|  | /* Copyright (c) 2007, Google Inc. | 
|  | * All rights reserved. | 
|  | * | 
|  | * Redistribution and use in source and binary forms, with or without | 
|  | * modification, are permitted provided that the following conditions are | 
|  | * met: | 
|  | * | 
|  | *     * Redistributions of source code must retain the above copyright | 
|  | * notice, this list of conditions and the following disclaimer. | 
|  | *     * Redistributions in binary form must reproduce the above | 
|  | * copyright notice, this list of conditions and the following disclaimer | 
|  | * in the documentation and/or other materials provided with the | 
|  | * distribution. | 
|  | *     * Neither the name of Google Inc. nor the names of its | 
|  | * contributors may be used to endorse or promote products derived from | 
|  | * this software without specific prior written permission. | 
|  | * | 
|  | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | 
|  | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | 
|  | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | 
|  | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | 
|  | * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | 
|  | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | 
|  | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | 
|  | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | 
|  | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | 
|  | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | 
|  | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 
|  | * | 
|  | * --- | 
|  | * Author: Joi Sigurdsson | 
|  | * Author: Scott Francis | 
|  | * | 
|  | * Implementation of PreamblePatcher | 
|  | */ | 
|  |  | 
|  | #include "preamble_patcher.h" | 
|  |  | 
|  | #include "mini_disassembler.h" | 
|  |  | 
|  | // compatibility shims | 
|  | #include "base/logging.h" | 
|  |  | 
|  | // Definitions of assembly statements we need | 
|  | #define ASM_JMP32REL 0xE9 | 
|  | #define ASM_INT3 0xCC | 
|  | #define ASM_JMP32ABS_0 0xFF | 
|  | #define ASM_JMP32ABS_1 0x25 | 
|  | #define ASM_JMP8REL 0xEB | 
|  | #define ASM_JCC32REL_0 0x0F | 
|  | #define ASM_JCC32REL_1_MASK 0x80 | 
|  | #define ASM_NOP 0x90 | 
|  | // X64 opcodes | 
|  | #define ASM_REXW 0x48 | 
|  | #define ASM_MOVRAX_IMM 0xB8 | 
|  | #define ASM_JMP 0xFF | 
|  | #define ASM_JMP_RAX 0xE0 | 
|  |  | 
|  | namespace sidestep { | 
|  |  | 
|  | PreamblePatcher::PreamblePage* PreamblePatcher::preamble_pages_ = NULL; | 
|  | long PreamblePatcher::granularity_ = 0; | 
|  | long PreamblePatcher::pagesize_ = 0; | 
|  | bool PreamblePatcher::initialized_ = false; | 
|  |  | 
|  | static const unsigned int kPreamblePageMagic = 0x4347414D; // "MAGC" | 
|  |  | 
|  | // Handle a special case that we see with functions that point into an | 
|  | // IAT table (including functions linked statically into the | 
|  | // application): these function already starts with ASM_JMP32*.  For | 
|  | // instance, malloc() might be implemented as a JMP to __malloc(). | 
|  | // This function follows the initial JMPs for us, until we get to the | 
|  | // place where the actual code is defined.  If we get to STOP_BEFORE, | 
|  | // we return the address before stop_before.  The stop_before_trampoline | 
|  | // flag is used in 64-bit mode.  If true, we will return the address | 
|  | // before a trampoline is detected.  Trampolines are defined as: | 
|  | // | 
|  | //    nop | 
|  | //    mov rax, <replacement_function> | 
|  | //    jmp rax | 
|  | // | 
|  | // See PreamblePatcher::RawPatchWithStub for more information. | 
|  | void* PreamblePatcher::ResolveTargetImpl(unsigned char* target, | 
