static void
test_x86_mode(void *dc)
{
byte *pc, *end;
instr_t *instr;
/* create instr that looks different in x86 vs x64 */
instr = INSTR_CREATE_add(dc, opnd_create_reg(REG_RAX), OPND_CREATE_INT32(42));
end = instr_encode(dc, instr, buf);
ASSERT(end - buf < BUFFER_SIZE_ELEMENTS(buf));
/* read back in */
set_x86_mode(dc, false/*64-bit*/);
instr_reset(dc, instr);
pc = decode(dc, buf, instr);
ASSERT(pc != NULL);
ASSERT(instr_get_opcode(instr) == OP_add);
/* now interpret as 32-bit where rex will be an inc */
set_x86_mode(dc, true/*32-bit*/);
instr_reset(dc, instr);
pc = decode(dc, buf, instr);
ASSERT(pc != NULL);
ASSERT(instr_get_opcode(instr) == OP_dec);
instr_free(dc, instr);
set_x86_mode(dc, false/*64-bit*/);
}
static void
test_disp_control_helper(void *dc, int disp,
bool encode_zero_disp, bool force_full_disp, bool disp16,
uint len_expect)
{
byte *pc;
uint len;
instr_t *instr = INSTR_CREATE_mov_ld
(dc, opnd_create_reg(REG_ECX),
opnd_create_base_disp_ex(disp16 ? IF_X64_ELSE(REG_EBX, REG_BX) :
REG_XBX, REG_NULL, 0,
disp, OPSZ_4,
encode_zero_disp, force_full_disp, disp16));
pc = instr_encode(dc, instr, buf);
len = (int) (pc - (byte *)buf);
#if VERBOSE
pc = disassemble_with_info(dc, buf, STDOUT, true, true);
#endif
ASSERT(len == len_expect);
instr_reset(dc, instr);
decode(dc, buf, instr);
ASSERT(instr_num_srcs(instr) == 1 &&
opnd_is_base_disp(instr_get_src(instr, 0)) &&
BOOLS_MATCH(encode_zero_disp,
opnd_is_disp_encode_zero(instr_get_src(instr, 0))) &&
BOOLS_MATCH(force_full_disp,
opnd_is_disp_force_full(instr_get_src(instr, 0))) &&
BOOLS_MATCH(disp16,
opnd_is_disp_short_addr(instr_get_src(instr, 0))));
instr_destroy(dc, instr);
}
/* returns false on failure */
static bool
decode_function(void *dcontext, byte *entry)
{
byte *pc, *pre_pc;
int num_instr = 0;
bool found_ret = false;
instr_t *instr;
if (entry == NULL)
return false;
instr = instr_create(dcontext);
pc = entry;
while (true) {
instr_reset(dcontext, instr);
pre_pc = pc;
pc = decode(dcontext, pc, instr);
instr_set_translation(instr, pre_pc);
dr_print_instr(dcontext, STDOUT, instr, "");
if (instr_is_return(instr)) {
found_ret = true;
break;
}
num_instr++;
if (num_instr > MAX_INSTRS_IN_FUNCTION) {
print("ERROR: hit max instr limit %d\n", MAX_INSTRS_IN_FUNCTION);
break;
}
}
instr_destroy(dcontext, instr);
return found_ret;
}
/* XXX: exporting this so drwrap can use it but I might prefer to have
* this in drutil or the upcoming drsys
*/
DR_EXPORT
int
drmgr_decode_sysnum_from_wrapper(app_pc entry)
{
void *drcontext = dr_get_current_drcontext();
int num = -1;
byte *pc = entry;
uint opc;
instr_t instr;
instr_init(drcontext, &instr);
do {
instr_reset(drcontext, &instr);
pc = decode(drcontext, pc, &instr);
if (!instr_valid(&instr))
break; /* unknown system call sequence */
opc = instr_get_opcode(&instr);
/* sanity check: wrapper should be short */
if (pc - entry > 20)
break; /* unknown system call sequence */
if (opc == OP_mov_imm && opnd_is_reg(instr_get_dst(&instr, 0)) &&
opnd_get_reg(instr_get_dst(&instr, 0)) == DR_REG_EAX &&
opnd_is_immed_int(instr_get_src(&instr, 0))) {
num = (int) opnd_get_immed_int(instr_get_src(&instr, 0));
break; /* success */
}
/* stop at call to vsyscall (wow64) or at int itself */
} while (opc != OP_call_ind && opc != OP_int &&
opc != OP_sysenter && opc != OP_syscall);
instr_free(drcontext, &instr);
return num;
}
static void
look_for_usercall(void *dcontext, byte *entry, const char *sym, LOADED_IMAGE *img,
const char *modpath)
{
bool found_push_imm = false;
