static dr_emit_flags_t
bb_event(void* drcontext, void *tag, instrlist_t *bb, bool for_trace, bool translating)
{
instr_t *instr, *next_instr;
int opcode;
for (instr = instrlist_first(bb); instr != NULL; instr = next_instr) {
next_instr = instr_get_next(instr);
opcode = instr_get_opcode(instr);
if(instr_is_floating(instr)){
// dr_fprintf(logF, "Has seen FPU instruction with opcode %d\n",opcode);
}
else if(is_SIMD_packed(opcode)){
// dr_fprintf(logF, "Has seen SIMD packed instruction with opcode %d\n",opcode);
}
//AVX?rcpps?
else if(is_SIMD_arithm(opcode)){
int is_single = 0;
// printf("opcode is %d\n", opcode);
// printf("number of sources %d\n", instr_num_srcs(instr));
// printf("number of dests %d\n", instr_num_dsts(instr));
//assert(number of sources = 2);
opnd_t source1 = instr_get_src(instr,0);
opnd_t source2 = instr_get_src(instr,1);
opnd_t dest = instr_get_dst(instr,0);
if(opnd_is_memory_reference(source1)){
// dr_print_instr(drcontext, logF, instr, "INSTR: ");
// dr_print_opnd(drcontext, logF, source1, "OPND1: ");
// dr_print_opnd(drcontext, logF, source2, "OPND2: ");
reg_id_t rd = opnd_get_reg(source2);
reg_id_t rs = opnd_get_reg_used(source1, 0);
dr_insert_clean_call(drcontext, bb, instr,
(void*) callback, true, 5,
OPND_CREATE_INTPTR(rs), OPND_CREATE_INTPTR(opnd_get_disp(source1)),
OPND_CREATE_INTPTR(rd), OPND_CREATE_INTPTR(opcode), OPND_CREATE_INTPTR(instr_get_app_pc(instr)));
}
else if(opnd_is_reg(source1) && opnd_is_reg(source2)){
reg_id_t reg1 = opnd_get_reg(source1);
reg_id_t reg2 = opnd_get_reg(source2);
dr_insert_clean_call(drcontext,bb,instr, (void*)getRegReg,
true, 4,
OPND_CREATE_INTPTR(reg1), OPND_CREATE_INTPTR(reg2)
,OPND_CREATE_INTPTR(opcode), OPND_CREATE_INTPTR(instr_get_app_pc(instr))
);
}
else{
//should not be the case, throw an exception
}
fp_count++;
}
}
return DR_EMIT_DEFAULT;
}
/* XXX: exporting this so drwrap can use it but I might prefer to have
* this in drutil or the upcoming drsys
*/
DR_EXPORT
int
drmgr_decode_sysnum_from_wrapper(app_pc entry)
{
void *drcontext = dr_get_current_drcontext();
int num = -1;
byte *pc = entry;
uint opc;
instr_t instr;
instr_init(drcontext, &instr);
do {
instr_reset(drcontext, &instr);
pc = decode(drcontext, pc, &instr);
if (!instr_valid(&instr))
break; /* unknown system call sequence */
opc = instr_get_opcode(&instr);
/* sanity check: wrapper should be short */
if (pc - entry > 20)
break; /* unknown system call sequence */
if (opc == OP_mov_imm && opnd_is_reg(instr_get_dst(&instr, 0)) &&
opnd_get_reg(instr_get_dst(&instr, 0)) == DR_REG_EAX &&
opnd_is_immed_int(instr_get_src(&instr, 0))) {
num = (int) opnd_get_immed_int(instr_get_src(&instr, 0));
break; /* success */
}
/* stop at call to vsyscall (wow64) or at int itself */
} while (opc != OP_call_ind && opc != OP_int &&
opc != OP_sysenter && opc != OP_syscall);
instr_free(drcontext, &instr);
return num;
}
static inline void collect_regs(
unsigned long *regs,
instr_t *instr,
int (*num_ops)(instr_t *),
opnd_t (*get_op)(instr_t *, uint)
) {
int i;
opnd_t opnd;