|  | unsigned char* stop_before, | 
|  | bool stop_before_trampoline) { | 
|  | if (target == NULL) | 
|  | return NULL; | 
|  | while (1) { | 
|  | unsigned char* new_target; | 
|  | if (target[0] == ASM_JMP32REL) { | 
|  | // target[1-4] holds the place the jmp goes to, but it's | 
|  | // relative to the next instruction. | 
|  | int relative_offset;   // Windows guarantees int is 4 bytes | 
|  | SIDESTEP_ASSERT(sizeof(relative_offset) == 4); | 
|  | memcpy(reinterpret_cast<void*>(&relative_offset), | 
|  | reinterpret_cast<void*>(target + 1), 4); | 
|  | new_target = target + 5 + relative_offset; | 
|  | } else if (target[0] == ASM_JMP8REL) { | 
|  | // Visual Studio 7.1 implements new[] as an 8 bit jump to new | 
|  | signed char relative_offset; | 
|  | memcpy(reinterpret_cast<void*>(&relative_offset), | 
|  | reinterpret_cast<void*>(target + 1), 1); | 
|  | new_target = target + 2 + relative_offset; | 
|  | } else if (target[0] == ASM_JMP32ABS_0 && | 
|  | target[1] == ASM_JMP32ABS_1) { | 
|  | // Visual studio seems to sometimes do it this way instead of the | 
|  | // previous way.  Not sure what the rules are, but it was happening | 
|  | // with operator new in some binaries. | 
|  | void** new_target_v; | 
|  | if (kIs64BitBinary) { | 
|  | // In 64-bit mode JMPs are RIP-relative, not absolute | 
|  | int target_offset; | 
|  | memcpy(reinterpret_cast<void*>(&target_offset), | 
|  | reinterpret_cast<void*>(target + 2), 4); | 
|  | new_target_v = reinterpret_cast<void**>(target + target_offset + 6); | 
|  | } else { | 
|  | SIDESTEP_ASSERT(sizeof(new_target) == 4); | 
|  | memcpy(&new_target_v, reinterpret_cast<void*>(target + 2), 4); | 
|  | } | 
|  | new_target = reinterpret_cast<unsigned char*>(*new_target_v); | 
|  | } else { | 
|  | break; | 
|  | } | 
|  | if (new_target == stop_before) | 
|  | break; | 
|  | if (stop_before_trampoline && *new_target == ASM_NOP | 
|  | && new_target[1] == ASM_REXW && new_target[2] == ASM_MOVRAX_IMM) | 
|  | break; | 
|  | target = new_target; | 
|  | } | 
|  | return target; | 
|  | } | 
|  |  | 
|  | // Special case scoped_ptr to avoid dependency on scoped_ptr below. | 
|  | class DeleteUnsignedCharArray { | 
|  | public: | 
|  | DeleteUnsignedCharArray(unsigned char* array) : array_(array) { | 
|  | } | 
|  |  | 
|  | ~DeleteUnsignedCharArray() { | 
|  | if (array_) { | 
|  | PreamblePatcher::FreePreambleBlock(array_); | 
|  | } | 
|  | } | 
|  |  | 
|  | unsigned char* Release() { | 
|  | unsigned char* temp = array_; | 
|  | array_ = NULL; | 
|  | return temp; | 
|  | } | 
|  |  | 
|  | private: | 
|  | unsigned char* array_; | 
|  | }; | 
|  |  | 
|  | SideStepError PreamblePatcher::RawPatchWithStubAndProtections( | 
|  | void* target_function, void *replacement_function, | 
|  | unsigned char* preamble_stub, unsigned long stub_size, | 
|  | unsigned long* bytes_needed) { | 
|  | // We need to be able to write to a process-local copy of the first | 
|  | // MAX_PREAMBLE_STUB_SIZE bytes of target_function | 
|  | DWORD old_target_function_protect = 0; | 
|  | BOOL succeeded = ::VirtualProtect(reinterpret_cast<void*>(target_function), | 
|  | MAX_PREAMBLE_STUB_SIZE, | 
|  | PAGE_EXECUTE_READWRITE, | 
|  | &old_target_function_protect); | 
|  | if (!succeeded) { | 
|  | SIDESTEP_ASSERT(false && "Failed to make page containing target function " | 
|  | "copy-on-write."); | 
|  | return SIDESTEP_ACCESS_DENIED; | 
|  | } | 
|  |  | 
|  | SideStepError error_code = RawPatchWithStub(target_function, | 
|  | replacement_function, | 
|  | preamble_stub, | 
|  | stub_size, | 
|  | bytes_needed); | 
|  |  | 
|  | // Restore the protection of the first MAX_PREAMBLE_STUB_SIZE bytes of | 
