| // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "preamble_patcher.h" |
| #include "memory_hook.h" |
| #include "mini_disassembler.h" |
| |
| // compatibility shims |
| #include "base/logging.h" |
| |
| // Definitions of assembly statements we need |
| #define ASM_JMP32REL 0xE9 |
| #define ASM_INT3 0xCC |
| |
| namespace sidestep { |
| |
| SideStepError PreamblePatcher::RawPatchWithStubAndProtections( |
| void* target_function, void *replacement_function, |
| unsigned char* preamble_stub, unsigned long stub_size, |
| unsigned long* bytes_needed) { |
| // We need to be able to write to a process-local copy of the first |
| // MAX_PREAMBLE_STUB_SIZE bytes of target_function. We may be giving execute |
| // privilege to something that doesn't have it, but that's the price to pay |
| // for tools. |
| DWORD old_target_function_protect = 0; |
| BOOL succeeded = ::VirtualProtect(reinterpret_cast<void*>(target_function), |
| MAX_PREAMBLE_STUB_SIZE, |
| PAGE_EXECUTE_READWRITE, |
| &old_target_function_protect); |
| if (!succeeded) { |
| ASSERT(false, "Failed to make page containing target function " |
| "copy-on-write."); |
| return SIDESTEP_ACCESS_DENIED; |
| } |
| |
| SideStepError error_code = RawPatchWithStub(target_function, |
| replacement_function, |
| preamble_stub, |
| stub_size, |
| bytes_needed); |
| if (SIDESTEP_SUCCESS != error_code) { |
| ASSERT1(false); |
| return error_code; |
| } |
| |
| // Restore the protection of the first MAX_PREAMBLE_STUB_SIZE bytes of |
| // pTargetFunction to what they were before we started goofing around. |
| succeeded = ::VirtualProtect(reinterpret_cast<void*>(target_function), |
| MAX_PREAMBLE_STUB_SIZE, |
| old_target_function_protect, |
| &old_target_function_protect); |
| if (!succeeded) { |
| ASSERT(false, "Failed to restore protection to target function."); |
| // We must not return an error here because the function has actually |
| // been patched, and returning an error would likely cause our client |
| // code not to unpatch it. So we just keep going. |
| } |
| |
| // Flush the instruction cache to make sure the processor doesn't execute the |
| // old version of the instructions (before our patch). |
| // |
| // FlushInstructionCache is actually a no-op at least on single-processor |
| // XP machines. I'm not sure why this is so, but it is, yet I want to keep |
| // the call to the API here for correctness in case there is a difference in |
| // some variants of Windows/hardware. |
| succeeded = ::FlushInstructionCache(::GetCurrentProcess(), |
| target_function, |
| MAX_PREAMBLE_STUB_SIZE); |
| if (!succeeded) { |
| ASSERT(false, "Failed to flush instruction cache."); |
| // We must not return an error here because the function has actually |
| // been patched, and returning an error would likely cause our client |
| // code not to unpatch it. So we just keep going. |
| } |
| |
| return SIDESTEP_SUCCESS; |
| } |
| |
| SideStepError PreamblePatcher::RawPatch(void* target_function, |
| void* replacement_function, |
| void** original_function_stub) { |
| if (!target_function || !replacement_function || !original_function_stub || |
| (*original_function_stub) || target_function == replacement_function) { |
| ASSERT(false, "Preconditions not met"); |
| return SIDESTEP_INVALID_PARAMETER; |
| } |
| |
| // @see MAX_PREAMBLE_STUB_SIZE for an explanation of how we arrives at |
| // this size |
| unsigned char* preamble_stub = |
| reinterpret_cast<unsigned char*>( |
| MemoryHook::Alloc(sizeof(unsigned char) * MAX_PREAMBLE_STUB_SIZE)); |
| if (!preamble_stub) { |
| ASSERT(false, "Unable to allocate preamble-stub."); |
| return SIDESTEP_INSUFFICIENT_BUFFER; |
| } |
| |
| // Change the protection of the newly allocated preamble stub to |
| // PAGE_EXECUTE_READWRITE. This is required to work with DEP (Data |
| // Execution Prevention) which will cause an exception if code is executed |
| // from a page on which you do not have read access. |
| DWORD old_stub_protect = 0; |
| BOOL succeeded = VirtualProtect(preamble_stub, MAX_PREAMBLE_STUB_SIZE, |
| PAGE_EXECUTE_READWRITE, &old_stub_protect); |
| if (!succeeded) { |
| ASSERT(false, "Failed to make page preamble stub read-write-execute."); |
| delete[] preamble_stub; |
| return SIDESTEP_ACCESS_DENIED; |
| } |
| |
| SideStepError error_code = RawPatchWithStubAndProtections(target_function, |
| replacement_function, |
| preamble_stub, |
| MAX_PREAMBLE_STUB_SIZE, |
| NULL); |