// make sure these regs are always seen as "used"
*regs |= (1 << DR_REG_NULL);
for(i=0; i < num_ops(instr); i++) {
opnd = get_op(instr, i);
if(opnd_is_reg(opnd)) {
collect_reg(regs, opnd_get_reg(opnd));
} else if(opnd_is_base_disp(opnd)) {
collect_reg(regs, opnd_get_base(opnd));
collect_reg(regs, opnd_get_index(opnd));
}
}
collect_reg(regs, DR_REG_RSP);
collect_reg(regs, DR_REG_RBP);
collect_reg(regs, DR_REG_RAX);
collect_reg(regs, DR_REG_RDX);
}
static dr_emit_flags_t
event_app_analysis(void *drcontext, void *tag, instrlist_t *bb,
bool for_trace, bool translating, OUT void **user_data)
{
instr_t *inst, *label;
bool prev_was_mov_const = false;
ptr_int_t val1, val2;
*user_data = NULL;
/* Look for duplicate mov immediates telling us which subtest we're in */
for (inst = instrlist_first_app(bb); inst != NULL; inst = instr_get_next_app(inst)) {
if (instr_is_mov_constant(inst, prev_was_mov_const ? &val2 : &val1)) {
if (prev_was_mov_const && val1 == val2 &&
val1 != 0 && /* rule out xor w/ self */
opnd_is_reg(instr_get_dst(inst, 0)) &&
opnd_get_reg(instr_get_dst(inst, 0)) == TEST_REG) {
*user_data = (void *) val1;
label = INSTR_CREATE_label(drcontext);
instr_set_translation(label, instr_get_app_pc(inst));
instrlist_meta_postinsert(bb, inst, label);
} else
prev_was_mov_const = true;
} else
prev_was_mov_const = false;
}
return DR_EMIT_DEFAULT;
}
static print_base_disp_for_lea(file_t file, opnd_t opnd){
/* [base + index * scale + disp] */
dr_fprintf(file, " base - %d %s\n", opnd_get_base(opnd), get_register_name(opnd_get_base(opnd)));
dr_fprintf(file, " index - %d %s\n", opnd_get_index(opnd), get_register_name(opnd_get_index(opnd)));
dr_fprintf(file, "reg - %d\n", opnd_is_reg(opnd_create_reg(opnd_get_index(opnd))));
dr_fprintf(file, " scale - %d\n", opnd_get_scale(opnd));
dr_fprintf(file, " disp - %d\n", opnd_get_disp(opnd));
}
static uint calculate_operands(instr_t * instr,uint dst_or_src){
opnd_t op;
int i;
int ret = 0;
if(dst_or_src == DST_TYPE){
for(i=0; i<instr_num_dsts(instr); i++){
op = instr_get_dst(instr,i);
if(opnd_is_immed(op) ||
opnd_is_memory_reference(op) ||
opnd_is_reg(op)){
ret++;
}
}
}
else if(dst_or_src == SRC_TYPE){
for(i=0; i<instr_num_srcs(instr); i++){
op = instr_get_src(instr,i);
if (instr_get_opcode(instr) == OP_lea && opnd_is_base_disp(op)){
ret += 4;
}
else if (opnd_is_immed(op) ||
opnd_is_memory_reference(op) ||
opnd_is_reg(op)){
ret++;
}
}
}
return ret;
}
static bool
instr_is_reg_restore(instr_t *instr, reg_id_t reg, umbra_info_t *info)
{
opnd_t opnd;
int slot;
if (instr_get_opcode(instr) != OP_mov_ld)
return false;
opnd = instr_get_dst(instr, 0);
if (!opnd_is_reg(opnd) || opnd_get_reg(opnd) != reg)
return false;
slot = reg - REG_SPILL_START;
opnd = OPND_CREATE_ABSMEM(&info->spill_regs[slot], OPSZ_PTR);
if (opnd_same(opnd, instr_get_src(instr, 0)))
return true;
return false;
}
/* returns whether found a syscall
* - found_eax: whether the caller has seen "mov imm => %eax"
* - found_edx: whether the caller has seen "mov $0x7ffe0300 => %edx",
* xref the comment below about "mov $0x7ffe0300 => %edx".