int imm = 0;
app_pc pc, pre_pc;
instr_t *instr;
if (entry == NULL)
return;
instr = instr_create(dcontext);
pc = entry;
while (true) {
instr_reset(dcontext, instr);
pre_pc = pc;
pc = decode(dcontext, pc, instr);
if (verbose) {
instr_set_translation(instr, pre_pc);
dr_print_instr(dcontext, STDOUT, instr, "");
}
if (pc == NULL || !instr_valid(instr))
break;
if (instr_get_opcode(instr) == OP_push_imm) {
found_push_imm = true;
imm = (int) opnd_get_immed_int(instr_get_src(instr, 0));
} else if (instr_is_call_direct(instr) && found_push_imm) {
app_pc tgt = opnd_get_pc(instr_get_target(instr));
bool found = false;
int i;
for (i = 0; i < NUM_USERCALL; i++) {
if (tgt == usercall_addr[i]) {
dr_printf("Call #0x%02x to %s at %s+0x%x\n", imm, usercall_names[i],
sym, pre_pc - entry);
found = true;
break;
}
}
if (found)
break;
} else if (instr_is_return(instr))
break;
if (pc - entry > MAX_BYTES_BEFORE_USERCALL)
break;
}
instr_destroy(dcontext, instr);
}
static void
test_strict_invalid(void *dc)
{
instr_t instr;
byte *pc;
const byte buf[] = { 0xf2, 0x0f, 0xd8, 0xe9 }; /* psubusb w/ invalid prefix */
instr_init(dc, &instr);
/* The instr should be valid by default and invalid if decode_strict */
pc = decode(dc, (byte *)buf, &instr);
ASSERT(pc != NULL);
disassemble_set_syntax(DR_DISASM_STRICT_INVALID);
instr_reset(dc, &instr);
pc = decode(dc, (byte *)buf, &instr);
ASSERT(pc == NULL);
instr_free(dc, &instr);
}
static void
test_instr_opnds(void *dc)
{
/* Verbose disasm looks like this:
* 32-bit:
* 0x080f1ae0 ff 25 e7 1a 0f 08 jmp 0x080f1ae7
* 0x080f1ae6 b8 ef be ad de mov $0xdeadbeef -> %eax
* 0x080f1ae0 a0 e6 1a 0f 08 mov 0x080f1ae6 -> %al
* 0x080f1ae5 b8 ef be ad de mov $0xdeadbeef -> %eax
* 64-bit:
* 0x00000000006b8de0 ff 25 02 00 00 00 jmp <rel> 0x00000000006b8de8
* 0x00000000006b8de6 48 b8 ef be ad de 00 mov $0x00000000deadbeef -> %rax
* 00 00 00
* 0x00000000006b8de0 8a 05 02 00 00 00 mov <rel> 0x00000000006b8de8 -> %al
* 0x00000000006b8de6 48 b8 ef be ad de 00 mov $0x00000000deadbeef -> %rax
* 00 00 00
*/
instrlist_t *ilist;
instr_t *tgt, *instr;
byte *pc;
short disp;
ilist = instrlist_create(dc);
/* test mem instr as ind jmp target */
tgt = INSTR_CREATE_mov_imm(dc, opnd_create_reg(DR_REG_XAX),
opnd_create_immed_int(0xdeadbeef, OPSZ_PTR));
/* skip rex+opcode */
disp = IF_X64_ELSE(2,1);
instrlist_append(ilist, INSTR_CREATE_jmp_ind
(dc, opnd_create_mem_instr(tgt, disp, OPSZ_PTR)));
instrlist_append(ilist, tgt);
pc = instrlist_encode(dc, ilist, buf, true/*instr targets*/);
ASSERT(pc != NULL);
instrlist_clear(dc, ilist);
#if VERBOSE
pc = disassemble_with_info(dc, buf, STDOUT, true, true);
pc = disassemble_with_info(dc, pc, STDOUT, true, true);
#endif
pc = buf;
instr = instr_create(dc);
pc = decode(dc, pc, instr);
ASSERT(pc != NULL);
ASSERT(instr_get_opcode(instr) == OP_jmp_ind);
#ifdef X64
ASSERT(opnd_is_rel_addr(instr_get_src(instr, 0)));
ASSERT(opnd_get_addr(instr_get_src(instr, 0)) == pc + disp);
#else
ASSERT(opnd_is_base_disp(instr_get_src(instr, 0)));
ASSERT(opnd_get_base(instr_get_src(instr, 0)) == REG_NULL);
ASSERT(opnd_get_index(instr_get_src(instr, 0)) == REG_NULL);
ASSERT(opnd_get_disp(instr_get_src(instr, 0)) == (ptr_int_t)pc + disp);
#endif
/* test mem instr as TYPE_O */
tgt = INSTR_CREATE_mov_imm(dc, opnd_create_reg(DR_REG_XAX),
opnd_create_immed_int(0xdeadbeef, OPSZ_PTR));
/* skip rex+opcode */
disp = IF_X64_ELSE(2,1);
instrlist_append(ilist, INSTR_CREATE_mov_ld
(dc, opnd_create_reg(DR_REG_AL),
opnd_create_mem_instr(tgt, disp, OPSZ_1)));
