1 //===-- interception_win.cc -------------------------------------*- C++ -*-===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file is a part of AddressSanitizer, an address sanity checker.
12 // Windows-specific interception methods.
13 //===----------------------------------------------------------------------===//
17 #include "interception.h"
18 #define WIN32_LEAN_AND_MEAN
21 namespace __interception
{
23 // FIXME: internal_str* and internal_mem* functions should be moved from the
24 // ASan sources into interception/.
26 static void _memset(void *p
, int value
, size_t sz
) {
27 for (size_t i
= 0; i
< sz
; ++i
)
28 ((char*)p
)[i
] = (char)value
;
31 static void _memcpy(void *dst
, void *src
, size_t sz
) {
32 char *dst_c
= (char*)dst
,
34 for (size_t i
= 0; i
< sz
; ++i
)
38 static void WriteJumpInstruction(char *jmp_from
, char *to
) {
39 // jmp XXYYZZWW = E9 WW ZZ YY XX, where XXYYZZWW is the offset from the end of
40 // the 5-byte jmp instruction (jmp_from + 5) to the destination.
41 ptrdiff_t offset
= to
- jmp_from
- 5;
43 *(ptrdiff_t*)(jmp_from
+ 1) = offset
;
46 static char *GetMemoryForTrampoline(size_t size
) {
47 // Trampolines are allocated from a common pool.
48 const int POOL_SIZE
= 1024;
49 static char *pool
= NULL
;
50 static size_t pool_used
= 0;
52 pool
= (char *)VirtualAlloc(NULL
, POOL_SIZE
, MEM_RESERVE
| MEM_COMMIT
,
53 PAGE_EXECUTE_READWRITE
);
54 // FIXME: Might want to apply PAGE_EXECUTE_READ access after all the
55 // interceptors are in place.
58 _memset(pool
, 0xCC /* int 3 */, POOL_SIZE
);
61 if (pool_used
+ size
> POOL_SIZE
)
64 char *ret
= pool
+ pool_used
;
69 // Returns 0 on error.
70 static size_t RoundUpToInstrBoundary(size_t size
, char *code
) {
72 while (cursor
< size
) {
73 switch (code
[cursor
]) {
74 case '\x51': // push ecx
75 case '\x52': // push edx
76 case '\x53': // push ebx
77 case '\x54': // push esp
78 case '\x55': // push ebp
79 case '\x56': // push esi
80 case '\x57': // push edi
81 case '\x5D': // pop ebp
84 case '\x6A': // 6A XX = push XX
87 case '\xE9': // E9 XX YY ZZ WW = jmp WWZZYYXX
88 case '\xB8': // B8 XX YY ZZ WW = mov eax, WWZZYYXX
92 switch (*(unsigned short*)(code
+ cursor
)) { // NOLINT
93 case 0xFF8B: // 8B FF = mov edi, edi
94 case 0xEC8B: // 8B EC = mov ebp, esp
95 case 0xC033: // 33 C0 = xor eax, eax
98 case 0x458B: // 8B 45 XX = mov eax, dword ptr [ebp+XXh]
99 case 0x5D8B: // 8B 5D XX = mov ebx, dword ptr [ebp+XXh]
100 case 0xEC83: // 83 EC XX = sub esp, XX
101 case 0x75FF: // FF 75 XX = push dword ptr [ebp+XXh]
104 case 0xC1F7: // F7 C1 XX YY ZZ WW = test ecx, WWZZYYXX
105 case 0x25FF: // FF 25 XX YY ZZ WW = jmp dword ptr ds:[WWZZYYXX]
108 case 0x3D83: // 83 3D XX YY ZZ WW TT = cmp dword ptr ds:[WWZZYYXX], TT
112 switch (0x00FFFFFF & *(unsigned int*)(code
+ cursor
)) {
113 case 0x24448A: // 8A 44 24 XX = mov al, byte ptr [esp+XXh]
114 case 0x24448B: // 8B 44 24 XX = mov eax, dword ptr [esp+XXh]
115 case 0x244C8B: // 8B 4C 24 XX = mov ecx, dword ptr [esp+XXh]
116 case 0x24548B: // 8B 54 24 XX = mov edx, dword ptr [esp+XXh]
117 case 0x24748B: // 8B 74 24 XX = mov esi, dword ptr [esp+XXh]
118 case 0x247C8B: // 8B 7C 24 XX = mov edi, dword ptr [esp+XXh]
123 // Unknown instruction!
124 // FIXME: Unknown instruction failures might happen when we add a new
125 // interceptor or a new compiler version. In either case, they should result
126 // in visible and readable error messages. However, merely calling abort()
127 // leads to an infinite recursion in CheckFailed.
128 // Do we have a good way to abort with an error message here?
136 bool OverrideFunction(uptr old_func
, uptr new_func
, uptr
*orig_old_func
) {
138 #error OverrideFunction is not yet supported on x64
140 // Function overriding works basically like this:
141 // We write "jmp <new_func>" (5 bytes) at the beginning of the 'old_func'
143 // We might want to be able to execute the original 'old_func' from the
144 // wrapper, in this case we need to keep the leading 5+ bytes ('head')
145 // of the original code somewhere with a "jmp <old_func+head>".