*/
static bool
process_syscall_instr(void *dcontext, instr_t *instr, bool found_eax, bool found_edx)
{
/* ASSUMPTION: a mov imm of 0x7ffe0300 into edx followed by an
* indirect call via edx is a system call on XP and later
* On XP SP1 it's call *edx, while on XP SP2 it's call *(edx)
* For wow it's a call through fs.
* FIXME - core exports various is_*_syscall routines (such as
* instr_is_wow64_syscall()) which we could use here instead of
* duplicating if they were more flexible about when they could
* be called (instr_is_wow64_syscall() for ex. asserts if not
* in a wow process).
*/
if (/* int 2e or x64 or win8 sysenter */
(instr_is_syscall(instr) &&
found_eax && (expect_int2e || expect_x64 || expect_sysenter)) ||
/* sysenter case */
(expect_sysenter && found_edx && found_eax &&
instr_is_call_indirect(instr) &&
/* XP SP{0,1}, 2003 SP0: call *edx */
((opnd_is_reg(instr_get_target(instr)) &&
opnd_get_reg(instr_get_target(instr)) == REG_EDX) ||
/* XP SP2, 2003 SP1: call *(edx) */
(opnd_is_base_disp(instr_get_target(instr)) &&
opnd_get_base(instr_get_target(instr)) == REG_EDX &&
opnd_get_index(instr_get_target(instr)) == REG_NULL &&
opnd_get_disp(instr_get_target(instr)) == 0))) ||
/* wow case
* we don't require found_ecx b/c win8 does not use ecx
*/
(expect_wow && found_eax &&
instr_is_call_indirect(instr) &&
((opnd_is_far_base_disp(instr_get_target(instr)) &&
opnd_get_base(instr_get_target(instr)) == REG_NULL &&
opnd_get_index(instr_get_target(instr)) == REG_NULL &&
opnd_get_segment(instr_get_target(instr)) == SEG_FS) ||
/* win10 has imm in edx and a near call */
found_edx)))
return true;
return false;
}
/* prints out the operands / populates the operands in the instrace mode */
static void output_populator_printer(void * drcontext, opnd_t opnd, instr_t * instr, uint64 addr, uint mem_type, operand_t * output){
int value;
float float_value;
uint width;
int i;
per_thread_t * data = drmgr_get_tls_field(drcontext,tls_index);
if(opnd_is_reg(opnd)){
value = opnd_get_reg(opnd);
if (value != DR_REG_NULL){
width = opnd_size_in_bytes(reg_get_size(value));
}
else{
width = 0;
}
#ifdef READABLE_TRACE
dr_fprintf(data->outfile,",%u,%u,%u",REG_TYPE, width, value);
#else
output->type = REG_TYPE;
output->width = width;
output->value = value;
#endif
}
else if(opnd_is_immed(opnd)){
//DR_ASSERT(opnd_is_immed_float(opnd) == false);
if(opnd_is_immed_float(opnd)){
width = opnd_size_in_bytes(opnd_get_size(opnd));
if (instr_get_opcode(instr) == OP_fld1){
dr_fprintf(data->outfile, ",%u,%u,1", IMM_FLOAT_TYPE, width);
}
else if (instr_get_opcode(instr) == OP_fldz){
dr_fprintf(data->outfile, ",%u,%u,0", IMM_FLOAT_TYPE, width);
}
else{
dr_messagebox("immediate float unknown\n");
dr_abort();
}
//float_value = opnd_get_immed_float(opnd);
#ifdef READABLE_TRACE
//dr_fprintf(data->outfile,",%u,%u,%.4f",IMM_FLOAT_TYPE,width,float_value);
#else
output->type = IMM_FLOAT_TYPE;
output->width = width;
output->float_value = float_value;
#endif
}
if(opnd_is_immed_int(opnd)){
width = opnd_size_in_bytes(opnd_get_size(opnd));
value = opnd_get_immed_int(opnd);
#ifdef READABLE_TRACE
dr_fprintf(data->outfile,",%u,%u,%d",IMM_INT_TYPE,width,value);
#else
output->type = IMM_INT_TYPE;
output->width = width;
output->value = value;
#endif
}
}
else if(opnd_is_memory_reference(opnd)){
width = drutil_opnd_mem_size_in_bytes(opnd,instr);
#ifdef READABLE_TRACE
dr_fprintf(data->outfile, ",%u,%u,%llu",mem_type,width,addr);
#else
output->type = mem_type;
output->width = width;
output->float_value = addr;
#endif
}
}
/* returns false on failure */
static bool
decode_syscall_num(void *dcontext, byte *entry, syscall_info_t *info, LOADED_IMAGE *img)
{
/* FIXME: would like to fail gracefully rather than have a DR assertion
* on non-code! => use DEBUG=0 INTERNAL=1 DR build!