instrlist_append(ilist, tgt);
pc = instrlist_encode(dc, ilist, buf, true/*instr targets*/);
ASSERT(pc != NULL);
instrlist_clear(dc, ilist);
#if VERBOSE
pc = disassemble_with_info(dc, buf, STDOUT, true, true);
pc = disassemble_with_info(dc, pc, STDOUT, true, true);
#endif
pc = buf;
instr_reset(dc, instr);
pc = decode(dc, pc, instr);
ASSERT(pc != NULL);
ASSERT(instr_get_opcode(instr) == OP_mov_ld);
#ifdef X64
ASSERT(opnd_is_rel_addr(instr_get_src(instr, 0)));
ASSERT(opnd_get_addr(instr_get_src(instr, 0)) == pc + disp);
#else
ASSERT(opnd_is_base_disp(instr_get_src(instr, 0)));
ASSERT(opnd_get_base(instr_get_src(instr, 0)) == REG_NULL);
ASSERT(opnd_get_index(instr_get_src(instr, 0)) == REG_NULL);
ASSERT(opnd_get_disp(instr_get_src(instr, 0)) == (ptr_int_t)pc + disp);
#endif
instr_free(dc, instr);
instrlist_destroy(dc, ilist);
}
std::string
raw2trace_t::append_bb_entries(uint tidx, offline_entry_t *in_entry, OUT bool *handled)
{
uint instr_count = in_entry->pc.instr_count;
instr_t instr;
trace_entry_t buf_start[MAX_COMBINED_ENTRIES];
app_pc start_pc = modvec[in_entry->pc.modidx].map_base + in_entry->pc.modoffs;
app_pc pc, decode_pc = start_pc;
if ((in_entry->pc.modidx == 0 && in_entry->pc.modoffs == 0) ||
modvec[in_entry->pc.modidx].map_base == NULL) {
// FIXME i#2062: add support for code not in a module (vsyscall, JIT, etc.).
// Once that support is in we can remove the bool return value and handle
// the memrefs up here.
VPRINT(3, "Skipping ifetch for %u instrs not in a module\n", instr_count);
*handled = false;
return "";
} else {
VPRINT(3, "Appending %u instrs in bb " PFX " in mod %u +" PIFX " = %s\n",
instr_count, (ptr_uint_t)start_pc, (uint)in_entry->pc.modidx,
(ptr_uint_t)in_entry->pc.modoffs, modvec[in_entry->pc.modidx].path);
}
bool skip_icache = false;
if (instr_count == 0) {
// L0 filtering adds a PC entry with a count of 0 prior to each memref.
skip_icache = true;
instr_count = 1;
// We set a flag to avoid peeking forward on instr entries.
if (!instrs_are_separate)
instrs_are_separate = true;
}
CHECK(!instrs_are_separate || instr_count == 1, "cannot mix 0-count and >1-count");
instr_init(dcontext, &instr);
for (uint i = 0; i < instr_count; ++i) {
trace_entry_t *buf = buf_start;
app_pc orig_pc = decode_pc - modvec[in_entry->pc.modidx].map_base +
modvec[in_entry->pc.modidx].orig_base;
bool skip_instr = false;
instr_reset(dcontext, &instr);
// We assume the default ISA mode and currently require the 32-bit
// postprocessor for 32-bit applications.
pc = decode(dcontext, decode_pc, &instr);
if (pc == NULL || !instr_valid(&instr)) {
WARN("Encountered invalid/undecodable instr @ %s+" PFX,
modvec[in_entry->pc.modidx].path, (ptr_uint_t)in_entry->pc.modoffs);
break;
}
CHECK(!instr_is_cti(&instr) || i == instr_count - 1, "invalid cti");
if (instr_is_rep_string(&instr)) {
// We want it to look like the original rep string instead of the
// drutil-expanded loop.
if (!prev_instr_was_rep_string)
prev_instr_was_rep_string = true;
else
skip_instr = true;
} else
prev_instr_was_rep_string = false;
// FIXME i#1729: make bundles via lazy accum until hit memref/end.
if (!skip_instr) {
DO_VERBOSE(3, {
instr_set_translation(&instr, orig_pc);
dr_print_instr(dcontext, STDOUT, &instr, "");
});
/* returns false on failure */
static bool
decode_syscall_num(void *dcontext, byte *entry, syscall_info_t *info, LOADED_IMAGE *img)
{
/* FIXME: would like to fail gracefully rather than have a DR assertion
* on non-code! => use DEBUG=0 INTERNAL=1 DR build!
