1From 22ea0cea595e1b44b46c520243f2292bc4e3d943 Mon Sep 17 00:00:00 2001 2From: Toshihito Kikuchi <leamovret@gmail.com> 3Date: Tue, 21 Sep 2021 15:49:03 -0700 4Subject: [PATCH] [compiler-rt] [windows] Add more assembly patterns for 5 interception 6 7To intercept the functions in Win11's ntdll.dll, we need to use the trampoline 8technique because there are bytes other than 0x90 or 0xcc in the gaps between 9exported functions. This patch adds more patterns that appear in ntdll's 10functions. 11 12Bug: https://bugs.llvm.org/show_bug.cgi?id=51721 13 14Reviewed By: rnk 15 16Differential Revision: https://reviews.llvm.org/D109941 17--- 18 .../lib/interception/interception_win.cpp | 46 +++++++++++++++++++ 19 .../tests/interception_win_test.cpp | 45 ++++++++++++++++++ 20 2 files changed, 91 insertions(+) 21 22diff --git a/compiler-rt/lib/interception/interception_win.cpp b/compiler-rt/lib/interception/interception_win.cpp 23index 635499c2b385..38b8c058246a 100644 24--- a/compiler-rt/lib/interception/interception_win.cpp 25+++ b/compiler-rt/lib/interception/interception_win.cpp 26@@ -398,8 +398,42 @@ static uptr AllocateMemoryForTrampoline(uptr image_address, size_t size) { 27 return allocated_space; 28 } 29 30+// The following prologues cannot be patched because of the short jump 31+// jumping to the patching region. 32+ 33+// ntdll!wcslen in Win11 34+// 488bc1 mov rax,rcx 35+// 0fb710 movzx edx,word ptr [rax] 36+// 4883c002 add rax,2 37+// 6685d2 test dx,dx 38+// 75f4 jne -12 39+static const u8 kPrologueWithShortJump1[] = { 40+ 0x48, 0x8b, 0xc1, 0x0f, 0xb7, 0x10, 0x48, 0x83, 41+ 0xc0, 0x02, 0x66, 0x85, 0xd2, 0x75, 0xf4, 42+}; 43+ 44+// ntdll!strrchr in Win11 45+// 4c8bc1 mov r8,rcx 46+// 8a01 mov al,byte ptr [rcx] 47+// 48ffc1 inc rcx 48+// 84c0 test al,al 49+// 75f7 jne -9 50+static const u8 kPrologueWithShortJump2[] = { 51+ 0x4c, 0x8b, 0xc1, 0x8a, 0x01, 0x48, 0xff, 0xc1, 52+ 0x84, 0xc0, 0x75, 0xf7, 53+}; 54+ 55 // Returns 0 on error. 56 static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) { 57+#if SANITIZER_WINDOWS64 58+ if (memcmp((u8*)address, kPrologueWithShortJump1, 59+ sizeof(kPrologueWithShortJump1)) == 0 || 60+ memcmp((u8*)address, kPrologueWithShortJump2, 61+ sizeof(kPrologueWithShortJump2)) == 0) { 62+ return 0; 63+ } 64+#endif 65+ 66 switch (*(u64*)address) { 67 case 0x90909090909006EB: // stub: jmp over 6 x nop. 68 return 8; 69@@ -477,6 +511,14 @@ static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) { 70 case 0xA1: // A1 XX XX XX XX XX XX XX XX : 71 // movabs eax, dword ptr ds:[XXXXXXXX] 72 return 9; 73+ 74+ case 0x83: 75+ const u8 next_byte = *(u8*)(address + 1); 76+ const u8 mod = next_byte >> 6; 77+ const u8 rm = next_byte & 7; 78+ if (mod == 1 && rm == 4) 79+ return 5; // 83 ModR/M SIB Disp8 Imm8 80+ // add|or|adc|sbb|and|sub|xor|cmp [r+disp8], imm8 81 } 82 83 switch (*(u16*)address) { 84@@ -493,6 +535,8 @@ static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) { 85 case 0x5641: // push r14 86 case 0x5741: // push r15 87 case 0x9066: // Two-byte NOP 88+ case 0xc084: // test al, al 89+ case 0x018a: // mov al, byte ptr [rcx] 90 return 2; 91 92 case 0x058B: // 8B 05 XX XX XX XX : mov eax, dword ptr [XX XX XX XX] 93@@ -509,6 +553,7 @@ static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) { 94 case 0xd12b48: // 48 2b d1 : sub rdx, rcx 95 case 0x07c1f6: // f6 c1 07 : test cl, 0x7 96 case 0xc98548: // 48 85 C9 : test rcx, rcx 97+ case 0xd28548: // 48 85 d2 : test rdx, rdx 98 case 0xc0854d: // 4d 85 c0 : test r8, r8 99 case 0xc2b60f: // 0f b6 c2 : movzx eax, dl 100 case 0xc03345: // 45 33 c0 : xor r8d, r8d 101@@ -522,6 +567,7 @@ static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) { 102 case 0xca2b48: // 48 2b ca : sub rcx, rdx 103 case 0x10b70f: // 0f b7 10 : movzx edx, WORD PTR [rax] 104 case 0xc00b4d: // 3d 0b c0 : or r8, r8 105+ case 0xc08b41: // 41 8b c0 : mov eax, r8d 106 case 0xd18b48: // 48 8b d1 : mov rdx, rcx 107 case 0xdc8b4c: // 4c 8b dc : mov r11, rsp 108 case 0xd18b4c: // 4c 8b d1 : mov r10, rcx 109diff --git a/compiler-rt/lib/interception/tests/interception_win_test.cpp b/compiler-rt/lib/interception/tests/interception_win_test.cpp 110index f8ab4ec67443..084a98602969 100644 111--- a/compiler-rt/lib/interception/tests/interception_win_test.cpp 112+++ b/compiler-rt/lib/interception/tests/interception_win_test.cpp 113@@ -208,6 +208,28 @@ const u8 kUnpatchableCode6[] = { 114 0x90, 0x90, 0x90, 0x90, 115 }; 116 117+const u8 kUnpatchableCode7[] = { 118+ 0x33, 0xc0, // xor eax,eax 119+ 0x48, 0x85, 0xd2, // test rdx,rdx 120+ 0x74, 0x10, // je +16 (unpatchable) 121+}; 122+ 123+const u8 kUnpatchableCode8[] = { 124+ 0x48, 0x8b, 0xc1, // mov rax,rcx 125+ 0x0f, 0xb7, 0x10, // movzx edx,word ptr [rax] 126+ 0x48, 0x83, 0xc0, 0x02, // add rax,2 127+ 0x66, 0x85, 0xd2, // test dx,dx 128+ 0x75, 0xf4, // jne -12 (unpatchable) 129+}; 130+ 131+const u8 kUnpatchableCode9[] = { 132+ 0x4c, 0x8b, 0xc1, // mov r8,rcx 133+ 0x8a, 0x01, // mov al,byte ptr [rcx] 134+ 0x48, 0xff, 0xc1, // inc rcx 135+ 0x84, 0xc0, // test al,al 136+ 0x75, 0xf7, // jne -9 (unpatchable) 137+}; 138+ 139 const u8 kPatchableCode6[] = { 140 0x48, 0x89, 0x54, 0x24, 0xBB, // mov QWORD PTR [rsp + 0xBB], rdx 141 0x33, 0xC9, // xor ecx,ecx 142@@ -226,6 +248,23 @@ const u8 kPatchableCode8[] = { 143 0xC3, // ret 144 }; 145 146+const u8 kPatchableCode9[] = { 147+ 0x8a, 0x01, // al,byte ptr [rcx] 148+ 0x45, 0x33, 0xc0, // xor r8d,r8d 149+ 0x84, 0xc0, // test al,al 150+}; 151+ 152+const u8 kPatchableCode10[] = { 153+ 0x45, 0x33, 0xc0, // xor r8d,r8d 154+ 0x41, 0x8b, 0xc0, // mov eax,r8d 155+ 0x48, 0x85, 0xd2, // test rdx,rdx 156+}; 157+ 158+const u8 kPatchableCode11[] = { 159+ 0x48, 0x83, 0xec, 0x38, // sub rsp,38h 160+ 0x83, 0x64, 0x24, 0x28, 0x00, // and dword ptr [rsp+28h],0 161+}; 162+ 163 // A buffer holding the dynamically generated code under test. 164 u8* ActiveCode; 165 const size_t ActiveCodeLength = 4096; 166@@ -610,6 +649,12 @@ TEST(Interception, PatchableFunctionWithTrampoline) { 167 EXPECT_TRUE(TestFunctionPatching(kPatchableCode2, override, prefix)); 168 #if SANITIZER_WINDOWS64 169 EXPECT_FALSE(TestFunctionPatching(kPatchableCode3, override, prefix)); 170+ EXPECT_TRUE(TestFunctionPatching(kPatchableCode9, override, prefix)); 171+ EXPECT_TRUE(TestFunctionPatching(kPatchableCode10, override, prefix)); 172+ EXPECT_TRUE(TestFunctionPatching(kPatchableCode11, override, prefix)); 173+ EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode7, override, prefix)); 174+ EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode8, override, prefix)); 175+ EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode9, override, prefix)); 176 #else 177 EXPECT_TRUE(TestFunctionPatching(kPatchableCode3, override, prefix)); 178 #endif 179-- 1802.28.0.windows.1 181 182