*/
bool found_syscall = false, found_eax = false, found_edx = false, found_ecx = false;
bool found_ret = false;
byte *pc, *pre_pc;
int num_instr = 0;
instr_t *instr;
byte *preferred = get_preferred_base(img);
if (entry == NULL)
return false;
info->num_args = -1; /* if find sysnum but not args */
info->sysnum = -1;
info->fixup_index = -1;
instr = instr_create(dcontext);
pc = entry;
/* FIXME - we don't support decoding 64bit instructions in 32bit mode, but I want
* this to work on 32bit machines. Hack fix based on the wrapper pattern, we skip
* the first instruction (mov r10, rcx) here, the rest should decode ok.
* Xref PR 236203. */
if (expect_x64 && *pc == 0x4c && *(pc+1) == 0x8b && *(pc+2) == 0xd1)
pc += 3;
while (true) {
instr_reset(dcontext, instr);
pre_pc = pc;
pc = decode(dcontext, pc, instr);
if (verbose) {
instr_set_translation(instr, pre_pc);
dr_print_instr(dcontext, STDOUT, instr, "");
}
if (pc == NULL || !instr_valid(instr))
break;
if (instr_is_syscall(instr) || instr_is_call_indirect(instr)) {
/* If we see a syscall instr or an indirect call which is not syscall,
* we assume this is not a syscall wrapper.
*/
found_syscall = process_syscall_instr(dcontext, instr, found_eax, found_edx);
if (!found_syscall)
break; /* assume not a syscall wrapper, give up gracefully */
} else if (instr_is_return(instr)) {
/* we must break on return to avoid case like win8 x86
* which has sysenter callee adjacent-"inlined"
* ntdll!NtYieldExecution:
* 77d7422c b801000000 mov eax,1
* 77d74231 e801000000 call ntdll!NtYieldExecution+0xb (77d74237)
* 77d74236 c3 ret
* 77d74237 8bd4 mov edx,esp
* 77d74239 0f34 sysenter
* 77d7423b c3 ret
*/
if (!found_ret) {
process_ret(instr, info);
found_ret = true;
}
break;
} else if (instr_get_opcode(instr) == OP_call) {
found_syscall = process_syscall_call(dcontext, pc, instr,
found_eax, found_edx);
/* If we see a call and it is not a sysenter callee,
* we assume this is not a syscall wrapper.
*/
if (!found_syscall)
break; /* assume not a syscall wrapper, give up gracefully */
} else if (instr_is_cti(instr)) {
/* We expect only ctis like ret or ret imm, syscall, and call, which are
* handled above. Give up gracefully if we hit any other cti.
* XXX: what about jmp to shared ret (seen in the past on some syscalls)?