|  | // pTargetFunction to what they were before we started goofing around. | 
|  | // We do this regardless of whether the patch succeeded or not. | 
|  | succeeded = ::VirtualProtect(reinterpret_cast<void*>(target_function), | 
|  | MAX_PREAMBLE_STUB_SIZE, | 
|  | old_target_function_protect, | 
|  | &old_target_function_protect); | 
|  | if (!succeeded) { | 
|  | SIDESTEP_ASSERT(false && | 
|  | "Failed to restore protection to target function."); | 
|  | // We must not return an error here because the function has | 
|  | // likely actually been patched, and returning an error might | 
|  | // cause our client code not to unpatch it.  So we just keep | 
|  | // going. | 
|  | } | 
|  |  | 
|  | if (SIDESTEP_SUCCESS != error_code) {  // Testing RawPatchWithStub, above | 
|  | SIDESTEP_ASSERT(false); | 
|  | return error_code; | 
|  | } | 
|  |  | 
|  | // Flush the instruction cache to make sure the processor doesn't execute the | 
|  | // old version of the instructions (before our patch). | 
|  | // | 
|  | // FlushInstructionCache is actually a no-op at least on | 
|  | // single-processor XP machines.  I'm not sure why this is so, but | 
|  | // it is, yet I want to keep the call to the API here for | 
|  | // correctness in case there is a difference in some variants of | 
|  | // Windows/hardware. | 
|  | succeeded = ::FlushInstructionCache(::GetCurrentProcess(), | 
|  | target_function, | 
|  | MAX_PREAMBLE_STUB_SIZE); | 
|  | if (!succeeded) { | 
|  | SIDESTEP_ASSERT(false && "Failed to flush instruction cache."); | 
|  | // We must not return an error here because the function has actually | 
|  | // been patched, and returning an error would likely cause our client | 
|  | // code not to unpatch it.  So we just keep going. | 
|  | } | 
|  |  | 
|  | return SIDESTEP_SUCCESS; | 
|  | } | 
|  |  | 
|  | SideStepError PreamblePatcher::RawPatch(void* target_function, | 
|  | void* replacement_function, | 
|  | void** original_function_stub) { | 
|  | if (!target_function || !replacement_function || !original_function_stub || | 
|  | (*original_function_stub) || target_function == replacement_function) { | 
|  | SIDESTEP_ASSERT(false && "Preconditions not met"); | 
|  | return SIDESTEP_INVALID_PARAMETER; | 
|  | } | 
|  |  | 
|  | BOOL succeeded = FALSE; | 
|  |  | 
|  | // First, deal with a special case that we see with functions that | 
|  | // point into an IAT table (including functions linked statically | 
|  | // into the application): these function already starts with | 
|  | // ASM_JMP32REL.  For instance, malloc() might be implemented as a | 
|  | // JMP to __malloc().  In that case, we replace the destination of | 
|  | // the JMP (__malloc), rather than the JMP itself (malloc).  This | 
|  | // way we get the correct behavior no matter how malloc gets called. | 
|  | void* new_target = ResolveTarget(target_function); | 
|  | if (new_target != target_function) { | 
|  | target_function = new_target; | 
|  | } | 
|  |  | 
|  | // In 64-bit mode, preamble_stub must be within 2GB of target function | 
|  | // so that if target contains a jump, we can translate it. | 
|  | unsigned char* preamble_stub = AllocPreambleBlockNear(target_function); | 
|  | if (!preamble_stub) { | 
|  | SIDESTEP_ASSERT(false && "Unable to allocate preamble-stub."); | 
|  | return SIDESTEP_INSUFFICIENT_BUFFER; | 
|  | } | 
|  |  | 
|  | // Frees the array at end of scope. | 
|  | DeleteUnsignedCharArray guard_preamble_stub(preamble_stub); | 
|  |  | 
|  | SideStepError error_code = RawPatchWithStubAndProtections( | 
|  | target_function, replacement_function, preamble_stub, | 
|  | MAX_PREAMBLE_STUB_SIZE, NULL); | 