| if (SIDESTEP_SUCCESS != error_code) { |
| ASSERT1(false); |
| delete[] preamble_stub; |
| return error_code; |
| } |
| |
| *original_function_stub = reinterpret_cast<void*>(preamble_stub); |
| |
| // NOTE: For hooking malloc/free, we don't want to use streams which |
| // allocate. Basically, we've hooked malloc, but not necessarily |
| // hooked free yet. To do anything which uses the heap could crash |
| // with a mismatched malloc/free! |
| //VLOG(1) << "PreamblePatcher::RawPatch successfully patched 0x" |
| // << target_function; |
| |
| return SIDESTEP_SUCCESS; |
| } |
| |
| SideStepError PreamblePatcher::Unpatch(void* target_function, |
| void* replacement_function, |
| void* original_function_stub) { |
| ASSERT1(target_function && original_function_stub); |
| if (!target_function || !original_function_stub) { |
| return SIDESTEP_INVALID_PARAMETER; |
| } |
| |
| // We disassemble the preamble of the _stub_ to see how many bytes we |
| // originally copied to the stub. |
| MiniDisassembler disassembler; |
| unsigned int preamble_bytes = 0; |
| while (preamble_bytes < 5) { |
| InstructionType instruction_type = disassembler.Disassemble( |
| reinterpret_cast<unsigned char*>(original_function_stub) + |
| preamble_bytes, preamble_bytes); |
| if (IT_GENERIC != instruction_type) { |
| ASSERT(false, "Should only have generic instructions in stub!!"); |
| return SIDESTEP_UNSUPPORTED_INSTRUCTION; |
| } |
| } |
| |
| // Before unpatching, target_function should be a JMP to |
| // replacement_function. If it's not, then either it's an error, or |
| // we're falling into the case where the original instruction was a |
| // JMP, and we patched the jumped_to address rather than the JMP |
| // itself. (For instance, if malloc() is just a JMP to __malloc(), |
| // we patched __malloc() and not malloc().) |
| unsigned char* target = reinterpret_cast<unsigned char*>(target_function); |
| while (1) { // we stop when target is a JMP to replacement_function |
| if (target[0] != ASM_JMP32REL) { |
| ASSERT(false, "target_function does not look like it was patched."); |
| return SIDESTEP_INVALID_PARAMETER; |
| } |
| int relative_offset; // Windows guarantees int is 4 bytes |
| ASSERT1(sizeof(relative_offset) == 4); |
| memcpy(reinterpret_cast<void*>(&relative_offset), |
| reinterpret_cast<void*>(target + 1), 4); |
| unsigned char* jump_to = target + 5 + relative_offset; |
| if (jump_to == replacement_function) |
| break; |
| target = jump_to; // follow the jmp |
| } |
| |
| // We need to be able to write to a process-local copy of the first |
| // MAX_PREAMBLE_STUB_SIZE bytes of target_function. We may be giving execute |
| // privilege to something that doesn't have it, but that's the price to pay |
| // for tools. |
| DWORD old_target_function_protect = 0; |
| BOOL succeeded = ::VirtualProtect(reinterpret_cast<void*>(target), |
| MAX_PREAMBLE_STUB_SIZE, |
| PAGE_EXECUTE_READWRITE, |
| &old_target_function_protect); |
| if (!succeeded) { |
| ASSERT(false, "Failed to make page containing target function " |
| "copy-on-write."); |
| return SIDESTEP_ACCESS_DENIED; |
| } |
| |
| // Replace the first few bytes of the original function with the bytes we |
| // previously moved to the preamble stub. |
| memcpy(reinterpret_cast<void*>(target), |
| original_function_stub, preamble_bytes); |
| |
| // Stub is now useless so delete it. |
| // [csilvers: Commented out for perftools because it causes big problems |
| // when we're unpatching malloc. We just let this live on as a leak.] |
| //delete original_function_stub; |
| |
| // Restore the protection of the first MAX_PREAMBLE_STUB_SIZE bytes of |
| // target to what they were before we started goofing around. |
| succeeded = ::VirtualProtect(reinterpret_cast<void*>(target), |
| MAX_PREAMBLE_STUB_SIZE, |
| old_target_function_protect, |
| &old_target_function_protect); |
| |
| // Flush the instruction cache to make sure the processor doesn't execute the |
| // old version of the instructions (before our patch). |
| // |
| // See comment on FlushInstructionCache elsewhere in this file. |
| succeeded = ::FlushInstructionCache(::GetCurrentProcess(), |
| target, |
| MAX_PREAMBLE_STUB_SIZE); |
| if (!succeeded) { |
| ASSERT(false, "Failed to flush instruction cache."); |
| return SIDESTEP_UNEXPECTED; |
| } |
| |
| VLOG(1) << "PreamblePatcher::Unpatch successfully unpatched 0x" |
| << target_function; |
| return SIDESTEP_SUCCESS; |
| } |
| |
| }; // namespace sidestep |