*/
/* Update: win10 TH2 1511 x64 has a cti:
* ntdll!NtContinue:
* 00007ff9`13185630 4c8bd1 mov r10,rcx
* 00007ff9`13185633 b843000000 mov eax,43h
* 00007ff9`13185638 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
* 00007ff9`13185640 7503 jne ntdll!NtContinue+0x15 (00007ff9`13185645)
* 00007ff9`13185642 0f05 syscall
* 00007ff9`13185644 c3 ret
* 00007ff9`13185645 cd2e int 2Eh
* 00007ff9`13185647 c3 ret
*/
if (expect_x64 && instr_is_cbr(instr) &&
opnd_get_pc(instr_get_target(instr)) == pc + 3/*syscall;ret*/) {
/* keep going */
} else
break;
} else if ((!found_eax || !found_edx || !found_ecx) &&
instr_get_opcode(instr) == OP_mov_imm &&
opnd_is_reg(instr_get_dst(instr, 0))) {
if (!found_eax && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EAX) {
info->sysnum = (int) opnd_get_immed_int(instr_get_src(instr, 0));
found_eax = true;
} else if (!found_edx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EDX) {
uint imm = (uint) opnd_get_immed_int(instr_get_src(instr, 0));
if (imm == 0x7ffe0300 ||
/* On Win10 the immed is ntdll!Wow64SystemServiceCall */
(expect_wow && imm > (ptr_uint_t)preferred &&
imm < (ptr_uint_t)preferred + img->SizeOfImage))
found_edx = true;
} else if (!found_ecx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
found_ecx = true;
info->fixup_index = (int) opnd_get_immed_int(instr_get_src(instr, 0));
}
} else if (instr_get_opcode(instr) == OP_xor &&
opnd_is_reg(instr_get_src(instr, 0)) &&
opnd_get_reg(instr_get_src(instr, 0)) == REG_ECX &&
opnd_is_reg(instr_get_dst(instr, 0)) &&
opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
/* xor to 0 */
found_ecx = true;
info->fixup_index = 0;
}
num_instr++;
if (num_instr > MAX_INSTRS_BEFORE_SYSCALL) /* wrappers should be short! */
break; /* avoid weird cases like NPXEMULATORTABLE */
}
instr_destroy(dcontext, instr);
return found_syscall;
}
/* returns false on failure */
static bool
decode_syscall_num(void *dcontext, byte *entry, syscall_info_t *info)
{
/* FIXME: would like to fail gracefully rather than have a DR assertion
* on non-code! => use DEBUG=0 INTERNAL=1 DR build!
*/
bool found_syscall = false, found_eax = false, found_edx = false, found_ecx = false;
bool found_ret = false;
byte *pc;
int num_instr = 0;
instr_t *instr;
if (entry == NULL)
return false;
info->num_args = -1; /* if find sysnum but not args */
info->sysnum = -1;
info->fixup_index = -1;
instr = instr_create(dcontext);
pc = entry;
/* FIXME - we don't support decoding 64bit instructions in 32bit mode, but I want
* this to work on 32bit machines. Hack fix based on the wrapper pattern, we skip
* the first instruction (mov r10, rcx) here, the rest should decode ok.
* Xref PR 236203. */
if (expect_x64 && *pc == 0x4c && *(pc+1) == 0x8b && *(pc+2) == 0xd1)
pc += 3;
while (true) {
instr_reset(dcontext, instr);
pc = decode(dcontext, pc, instr);
if (verbose)
dr_print_instr(dcontext, STDOUT, instr, "");
if (pc == NULL || !instr_valid(instr))
break;
/* ASSUMPTION: a mov imm of 0x7ffe0300 into edx followed by an
* indirect call via edx is a system call on XP and later
* On XP SP1 it's call *edx, while on XP SP2 it's call *(edx)
* For wow it's a call through fs.
* FIXME - core exports various is_*_syscall routines (such as
* instr_is_wow64_syscall()) which we could use here instead of
* duplicating if they were more flexible about when they could
* be called (instr_is_wow64_syscall() for ex. asserts if not
* in a wow process).
