1 //===-- interception_linux.cc -----------------------------------*- C++ -*-===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file is a part of AddressSanitizer, an address sanity checker.
11 //
12 // Windows-specific interception methods.
13 //===----------------------------------------------------------------------===//
14
15 #ifdef _WIN32
16
17 #include "interception.h"
18 #include <windows.h>
19
20 namespace __interception {
21
22 // FIXME: internal_str* and internal_mem* functions should be moved from the
23 // ASan sources into interception/.
24
_memset(void * p,int value,size_t sz)25 static void _memset(void *p, int value, size_t sz) {
26 for (size_t i = 0; i < sz; ++i)
27 ((char*)p)[i] = (char)value;
28 }
29
_memcpy(void * dst,void * src,size_t sz)30 static void _memcpy(void *dst, void *src, size_t sz) {
31 char *dst_c = (char*)dst,
32 *src_c = (char*)src;
33 for (size_t i = 0; i < sz; ++i)
34 dst_c[i] = src_c[i];
35 }
36
WriteJumpInstruction(char * jmp_from,char * to)37 static void WriteJumpInstruction(char *jmp_from, char *to) {
38 // jmp XXYYZZWW = E9 WW ZZ YY XX, where XXYYZZWW is an offset fromt jmp_from
39 // to the next instruction to the destination.
40 ptrdiff_t offset = to - jmp_from - 5;
41 *jmp_from = '\xE9';
42 *(ptrdiff_t*)(jmp_from + 1) = offset;
43 }
44
GetMemoryForTrampoline(size_t size)45 static char *GetMemoryForTrampoline(size_t size) {
46 // Trampolines are allocated from a common pool.
47 const int POOL_SIZE = 1024;
48 static char *pool = NULL;
49 static size_t pool_used = 0;
50 if (!pool) {
51 pool = (char *)VirtualAlloc(NULL, POOL_SIZE, MEM_RESERVE | MEM_COMMIT,
52 PAGE_EXECUTE_READWRITE);
53 // FIXME: Might want to apply PAGE_EXECUTE_READ access after all the
54 // interceptors are in place.
55 if (!pool)
56 return NULL;
57 _memset(pool, 0xCC /* int 3 */, POOL_SIZE);
58 }
59
60 if (pool_used + size > POOL_SIZE)
61 return NULL;
62
63 char *ret = pool + pool_used;
64 pool_used += size;
65 return ret;
66 }
67
68 // Returns 0 on error.
RoundUpToInstrBoundary(size_t size,char * code)69 static size_t RoundUpToInstrBoundary(size_t size, char *code) {
70 size_t cursor = 0;
71 while (cursor < size) {
72 switch (code[cursor]) {
73 case '\x51': // push ecx
74 case '\x52': // push edx
75 case '\x53': // push ebx
76 case '\x54': // push esp
77 case '\x55': // push ebp
78 case '\x56': // push esi
79 case '\x57': // push edi
80 case '\x5D': // pop ebp
81 cursor++;
82 continue;
83 case '\x6A': // 6A XX = push XX
84 cursor += 2;
85 continue;
86 case '\xE9': // E9 XX YY ZZ WW = jmp WWZZYYXX
87 case '\xB8': // B8 XX YY ZZ WW = mov eax, WWZZYYXX
88 cursor += 5;
89 continue;
90 }
91 switch (*(unsigned short*)(code + cursor)) { // NOLINT
92 case 0xFF8B: // 8B FF = mov edi, edi
93 case 0xEC8B: // 8B EC = mov ebp, esp
94 case 0xC033: // 33 C0 = xor eax, eax
95 cursor += 2;
96 continue;
97 case 0x458B: // 8B 45 XX = mov eax, dword ptr [ebp+XXh]
98 case 0x5D8B: // 8B 5D XX = mov ebx, dword ptr [ebp+XXh]
99 case 0xEC83: // 83 EC XX = sub esp, XX
100 case 0x75FF: // FF 75 XX = push dword ptr [ebp+XXh]
101 cursor += 3;
102 continue;
103 case 0xC1F7: // F7 C1 XX YY ZZ WW = test ecx, WWZZYYXX
104 case 0x25FF: // FF 25 XX YY ZZ WW = jmp dword ptr ds:[WWZZYYXX]
105 cursor += 6;
106 continue;
107 case 0x3D83: // 83 3D XX YY ZZ WW TT = cmp TT, WWZZYYXX
108 cursor += 7;
109 continue;
110 }
111 switch (0x00FFFFFF & *(unsigned int*)(code + cursor)) {
112 case 0x24448A: // 8A 44 24 XX = mov eal, dword ptr [esp+XXh]
113 case 0x24448B: // 8B 44 24 XX = mov eax, dword ptr [esp+XXh]
114 case 0x244C8B: // 8B 4C 24 XX = mov ecx, dword ptr [esp+XXh]
115 case 0x24548B: // 8B 54 24 XX = mov edx, dword ptr [esp+XXh]
116 case 0x24748B: // 8B 74 24 XX = mov esi, dword ptr [esp+XXh]
117 case 0x247C8B: // 8B 7C 24 XX = mov edi, dword ptr [esp+XXh]
118 cursor += 4;
119 continue;
120 }
121
122 // Unknown instruction!