*/
bool found_syscall = false, found_eax = false, found_edx = false, found_ecx = false;
bool found_ret = false;
byte *pc, *pre_pc;
int num_instr = 0;
instr_t *instr;
byte *preferred = get_preferred_base(img);
if (entry == NULL)
return false;
info->num_args = -1; /* if find sysnum but not args */
info->sysnum = -1;
info->fixup_index = -1;
instr = instr_create(dcontext);
pc = entry;
/* FIXME - we don't support decoding 64bit instructions in 32bit mode, but I want
* this to work on 32bit machines. Hack fix based on the wrapper pattern, we skip
* the first instruction (mov r10, rcx) here, the rest should decode ok.
* Xref PR 236203. */
if (expect_x64 && *pc == 0x4c && *(pc+1) == 0x8b && *(pc+2) == 0xd1)
pc += 3;
while (true) {
instr_reset(dcontext, instr);
pre_pc = pc;
pc = decode(dcontext, pc, instr);
if (verbose) {
instr_set_translation(instr, pre_pc);
dr_print_instr(dcontext, STDOUT, instr, "");
}
if (pc == NULL || !instr_valid(instr))
break;
if (instr_is_syscall(instr) || instr_is_call_indirect(instr)) {
/* If we see a syscall instr or an indirect call which is not syscall,
* we assume this is not a syscall wrapper.
*/
found_syscall = process_syscall_instr(dcontext, instr, found_eax, found_edx);
if (!found_syscall)
break; /* assume not a syscall wrapper, give up gracefully */
} else if (instr_is_return(instr)) {
/* we must break on return to avoid case like win8 x86
* which has sysenter callee adjacent-"inlined"
* ntdll!NtYieldExecution:
* 77d7422c b801000000 mov eax,1
* 77d74231 e801000000 call ntdll!NtYieldExecution+0xb (77d74237)
* 77d74236 c3 ret
* 77d74237 8bd4 mov edx,esp
* 77d74239 0f34 sysenter
* 77d7423b c3 ret
*/
if (!found_ret) {
process_ret(instr, info);
found_ret = true;
}
break;
} else if (instr_get_opcode(instr) == OP_call) {
found_syscall = process_syscall_call(dcontext, pc, instr,
found_eax, found_edx);
/* If we see a call and it is not a sysenter callee,
* we assume this is not a syscall wrapper.
*/
if (!found_syscall)
break; /* assume not a syscall wrapper, give up gracefully */
} else if (instr_is_cti(instr)) {
/* We expect only ctis like ret or ret imm, syscall, and call, which are
* handled above. Give up gracefully if we hit any other cti.
* XXX: what about jmp to shared ret (seen in the past on some syscalls)?
*/
/* Update: win10 TH2 1511 x64 has a cti:
* ntdll!NtContinue:
* 00007ff9`13185630 4c8bd1 mov r10,rcx
* 00007ff9`13185633 b843000000 mov eax,43h
* 00007ff9`13185638 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
* 00007ff9`13185640 7503 jne ntdll!NtContinue+0x15 (00007ff9`13185645)
* 00007ff9`13185642 0f05 syscall
* 00007ff9`13185644 c3 ret
* 00007ff9`13185645 cd2e int 2Eh
* 00007ff9`13185647 c3 ret
*/
if (expect_x64 && instr_is_cbr(instr) &&
opnd_get_pc(instr_get_target(instr)) == pc + 3/*syscall;ret*/) {
/* keep going */
} else
break;
} else if ((!found_eax || !found_edx || !found_ecx) &&
instr_get_opcode(instr) == OP_mov_imm &&
opnd_is_reg(instr_get_dst(instr, 0))) {
if (!found_eax && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EAX) {
info->sysnum = (int) opnd_get_immed_int(instr_get_src(instr, 0));
found_eax = true;
} else if (!found_edx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EDX) {
uint imm = (uint) opnd_get_immed_int(instr_get_src(instr, 0));
if (imm == 0x7ffe0300 ||
/* On Win10 the immed is ntdll!Wow64SystemServiceCall */
(expect_wow && imm > (ptr_uint_t)preferred &&
imm < (ptr_uint_t)preferred + img->SizeOfImage))
found_edx = true;
} else if (!found_ecx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
found_ecx = true;
info->fixup_index = (int) opnd_get_immed_int(instr_get_src(instr, 0));
}
} else if (instr_get_opcode(instr) == OP_xor &&
opnd_is_reg(instr_get_src(instr, 0)) &&
opnd_get_reg(instr_get_src(instr, 0)) == REG_ECX &&
opnd_is_reg(instr_get_dst(instr, 0)) &&
opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
/* xor to 0 */
found_ecx = true;
info->fixup_index = 0;
}
num_instr++;
if (num_instr > MAX_INSTRS_BEFORE_SYSCALL) /* wrappers should be short! */
break; /* avoid weird cases like NPXEMULATORTABLE */
}
instr_destroy(dcontext, instr);
return found_syscall;
}
/* returns whether found a syscall
* - found_eax: whether the caller has seen "mov imm => %eax"
* - found_edx: whether the caller has seen "mov $0x7ffe0300 => %edx",
* xref the comment in process_syscall_instr.