|  |  | 
|  | if (SIDESTEP_SUCCESS != error_code) { | 
|  | SIDESTEP_ASSERT(false); | 
|  | return error_code; | 
|  | } | 
|  |  | 
|  | // Flush the instruction cache to make sure the processor doesn't execute the | 
|  | // old version of the instructions (before our patch). | 
|  | // | 
|  | // FlushInstructionCache is actually a no-op at least on | 
|  | // single-processor XP machines.  I'm not sure why this is so, but | 
|  | // it is, yet I want to keep the call to the API here for | 
|  | // correctness in case there is a difference in some variants of | 
|  | // Windows/hardware. | 
|  | succeeded = ::FlushInstructionCache(::GetCurrentProcess(), | 
|  | target_function, | 
|  | MAX_PREAMBLE_STUB_SIZE); | 
|  | if (!succeeded) { | 
|  | SIDESTEP_ASSERT(false && "Failed to flush instruction cache."); | 
|  | // We must not return an error here because the function has actually | 
|  | // been patched, and returning an error would likely cause our client | 
|  | // code not to unpatch it.  So we just keep going. | 
|  | } | 
|  |  | 
|  | SIDESTEP_LOG("PreamblePatcher::RawPatch successfully patched."); | 
|  |  | 
|  | // detach the scoped pointer so the memory is not freed | 
|  | *original_function_stub = | 
|  | reinterpret_cast<void*>(guard_preamble_stub.Release()); | 
|  | return SIDESTEP_SUCCESS; | 
|  | } | 
|  |  | 
|  | SideStepError PreamblePatcher::Unpatch(void* target_function, | 
|  | void* replacement_function, | 
|  | void* original_function_stub) { | 
|  | SIDESTEP_ASSERT(target_function && replacement_function && | 
|  | original_function_stub); | 
|  | if (!target_function || !replacement_function || | 
|  | !original_function_stub) { | 
|  | return SIDESTEP_INVALID_PARAMETER; | 
|  | } | 
|  |  | 
|  | // Before unpatching, target_function should be a JMP to | 
|  | // replacement_function.  If it's not, then either it's an error, or | 
|  | // we're falling into the case where the original instruction was a | 
|  | // JMP, and we patched the jumped_to address rather than the JMP | 
|  | // itself.  (For instance, if malloc() is just a JMP to __malloc(), | 
|  | // we patched __malloc() and not malloc().) | 
|  | unsigned char* target = reinterpret_cast<unsigned char*>(target_function); | 
|  | target = reinterpret_cast<unsigned char*>( | 
|  | ResolveTargetImpl( | 
|  | target, reinterpret_cast<unsigned char*>(replacement_function), | 
|  | true)); | 
|  | // We should end at the function we patched.  When we patch, we insert | 
|  | // a ASM_JMP32REL instruction, so look for that as a sanity check. | 
|  | if (target[0] != ASM_JMP32REL) { | 
|  | SIDESTEP_ASSERT(false && | 
|  | "target_function does not look like it was patched."); | 
|  | return SIDESTEP_INVALID_PARAMETER; | 
|  | } | 
|  |  | 
|  | const unsigned int kRequiredTargetPatchBytes = 5; | 
|  |  | 
|  | // We need to be able to write to a process-local copy of the first | 
|  | // kRequiredTargetPatchBytes bytes of target_function | 
|  | DWORD old_target_function_protect = 0; | 
|  | BOOL succeeded = ::VirtualProtect(reinterpret_cast<void*>(target), | 
|  | kRequiredTargetPatchBytes, | 
|  | PAGE_EXECUTE_READWRITE, | 
|  | &old_target_function_protect); | 
|  | if (!succeeded) { | 
|  | SIDESTEP_ASSERT(false && "Failed to make page containing target function " | 
|  | "copy-on-write."); | 
|  | return SIDESTEP_ACCESS_DENIED; | 
|  | } | 
|  |  | 
|  | unsigned char* preamble_stub = reinterpret_cast<unsigned char*>( | 
|  | original_function_stub); | 
|  |  | 
|  | // Disassemble the preamble of stub and copy the bytes back to target. | 
|  | // If we've done any conditional jumps in the preamble we need to convert | 
