1From 22ea0cea595e1b44b46c520243f2292bc4e3d943 Mon Sep 17 00:00:00 2001
2From: Toshihito Kikuchi <leamovret@gmail.com>
3Date: Tue, 21 Sep 2021 15:49:03 -0700
4Subject: [PATCH] [compiler-rt] [windows] Add more assembly patterns for
5 interception
6
7To intercept the functions in Win11's ntdll.dll, we need to use the trampoline
8technique because there are bytes other than 0x90 or 0xcc in the gaps between
9exported functions.  This patch adds more patterns that appear in ntdll's
10functions.
11
12Bug: https://bugs.llvm.org/show_bug.cgi?id=51721
13
14Reviewed By: rnk
15
16Differential Revision: https://reviews.llvm.org/D109941
17---
18 .../lib/interception/interception_win.cpp     | 46 +++++++++++++++++++
19 .../tests/interception_win_test.cpp           | 45 ++++++++++++++++++
20 2 files changed, 91 insertions(+)
21
22diff --git a/compiler-rt/lib/interception/interception_win.cpp b/compiler-rt/lib/interception/interception_win.cpp
23index 635499c2b385..38b8c058246a 100644
24--- a/compiler-rt/lib/interception/interception_win.cpp
25+++ b/compiler-rt/lib/interception/interception_win.cpp
26@@ -398,8 +398,42 @@ static uptr AllocateMemoryForTrampoline(uptr image_address, size_t size) {
27   return allocated_space;
28 }
29
30+// The following prologues cannot be patched because they contain a short
31+// jump whose target lies inside the region that patching would overwrite.
32+
33+// ntdll!wcslen in Win11
34+//   488bc1          mov     rax,rcx
35+//   0fb710          movzx   edx,word ptr [rax]
36+//   4883c002        add     rax,2
37+//   6685d2          test    dx,dx
38+//   75f4            jne     -12
39+static const u8 kPrologueWithShortJump1[] = {
40+    0x48, 0x8b, 0xc1, 0x0f, 0xb7, 0x10, 0x48, 0x83,
41+    0xc0, 0x02, 0x66, 0x85, 0xd2, 0x75, 0xf4,
42+};
43+
44+// ntdll!strrchr in Win11
45+//   4c8bc1          mov     r8,rcx
46+//   8a01            mov     al,byte ptr [rcx]
47+//   48ffc1          inc     rcx
48+//   84c0            test    al,al
49+//   75f7            jne     -9
50+static const u8 kPrologueWithShortJump2[] = {
51+    0x4c, 0x8b, 0xc1, 0x8a, 0x01, 0x48, 0xff, 0xc1,
52+    0x84, 0xc0, 0x75, 0xf7,
53+};
54+
55 // Returns 0 on error.
56 static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) {
57+#if SANITIZER_WINDOWS64
58+  if (memcmp((u8*)address, kPrologueWithShortJump1,
59+             sizeof(kPrologueWithShortJump1)) == 0 ||
60+      memcmp((u8*)address, kPrologueWithShortJump2,
61+             sizeof(kPrologueWithShortJump2)) == 0) {
62+    return 0;
63+  }
64+#endif
65+
66   switch (*(u64*)address) {
67     case 0x90909090909006EB:  // stub: jmp over 6 x nop.
68       return 8;
69@@ -477,6 +511,14 @@ static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) {
70     case 0xA1:  // A1 XX XX XX XX XX XX XX XX :
71                 //   movabs eax, dword ptr ds:[XXXXXXXX]
72       return 9;
73+
74+    case 0x83:
75+      const u8 next_byte = *(u8*)(address + 1);
76+      const u8 mod = next_byte >> 6;
77+      const u8 rm = next_byte & 7;
78+      if (mod == 1 && rm == 4)
79+        return 5;  // 83 ModR/M SIB Disp8 Imm8
80+                   //   add|or|adc|sbb|and|sub|xor|cmp [r+disp8], imm8
81   }
82
83   switch (*(u16*)address) {
84@@ -493,6 +535,8 @@ static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) {
85     case 0x5641:  // push r14
86     case 0x5741:  // push r15
87     case 0x9066:  // Two-byte NOP
88+    case 0xc084:  // test al, al
89+    case 0x018a:  // mov al, byte ptr [rcx]
90       return 2;
91
92     case 0x058B:  // 8B 05 XX XX XX XX : mov eax, dword ptr [XX XX XX XX]
93@@ -509,6 +553,7 @@ static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) {
94     case 0xd12b48:    // 48 2b d1 : sub rdx, rcx
95     case 0x07c1f6:    // f6 c1 07 : test cl, 0x7
96     case 0xc98548:    // 48 85 C9 : test rcx, rcx
97+    case 0xd28548:    // 48 85 d2 : test rdx, rdx