123 // FIXME: Unknown instruction failures might happen when we add a new
124 // interceptor or a new compiler version. In either case, they should result
125 // in visible and readable error messages. However, merely calling abort()
126 // leads to an infinite recursion in CheckFailed.
127 // Do we have a good way to abort with an error message here?
128 __debugbreak();
129 return 0;
130 }
131
132 return cursor;
133 }
134
OverrideFunction(uptr old_func,uptr new_func,uptr * orig_old_func)135 bool OverrideFunction(uptr old_func, uptr new_func, uptr *orig_old_func) {
136 #ifdef _WIN64
137 #error OverrideFunction is not yet supported on x64
138 #endif
139 // Function overriding works basically like this:
140 // We write "jmp <new_func>" (5 bytes) at the beginning of the 'old_func'
141 // to override it.
142 // We might want to be able to execute the original 'old_func' from the
143 // wrapper, in this case we need to keep the leading 5+ bytes ('head')
144 // of the original code somewhere with a "jmp <old_func+head>".
145 // We call these 'head'+5 bytes of instructions a "trampoline".
146 char *old_bytes = (char *)old_func;
147
148 // We'll need at least 5 bytes for a 'jmp'.
149 size_t head = 5;
150 if (orig_old_func) {
151 // Find out the number of bytes of the instructions we need to copy
152 // to the trampoline and store it in 'head'.
153 head = RoundUpToInstrBoundary(head, old_bytes);
154 if (!head)
155 return false;
156
157 // Put the needed instructions into the trampoline bytes.
158 char *trampoline = GetMemoryForTrampoline(head + 5);
159 if (!trampoline)
160 return false;
161 _memcpy(trampoline, old_bytes, head);
162 WriteJumpInstruction(trampoline + head, old_bytes + head);
163 *orig_old_func = (uptr)trampoline;
164 }
165
166 // Now put the "jmp <new_func>" instruction at the original code location.
167 // We should preserve the EXECUTE flag as some of our own code might be
168 // located in the same page (sic!). FIXME: might consider putting the
169 // __interception code into a separate section or something?
170 DWORD old_prot, unused_prot;
171 if (!VirtualProtect((void *)old_bytes, head, PAGE_EXECUTE_READWRITE,
172 &old_prot))
173 return false;
174
175 WriteJumpInstruction(old_bytes, (char *)new_func);
176 _memset(old_bytes + 5, 0xCC /* int 3 */, head - 5);
177
178 // Restore the original permissions.
179 if (!VirtualProtect((void *)old_bytes, head, old_prot, &unused_prot))
180 return false; // not clear if this failure bothers us.
181
182 return true;
183 }
184
InterestingDLLsAvailable()185 static const void **InterestingDLLsAvailable() {
186 const char *InterestingDLLs[] = {
187 "kernel32.dll",
188 "msvcr110.dll", // VS2012
189 "msvcr120.dll", // VS2013
190 // NTDLL should go last as it exports some functions that we should override
191 // in the CRT [presumably only used internally].
192 "ntdll.dll", NULL
193 };
194 static void *result[ARRAY_SIZE(InterestingDLLs)] = { 0 };
195 if (!result[0]) {
196 for (size_t i = 0, j = 0; InterestingDLLs[i]; ++i) {
197 if (HMODULE h = GetModuleHandleA(InterestingDLLs[i]))
198 result[j++] = (void *)h;
199 }
200 }
201 return (const void **)&result[0];
202 }
203
GetFunctionAddressInDLLs(const char * func_name,uptr * func_addr)204 static bool GetFunctionAddressInDLLs(const char *func_name, uptr *func_addr) {
205 *func_addr = 0;
206 const void **DLLs = InterestingDLLsAvailable();
207 for (size_t i = 0; *func_addr == 0 && DLLs[i]; ++i)
208 *func_addr = (uptr)GetProcAddress((HMODULE)DLLs[i], func_name);
209 return (*func_addr != 0);
210 }
211
OverrideFunction(const char * name,uptr new_func,uptr * orig_old_func)212 bool OverrideFunction(const char *name, uptr new_func, uptr *orig_old_func) {
213 uptr orig_func;
214 if (!GetFunctionAddressInDLLs(name, &orig_func))
215 return false;
216 return OverrideFunction(orig_func, new_func, orig_old_func);
217 }
218
219 } // namespace __interception
220
221 #endif // _WIN32
222