search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
2016-09-25 François Dumont <fdumont@gcc.gnu.org>
[official-gcc.git] / libsanitizer / interception / interception_win.cc
blobdf51fa21ead808b0700a09c42d6be4d41951d979
1 //===-- interception_linux.cc -----------------------------------*- C++ -*-===//
2 //
3 // This file is distributed under the University of Illinois Open Source
4 // License. See LICENSE.TXT for details.
5 //
6 //===----------------------------------------------------------------------===//
7 //
8 // This file is a part of AddressSanitizer, an address sanity checker.
9 //
10 // Windows-specific interception methods.
11 //===----------------------------------------------------------------------===//
12
13 #ifdef _WIN32
14
15 #include "interception.h"
16 #define WIN32_LEAN_AND_MEAN
17 #include <windows.h>
18
19 namespace __interception {
20
21 // FIXME: internal_str* and internal_mem* functions should be moved from the
22 // ASan sources into interception/.
23
24 static void _memset(void *p, int value, size_t sz) {
25 for (size_t i = 0; i < sz; ++i)
26 ((char*)p)[i] = (char)value;
27 }
28
29 static void _memcpy(void *dst, void *src, size_t sz) {
30 char *dst_c = (char*)dst,
31 *src_c = (char*)src;
32 for (size_t i = 0; i < sz; ++i)
33 dst_c[i] = src_c[i];
34 }
35
36 static void WriteJumpInstruction(char *jmp_from, char *to) {
37 // jmp XXYYZZWW = E9 WW ZZ YY XX, where XXYYZZWW is an offset fromt jmp_from
38 // to the next instruction to the destination.
39 ptrdiff_t offset = to - jmp_from - 5;
40 *jmp_from = '\xE9';
41 *(ptrdiff_t*)(jmp_from + 1) = offset;
42 }
43
44 static char *GetMemoryForTrampoline(size_t size) {
45 // Trampolines are allocated from a common pool.
46 const int POOL_SIZE = 1024;
47 static char *pool = NULL;
48 static size_t pool_used = 0;
49 if (!pool) {
50 pool = (char *)VirtualAlloc(NULL, POOL_SIZE, MEM_RESERVE | MEM_COMMIT,
51 PAGE_EXECUTE_READWRITE);
52 // FIXME: Might want to apply PAGE_EXECUTE_READ access after all the
53 // interceptors are in place.
54 if (!pool)
55 return NULL;
56 _memset(pool, 0xCC /* int 3 */, POOL_SIZE);
57 }
58
59 if (pool_used + size > POOL_SIZE)
60 return NULL;
61
62 char *ret = pool + pool_used;
63 pool_used += size;
64 return ret;
65 }
66
67 // Returns 0 on error.
68 static size_t RoundUpToInstrBoundary(size_t size, char *code) {
69 size_t cursor = 0;
70 while (cursor < size) {
71 switch (code[cursor]) {
72 case '\x51': // push ecx
73 case '\x52': // push edx
74 case '\x53': // push ebx
75 case '\x54': // push esp
76 case '\x55': // push ebp
77 case '\x56': // push esi
78 case '\x57': // push edi
79 case '\x5D': // pop ebp
80 cursor++;
81 continue;
82 case '\x6A': // 6A XX = push XX
83 cursor += 2;
84 continue;
85 case '\xE9': // E9 XX YY ZZ WW = jmp WWZZYYXX
86 case '\xB8': // B8 XX YY ZZ WW = mov eax, WWZZYYXX
87 cursor += 5;
88 continue;
89 }
90 switch (*(unsigned short*)(code + cursor)) { // NOLINT
91 case 0xFF8B: // 8B FF = mov edi, edi
92 case 0xEC8B: // 8B EC = mov ebp, esp
93 case 0xC033: // 33 C0 = xor eax, eax
94 cursor += 2;
95 continue;
96 case 0x458B: // 8B 45 XX = mov eax, dword ptr [ebp+XXh]
97 case 0x5D8B: // 8B 5D XX = mov ebx, dword ptr [ebp+XXh]
98 case 0xEC83: // 83 EC XX = sub esp, XX