98     case 0xc0854d:    // 4d 85 c0 : test r8, r8
99     case 0xc2b60f:    // 0f b6 c2 : movzx eax, dl
100     case 0xc03345:    // 45 33 c0 : xor r8d, r8d
101@@ -522,6 +567,7 @@ static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) {
102     case 0xca2b48:    // 48 2b ca : sub rcx, rdx
103     case 0x10b70f:    // 0f b7 10 : movzx edx, WORD PTR [rax]
104     case 0xc00b4d:    // 3d 0b c0 : or r8, r8
105+    case 0xc08b41:    // 41 8b c0 : mov eax, r8d
106     case 0xd18b48:    // 48 8b d1 : mov rdx, rcx
107     case 0xdc8b4c:    // 4c 8b dc : mov r11, rsp
108     case 0xd18b4c:    // 4c 8b d1 : mov r10, rcx
109diff --git a/compiler-rt/lib/interception/tests/interception_win_test.cpp b/compiler-rt/lib/interception/tests/interception_win_test.cpp
110index f8ab4ec67443..084a98602969 100644
111--- a/compiler-rt/lib/interception/tests/interception_win_test.cpp
112+++ b/compiler-rt/lib/interception/tests/interception_win_test.cpp
113@@ -208,6 +208,28 @@ const u8 kUnpatchableCode6[] = {
114     0x90, 0x90, 0x90, 0x90,
115 };
116
117+const u8 kUnpatchableCode7[] = {
118+    0x33, 0xc0,                     // xor     eax,eax
119+    0x48, 0x85, 0xd2,               // test    rdx,rdx
120+    0x74, 0x10,                     // je      +16  (unpatchable)
121+};
122+
123+const u8 kUnpatchableCode8[] = {
124+    0x48, 0x8b, 0xc1,               // mov     rax,rcx
125+    0x0f, 0xb7, 0x10,               // movzx   edx,word ptr [rax]
126+    0x48, 0x83, 0xc0, 0x02,         // add     rax,2
127+    0x66, 0x85, 0xd2,               // test    dx,dx
128+    0x75, 0xf4,                     // jne     -12  (unpatchable)
129+};
130+
131+const u8 kUnpatchableCode9[] = {
132+    0x4c, 0x8b, 0xc1,               // mov     r8,rcx
133+    0x8a, 0x01,                     // mov     al,byte ptr [rcx]
134+    0x48, 0xff, 0xc1,               // inc     rcx
135+    0x84, 0xc0,                     // test    al,al
136+    0x75, 0xf7,                     // jne     -9  (unpatchable)
137+};
138+
139 const u8 kPatchableCode6[] = {
140     0x48, 0x89, 0x54, 0x24, 0xBB, // mov QWORD PTR [rsp + 0xBB], rdx
141     0x33, 0xC9,                   // xor ecx,ecx
142@@ -226,6 +248,23 @@ const u8 kPatchableCode8[] = {
143     0xC3,                         // ret
144 };
145
146+const u8 kPatchableCode9[] = {
147+    0x8a, 0x01,                     // mov     al,byte ptr [rcx]
148+    0x45, 0x33, 0xc0,               // xor     r8d,r8d
149+    0x84, 0xc0,                     // test    al,al
150+};
151+
152+const u8 kPatchableCode10[] = {
153+    0x45, 0x33, 0xc0,               // xor     r8d,r8d
154+    0x41, 0x8b, 0xc0,               // mov     eax,r8d
155+    0x48, 0x85, 0xd2,               // test    rdx,rdx
156+};
157+
158+const u8 kPatchableCode11[] = {
159+    0x48, 0x83, 0xec, 0x38,         // sub     rsp,38h
160+    0x83, 0x64, 0x24, 0x28, 0x00,   // and     dword ptr [rsp+28h],0
161+};
162+
163 // A buffer holding the dynamically generated code under test.
164 u8* ActiveCode;
165 const size_t ActiveCodeLength = 4096;
166@@ -610,6 +649,12 @@ TEST(Interception, PatchableFunctionWithTrampoline) {
167   EXPECT_TRUE(TestFunctionPatching(kPatchableCode2, override, prefix));
168 #if SANITIZER_WINDOWS64
169   EXPECT_FALSE(TestFunctionPatching(kPatchableCode3, override, prefix));
170+  EXPECT_TRUE(TestFunctionPatching(kPatchableCode9, override, prefix));
171+  EXPECT_TRUE(TestFunctionPatching(kPatchableCode10, override, prefix));
172+  EXPECT_TRUE(TestFunctionPatching(kPatchableCode11, override, prefix));
173+  EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode7, override, prefix));
174+  EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode8, override, prefix));
175+  EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode9, override, prefix));
176 #else
177   EXPECT_TRUE(TestFunctionPatching(kPatchableCode3, override, prefix));
178 #endif
179--
1802.28.0.windows.1
181
182