static u8 * alt_strcpy8 (u8 * dest, u8 * src)
{
u64 * d64 = (u64 *) dest;
u64 * s64 = (u64 *) src;
while (1)
{
if (has_zero_byte (s64[0]))
{
u8 * d = (u8 *) d64;
u8 * s = (u8 *) s64;
while ((*d++ = *s++) != '\0')
; /* Nothing */
return dest;
}
else
{
*d64++ = *s64++;
}
}
/* Should not get here. */
return dest;
}
// Work backwards from an instruction to find the instructions that come before it.
// gadgets - the gadget_t for the instruction that comes next.
// buffer - the buffer of program code.
// offset - the virtual memory address that buffer starts at.
// position - the index into buffer of the previously-located instruction.
// count - the number of instructions to find (recursively).
void
work_backwards(gadget_t *gadgets, unsigned char *buffer, uint32_t offset, int position, int count)
{
if (count <= 0) {
return;
}
int instr_start;
int instr_size, instr_actual_size;
x86_insn_t instr;
// Work back from the known instruction one byte at a time.
for (instr_size = 1; instr_size <= MAX_INSTRUCTION_BYTES; instr_size++) {
// Disassemble the bytes between our position and the first byte of the
// known instruction.
instr_start = position - instr_size;
if (instr_start < 0)
break;
instr_actual_size = x86_disasm(buffer + instr_start, instr_size, 0, 0, &instr);
/*
* If *all* of those bytes make up one instruction, and it's not
* a return (gadgets should not contain a RET other than at the end),
* add it to the tree.
*/
if (instr_actual_size == instr_size &&
!(instr_size == 1 && *(buffer + instr_start) == RET)) {
// If we've already seen this sequence of instructions...
gadget_t *g;
if ((g = gadget_list_find_instr(&gadgets->previous, buffer + instr_start, instr_actual_size)) != NULL) {
// ...see if the address of this one is better.
if (has_zero_byte(g->virtual_address)) {
g->virtual_address = offset + instr_start;
}
continue;
}
// Otherwise, add it to the list.
gadget_t *newgadget = malloc(sizeof(gadget_t));
gadget_init(newgadget);
memcpy(newgadget->instr, buffer + instr_start, instr_actual_size);
newgadget->instr_len = instr_size;
newgadget->virtual_address = offset + instr_start;
// The next instruction (in execution order) is the one this one
// comes before.
newgadget->next = gadgets;
// The instruction we just found is previous (in execution order) to
// the one we already know about.
gadget_list_add(&gadgets->previous, newgadget);
work_backwards(newgadget, buffer, offset, instr_start, count - 1);
}
}
}
void gadget_add(gadget_t *gadgets, unsigned char *buffer, size_t buffer_len, uint32_t offset)
{
int i;
for (i = 0; i < buffer_len; i++) {
if (buffer[i] == RET) {
if (gadgets->virtual_address == 0 || has_zero_byte(gadgets->virtual_address)) {
gadgets->virtual_address = offset + i;
}
work_backwards(gadgets, buffer, offset, i, MAX_BACKWARD_INSTRUCTIONS);
}
}
}
