DR_ASSERT rather than reported to the caller.
 */
static int get_write_sysnum(void)
{
#ifdef UNIX
    return SYS_write;
#else
    module_data_t *ntdll = dr_lookup_module_by_name("ntdll.dll");
    byte *nt_write_file;

    DR_ASSERT(ntdll != NULL);
    nt_write_file = (byte *) dr_get_proc_address(ntdll->handle, "NtWriteFile");
    DR_ASSERT(nt_write_file != NULL);
    /* The lookup record is no longer needed once we hold the export address. */
    dr_free_module_data(ntdll);
    return drmgr_decode_sysnum_from_wrapper(nt_write_file);
#endif
}