99 case 0x75FF: // FF 75 XX = push dword ptr [ebp+XXh]
100 cursor += 3;
101 continue;
102 case 0xC1F7: // F7 C1 XX YY ZZ WW = test ecx, WWZZYYXX
103 case 0x25FF: // FF 25 XX YY ZZ WW = jmp dword ptr ds:[WWZZYYXX]
104 cursor += 6;
105 continue;
106 case 0x3D83: // 83 3D XX YY ZZ WW TT = cmp TT, WWZZYYXX
107 cursor += 7;
108 continue;
109 }
110 switch (0x00FFFFFF & *(unsigned int*)(code + cursor)) {
111 case 0x24448A: // 8A 44 24 XX = mov eal, dword ptr [esp+XXh]
112 case 0x24448B: // 8B 44 24 XX = mov eax, dword ptr [esp+XXh]
113 case 0x244C8B: // 8B 4C 24 XX = mov ecx, dword ptr [esp+XXh]
114 case 0x24548B: // 8B 54 24 XX = mov edx, dword ptr [esp+XXh]
115 case 0x24748B: // 8B 74 24 XX = mov esi, dword ptr [esp+XXh]
116 case 0x247C8B: // 8B 7C 24 XX = mov edi, dword ptr [esp+XXh]
117 cursor += 4;
118 continue;
119 }
120
121 // Unknown instruction!
122 // FIXME: Unknown instruction failures might happen when we add a new
123 // interceptor or a new compiler version. In either case, they should result
124 // in visible and readable error messages. However, merely calling abort()
125 // leads to an infinite recursion in CheckFailed.
126 // Do we have a good way to abort with an error message here?
127 __debugbreak();
128 return 0;
129 }
130
131 return cursor;
132 }
133
134 bool OverrideFunction(uptr old_func, uptr new_func, uptr *orig_old_func) {
135 #ifdef _WIN64
136 #error OverrideFunction is not yet supported on x64
137 #endif
138 // Function overriding works basically like this:
139 // We write "jmp <new_func>" (5 bytes) at the beginning of the 'old_func'
140 // to override it.
141 // We might want to be able to execute the original 'old_func' from the
142 // wrapper, in this case we need to keep the leading 5+ bytes ('head')
143 // of the original code somewhere with a "jmp <old_func+head>".
144 // We call these 'head'+5 bytes of instructions a "trampoline".
145 char *old_bytes = (char *)old_func;
146
147 // We'll need at least 5 bytes for a 'jmp'.
148 size_t head = 5;
149 if (orig_old_func) {
150 // Find out the number of bytes of the instructions we need to copy
151 // to the trampoline and store it in 'head'.
152 head = RoundUpToInstrBoundary(head, old_bytes);
153 if (!head)
154 return false;
155
156 // Put the needed instructions into the trampoline bytes.
157 char *trampoline = GetMemoryForTrampoline(head + 5);
158 if (!trampoline)
159 return false;
160 _memcpy(trampoline, old_bytes, head);
161 WriteJumpInstruction(trampoline + head, old_bytes + head);
162 *orig_old_func = (uptr)trampoline;
163 }
164
165 // Now put the "jmp <new_func>" instruction at the original code location.
166 // We should preserve the EXECUTE flag as some of our own code might be
167 // located in the same page (sic!). FIXME: might consider putting the
168 // __interception code into a separate section or something?
169 DWORD old_prot, unused_prot;
170 if (!VirtualProtect((void *)old_bytes, head, PAGE_EXECUTE_READWRITE,
171 &old_prot))
172 return false;
173
174 WriteJumpInstruction(old_bytes, (char *)new_func);
175 _memset(old_bytes + 5, 0xCC /* int 3 */, head - 5);
176
177 // Restore the original permissions.
178 if (!VirtualProtect((void *)old_bytes, head, old_prot, &unused_prot))
179 return false; // not clear if this failure bothers us.
