107bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov//===-- interception_linux.cc -----------------------------------*- C++ -*-===//
207bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov//
307bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov//                     The LLVM Compiler Infrastructure
407bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov//
507bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov// This file is distributed under the University of Illinois Open Source
607bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov// License. See LICENSE.TXT for details.
707bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov//
807bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov//===----------------------------------------------------------------------===//
907bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov//
1007bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov// This file is a part of AddressSanitizer, an address sanity checker.
1107bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov//
1207bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov// Windows-specific interception methods.
1307bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov//===----------------------------------------------------------------------===//
1407bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov
1507bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov#ifdef _WIN32
1607bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov
17bfa11b66d2d9e677be00164d44bcc0c9c6bc8f82Alexey Samsonov#include "interception.h"
1807bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov#include <windows.h>
1907bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov
2007bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanovnamespace __interception {
2107bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov
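// Looks up 'func_name' in the CRT/system DLLs listed below and stores its
// address in *func_addr.
// Returns true on success; on failure *func_addr is left as 0.
// GetModuleHandleA only returns handles of modules that are already mapped
// into this process and never loads a DLL, so no search-path loading happens
// here.
bool GetRealFunctionAddress(const char *func_name, uptr *func_addr) {
  static const char *const DLLS[] = {
    "msvcr80.dll",
    "msvcr90.dll",
    "kernel32.dll",
    NULL
  };
  *func_addr = 0;
  for (size_t i = 0; *func_addr == 0 && DLLS[i]; ++i) {
    // A DLL that is not loaded yields a NULL handle; skip it explicitly
    // rather than handing NULL to GetProcAddress.
    HMODULE module = GetModuleHandleA(DLLS[i]);
    if (module == NULL)
      continue;
    // Explicit cast: a function pointer (FARPROC) does not convert to an
    // integer type implicitly in C++.
    *func_addr = (uptr)GetProcAddress(module, func_name);
  }
  return (*func_addr != 0);
}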
352716a61d085a8fdf13a099822720e320414cc4dcTimur Iskhodzhanov
362716a61d085a8fdf13a099822720e320414cc4dcTimur Iskhodzhanov// FIXME: internal_str* and internal_mem* functions should be moved from the
372716a61d085a8fdf13a099822720e320414cc4dcTimur Iskhodzhanov// ASan sources into interception/.
382716a61d085a8fdf13a099822720e320414cc4dcTimur Iskhodzhanov
// Byte-fill stand-in for memset (see the FIXME above about the internal_mem*
// helpers): writes (char)value into each of the 'sz' bytes starting at p.
static void _memset(void *p, int value, size_t sz) {
  char *cursor = (char*)p;
  const char fill = (char)value;
  size_t remaining = sz;
  while (remaining > 0) {
    *cursor++ = fill;
    --remaining;
  }
}
432716a61d085a8fdf13a099822720e320414cc4dcTimur Iskhodzhanov
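// Byte-copy stand-in for memcpy (see the FIXME above about the internal_mem*
// helpers): copies 'sz' bytes from src to dst, front to back.
// The regions must not overlap; src is never written, hence const.
static void _memcpy(void *dst, const void *src, size_t sz) {
  char *d = (char*)dst;
  const char *s = (const char*)src;
  for (size_t i = 0; i < sz; ++i)
    d[i] = s[i];
}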
502716a61d085a8fdf13a099822720e320414cc4dcTimur Iskhodzhanov
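// Emits a 5-byte "jmp rel32" at jmp_from that lands on 'to'.
// Encoding: E9 WW ZZ YY XX, where XXYYZZWW is a signed 32-bit displacement
// (little-endian) measured from the end of the jmp instruction, i.e. from
// jmp_from + 5, to the destination.
// The caller guarantees that jmp_from has at least 5 writable bytes and that
// the displacement fits in 32 bits (always true in a 32-bit address space).
// Exactly 4 displacement bytes are written; the previous '*(ptrdiff_t*)'
// store wrote sizeof(ptrdiff_t) bytes, i.e. 8 on a 64-bit target, and so
// clobbered 3 bytes past the instruction.
static void WriteJumpInstruction(char *jmp_from, char *to) {
  ptrdiff_t offset = to - jmp_from - 5;
  // Truncation to 32 bits is the intended rel32 encoding; going through an
  // unsigned type keeps the byte extraction well-defined for negative offsets.
  unsigned int disp = (unsigned int)offset;
  jmp_from[0] = '\xE9';
  // Store the displacement one byte at a time: no aliasing/alignment cast,
  // and the byte count does not depend on the width of ptrdiff_t.
  jmp_from[1] = (char)(disp & 0xFF);
  jmp_from[2] = (char)((disp >> 8) & 0xFF);
  jmp_from[3] = (char)((disp >> 16) & 0xFF);
  jmp_from[4] = (char)((disp >> 24) & 0xFF);
}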
582716a61d085a8fdf13a099822720e320414cc4dcTimur Iskhodzhanov
// Redirects 'old_func' to 'new_func' by overwriting its first bytes with a
// "jmp new_func", and stores in *orig_old_func the address of a trampoline
// that executes the displaced original instructions and then jumps back into
// old_func just past the patch, so the wrapper can still reach the original.
//
// Returns false if the trampoline pool cannot be allocated, if the prologue
// contains an instruction the decoder below does not recognize, if the pool
// is exhausted, or if the code page cannot be made writable; in all of these
// cases old_func is untouched. Only the final protection-restore failure
// returns false after the patch has already been applied.
//
// Only x86-32 encodings are handled (see the #error below).
// Not thread-safe: the pool bookkeeping is plain static state, so callers
// must serialize interceptor setup (presumably done once at startup — verify).
bool OverrideFunction(uptr old_func, uptr new_func, uptr *orig_old_func) {
#ifdef _WIN64
# error OverrideFunction was not tested on x64
#endif
  // Basic idea:
  // We write 5 bytes (jmp-to-new_func) at the beginning of the 'old_func'
  // to override it. We want to be able to execute the original 'old_func' from
  // the wrapper, so we need to keep the leading 5+ bytes ('head') of the
  // original instructions somewhere with a "jmp old_func+head".
  // We call these 'head'+5 bytes of instructions a "trampoline".

  // Trampolines are allocated from a common pool. Each trampoline takes
  // head+5 bytes (at least 10), so the pool holds roughly a hundred of them;
  // it is allocated once and never released.
  const int POOL_SIZE = 1024;
  static char *pool = NULL;
  static size_t pool_used = 0;
  if (pool == NULL) {
    // The pool must be both writable (to emit trampolines) and executable
    // (to run them); it stays RWX for the lifetime of the process because
    // nothing below ever re-protects it (see FIXME).
    pool = (char*)VirtualAlloc(NULL, POOL_SIZE,
                               MEM_RESERVE | MEM_COMMIT,
                               PAGE_EXECUTE_READWRITE);
    // FIXME: set PAGE_EXECUTE_READ access after setting all interceptors?
    if (pool == NULL)
      return false;
    // Pre-fill with int 3 so a stray jump into unused pool space traps
    // instead of executing leftover bytes.
    _memset(pool, 0xCC /* int 3 */, POOL_SIZE);
  }

  char* old_bytes = (char*)old_func;
  char* trampoline = pool + pool_used;

  // Find out the number of bytes of the instructions we need to copy to the
  // island and store it in 'head'.
  // Whole instructions are decoded until at least 5 bytes (the size of the
  // jmp written below) are covered. None of the recognized encodings carries
  // a relative target, which is what makes a byte-for-byte copy into the
  // trampoline valid; any other instruction makes this function bail out.
  size_t head = 0;
  while (head < 5) {
    // One-byte instructions.
    switch (old_bytes[head]) {
      case '\x55':  // push ebp
      case '\x56':  // push esi
      case '\x57':  // push edi
        head++;
        continue;
    }
    // Two-byte opcodes, read little-endian: 0xFF8B matches the bytes 8B FF.
    switch (*(unsigned short*)(old_bytes + head)) {  // NOLINT
      case 0xFF8B:  // 8B FF = mov edi, edi
      case 0xEC8B:  // 8B EC = mov ebp, esp
      case 0xC033:  // 33 C0 = xor eax, eax
        head += 2;
        continue;
      case 0xEC83:  // 83 EC XX = sub esp, XX
        head += 3;
        continue;
      case 0xC1F7:  // F7 C1 XX YY ZZ WW = test ecx, WWZZYYXX
        head += 6;
        continue;
    }
    // Three-byte opcodes followed by one displacement byte; the mask drops
    // the displacement so only the opcode/ModRM/SIB bytes are compared.
    switch (0x00FFFFFF & *(unsigned int*)(old_bytes + head)) {
      case 0x24448A:  // 8A 44 24 XX = mov al, byte ptr [esp+XXh]
      case 0x244C8B:  // 8B 4C 24 XX = mov ecx, dword ptr [esp+XXh]
      case 0x24548B:  // 8B 54 24 XX = mov edx, dword ptr [esp+XXh]
      case 0x247C8B:  // 8B 7C 24 XX = mov edi, dword ptr [esp+XXh]
        head += 4;
        continue;
    }

    // Unknown instruction!
    return false;
  }

  // Pool exhausted: the trampoline needs head bytes of copied code plus a
  // 5-byte jump back.
  if (pool_used + head + 5 > POOL_SIZE)
    return false;

  // Now put the "jump to trampoline" instruction into the original code.
  // Only the 'head' bytes that are rewritten below are made writable; both
  // the 5-byte jmp and the head-5 bytes of padding lie inside that range.
  DWORD old_prot, unused_prot;
  if (!VirtualProtect((void*)old_func, head, PAGE_EXECUTE_READWRITE,
                      &old_prot))
    return false;

  // Put the needed instructions into the trampoline bytes.
  _memcpy(trampoline, old_bytes, head);
  WriteJumpInstruction(trampoline + head, old_bytes + head);
  *orig_old_func = (uptr)trampoline;
  pool_used += head + 5;

  // Intercept the 'old_func'.
  WriteJumpInstruction(old_bytes, (char*)new_func);
  // head >= 5 here (the decode loop only exits that way), so this never
  // underflows; the displaced tail is padded with int 3 so a jump into the
  // middle of the old prologue traps rather than running partial bytes.
  _memset(old_bytes + 5, 0xCC /* int 3 */, head - 5);

  // NOTE(review): nothing flushes the instruction cache after the code
  // writes above; x86 keeps it coherent for in-process self-modifying code,
  // but Win32 documents FlushInstructionCache for this case — confirm.
  if (!VirtualProtect((void*)old_func, head, old_prot, &unused_prot))
    return false;  // not clear if this failure bothers us.

  return true;
}
1482716a61d085a8fdf13a099822720e320414cc4dcTimur Iskhodzhanov
14907bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov}  // namespace __interception
15007bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov
15107bb9f1e3600195119aec1aae1aa48a6ed2f5febTimur Iskhodzhanov#endif  // _WIN32