146 // We call these 'head'+5 bytes of instructions a "trampoline".
147 char *old_bytes
= (char *)old_func
;
149 // We'll need at least 5 bytes for a 'jmp'.
152 // Find out the number of bytes of the instructions we need to copy
153 // to the trampoline and store it in 'head'.
154 head
= RoundUpToInstrBoundary(head
, old_bytes
);
158 // Put the needed instructions into the trampoline bytes.
159 char *trampoline
= GetMemoryForTrampoline(head
+ 5);
162 _memcpy(trampoline
, old_bytes
, head
);
163 WriteJumpInstruction(trampoline
+ head
, old_bytes
+ head
);
164 *orig_old_func
= (uptr
)trampoline
;
167 // Now put the "jmp <new_func>" instruction at the original code location.
168 // We should preserve the EXECUTE flag as some of our own code might be
169 // located in the same page (sic!). FIXME: might consider putting the
170 // __interception code into a separate section or something?
171 DWORD old_prot
, unused_prot
;
172 if (!VirtualProtect((void *)old_bytes
, head
, PAGE_EXECUTE_READWRITE
,
176 WriteJumpInstruction(old_bytes
, (char *)new_func
);
177 _memset(old_bytes
+ 5, 0xCC /* int 3 */, head
- 5);
179 // Restore the original permissions.
180 if (!VirtualProtect((void *)old_bytes
, head
, old_prot
, &unused_prot
))
181 return false; // not clear if this failure bothers us.
186 static void **InterestingDLLsAvailable() {
187 const char *InterestingDLLs
[] = {
189 "msvcr110.dll", // VS2012
190 "msvcr120.dll", // VS2013
191 // NTDLL should go last as it exports some functions that we should override
192 // in the CRT [presumably only used internally].
195 static void *result
[ARRAY_SIZE(InterestingDLLs
)] = { 0 };
197 for (size_t i
= 0, j
= 0; InterestingDLLs
[i
]; ++i
) {
198 if (HMODULE h
= GetModuleHandleA(InterestingDLLs
[i
]))
199 result
[j
++] = (void *)h
;
206 // Utility for reading loaded PE images.
207 template <typename T
> class RVAPtr
{
209 RVAPtr(void *module
, uptr rva
)
210 : ptr_(reinterpret_cast<T
*>(reinterpret_cast<char *>(module
) + rva
)) {}
211 operator T
*() { return ptr_
; }
212 T
*operator->() { return ptr_
; }
213 T
*operator++() { return ++ptr_
; }
220 // Internal implementation of GetProcAddress. At least since Windows 8,
221 // GetProcAddress appears to initialize DLLs before returning function pointers
222 // into them. This is problematic for the sanitizers, because they typically
223 // want to intercept malloc *before* MSVCRT initializes. Our internal
224 // implementation walks the export list manually without doing initialization.
225 uptr
InternalGetProcAddress(void *module
, const char *func_name
) {
226 // Check that the module header is full and present.
227 RVAPtr
<IMAGE_DOS_HEADER
> dos_stub(module
, 0);
228 RVAPtr
<IMAGE_NT_HEADERS
> headers(module
, dos_stub
->e_lfanew
);
229 if (!module
|| dos_stub
->e_magic
!= IMAGE_DOS_SIGNATURE
|| // "MZ"
230 headers
->Signature
!= IMAGE_NT_SIGNATURE
|| // "PE\0\0"
231 headers
->FileHeader
.SizeOfOptionalHeader
<
232 sizeof(IMAGE_OPTIONAL_HEADER
)) {
236 IMAGE_DATA_DIRECTORY
*export_directory
=
237 &headers
->OptionalHeader
.DataDirectory
[IMAGE_DIRECTORY_ENTRY_EXPORT
];
238 RVAPtr
<IMAGE_EXPORT_DIRECTORY
> exports(module
,
239 export_directory
->VirtualAddress
);
240 RVAPtr
<DWORD
> functions(module
, exports
->AddressOfFunctions
);
241 RVAPtr
<DWORD
> names(module
, exports
->AddressOfNames
);
242 RVAPtr
<WORD
> ordinals(module
, exports
->AddressOfNameOrdinals
);
244 for (DWORD i
= 0; i
< exports
->NumberOfNames
; i
++) {
245 RVAPtr
<char> name(module
, names
[i
]);
246 if (!strcmp(func_name
, name
)) {
247 DWORD index
= ordinals
[i
];
248 RVAPtr
<char> func(module
, functions
[index
]);
249 return (uptr
)(char *)func
;
256 static bool GetFunctionAddressInDLLs(const char *func_name
, uptr
*func_addr
) {
258 void **DLLs
= InterestingDLLsAvailable();
259 for (size_t i
= 0; *func_addr
== 0 && DLLs
[i
]; ++i
)
260 *func_addr
= InternalGetProcAddress(DLLs
[i
], func_name
);
261 return (*func_addr
!= 0);
264 bool OverrideFunction(const char *name
, uptr new_func
, uptr
*orig_old_func
) {
266 if (!GetFunctionAddressInDLLs(name
, &orig_func
))
268 return OverrideFunction(orig_func
, new_func
, orig_old_func
);
271 } // namespace __interception