|  | // them back to the orignal REL8 jumps in the target. | 
|  | MiniDisassembler disassembler; | 
|  | unsigned int preamble_bytes = 0; | 
|  | unsigned int target_bytes = 0; | 
|  | while (target_bytes < kRequiredTargetPatchBytes) { | 
|  | unsigned int cur_bytes = 0; | 
|  | InstructionType instruction_type = | 
|  | disassembler.Disassemble(preamble_stub + preamble_bytes, cur_bytes); | 
|  | if (IT_JUMP == instruction_type) { | 
|  | unsigned int jump_bytes = 0; | 
|  | SideStepError jump_ret = SIDESTEP_JUMP_INSTRUCTION; | 
|  | if (IsNearConditionalJump(preamble_stub + preamble_bytes, cur_bytes) || | 
|  | IsNearRelativeJump(preamble_stub + preamble_bytes, cur_bytes) || | 
|  | IsNearAbsoluteCall(preamble_stub + preamble_bytes, cur_bytes) || | 
|  | IsNearRelativeCall(preamble_stub + preamble_bytes, cur_bytes)) { | 
|  | jump_ret = PatchNearJumpOrCall(preamble_stub + preamble_bytes, | 
|  | cur_bytes, target + target_bytes, | 
|  | &jump_bytes, MAX_PREAMBLE_STUB_SIZE); | 
|  | } | 
|  | if (jump_ret == SIDESTEP_JUMP_INSTRUCTION) { | 
|  | SIDESTEP_ASSERT(false && | 
|  | "Found unsupported jump instruction in stub!!"); | 
|  | return SIDESTEP_UNSUPPORTED_INSTRUCTION; | 
|  | } | 
|  | target_bytes += jump_bytes; | 
|  | } else if (IT_GENERIC == instruction_type) { | 
|  | if (IsMovWithDisplacement(preamble_stub + preamble_bytes, cur_bytes)) { | 
|  | unsigned int mov_bytes = 0; | 
|  | if (PatchMovWithDisplacement(preamble_stub + preamble_bytes, cur_bytes, | 
|  | target + target_bytes, &mov_bytes, | 
|  | MAX_PREAMBLE_STUB_SIZE) | 
|  | != SIDESTEP_SUCCESS) { | 
|  | SIDESTEP_ASSERT(false && | 
|  | "Found unsupported generic instruction in stub!!"); | 
|  | return SIDESTEP_UNSUPPORTED_INSTRUCTION; | 
|  | } | 
|  | } else { | 
|  | memcpy(reinterpret_cast<void*>(target + target_bytes), | 
|  | reinterpret_cast<void*>(reinterpret_cast<unsigned char*>( | 
|  | original_function_stub) + preamble_bytes), cur_bytes); | 
|  | target_bytes += cur_bytes; | 
|  | } | 
|  | } else { | 
|  | SIDESTEP_ASSERT(false && | 
|  | "Found unsupported instruction in stub!!"); | 
|  | return SIDESTEP_UNSUPPORTED_INSTRUCTION; | 
|  | } | 
|  | preamble_bytes += cur_bytes; | 
|  | } | 
|  |  | 
|  | FreePreambleBlock(reinterpret_cast<unsigned char*>(original_function_stub)); | 
|  |  | 
|  | // Restore the protection of the first kRequiredTargetPatchBytes bytes of | 
|  | // target to what they were before we started goofing around. | 
|  | succeeded = ::VirtualProtect(reinterpret_cast<void*>(target), | 
|  | kRequiredTargetPatchBytes, | 
|  | old_target_function_protect, | 
|  | &old_target_function_protect); | 
|  |  | 
|  | // Flush the instruction cache to make sure the processor doesn't execute the | 
|  | // old version of the instructions (before our patch). | 
|  | // | 
|  | // See comment on FlushInstructionCache elsewhere in this file. | 
|  | succeeded = ::FlushInstructionCache(::GetCurrentProcess(), | 
|  | target, | 
|  | MAX_PREAMBLE_STUB_SIZE); | 
|  | if (!succeeded) { | 
|  | SIDESTEP_ASSERT(false && "Failed to flush instruction cache."); | 
|  | return SIDESTEP_UNEXPECTED; | 
|  | } | 
|  |  | 
|  | SIDESTEP_LOG("PreamblePatcher::Unpatch successfully unpatched."); | 
|  | return SIDESTEP_SUCCESS; | 
|  | } | 
|  |  | 
|  | void PreamblePatcher::Initialize() { | 
|  | if (!initialized_) { | 
|  | SYSTEM_INFO si = { 0 }; | 
|  | ::GetSystemInfo(&si); | 
|  | granularity_ = si.dwAllocationGranularity; | 
|  | pagesize_ = si.dwPageSize; | 
|  | initialized_ = true; | 
|  | } | 
|  | } | 
|  |  | 
|  | unsigned char* PreamblePatcher::AllocPreambleBlockNear(void* target) { | 