*/
static bool
process_syscall_call(void *dcontext, byte *next_pc, instr_t *call,
bool found_eax, bool found_edx)
{
int num_instr;
byte *pc;
instr_t instr;
bool found_syscall = false;
assert(instr_get_opcode(call) == OP_call && opnd_is_pc(instr_get_target(call)));
pc = opnd_get_pc(instr_get_target(call));
if (pc > next_pc + MAX_SYSENTER_CALLEE_OFFSET ||
pc <= next_pc /* assuming the call won't go backward */)
return false;
/* handle win8 x86 which has sysenter callee adjacent-"inlined"
* ntdll!NtYieldExecution:
* 77d7422c b801000000 mov eax,1
* 77d74231 e801000000 call ntdll!NtYieldExecution+0xb (77d74237)
* 77d74236 c3 ret
* 77d74237 8bd4 mov edx,esp
* 77d74239 0f34 sysenter
* 77d7423b c3 ret
*
* or DrMem-i#1366-c#2
* USER32!NtUserCreateWindowStation:
* 75caea7a b841110000 mov eax,0x1141
* 75caea7f e838000000 call user32!...+0xd (75caeabc)
* 75caea84 c22000 ret 0x20
* ...
* USER32!GetWindowStationName:
* 75caea8c 8bff mov edi,edi
* 75caea8e 55 push ebp
* ...
* 75caeabc 8bd4 mov edx,esp
* 75caeabe 0f34 sysenter
* 75caeac0 c3 ret
*/
/* We expect the win8 x86 sysenter adjacent "inlined" callee to be as simple as
* 75caeabc 8bd4 mov edx,esp
* 75caeabe 0f34 sysenter
* 75caeac0 c3 ret
*/
instr_init(dcontext, &instr);
num_instr = 0;
do {
instr_reset(dcontext, &instr);
pc = decode(dcontext, pc, &instr);
if (verbose)
dr_print_instr(dcontext, STDOUT, &instr, "");
if (pc == NULL || !instr_valid(&instr))
break;
if (instr_is_syscall(&instr) || instr_is_call_indirect(&instr)) {
found_syscall = process_syscall_instr(dcontext, &instr, found_eax, found_edx);
break;
} else if (instr_is_cti(&instr)) {
break;
}
num_instr++;
} while (num_instr <= MAX_INSTRS_SYSENTER_CALLEE);
instr_free(dcontext, &instr);
return found_syscall;
}
/* returns false on failure */
static bool
decode_syscall_num(void *dcontext, byte *entry, syscall_info_t *info)
{
/* FIXME: would like to fail gracefully rather than have a DR assertion
* on non-code! => use DEBUG=0 INTERNAL=1 DR build!
*/
bool found_syscall = false, found_eax = false, found_edx = false, found_ecx = false;
bool found_ret = false;
byte *pc;
int num_instr = 0;
instr_t *instr;
if (entry == NULL)
return false;
info->num_args = -1; /* if find sysnum but not args */
info->sysnum = -1;
info->fixup_index = -1;
instr = instr_create(dcontext);
pc = entry;
/* FIXME - we don't support decoding 64bit instructions in 32bit mode, but I want
* this to work on 32bit machines. Hack fix based on the wrapper pattern, we skip
* the first instruction (mov r10, rcx) here, the rest should decode ok.
* Xref PR 236203. */
if (expect_x64 && *pc == 0x4c && *(pc+1) == 0x8b && *(pc+2) == 0xd1)
pc += 3;
while (true) {
instr_reset(dcontext, instr);
pc = decode(dcontext, pc, instr);
if (verbose)
dr_print_instr(dcontext, STDOUT, instr, "");
if (pc == NULL || !instr_valid(instr))
break;
/* ASSUMPTION: a mov imm of 0x7ffe0300 into edx followed by an
* indirect call via edx is a system call on XP and later
* On XP SP1 it's call *edx, while on XP SP2 it's call *(edx)
* For wow it's a call through fs.
* FIXME - core exports various is_*_syscall routines (such as
* instr_is_wow64_syscall()) which we could use here instead of
* duplicating if they were more flexible about when they could
* be called (instr_is_wow64_syscall() for ex. asserts if not
* in a wow process).