180
181 return true;
182 }
183
184 static void **InterestingDLLsAvailable() {
185 const char *InterestingDLLs[] = {
186 "kernel32.dll",
187 "msvcr110.dll", // VS2012
188 "msvcr120.dll", // VS2013
189 // NTDLL should go last as it exports some functions that we should override
190 // in the CRT [presumably only used internally].
191 "ntdll.dll", NULL
192 };
193 static void *result[ARRAY_SIZE(InterestingDLLs)] = { 0 };
194 if (!result[0]) {
195 for (size_t i = 0, j = 0; InterestingDLLs[i]; ++i) {
196 if (HMODULE h = GetModuleHandleA(InterestingDLLs[i]))
197 result[j++] = (void *)h;
198 }
199 }
200 return &result[0];
201 }
202
203 namespace {
204 // Utility for reading loaded PE images.
205 template <typename T> class RVAPtr {
206 public:
207 RVAPtr(void *module, uptr rva)
208 : ptr_(reinterpret_cast<T *>(reinterpret_cast<char *>(module) + rva)) {}
209 operator T *() { return ptr_; }
210 T *operator->() { return ptr_; }
211 T *operator++() { return ++ptr_; }
212
213 private:
214 T *ptr_;
215 };
216 } // namespace
217
218 // Internal implementation of GetProcAddress. At least since Windows 8,
219 // GetProcAddress appears to initialize DLLs before returning function pointers
220 // into them. This is problematic for the sanitizers, because they typically
221 // want to intercept malloc *before* MSVCRT initializes. Our internal
222 // implementation walks the export list manually without doing initialization.
223 uptr InternalGetProcAddress(void *module, const char *func_name) {
224 // Check that the module header is full and present.
225 RVAPtr<IMAGE_DOS_HEADER> dos_stub(module, 0);
226 RVAPtr<IMAGE_NT_HEADERS> headers(module, dos_stub->e_lfanew);
227 if (!module || dos_stub->e_magic != IMAGE_DOS_SIGNATURE || // "MZ"
228 headers->Signature != IMAGE_NT_SIGNATURE || // "PE\0\0"
229 headers->FileHeader.SizeOfOptionalHeader <
230 sizeof(IMAGE_OPTIONAL_HEADER)) {
231 return 0;
232 }
233
234 IMAGE_DATA_DIRECTORY *export_directory =
235 &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
236 RVAPtr<IMAGE_EXPORT_DIRECTORY> exports(module,
237 export_directory->VirtualAddress);
238 RVAPtr<DWORD> functions(module, exports->AddressOfFunctions);
239 RVAPtr<DWORD> names(module, exports->AddressOfNames);
240 RVAPtr<WORD> ordinals(module, exports->AddressOfNameOrdinals);
241
242 for (DWORD i = 0; i < exports->NumberOfNames; i++) {
243 RVAPtr<char> name(module, names[i]);
244 if (!strcmp(func_name, name)) {
245 DWORD index = ordinals[i];
246 RVAPtr<char> func(module, functions[index]);
247 return (uptr)(char *)func;
248 }
249 }
250
251 return 0;
252 }
253
254 static bool GetFunctionAddressInDLLs(const char *func_name, uptr *func_addr) {
255 *func_addr = 0;
256 void **DLLs = InterestingDLLsAvailable();
257 for (size_t i = 0; *func_addr == 0 && DLLs[i]; ++i)
258 *func_addr = InternalGetProcAddress(DLLs[i], func_name);
259 return (*func_addr != 0);
260 }
261
262 bool OverrideFunction(const char *name, uptr new_func, uptr *orig_old_func) {
263 uptr orig_func;
264 if (!GetFunctionAddressInDLLs(name, &orig_func))
265 return false;
266 return OverrideFunction(orig_func, new_func, orig_old_func);
267 }
268
269 } // namespace __interception
270
271 #endif // _WIN32
Mirror of the offical gcc git repository hosted at gcc.gnu.org