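/* Encodes one instruction whose bytes mean different things in 64-bit and
 * 32-bit mode, then decodes the same bytes under both modes to check that
 * set_x86_mode() really steers the decoder.
 *
 * "add $42 -> %rax" is emitted with a REX.W prefix (0x48).  In 32-bit mode
 * 0x48 is not a prefix but the one-byte "dec %eax" opcode, so the second
 * decode is expected to yield OP_dec (the old comment said "inc").
 *
 * dc: drcontext used for instr creation, encoding and decoding.
 * Encodes into the file-level scratch buffer `buf` and leaves the decoder
 * in 64-bit mode on return.
 */
static void
test_x86_mode(void *dc)
{
    byte *pc, *end;
    instr_t *instr;

    /* create an instr that looks different in x86 vs x64 */
    instr = INSTR_CREATE_add(dc, opnd_create_reg(REG_RAX), OPND_CREATE_INT32(42));
    end = instr_encode(dc, instr, buf);
    /* instr_encode() returns NULL on failure; check before doing pointer math. */
    ASSERT(end != NULL);
    ASSERT(end - buf < BUFFER_SIZE_ELEMENTS(buf));

    /* read back in as 64-bit: must round-trip to the original add */
    set_x86_mode(dc, false/*64-bit*/);
    instr_reset(dc, instr);
    pc = decode(dc, buf, instr);
    ASSERT(pc != NULL);
    ASSERT(instr_get_opcode(instr) == OP_add);

    /* now interpret as 32-bit, where the 0x48 REX.W byte decodes as "dec %eax" */
    set_x86_mode(dc, true/*32-bit*/);
    instr_reset(dc, instr);
    pc = decode(dc, buf, instr);
    ASSERT(pc != NULL);
    ASSERT(instr_get_opcode(instr) == OP_dec);

    /* INSTR_CREATE_* hands back a heap-allocated instr_t.  instr_free() only
     * releases its operands/raw bits; instr_destroy() does that and frees the
     * struct itself, matching the instr_create()/instr_destroy() pairing used
     * by the other walkers here. */
    instr_destroy(dc, instr);
    set_x86_mode(dc, false/*64-bit*/);
}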
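/* Encodes "mov (%xbx + disp) -> %ecx" with the given displacement-encoding
 * controls, checks the encoded length, then decodes it back and checks that
 * each control survived the round trip.
 *
 * dc:               drcontext for instr creation/encoding/decoding.
 * disp:             displacement to encode.
 * encode_zero_disp: ask for an explicit displacement field even when disp is 0.
 * force_full_disp:  ask for a full-width displacement even when it fits in 8 bits.
 * disp16:           use the narrower base register (REG_EBX on x64, REG_BX on
 *                   x86) and expect opnd_is_disp_short_addr() on decode.
 * len_expect:       expected encoded length in bytes.
 * Uses the file-level scratch buffer `buf`.
 */
static void
test_disp_control_helper(void *dc, int disp, bool encode_zero_disp, bool force_full_disp,
                         bool disp16, uint len_expect)
{
    byte *pc;
    uint len;
    instr_t *instr = INSTR_CREATE_mov_ld(
        dc, opnd_create_reg(REG_ECX),
        opnd_create_base_disp_ex(disp16 ? IF_X64_ELSE(REG_EBX, REG_BX) : REG_XBX, REG_NULL,
                                 0, disp, OPSZ_4, encode_zero_disp, force_full_disp,
                                 disp16));
    pc = instr_encode(dc, instr, buf);
    /* A failed encode returns NULL; without this check `len` would be garbage
     * and the length assertion below meaningless. */
    ASSERT(pc != NULL);
    len = (uint)(pc - (byte *)buf);
#if VERBOSE
    pc = disassemble_with_info(dc, buf, STDOUT, true, true);
#endif
    ASSERT(len == len_expect);
    instr_reset(dc, instr);
    pc = decode(dc, buf, instr);
    /* Only inspect operands of an instr that actually decoded. */
    ASSERT(pc != NULL);
    ASSERT(instr_num_srcs(instr) == 1 &&
           opnd_is_base_disp(instr_get_src(instr, 0)) &&
           BOOLS_MATCH(encode_zero_disp, opnd_is_disp_encode_zero(instr_get_src(instr, 0))) &&
           BOOLS_MATCH(force_full_disp, opnd_is_disp_force_full(instr_get_src(instr, 0))) &&
           BOOLS_MATCH(disp16, opnd_is_disp_short_addr(instr_get_src(instr, 0))));
    instr_destroy(dc, instr);
}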
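/* Decodes and prints the instructions of the function at entry, one at a
 * time, until a return instruction is reached.
 *
 * dcontext: drcontext used for decoding.
 * entry:    first byte of the function, or NULL.
 * Returns true if a return instruction was reached within
 * MAX_INSTRS_IN_FUNCTION instructions; false if entry is NULL, the bytes
 * stop decoding, or the instruction limit is hit.
 */
static bool
decode_function(void *dcontext, byte *entry)
{
    byte *pc, *pre_pc;
    int num_instr = 0;
    bool found_ret = false;
    instr_t *instr;

    if (entry == NULL)
        return false;
    instr = instr_create(dcontext);
    pc = entry;
    while (true) {
        instr_reset(dcontext, instr);
        pre_pc = pc;
        pc = decode(dcontext, pc, instr);
        instr_set_translation(instr, pre_pc);
        dr_print_instr(dcontext, STDOUT, instr, "");
        /* decode() returns NULL (and leaves instr invalid) on bytes it cannot
         * decode.  The old loop fed that NULL straight back into decode();
         * treat it as "no return found" like the other walkers do. */
        if (pc == NULL || !instr_valid(instr))
            break;
        if (instr_is_return(instr)) {
            found_ret = true;
            break;
        }
        num_instr++;
        if (num_instr > MAX_INSTRS_IN_FUNCTION) {
            print("ERROR: hit max instr limit %d\n", MAX_INSTRS_IN_FUNCTION);
            break;
        }
    }
    instr_destroy(dcontext, instr);
    return found_ret;
}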
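/* Upper bound, in bytes past entry, on how far into a system-call wrapper we
 * look for the "mov $imm -> %eax" that loads the syscall number.  Wrappers
 * are expected to be short; anything longer is treated as an unknown sequence. */
enum { SYSNUM_WRAPPER_MAX_BYTES = 20 };

/* Recovers the system call number from a system-call wrapper routine by
 * decoding forward from entry until a "mov $imm -> %eax" is found.
 *
 * XXX: exporting this so drwrap can use it but I might prefer to have
 * this in drutil or the upcoming drsys
 *
 * entry: first instruction of the wrapper.
 * Returns the immediate moved into %eax, or -1 if the bytes do not decode,
 * the walk runs past SYSNUM_WRAPPER_MAX_BYTES, or an indirect call, int,
 * sysenter or syscall is reached before the number is loaded.
 */
DR_EXPORT
int
drmgr_decode_sysnum_from_wrapper(app_pc entry)
{
    void *drcontext = dr_get_current_drcontext();
    int num = -1;
    byte *pc = entry;
    uint opc;
    instr_t instr;

    instr_init(drcontext, &instr);
    do {
        instr_reset(drcontext, &instr);
        pc = decode(drcontext, pc, &instr);
        /* decode() returns NULL on failure; check the pc as well as the instr
         * so the distance test below never sees a NULL pc. */
        if (pc == NULL || !instr_valid(&instr))
            break; /* unknown system call sequence */
        opc = instr_get_opcode(&instr);
        /* sanity check: wrapper should be short */
        if (pc - entry > SYSNUM_WRAPPER_MAX_BYTES)
            break; /* unknown system call sequence */
        if (opc == OP_mov_imm && opnd_is_reg(instr_get_dst(&instr, 0)) &&
            opnd_get_reg(instr_get_dst(&instr, 0)) == DR_REG_EAX &&
            opnd_is_immed_int(instr_get_src(&instr, 0))) {
            num = (int)opnd_get_immed_int(instr_get_src(&instr, 0));
            break; /* success */
        }
        /* stop at call to vsyscall (wow64) or at int itself */
    } while (opc != OP_call_ind && opc != OP_int && opc != OP_sysenter && opc != OP_syscall);
    instr_free(drcontext, &instr);
    return num;
}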
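/* Scans the routine at entry for the "push $imm; ... call <usercall>" pattern
 * and prints each usercall it finds, tagged with the most recently pushed
 * immediate.
 *
 * dcontext: drcontext used for decoding.
 * entry:    first byte of the routine; NULL is ignored.
 * sym:      symbol name printed with each hit.
 * img:      loaded image containing entry (not used here; kept for callers).
 * modpath:  path of that module (not used here; kept for callers).
 *
 * Stops at the first direct call whose target is in usercall_addr[], at a
 * return, at undecodable bytes, or once MAX_BYTES_BEFORE_USERCALL bytes
 * have been walked.  Note that found_push_imm is never cleared, so a push
 * followed by an unrelated direct call still counts for the next call.
 */
static void
look_for_usercall(void *dcontext, byte *entry, const char *sym, LOADED_IMAGE *img,
                  const char *modpath)
{
    bool found_push_imm = false;
    int imm = 0;
    app_pc pc, pre_pc;
    instr_t *instr;

    if (entry == NULL)
        return;
    instr = instr_create(dcontext);
    pc = entry;
    while (true) {
        instr_reset(dcontext, instr);
        pre_pc = pc;
        pc = decode(dcontext, pc, instr);
        if (verbose) {
            instr_set_translation(instr, pre_pc);
            dr_print_instr(dcontext, STDOUT, instr, "");
        }
        if (pc == NULL || !instr_valid(instr))
            break;
        if (instr_get_opcode(instr) == OP_push_imm) {
            found_push_imm = true;
            imm = (int)opnd_get_immed_int(instr_get_src(instr, 0));
        } else if (instr_is_call_direct(instr) && found_push_imm) {
            app_pc tgt = opnd_get_pc(instr_get_target(instr));
            bool found = false;
            int i;
            for (i = 0; i < NUM_USERCALL; i++) {
                if (tgt == usercall_addr[i]) {
                    /* pre_pc - entry is a ptrdiff_t but %x takes an unsigned
                     * int; narrow it explicitly instead of relying on the
                     * varargs promotion happening to line up on 64-bit builds. */
                    dr_printf("Call #0x%02x to %s at %s+0x%x\n", (uint)imm,
                              usercall_names[i], sym, (uint)(pre_pc - entry));
                    found = true;
                    break;
                }
            }
            if (found)
                break;
        } else if (instr_is_return(instr))
            break;
        if (pc - entry > MAX_BYTES_BEFORE_USERCALL)
            break;
    }
    instr_destroy(dcontext, instr);
}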
/* Checks that a psubusb encoding carrying an invalid 0xf2 prefix is accepted
 * by decode() under the default disassembly syntax but refused once
 * DR_DISASM_STRICT_INVALID has been set.
 *
 * dc: drcontext used for decoding.
 * NOTE(review): the strict flag is not reset before returning, so any test
 * run after this one also decodes strictly -- confirm that is intended.
 */
static void
test_strict_invalid(void *dc)
{
    /* psubusb w/ invalid prefix */
    const byte raw[] = { 0xf2, 0x0f, 0xd8, 0xe9 };
    instr_t instr;
    byte *next;

    instr_init(dc, &instr);
    /* lenient by default: the bytes decode */
    next = decode(dc, (byte *)raw, &instr);
    ASSERT(next != NULL);
    /* strict: the same bytes are rejected */
    disassemble_set_syntax(DR_DISASM_STRICT_INVALID);
    instr_reset(dc, &instr);
    next = decode(dc, (byte *)raw, &instr);
    ASSERT(next == NULL);
    instr_free(dc, &instr);
}
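/* Checks that the single source of a just-decoded instr is an absolute memory
 * reference to next_pc + disp, in whichever operand form the decoder produces
 * for this build: a rel-addr operand on x64, or a base-disp operand with no
 * base/index and an absolute displacement on x86.
 *
 * instr:   decoded instr whose source operand 0 is inspected.
 * next_pc: the pc returned by decode(), i.e. the byte after instr.
 * disp:    offset from next_pc the reference is expected to point at.
 */
static void
check_abs_mem_src(instr_t *instr, byte *next_pc, short disp)
{
#ifdef X64
    ASSERT(opnd_is_rel_addr(instr_get_src(instr, 0)));
    ASSERT(opnd_get_addr(instr_get_src(instr, 0)) == next_pc + disp);
#else
    ASSERT(opnd_is_base_disp(instr_get_src(instr, 0)));
    ASSERT(opnd_get_base(instr_get_src(instr, 0)) == REG_NULL);
    ASSERT(opnd_get_index(instr_get_src(instr, 0)) == REG_NULL);
    ASSERT(opnd_get_disp(instr_get_src(instr, 0)) == (ptr_int_t)next_pc + disp);
#endif
}

/* Exercises opnd_create_mem_instr(): a memory operand that refers to a byte
 * inside another instr in the same list.  Two shapes are encoded and decoded
 * back: an indirect jmp through such an operand, and a mov_ld (the TYPE_O
 * "moffs" form) reading through it.  In both cases the target instr is a
 * "mov $0xdeadbeef -> %xax" placed right after, and disp skips its rex+opcode
 * so the reference lands on the immediate.  Since decode() returns the start
 * of that mov, the decoded address must equal pc + disp.
 *
 * Verbose disasm looks like this:
 * 32-bit:
 *   0x080f1ae0  ff 25 e7 1a 0f 08    jmp    0x080f1ae7
 *   0x080f1ae6  b8 ef be ad de       mov    $0xdeadbeef -> %eax
 *   0x080f1ae0  a0 e6 1a 0f 08       mov    0x080f1ae6 -> %al
 *   0x080f1ae5  b8 ef be ad de       mov    $0xdeadbeef -> %eax
 * 64-bit:
 *   0x00000000006b8de0  ff 25 02 00 00 00    jmp    <rel> 0x00000000006b8de8
 *   0x00000000006b8de6  48 b8 ef be ad de 00 mov    $0x00000000deadbeef -> %rax
 *                       00 00 00
 *   0x00000000006b8de0  8a 05 02 00 00 00    mov    <rel> 0x00000000006b8de8 -> %al
 *   0x00000000006b8de6  48 b8 ef be ad de 00 mov    $0x00000000deadbeef -> %rax
 *                       00 00 00
 *
 * dc: drcontext used for instr creation, encoding and decoding.
 * Uses the file-level scratch buffer `buf`.
 */
static void
test_instr_opnds(void *dc)
{
    instrlist_t *ilist;
    instr_t *tgt, *instr;
    byte *pc;
    short disp;

    ilist = instrlist_create(dc);

    /* test mem instr as ind jmp target */
    tgt = INSTR_CREATE_mov_imm(dc, opnd_create_reg(DR_REG_XAX),
                               opnd_create_immed_int(0xdeadbeef, OPSZ_PTR));
    /* skip rex+opcode */
    disp = IF_X64_ELSE(2, 1);
    instrlist_append(ilist,
                     INSTR_CREATE_jmp_ind(dc, opnd_create_mem_instr(tgt, disp, OPSZ_PTR)));
    instrlist_append(ilist, tgt);
    pc = instrlist_encode(dc, ilist, buf, true/*instr targets*/);
    ASSERT(pc != NULL);
    /* instrlist_clear() destroys the instrs in the list, including tgt. */
    instrlist_clear(dc, ilist);
#if VERBOSE
    pc = disassemble_with_info(dc, buf, STDOUT, true, true);
    pc = disassemble_with_info(dc, pc, STDOUT, true, true);
#endif
    pc = buf;
    instr = instr_create(dc);
    pc = decode(dc, pc, instr);
    ASSERT(pc != NULL);
    ASSERT(instr_get_opcode(instr) == OP_jmp_ind);
    check_abs_mem_src(instr, pc, disp);

    /* test mem instr as TYPE_O */
    tgt = INSTR_CREATE_mov_imm(dc, opnd_create_reg(DR_REG_XAX),
                               opnd_create_immed_int(0xdeadbeef, OPSZ_PTR));
    /* skip rex+opcode */
    disp = IF_X64_ELSE(2, 1);
    instrlist_append(ilist,
                     INSTR_CREATE_mov_ld(dc, opnd_create_reg(DR_REG_AL),
                                         opnd_create_mem_instr(tgt, disp, OPSZ_1)));
    instrlist_append(ilist, tgt);
    pc = instrlist_encode(dc, ilist, buf, true/*instr targets*/);
    ASSERT(pc != NULL);
    instrlist_clear(dc, ilist);
#if VERBOSE
    pc = disassemble_with_info(dc, buf, STDOUT, true, true);
    pc = disassemble_with_info(dc, pc, STDOUT, true, true);
#endif
    pc = buf;
    instr_reset(dc, instr);
    pc = decode(dc, pc, instr);
    ASSERT(pc != NULL);
    ASSERT(instr_get_opcode(instr) == OP_mov_ld);
    check_abs_mem_src(instr, pc, disp);

    /* instr came from instr_create(), so it must go back via instr_destroy():
     * instr_free() alone releases the operands but leaks the struct. */
    instr_destroy(dc, instr);
    instrlist_destroy(dc, ilist);
}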
std::string raw2trace_t::append_bb_entries(uint tidx, offline_entry_t *in_entry, OUT bool *handled) { uint instr_count = in_entry->pc.instr_count; instr_t instr; trace_entry_t buf_start[MAX_COMBINED_ENTRIES]; app_pc start_pc = modvec[in_entry->pc.modidx].map_base + in_entry->pc.modoffs; app_pc pc, decode_pc = start_pc; if ((in_entry->pc.modidx == 0 && in_entry->pc.modoffs == 0) || modvec[in_entry->pc.modidx].map_base == NULL) { // FIXME i#2062: add support for code not in a module (vsyscall, JIT, etc.). // Once that support is in we can remove the bool return value and handle // the memrefs up here. VPRINT(3, "Skipping ifetch for %u instrs not in a module\n", instr_count); *handled = false; return ""; } else { VPRINT(3, "Appending %u instrs in bb " PFX " in mod %u +" PIFX " = %s\n", instr_count, (ptr_uint_t)start_pc, (uint)in_entry->pc.modidx, (ptr_uint_t)in_entry->pc.modoffs, modvec[in_entry->pc.modidx].path); } bool skip_icache = false; if (instr_count == 0) { // L0 filtering adds a PC entry with a count of 0 prior to each memref. skip_icache = true; instr_count = 1; // We set a flag to avoid peeking forward on instr entries. if (!instrs_are_separate) instrs_are_separate = true; } CHECK(!instrs_are_separate || instr_count == 1, "cannot mix 0-count and >1-count"); instr_init(dcontext, &instr); for (uint i = 0; i < instr_count; ++i) { trace_entry_t *buf = buf_start; app_pc orig_pc = decode_pc - modvec[in_entry->pc.modidx].map_base + modvec[in_entry->pc.modidx].orig_base; bool skip_instr = false; instr_reset(dcontext, &instr); // We assume the default ISA mode and currently require the 32-bit // postprocessor for 32-bit applications. 
pc = decode(dcontext, decode_pc, &instr); if (pc == NULL || !instr_valid(&instr)) { WARN("Encountered invalid/undecodable instr @ %s+" PFX, modvec[in_entry->pc.modidx].path, (ptr_uint_t)in_entry->pc.modoffs); break; } CHECK(!instr_is_cti(&instr) || i == instr_count - 1, "invalid cti"); if (instr_is_rep_string(&instr)) { // We want it to look like the original rep string instead of the // drutil-expanded loop. if (!prev_instr_was_rep_string) prev_instr_was_rep_string = true; else skip_instr = true; } else prev_instr_was_rep_string = false; // FIXME i#1729: make bundles via lazy accum until hit memref/end. if (!skip_instr) { DO_VERBOSE(3, { instr_set_translation(&instr, orig_pc); dr_print_instr(dcontext, STDOUT, &instr, ""); });
/* Walks the system-call wrapper at entry and fills in info:
 *   - info->sysnum      from the first "mov $imm -> %eax"
 *   - info->fixup_index from "mov $imm -> %ecx" or "xor %ecx,%ecx"
 *   - info->num_args    via process_ret() on the first return seen
 *                       (presumably read from a "ret imm"; not visible here)
 * Recognising the actual syscall instruction / indirect call is delegated to
 * process_syscall_instr(), and a direct call to an adjacent sysenter callee
 * to process_syscall_call().  Finding the syscall does not end the walk: it
 * continues until the return so the ret can still be processed.
 *
 * dcontext: drcontext used for decoding.
 * entry:    first byte of the wrapper; NULL yields false.
 * info:     output; num_args/sysnum/fixup_index are preset to -1.
 * img:      image containing entry; its preferred base and size bound the
 *           Win10 WOW64 %edx immediate check.
 * returns false on failure */
static bool
decode_syscall_num(void *dcontext, byte *entry, syscall_info_t *info, LOADED_IMAGE *img)
{
    /* FIXME: would like to fail gracefully rather than have a DR assertion
     * on non-code! => use DEBUG=0 INTERNAL=1 DR build! */
    bool found_syscall = false, found_eax = false, found_edx = false, found_ecx = false;
    bool found_ret = false;
    byte *pc, *pre_pc;
    int num_instr = 0;
    instr_t *instr;
    byte *preferred = get_preferred_base(img);
    if (entry == NULL)
        return false;
    info->num_args = -1; /* if find sysnum but not args */
    info->sysnum = -1;
    info->fixup_index = -1;
    instr = instr_create(dcontext);
    pc = entry;
    /* FIXME - we don't support decoding 64bit instructions in 32bit mode, but I want
     * this to work on 32bit machines. Hack fix based on the wrapper pattern, we skip
     * the first instruction (mov r10, rcx) here, the rest should decode ok.
     * Xref PR 236203.
     * NOTE(review): this reads 3 bytes at entry before anything is decoded;
     * it assumes entry points at least 3 bytes into readable module code. */
    if (expect_x64 && *pc == 0x4c && *(pc+1) == 0x8b && *(pc+2) == 0xd1)
        pc += 3;
    while (true) {
        instr_reset(dcontext, instr);
        pre_pc = pc;
        pc = decode(dcontext, pc, instr);
        if (verbose) {
            instr_set_translation(instr, pre_pc);
            dr_print_instr(dcontext, STDOUT, instr, "");
        }
        /* decode() returns NULL on undecodable bytes: give up. */
        if (pc == NULL || !instr_valid(instr))
            break;
        if (instr_is_syscall(instr) || instr_is_call_indirect(instr)) {
            /* If we see a syscall instr or an indirect call which is not syscall,
             * we assume this is not a syscall wrapper.
             */
            found_syscall = process_syscall_instr(dcontext, instr, found_eax, found_edx);
            if (!found_syscall)
                break; /* assume not a syscall wrapper, give up gracefully */
        } else if (instr_is_return(instr)) {
            /* we must break on return to avoid case like win8 x86
             * which has sysenter callee adjacent-"inlined"
             * ntdll!NtYieldExecution:
             * 77d7422c b801000000      mov     eax,1
             * 77d74231 e801000000      call    ntdll!NtYieldExecution+0xb (77d74237)
             * 77d74236 c3              ret
             * 77d74237 8bd4            mov     edx,esp
             * 77d74239 0f34            sysenter
             * 77d7423b c3              ret
             */
            if (!found_ret) {
                process_ret(instr, info);
                found_ret = true;
            }
            break;
        } else if (instr_get_opcode(instr) == OP_call) {
            /* pc here is already the address after the call, which is what
             * process_syscall_call() uses to bound the callee distance. */
            found_syscall = process_syscall_call(dcontext, pc, instr, found_eax, found_edx);
            /* If we see a call and it is not a sysenter callee,
             * we assume this is not a syscall wrapper.
             */
            if (!found_syscall)
                break; /* assume not a syscall wrapper, give up gracefully */
        } else if (instr_is_cti(instr)) {
            /* We expect only ctis like ret or ret imm, syscall, and call, which are
             * handled above. Give up gracefully if we hit any other cti.
             * XXX: what about jmp to shared ret (seen in the past on some syscalls)?
             */
            /* Update: win10 TH2 1511 x64 has a cti:
             * ntdll!NtContinue:
             * 00007ff9`13185630 4c8bd1          mov     r10,rcx
             * 00007ff9`13185633 b843000000      mov     eax,43h
             * 00007ff9`13185638 f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
             * 00007ff9`13185640 7503            jne     ntdll!NtContinue+0x15 (00007ff9`13185645)
             * 00007ff9`13185642 0f05            syscall
             * 00007ff9`13185644 c3              ret
             * 00007ff9`13185645 cd2e            int     2Eh
             * 00007ff9`13185647 c3              ret
             */
            /* Accept only that exact shape: a conditional branch skipping the
             * 3-byte "syscall; ret" pair that immediately follows it. */
            if (expect_x64 && instr_is_cbr(instr) &&
                opnd_get_pc(instr_get_target(instr)) == pc + 3/*syscall;ret*/) {
                /* keep going */
            } else
                break;
        } else if ((!found_eax || !found_edx || !found_ecx) &&
                   instr_get_opcode(instr) == OP_mov_imm &&
                   opnd_is_reg(instr_get_dst(instr, 0))) {
            if (!found_eax && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EAX) {
                info->sysnum = (int) opnd_get_immed_int(instr_get_src(instr, 0));
                found_eax = true;
            } else if (!found_edx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EDX) {
                uint imm = (uint) opnd_get_immed_int(instr_get_src(instr, 0));
                /* 0x7ffe0300 is the classic SharedUserData SystemCallStub slot;
                 * on Win10 WOW64 the immediate is instead an address inside the
                 * image, so any value within [preferred, preferred+size) counts. */
                if (imm == 0x7ffe0300 ||
                    /* On Win10 the immed is ntdll!Wow64SystemServiceCall */
                    (expect_wow && imm > (ptr_uint_t)preferred &&
                     imm < (ptr_uint_t)preferred + img->SizeOfImage))
                    found_edx = true;
            } else if (!found_ecx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
                found_ecx = true;
                info->fixup_index = (int) opnd_get_immed_int(instr_get_src(instr, 0));
            }
        } else if (instr_get_opcode(instr) == OP_xor &&
                   opnd_is_reg(instr_get_src(instr, 0)) &&
                   opnd_get_reg(instr_get_src(instr, 0)) == REG_ECX &&
                   opnd_is_reg(instr_get_dst(instr, 0)) &&
                   opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
            /* xor to 0 */
            found_ecx = true;
            info->fixup_index = 0;
        }
        num_instr++;
        if (num_instr > MAX_INSTRS_BEFORE_SYSCALL) /* wrappers should be short! */
            break; /* avoid weird cases like NPXEMULATORTABLE */
    }
    instr_destroy(dcontext, instr);
    return found_syscall;
}
/* Follows a direct call out of a syscall wrapper into a short, forward,
 * "adjacent-inlined" sysenter callee and reports whether that callee
 * performs the system call.
 *
 * dcontext:  drcontext used for decoding.
 * next_pc:   address just after the call instruction.
 * call:      the decoded OP_call with a pc target.
 * found_eax: whether the caller has seen "mov imm => %eax"
 * found_edx: whether the caller has seen "mov $0x7ffe0300 => %edx",
 *            xref the comment in process_syscall_instr.
 * Returns the result of process_syscall_instr() on the first syscall or
 * indirect call in the callee; false if the target is not a short forward
 * hop, if the callee stops decoding, hits any other cti, or runs past
 * MAX_INSTRS_SYSENTER_CALLEE instructions.
 *
 * Shapes this is meant to match -- win8 x86 with the callee right after the
 * wrapper's ret:
 * ntdll!NtYieldExecution:
 * 77d7422c b801000000      mov     eax,1
 * 77d74231 e801000000      call    ntdll!NtYieldExecution+0xb (77d74237)
 * 77d74236 c3              ret
 * 77d74237 8bd4            mov     edx,esp
 * 77d74239 0f34            sysenter
 * 77d7423b c3              ret
 *
 * or DrMem-i#1366-c#2, where another routine sits in between:
 * USER32!NtUserCreateWindowStation:
 * 75caea7a b841110000      mov     eax,0x1141
 * 75caea7f e838000000      call    user32!...+0xd (75caeabc)
 * 75caea84 c22000          ret     0x20
 * ...
 * USER32!GetWindowStationName:
 * 75caea8c 8bff            mov     edi,edi
 * 75caea8e 55              push    ebp
 * ...
 * 75caeabc 8bd4            mov     edx,esp
 * 75caeabe 0f34            sysenter
 * 75caeac0 c3              ret
 *
 * The callee itself is expected to be as simple as
 * 75caeabc 8bd4            mov     edx,esp
 * 75caeabe 0f34            sysenter
 * 75caeac0 c3              ret
 */
static bool
process_syscall_call(void *dcontext, byte *next_pc, instr_t *call, bool found_eax,
                     bool found_edx)
{
    instr_t callee_instr;
    byte *callee_pc;
    bool result = false;
    int seen;

    assert(instr_get_opcode(call) == OP_call && opnd_is_pc(instr_get_target(call)));
    callee_pc = opnd_get_pc(instr_get_target(call));
    /* Only a short forward hop counts; we assume the call won't go backward. */
    if (callee_pc <= next_pc || callee_pc > next_pc + MAX_SYSENTER_CALLEE_OFFSET)
        return false;

    instr_init(dcontext, &callee_instr);
    /* At most MAX_INSTRS_SYSENTER_CALLEE + 1 instructions are examined. */
    for (seen = 0; seen <= MAX_INSTRS_SYSENTER_CALLEE; seen++) {
        instr_reset(dcontext, &callee_instr);
        callee_pc = decode(dcontext, callee_pc, &callee_instr);
        if (verbose)
            dr_print_instr(dcontext, STDOUT, &callee_instr, "");
        if (callee_pc == NULL || !instr_valid(&callee_instr))
            break;
        if (instr_is_syscall(&callee_instr) || instr_is_call_indirect(&callee_instr)) {
            result = process_syscall_instr(dcontext, &callee_instr, found_eax, found_edx);
            break;
        }
        if (instr_is_cti(&callee_instr))
            break;
    }
    instr_free(dcontext, &callee_instr);
    return result;
}
/* Walks the system-call wrapper at entry and fills in info:
 *   - info->sysnum      from the first "mov $imm -> %eax"
 *   - info->fixup_index from "mov $imm -> %ecx" or "xor %ecx,%ecx"
 *   - info->num_args    via process_ret() on the first return seen
 *                       (presumably read from a "ret imm"; not visible here)
 * The syscall itself is matched inline according to the expect_* flags
 * (int 2e / x64 syscall / sysenter / WOW64 far call through %fs).  Finding
 * it does not end the walk: it continues until the return so the ret can
 * still be processed.
 *
 * dcontext: drcontext used for decoding.
 * entry:    first byte of the wrapper; NULL yields false.
 * info:     output; num_args/sysnum/fixup_index are preset to -1.
 * returns false on failure */
static bool
decode_syscall_num(void *dcontext, byte *entry, syscall_info_t *info)
{
    /* FIXME: would like to fail gracefully rather than have a DR assertion
     * on non-code! => use DEBUG=0 INTERNAL=1 DR build! */
    bool found_syscall = false, found_eax = false, found_edx = false, found_ecx = false;
    bool found_ret = false;
    byte *pc;
    int num_instr = 0;
    instr_t *instr;
    if (entry == NULL)
        return false;
    info->num_args = -1; /* if find sysnum but not args */
    info->sysnum = -1;
    info->fixup_index = -1;
    instr = instr_create(dcontext);
    pc = entry;
    /* FIXME - we don't support decoding 64bit instructions in 32bit mode, but I want
     * this to work on 32bit machines. Hack fix based on the wrapper pattern, we skip
     * the first instruction (mov r10, rcx) here, the rest should decode ok.
     * Xref PR 236203.
     * NOTE(review): this reads 3 bytes at entry before anything is decoded;
     * it assumes entry points at least 3 bytes into readable module code. */
    if (expect_x64 && *pc == 0x4c && *(pc+1) == 0x8b && *(pc+2) == 0xd1)
        pc += 3;
    while (true) {
        instr_reset(dcontext, instr);
        pc = decode(dcontext, pc, instr);
        if (verbose)
            dr_print_instr(dcontext, STDOUT, instr, "");
        /* decode() returns NULL on undecodable bytes: give up. */
        if (pc == NULL || !instr_valid(instr))
            break;
        /* ASSUMPTION: a mov imm of 0x7ffe0300 into edx followed by an
         * indirect call via edx is a system call on XP and later
         * On XP SP1 it's call *edx, while on XP SP2 it's call *(edx)
         * For wow it's a call through fs.
         * FIXME - core exports various is_*_syscall routines (such as
         * instr_is_wow64_syscall()) which we could use here instead of
         * duplicating if they were more flexible about when they could
         * be called (instr_is_wow64_syscall() for ex. asserts if not
         * in a wow process).
         */
        /* All three arms require found_eax: a syscall-looking instruction
         * before the number is loaded is not treated as the syscall. */
        if (/* int 2e or x64 or win8 sysenter */
            (instr_is_syscall(instr) && found_eax &&
             (expect_int2e || expect_x64 || expect_sysenter)) ||
            /* sysenter case */
            (expect_sysenter && found_edx && found_eax && instr_is_call_indirect(instr) &&
             /* XP SP{0,1}, 2003 SP0: call *edx */
             ((opnd_is_reg(instr_get_target(instr)) &&
               opnd_get_reg(instr_get_target(instr)) == REG_EDX) ||
              /* XP SP2, 2003 SP1: call *(edx) */
              (opnd_is_base_disp(instr_get_target(instr)) &&
               opnd_get_base(instr_get_target(instr)) == REG_EDX &&
               opnd_get_index(instr_get_target(instr)) == REG_NULL &&
               opnd_get_disp(instr_get_target(instr)) == 0))) ||
            /* wow case
             * we don't require found_ecx b/c win8 does not use ecx */
            (expect_wow && found_eax && instr_is_call_indirect(instr) &&
             opnd_is_far_base_disp(instr_get_target(instr)) &&
             opnd_get_base(instr_get_target(instr)) == REG_NULL &&
             opnd_get_index(instr_get_target(instr)) == REG_NULL &&
             opnd_get_segment(instr_get_target(instr)) == SEG_FS)) {
            found_syscall = true;
        } else if (instr_is_return(instr)) {
            if (!found_ret) {
                process_ret(instr, info);
                found_ret = true;
            }
            break;
        } else if (instr_is_cti(instr)) {
            if (instr_get_opcode(instr) == OP_call) {
                /* handle win8 x86 which has sysenter callee adjacent-"inlined"
                 * ntdll!NtYieldExecution:
                 * 77d7422c b801000000      mov     eax,1
                 * 77d74231 e801000000      call    ntdll!NtYieldExecution+0xb (77d74237)
                 * 77d74236 c3              ret
                 * 77d74237 8bd4            mov     edx,esp
                 * 77d74239 0f34            sysenter
                 * 77d7423b c3              ret
                 */
                byte *tgt;
                assert(opnd_is_pc(instr_get_target(instr)));
                tgt = opnd_get_pc(instr_get_target(instr));
                /* we expect only ret or ret imm, and possibly some nops (in gdi32).
                 * XXX: what about jmp to shared ret (seen in the past on some syscalls)?
                 */
                /* Skip over the bytes between the call and its target (at most
                 * 16), processing a ret and tolerating nops; anything else
                 * abandons the skip.  The `ok` path resumes the outer walk at
                 * the call target.  A decode failure inside this loop leaves
                 * pc NULL and relies on an invalid instr not being classified
                 * as a nop, so the `break` below is taken. */
                if (tgt > pc && tgt <= pc + 16) {
                    bool ok = false;
                    do {
                        if (pc == tgt) {
                            ok = true;
                            break;
                        }
                        instr_reset(dcontext, instr);
                        pc = decode(dcontext, pc, instr);
                        if (verbose)
                            dr_print_instr(dcontext, STDOUT, instr, "");
                        if (instr_is_return(instr)) {
                            process_ret(instr, info);
                            found_ret = true;
                        } else if (!instr_is_nop(instr))
                            break;
                        num_instr++;
                    } while (num_instr <= MAX_INSTRS_BEFORE_SYSCALL);
                    if (ok)
                        continue;
                }
            }
            /* assume not a syscall wrapper if we hit a cti */
            break; /* give up gracefully */
        } else if ((!found_eax || !found_edx || !found_ecx) &&
                   instr_get_opcode(instr) == OP_mov_imm &&
                   opnd_is_reg(instr_get_dst(instr, 0))) {
            if (!found_eax && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EAX) {
                info->sysnum = (int) opnd_get_immed_int(instr_get_src(instr, 0));
                found_eax = true;
            } else if (!found_edx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EDX) {
                int imm = (int) opnd_get_immed_int(instr_get_src(instr, 0));
                /* 0x7ffe0300 is the SharedUserData SystemCallStub slot. */
                if (imm == 0x7ffe0300)
                    found_edx = true;
            } else if (!found_ecx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
                found_ecx = true;
                info->fixup_index = (int) opnd_get_immed_int(instr_get_src(instr, 0));
            }
        } else if (instr_get_opcode(instr) == OP_xor &&
                   opnd_is_reg(instr_get_src(instr, 0)) &&
                   opnd_get_reg(instr_get_src(instr, 0)) == REG_ECX &&
                   opnd_is_reg(instr_get_dst(instr, 0)) &&
                   opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
            /* xor to 0 */
            found_ecx = true;
            info->fixup_index = 0;
        }
        num_instr++;
        if (num_instr > MAX_INSTRS_BEFORE_SYSCALL) /* wrappers should be short! */
            break; /* avoid weird cases like NPXEMULATORTABLE */
    }
    instr_destroy(dcontext, instr);
    return found_syscall;
}
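/* Walks forward from init_pc, following an initial direct jmp (ILT
 * indirection), and returns the address of the last call instruction seen
 * before the first return, or NULL if the bytes stop decoding first or no
 * call is found.  The last call is taken so that any PIC call preceding the
 * real callsite is skipped.
 *
 * drcontext: drcontext used for decoding.
 * init_pc:   address of the exported routine to scan.
 */
static app_pc
find_last_call_before_ret(void *drcontext, app_pc init_pc)
{
    instr_t inst;
    app_pc pc = init_pc, next_pc;
    app_pc callsite = NULL;

    instr_init(drcontext, &inst);
    do {
        instr_reset(drcontext, &inst);
        next_pc = decode(drcontext, pc, &inst);
        if (!instr_valid(&inst))
            break;
        /* if initial jmp, follow it to handle ILT-indirection */
        if (pc == init_pc && instr_is_ubr(&inst))
            next_pc = opnd_get_pc(instr_get_target(&inst));
        else if (instr_is_call(&inst))
            callsite = pc;
        pc = next_pc;
    } while (instr_valid(&inst) && !instr_is_return(&inst));
    instr_free(drcontext, &inst);
    return callsite;
}

/* Module-load hook for the drwrap test client.  For the test app DLL it
 * installs the replacement, native-replacement and wrap hooks the test
 * expects, switching drwrap to no-frills mode on the second load and to
 * no-frills + fast clean calls before the final wrap.
 *
 * drcontext: current drcontext.
 * mod:       the module being loaded.
 * loaded:    unused here (kept for the event signature).
 * Each lookup/hook is guarded by CHECK, which reports and aborts on failure.
 */
static void
module_load_event(void *drcontext, const module_data_t *mod, bool loaded)
{
    if (strstr(dr_module_preferred_name(mod), "client.drwrap-test.appdll.") != NULL) {
        bool ok;
        app_pc init_pc;

        load_count++;
        if (load_count == 2) {
            /* test no-frills */
            drwrap_set_global_flags(DRWRAP_NO_FRILLS);
        }

        addr_replace = (app_pc) dr_get_proc_address(mod->handle, "replaceme");
        CHECK(addr_replace != NULL, "cannot find lib export");
        ok = drwrap_replace(addr_replace, (app_pc) replacewith, false);
        CHECK(ok, "replace failed");

        addr_replace2 = (app_pc) dr_get_proc_address(mod->handle, "replaceme2");
        CHECK(addr_replace2 != NULL, "cannot find lib export");
        ok = drwrap_replace_native(addr_replace2, (app_pc) replacewith2, true/*at entry*/, 0,
                                   (void *)(ptr_int_t)DRWRAP_NATIVE_PARAM, false);
        CHECK(ok, "replace_native failed");

        init_pc = (app_pc) dr_get_proc_address(mod->handle, "replace_callsite");
        CHECK(init_pc != NULL, "cannot find lib export");
        /* Find callsite: we assume we'll linearly hit a ret.  We take the final
         * call to skip any PIC call.  Assigning the result (NULL when nothing
         * is found) rather than only writing on a hit keeps the CHECK below
         * meaningful on the second load, where the global would otherwise
         * still hold the address found on the first load. */
        addr_replace_callsite = find_last_call_before_ret(drcontext, init_pc);
        CHECK(addr_replace_callsite != NULL, "cannot find callsite");
        ok = drwrap_replace_native(addr_replace_callsite, (app_pc) replace_callsite,
                                   false/*!at entry*/, 0,
                                   (void *)(ptr_int_t)DRWRAP_NATIVE_PARAM, false);
        CHECK(ok, "replace_native failed");

        wrap_addr(&addr_level0, "level0", mod, true, true);
        wrap_addr(&addr_level1, "level1", mod, true, true);
        wrap_addr(&addr_level2, "level2", mod, true, true);
        wrap_addr(&addr_tailcall, "makes_tailcall", mod, true, true);
        wrap_addr(&addr_skipme, "skipme", mod, true, true);
        wrap_addr(&addr_repeat, "repeatme", mod, true, true);
        wrap_addr(&addr_preonly, "preonly", mod, true, false);
        wrap_addr(&addr_postonly, "postonly", mod, false, true);
        wrap_addr(&addr_runlots, "runlots", mod, false, true);

        /* test longjmp */
        wrap_unwindtest_addr(&addr_long0, "long0", mod);
        wrap_unwindtest_addr(&addr_long1, "long1", mod);
        wrap_unwindtest_addr(&addr_long2, "long2", mod);
        wrap_unwindtest_addr(&addr_long3, "long3", mod);
        wrap_unwindtest_addr(&addr_longdone, "longdone", mod);
        drmgr_set_tls_field(drcontext, tls_idx, (void *)(ptr_uint_t)0);
#ifdef WINDOWS
        /* test SEH */
        /* we can't do this test for no-frills b/c only one wrap per addr */
        if (load_count == 1) {
            ok = drwrap_wrap_ex(addr_long0, wrap_unwindtest_seh_pre, wrap_unwindtest_seh_post,
                                NULL, DRWRAP_UNWIND_ON_EXCEPTION);
            CHECK(ok, "wrap failed");
            ok = drwrap_wrap_ex(addr_long1, wrap_unwindtest_seh_pre, wrap_unwindtest_seh_post,
                                NULL, DRWRAP_UNWIND_ON_EXCEPTION);
            CHECK(ok, "wrap failed");
            ok = drwrap_wrap_ex(addr_long2, wrap_unwindtest_seh_pre, wrap_unwindtest_seh_post,
                                NULL, DRWRAP_UNWIND_ON_EXCEPTION);
            CHECK(ok, "wrap failed");
            ok = drwrap_wrap_ex(addr_long3, wrap_unwindtest_seh_pre, wrap_unwindtest_seh_post,
                                NULL, DRWRAP_UNWIND_ON_EXCEPTION);
            CHECK(ok, "wrap failed");
            ok = drwrap_wrap_ex(addr_longdone, wrap_unwindtest_seh_pre,
                                wrap_unwindtest_seh_post, NULL, DRWRAP_UNWIND_ON_EXCEPTION);
            CHECK(ok, "wrap failed");
        }
#endif
        /* test leaner wrapping */
        if (load_count == 2)
            drwrap_set_global_flags(DRWRAP_NO_FRILLS | DRWRAP_FAST_CLEANCALLS);
        wrap_addr(&addr_skip_flags, "skip_flags", mod, true, false);
    }
}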
/* Here we attempt to combine a loop involving ldex (load exclusive) and
 * stex (store exclusive) into an OP_ldstex macro-instruction. The algorithm
 * is roughly this:
 *
 * Decode up to (2 * N) instructions while:
 * - none of them are indirect branches or system calls
 * - none of them is a direct branch out of these (2 * N) instructions
 * - none of them is OP_xx (to be safe)
 * - there is, or might yet be, both ldex and stex in the first N
 * - none of them is a non-branch PC-relative instruction: ADR, ADRP,
 *   PC-relative PRFM, literal load (this last condition could be removed
 *   if we mangled such instructions as we encountered them)
 *
 * To save time, give up if the first instruction is neither ldex nor stex
 * and there is no branch to it.
 * Take a sub-block containing both ldex and stex from the first N instructions.
 * Expand this sub-block to a minimal single-entry single-exit block.
 * Give up if the sub-block grows beyond N instructions.
 * Finally, give up if the sub-block does not contain the first instruction.
 * Also give up if the sub-block uses all of X0-X5 and the stolen register
 * because we would be unable to mangle such a block.
 *
 * XXX: This function uses a lot of CPU time. It could be made faster in
 * several ways, for example by caching decoded instructions or using a
 * custom decoder to recognise the particular instructions that we care
 * about here.
 *
 * dcontext:     dcontext used for decoding.
 * pc_:          address of the (possibly copied) bytes to decode.
 * orig_pc_:     original application address of those bytes, passed through
 *               to decode_from_copy() so targets resolve in app space.
 * instr_ldstex: filled in via instr_create_ldstex() on success.
 * Returns the address just past the combined block on success, or NULL when
 * no suitable ldex/stex sub-block is found.  Every instr_t in the scratch
 * array is reset before returning on every path.
 */
byte *
decode_ldstex(dcontext_t *dcontext, byte *pc_, byte *orig_pc_, instr_t *instr_ldstex)
{
#   define N (MAX_INSTR_LENGTH / AARCH64_INSTR_SIZE)
    instr_t ibuf[2 * N];
    /* AArch64 instructions are fixed 4-byte words, so uint* arithmetic steps
     * one instruction at a time. */
    uint *pc = (uint *)pc_;
    uint *orig_pc = (uint *)orig_pc_;
    bool seen_ldex = false;
    bool seen_stex = false;
    bool seen_branch_to_start = false;
    bool failed = false;
    int ldstex_beg = -1;
    int ldstex_end = -1;
    int i, len;

    /* Decode up to 2 * N instructions.
     * NOTE(review): the loop below actually stops at N, although ibuf holds
     * 2 * N entries and the branch-target bound accepts targets up to
     * pc + 2 * N; a target in (pc + N, pc + 2 * N] passes this check but is
     * rejected later by `target > len`.  Confirm which bound is intended. */
    for (i = 0; i < N; i++) {
        instr_t *instr = &ibuf[i];
        instr_init(dcontext, instr);
        decode_from_copy(dcontext, (byte *)(pc + i), (byte *)(orig_pc + i), instr);
        if (instr_is_mbr_arch(instr) || instr_is_syscall(instr) ||
            instr_get_opcode(instr) == OP_xx || instr_is_nonbranch_pcrel(instr))
            break;
        if (instr_is_ubr_arch(instr) || instr_is_cbr_arch(instr)) {
            ptr_uint_t target = (ptr_uint_t)instr_get_branch_target_pc(instr);
            /* Direct branches must stay within the candidate window. */
            if (target < (ptr_uint_t)pc || target > (ptr_uint_t)(pc + 2 * N))
                break;
            if (target == (ptr_uint_t)pc)
                seen_branch_to_start = true;
        }
        if (instr_is_exclusive_load(instr))
            seen_ldex = true;
        if (instr_is_exclusive_store(instr))
            seen_stex = true;
        /* Stop early at the last slot if the pair cannot be completed. */
        if (i + 1 >= N && !(seen_ldex && seen_stex))
            break;
        /* Sub-block starts at the first exclusive access and ends just after
         * the point where both kinds have been seen. */
        if (ldstex_beg == -1 && (seen_ldex || seen_stex))
            ldstex_beg = i;
        if (ldstex_end == -1 && (seen_ldex && seen_stex))
            ldstex_end = i + 1;
    }
    /* ibuf[i] was initialized but excluded by the break; release it. */
    if (i < N) {
        instr_reset(dcontext, &ibuf[i]);
        len = i;
    } else
        len = N;

    /* Quick check for hopeless situations. */
    if (len == 0 || !(seen_ldex && seen_stex) ||
        !(seen_branch_to_start ||
          (instr_is_exclusive_load(&ibuf[0]) || instr_is_exclusive_store(&ibuf[0])))) {
        for (i = 0; i < len; i++)
            instr_reset(dcontext, &ibuf[i]);
        return NULL;
    }

    /* There are several ways we could choose a sub-block containing both ldex
     * and stex from the first N instructions. Investigate further, perhaps.
     * We have already set ldstex_beg and ldstex_end.
     */
    ASSERT(ldstex_beg != -1 && ldstex_end != -1 && ldstex_beg < ldstex_end);

    /* Expand ldstex sub-block until it is a single-entry single-exit block.
     * Each pass widens [ldstex_beg, ldstex_end) to cover every direct branch
     * target inside it; iterate to a fixed point.  A target equal to len
     * (just past the decoded run) is allowed and becomes the exit.
     */
    for (;;) {
        int new_beg = ldstex_beg;
        int new_end = ldstex_end;
        for (i = ldstex_beg; i < ldstex_end; i++) {
            instr_t *instr = &ibuf[i];
            if (instr_is_ubr_arch(instr) || instr_is_cbr_arch(instr)) {
                int target = (uint *)instr_get_branch_target_pc(instr) - pc;
                if (target > len) {
                    failed = true;
                    break;
                }
                if (target < new_beg)
                    new_beg = target;
                if (target > new_end)
                    new_end = target;
            }
        }
        if (new_beg == ldstex_beg && new_end == ldstex_end)
            break;
        ldstex_beg = new_beg;
        ldstex_end = new_end;
    }
    /* The combined block must start at the first instruction. */
    if (ldstex_beg != 0)
        failed = true;

    if (!failed) {
        /* Check whether the sub-block uses the stolen register and all of X0-X5.
         * If it does, it would be impossible to mangle it so it is better not to
         * create an OP_ldstex.
         */
        reg_id_t regs[] = { dr_reg_stolen, DR_REG_X0, DR_REG_X1, DR_REG_X2,
                            DR_REG_X3, DR_REG_X4, DR_REG_X5 };
        int r;
        /* Outer loop exits early on the first register that no instruction
         * in the sub-block uses; reaching the end means all are used. */
        for (r = 0; r < sizeof(regs) / sizeof(*regs); r++) {
            for (i = ldstex_beg; i < ldstex_end; i++) {
                if (instr_uses_reg(&ibuf[i], regs[r]))
                    break;
            }
            if (i >= ldstex_end)
                break;
        }
        if (r >= sizeof(regs) / sizeof(*regs))
            failed = true;
    }

    if (!failed) {
        instr_create_ldstex(dcontext, ldstex_end - ldstex_beg, pc + ldstex_beg,
                            &ibuf[ldstex_beg], instr_ldstex);
    }

    for (i = 0; i < len; i++)
        instr_reset(dcontext, &ibuf[i]);

    return failed ? NULL : (byte *)(pc + ldstex_end);
}