*/
if (/* int 2e or x64 or win8 sysenter */
(instr_is_syscall(instr) && found_eax && (expect_int2e || expect_x64 || expect_sysenter)) ||
/* sysenter case */
(expect_sysenter && found_edx && found_eax &&
instr_is_call_indirect(instr) &&
/* XP SP{0,1}, 2003 SP0: call *edx */
((opnd_is_reg(instr_get_target(instr)) &&
opnd_get_reg(instr_get_target(instr)) == REG_EDX) ||
/* XP SP2, 2003 SP1: call *(edx) */
(opnd_is_base_disp(instr_get_target(instr)) &&
opnd_get_base(instr_get_target(instr)) == REG_EDX &&
opnd_get_index(instr_get_target(instr)) == REG_NULL &&
opnd_get_disp(instr_get_target(instr)) == 0))) ||
/* wow case
* we don't require found_ecx b/c win8 does not use ecx
*/
(expect_wow && found_eax &&
instr_is_call_indirect(instr) &&
opnd_is_far_base_disp(instr_get_target(instr)) &&
opnd_get_base(instr_get_target(instr)) == REG_NULL &&
opnd_get_index(instr_get_target(instr)) == REG_NULL &&
opnd_get_segment(instr_get_target(instr)) == SEG_FS)) {
found_syscall = true;
} else if (instr_is_return(instr)) {
if (!found_ret) {
process_ret(instr, info);
found_ret = true;
}
break;
} else if (instr_is_cti(instr)) {
if (instr_get_opcode(instr) == OP_call) {
/* handle win8 x86 which has sysenter callee adjacent-"inlined"
* ntdll!NtYieldExecution:
* 77d7422c b801000000 mov eax,1
* 77d74231 e801000000 call ntdll!NtYieldExecution+0xb (77d74237)
* 77d74236 c3 ret
* 77d74237 8bd4 mov edx,esp
* 77d74239 0f34 sysenter
* 77d7423b c3 ret
*/
byte *tgt;
assert(opnd_is_pc(instr_get_target(instr)));
tgt = opnd_get_pc(instr_get_target(instr));
/* we expect only ret or ret imm, and possibly some nops (in gdi32).
* XXX: what about jmp to shared ret (seen in the past on some syscalls)?
*/
if (tgt > pc && tgt <= pc + 16) {
bool ok = false;
do {
if (pc == tgt) {
ok = true;
break;
}
instr_reset(dcontext, instr);
pc = decode(dcontext, pc, instr);
if (verbose)
dr_print_instr(dcontext, STDOUT, instr, "");
if (instr_is_return(instr)) {
process_ret(instr, info);
found_ret = true;
} else if (!instr_is_nop(instr))
break;
num_instr++;
} while (num_instr <= MAX_INSTRS_BEFORE_SYSCALL);
if (ok)
continue;
}
}
/* assume not a syscall wrapper if we hit a cti */
break; /* give up gracefully */
} else if ((!found_eax || !found_edx || !found_ecx) &&
instr_get_opcode(instr) == OP_mov_imm &&
opnd_is_reg(instr_get_dst(instr, 0))) {
if (!found_eax && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EAX) {
info->sysnum = (int) opnd_get_immed_int(instr_get_src(instr, 0));
found_eax = true;
} else if (!found_edx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EDX) {
int imm = (int) opnd_get_immed_int(instr_get_src(instr, 0));
if (imm == 0x7ffe0300)
found_edx = true;
} else if (!found_ecx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
found_ecx = true;
info->fixup_index = (int) opnd_get_immed_int(instr_get_src(instr, 0));
}
} else if (instr_get_opcode(instr) == OP_xor &&
opnd_is_reg(instr_get_src(instr, 0)) &&
opnd_get_reg(instr_get_src(instr, 0)) == REG_ECX &&
opnd_is_reg(instr_get_dst(instr, 0)) &&
opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
/* xor to 0 */
found_ecx = true;
info->fixup_index = 0;
}
num_instr++;
if (num_instr > MAX_INSTRS_BEFORE_SYSCALL) /* wrappers should be short! */
break; /* avoid weird cases like NPXEMULATORTABLE */
}
instr_destroy(dcontext, instr);
return found_syscall;
}
static void
module_load_event(void *drcontext, const module_data_t *mod, bool loaded)
{
if (strstr(dr_module_preferred_name(mod),
"client.drwrap-test.appdll.") != NULL) {
bool ok;
instr_t inst;
app_pc init_pc, pc, next_pc;
load_count++;
if (load_count == 2) {
/* test no-frills */
drwrap_set_global_flags(DRWRAP_NO_FRILLS);
}
addr_replace = (app_pc) dr_get_proc_address(mod->handle, "replaceme");
CHECK(addr_replace != NULL, "cannot find lib export");
ok = drwrap_replace(addr_replace, (app_pc) replacewith, false);
CHECK(ok, "replace failed");
addr_replace2 = (app_pc) dr_get_proc_address(mod->handle, "replaceme2");
CHECK(addr_replace2 != NULL, "cannot find lib export");
ok = drwrap_replace_native(addr_replace2, (app_pc) replacewith2, true/*at entry*/,
0, (void *)(ptr_int_t)DRWRAP_NATIVE_PARAM, false);
CHECK(ok, "replace_native failed");
init_pc = (app_pc) dr_get_proc_address(mod->handle, "replace_callsite");
CHECK(init_pc != NULL, "cannot find lib export");
/* Find callsite: we assume we'll linearly hit a ret. We take final call
* to skip any PIC call.