*/
if (/* int 2e or x64 or win8 sysenter */
(instr_is_syscall(instr) && found_eax && (expect_int2e || expect_x64 || expect_sysenter)) ||
/* sysenter case */
(expect_sysenter && found_edx && found_eax &&
instr_is_call_indirect(instr) &&
/* XP SP{0,1}, 2003 SP0: call *edx */
((opnd_is_reg(instr_get_target(instr)) &&
opnd_get_reg(instr_get_target(instr)) == REG_EDX) ||
/* XP SP2, 2003 SP1: call *(edx) */
(opnd_is_base_disp(instr_get_target(instr)) &&
opnd_get_base(instr_get_target(instr)) == REG_EDX &&
opnd_get_index(instr_get_target(instr)) == REG_NULL &&
opnd_get_disp(instr_get_target(instr)) == 0))) ||
/* wow case
* we don't require found_ecx b/c win8 does not use ecx
*/
(expect_wow && found_eax &&
instr_is_call_indirect(instr) &&
opnd_is_far_base_disp(instr_get_target(instr)) &&
opnd_get_base(instr_get_target(instr)) == REG_NULL &&
opnd_get_index(instr_get_target(instr)) == REG_NULL &&
opnd_get_segment(instr_get_target(instr)) == SEG_FS)) {
found_syscall = true;
} else if (instr_is_return(instr)) {
if (!found_ret) {
process_ret(instr, info);
found_ret = true;
}
break;
} else if (instr_is_cti(instr)) {
if (instr_get_opcode(instr) == OP_call) {
/* handle win8 x86 which has sysenter callee adjacent-"inlined"
* ntdll!NtYieldExecution:
* 77d7422c b801000000 mov eax,1
* 77d74231 e801000000 call ntdll!NtYieldExecution+0xb (77d74237)
* 77d74236 c3 ret
* 77d74237 8bd4 mov edx,esp
* 77d74239 0f34 sysenter
* 77d7423b c3 ret
*/
byte *tgt;
assert(opnd_is_pc(instr_get_target(instr)));
tgt = opnd_get_pc(instr_get_target(instr));
/* we expect only ret or ret imm, and possibly some nops (in gdi32).
* XXX: what about jmp to shared ret (seen in the past on some syscalls)?
*/
if (tgt > pc && tgt <= pc + 16) {
bool ok = false;
do {
if (pc == tgt) {
ok = true;
break;
}
instr_reset(dcontext, instr);
pc = decode(dcontext, pc, instr);
if (verbose)
dr_print_instr(dcontext, STDOUT, instr, "");
if (instr_is_return(instr)) {
process_ret(instr, info);
found_ret = true;
} else if (!instr_is_nop(instr))
break;
num_instr++;
} while (num_instr <= MAX_INSTRS_BEFORE_SYSCALL);
if (ok)
continue;
}
}
/* assume not a syscall wrapper if we hit a cti */
break; /* give up gracefully */
} else if ((!found_eax || !found_edx || !found_ecx) &&
instr_get_opcode(instr) == OP_mov_imm &&
opnd_is_reg(instr_get_dst(instr, 0))) {
if (!found_eax && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EAX) {
info->sysnum = (int) opnd_get_immed_int(instr_get_src(instr, 0));
found_eax = true;
} else if (!found_edx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_EDX) {
int imm = (int) opnd_get_immed_int(instr_get_src(instr, 0));
if (imm == 0x7ffe0300)
found_edx = true;
} else if (!found_ecx && opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
found_ecx = true;
info->fixup_index = (int) opnd_get_immed_int(instr_get_src(instr, 0));
}
} else if (instr_get_opcode(instr) == OP_xor &&
opnd_is_reg(instr_get_src(instr, 0)) &&
opnd_get_reg(instr_get_src(instr, 0)) == REG_ECX &&
opnd_is_reg(instr_get_dst(instr, 0)) &&
opnd_get_reg(instr_get_dst(instr, 0)) == REG_ECX) {
/* xor to 0 */
found_ecx = true;
info->fixup_index = 0;
}
num_instr++;
if (num_instr > MAX_INSTRS_BEFORE_SYSCALL) /* wrappers should be short! */
break; /* avoid weird cases like NPXEMULATORTABLE */
}
instr_destroy(dcontext, instr);
return found_syscall;
}