*/
instr_init(drcontext, &inst);
pc = init_pc;
do {
instr_reset(drcontext, &inst);
next_pc = decode(drcontext, pc, &inst);
if (!instr_valid(&inst))
break;
/* if initial jmp, follow it to handle ILT-indirection */
if (pc == init_pc && instr_is_ubr(&inst))
next_pc = opnd_get_pc(instr_get_target(&inst));
else if (instr_is_call(&inst))
addr_replace_callsite = pc;
pc = next_pc;
} while (instr_valid(&inst) && !instr_is_return(&inst));
CHECK(addr_replace_callsite != NULL, "cannot find lib export");
ok = drwrap_replace_native(addr_replace_callsite, (app_pc) replace_callsite,
false/*!at entry*/, 0,
(void *)(ptr_int_t)DRWRAP_NATIVE_PARAM, false);
CHECK(ok, "replace_native failed");
instr_free(drcontext, &inst);
wrap_addr(&addr_level0, "level0", mod, true, true);
wrap_addr(&addr_level1, "level1", mod, true, true);
wrap_addr(&addr_level2, "level2", mod, true, true);
wrap_addr(&addr_tailcall, "makes_tailcall", mod, true, true);
wrap_addr(&addr_skipme, "skipme", mod, true, true);
wrap_addr(&addr_repeat, "repeatme", mod, true, true);
wrap_addr(&addr_preonly, "preonly", mod, true, false);
wrap_addr(&addr_postonly, "postonly", mod, false, true);
wrap_addr(&addr_runlots, "runlots", mod, false, true);
/* test longjmp */
wrap_unwindtest_addr(&addr_long0, "long0", mod);
wrap_unwindtest_addr(&addr_long1, "long1", mod);
wrap_unwindtest_addr(&addr_long2, "long2", mod);
wrap_unwindtest_addr(&addr_long3, "long3", mod);
wrap_unwindtest_addr(&addr_longdone, "longdone", mod);
drmgr_set_tls_field(drcontext, tls_idx, (void *)(ptr_uint_t)0);
#ifdef WINDOWS
/* test SEH */
/* we can't do this test for no-frills b/c only one wrap per addr */
if (load_count == 1) {
ok = drwrap_wrap_ex(addr_long0, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
ok = drwrap_wrap_ex(addr_long1, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
ok = drwrap_wrap_ex(addr_long2, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
ok = drwrap_wrap_ex(addr_long3, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
ok = drwrap_wrap_ex(addr_longdone, wrap_unwindtest_seh_pre,
wrap_unwindtest_seh_post,
NULL, DRWRAP_UNWIND_ON_EXCEPTION);
CHECK(ok, "wrap failed");
}
#endif
/* test leaner wrapping */
if (load_count == 2)
drwrap_set_global_flags(DRWRAP_NO_FRILLS | DRWRAP_FAST_CLEANCALLS);
wrap_addr(&addr_skip_flags, "skip_flags", mod, true, false);
}
}
/* Here we attempt to combine a loop involving ldex (load exclusive) and
* stex (store exclusive) into an OP_ldstex macro-instruction. The algorithm
* is roughly this:
*
* Decode up to (2 * N) instructions while:
* - none of them are indirect branches or system calls
* - none of them is a direct branch out of these (2 * N) instructions
* - none of them is OP_xx (to be safe)
* - there is, or might yet be, both ldex and stex in the first N
* - none of them is a non-branch PC-relative instruction: ADR, ADRP,
* PC-relative PRFM, literal load (this last condition could be removed
* if we mangled such instructions as we encountered them)
*
* To save time, give up if the first instruction is neither ldex nor stex
* and there is no branch to it.
* Take a sub-block containing both ldex and stex from the first N instructions.
* Expand this sub-block to a minimal single-entry single-exit block.
* Give up if the sub-block grows beyond N instructions.
* Finally, give up if the sub-block does not contain the first instruction.
* Also give up if the sub-block uses all of X0-X5 and the stolen register
* because we would be unable to mangle such a block.
*
* XXX: This function uses a lot of CPU time. It could be made faster in
* several ways, for example by caching decoded instructions or using a
* custom decoder to recognise the particular instructions that we care
* about here.
*/
byte *
decode_ldstex(dcontext_t *dcontext, byte *pc_, byte *orig_pc_, instr_t *instr_ldstex)
{
# define N (MAX_INSTR_LENGTH / AARCH64_INSTR_SIZE)
instr_t ibuf[2 * N];
uint *pc = (uint *)pc_;
uint *orig_pc = (uint *)orig_pc_;
bool seen_ldex = false;
bool seen_stex = false;
bool seen_branch_to_start = false;
bool failed = false;
int ldstex_beg = -1;
int ldstex_end = -1;
int i, len;
/* Decode up to 2 * N instructions. */
for (i = 0; i < N; i++) {
instr_t *instr = &ibuf[i];
instr_init(dcontext, instr);
decode_from_copy(dcontext, (byte *)(pc + i), (byte *)(orig_pc + i), instr);
if (instr_is_mbr_arch(instr) || instr_is_syscall(instr) ||
instr_get_opcode(instr) == OP_xx || instr_is_nonbranch_pcrel(instr))
break;
if (instr_is_ubr_arch(instr) || instr_is_cbr_arch(instr)) {
ptr_uint_t target = (ptr_uint_t)instr_get_branch_target_pc(instr);
if (target < (ptr_uint_t)pc || target > (ptr_uint_t)(pc + 2 * N))
break;
if (target == (ptr_uint_t)pc)
seen_branch_to_start = true;
}
if (instr_is_exclusive_load(instr))
seen_ldex = true;
if (instr_is_exclusive_store(instr))
seen_stex = true;
if (i + 1 >= N && !(seen_ldex && seen_stex))
break;
if (ldstex_beg == -1 && (seen_ldex || seen_stex))
ldstex_beg = i;
if (ldstex_end == -1 && (seen_ldex && seen_stex))
ldstex_end = i + 1;
}
if (i < N) {
instr_reset(dcontext, &ibuf[i]);
len = i;
} else
len = N;
/* Quick check for hopeless situations. */
if (len == 0 || !(seen_ldex && seen_stex) ||
!(seen_branch_to_start || (instr_is_exclusive_load(&ibuf[0]) ||
instr_is_exclusive_store(&ibuf[0])))) {
for (i = 0; i < len; i++)
instr_reset(dcontext, &ibuf[i]);
return NULL;
}
/* There are several ways we could choose a sub-block containing both ldex
* and stex from the first N instructions. Investigate further, perhaps.
* We have already set ldstex_beg and ldstex_end.
*/
ASSERT(ldstex_beg != -1 && ldstex_end != -1 && ldstex_beg < ldstex_end);
/* Expand ldstex sub-block until it is a single-entry single-exit block. */
for (;;) {
int new_beg = ldstex_beg;
int new_end = ldstex_end;
for (i = ldstex_beg; i < ldstex_end; i++) {
instr_t *instr = &ibuf[i];
if (instr_is_ubr_arch(instr) || instr_is_cbr_arch(instr)) {
int target = (uint *)instr_get_branch_target_pc(instr) - pc;
if (target > len) {
failed = true;
break;
}
if (target < new_beg)
new_beg = target;
if (target > new_end)
new_end = target;
}
}
if (new_beg == ldstex_beg && new_end == ldstex_end)
break;
ldstex_beg = new_beg;
ldstex_end = new_end;
}
if (ldstex_beg != 0)
failed = true;
if (!failed) {
/* Check whether the sub-block uses the stolen register and all of X0-X5.
* If it does, it would be impossible to mangle it so it is better not to
* create an OP_ldstex.
*/
reg_id_t regs[] = { dr_reg_stolen,
DR_REG_X0, DR_REG_X1, DR_REG_X2,
DR_REG_X3, DR_REG_X4, DR_REG_X5 };
int r;
for (r = 0; r < sizeof(regs) / sizeof(*regs); r++) {
for (i = ldstex_beg; i < ldstex_end; i++) {
if (instr_uses_reg(&ibuf[i], regs[r]))
break;
}
if (i >= ldstex_end)
break;
}
if (r >= sizeof(regs) / sizeof(*regs))
failed = true;
}
if (!failed) {
instr_create_ldstex(dcontext, ldstex_end - ldstex_beg,
pc + ldstex_beg, &ibuf[ldstex_beg], instr_ldstex);
}
for (i = 0; i < len; i++)
instr_reset(dcontext, &ibuf[i]);
return failed ? NULL : (byte *)(pc + ldstex_end);
}