|  | PreamblePage* preamble_page = preamble_pages_; | 
|  | while (preamble_page != NULL) { | 
|  | if (preamble_page->free_ != NULL) { | 
|  | __int64 val = reinterpret_cast<__int64>(preamble_page) - | 
|  | reinterpret_cast<__int64>(target); | 
|  | if ((val > 0 && val + pagesize_ <= INT_MAX) || | 
|  | (val < 0 && val >= INT_MIN)) { | 
|  | break; | 
|  | } | 
|  | } | 
|  | preamble_page = preamble_page->next_; | 
|  | } | 
|  |  | 
|  | // The free_ member of the page is used to store the next available block | 
|  | // of memory to use or NULL if there are no chunks available, in which case | 
|  | // we'll allocate a new page. | 
|  | if (preamble_page == NULL || preamble_page->free_ == NULL) { | 
|  | // Create a new preamble page and initialize the free list | 
|  | preamble_page = reinterpret_cast<PreamblePage*>(AllocPageNear(target)); | 
|  | SIDESTEP_ASSERT(preamble_page != NULL && "Could not allocate page!"); | 
|  | void** pp = &preamble_page->free_; | 
|  | unsigned char* ptr = reinterpret_cast<unsigned char*>(preamble_page) + | 
|  | MAX_PREAMBLE_STUB_SIZE; | 
|  | unsigned char* limit = reinterpret_cast<unsigned char*>(preamble_page) + | 
|  | pagesize_; | 
|  | while (ptr < limit) { | 
|  | *pp = ptr; | 
|  | pp = reinterpret_cast<void**>(ptr); | 
|  | ptr += MAX_PREAMBLE_STUB_SIZE; | 
|  | } | 
|  | *pp = NULL; | 
|  | // Insert the new page into the list | 
|  | preamble_page->magic_ = kPreamblePageMagic; | 
|  | preamble_page->next_ = preamble_pages_; | 
|  | preamble_pages_ = preamble_page; | 
|  | } | 
|  | unsigned char* ret = reinterpret_cast<unsigned char*>(preamble_page->free_); | 
|  | preamble_page->free_ = *(reinterpret_cast<void**>(preamble_page->free_)); | 
|  | return ret; | 
|  | } | 
|  |  | 
|  | void PreamblePatcher::FreePreambleBlock(unsigned char* block) { | 
|  | SIDESTEP_ASSERT(block != NULL); | 
|  | SIDESTEP_ASSERT(granularity_ != 0); | 
|  | uintptr_t ptr = reinterpret_cast<uintptr_t>(block); | 
|  | ptr -= ptr & (granularity_ - 1); | 
|  | PreamblePage* preamble_page = reinterpret_cast<PreamblePage*>(ptr); | 
|  | SIDESTEP_ASSERT(preamble_page->magic_ == kPreamblePageMagic); | 
|  | *(reinterpret_cast<void**>(block)) = preamble_page->free_; | 
|  | preamble_page->free_ = block; | 
|  | } | 
|  |  | 
|  | void* PreamblePatcher::AllocPageNear(void* target) { | 
|  | MEMORY_BASIC_INFORMATION mbi = { 0 }; | 
|  | if (!::VirtualQuery(target, &mbi, sizeof(mbi))) { | 
|  | SIDESTEP_ASSERT(false && "VirtualQuery failed on target address"); | 
|  | return 0; | 
|  | } | 
|  | if (initialized_ == false) { | 
|  | PreamblePatcher::Initialize(); | 
|  | SIDESTEP_ASSERT(initialized_); | 
|  | } | 
|  | void* pv = NULL; | 
|  | unsigned char* allocation_base = reinterpret_cast<unsigned char*>( | 
|  | mbi.AllocationBase); | 
|  | __int64 i = 1; | 
|  | bool high_target = reinterpret_cast<__int64>(target) > UINT_MAX; | 
|  | while (pv == NULL) { | 
|  | __int64 val = reinterpret_cast<__int64>(allocation_base) - | 
|  | (i * granularity_); | 
|  | if (high_target && | 
|  | reinterpret_cast<__int64>(target) - val > INT_MAX) { | 
|  | // We're further than 2GB from the target | 
|  | break; | 
|  | } else if (val <= NULL) { | 
|  | // Less than 0 | 
|  | break; | 
|  | } | 
|  | pv = ::VirtualAlloc(reinterpret_cast<void*>(allocation_base - | 
|  | (i++ * granularity_)), | 
|  | pagesize_, MEM_COMMIT | MEM_RESERVE, | 
|  | PAGE_EXECUTE_READWRITE); | 
|  | } | 
|  |  | 
|  | // We couldn't allocate low, try to allocate high | 
|  | if (pv == NULL) { | 
|  | i = 1; | 
|  | // Round up to the next multiple of page granularity | 
|  | allocation_base = reinterpret_cast<unsigned char*>( | 
|  | (reinterpret_cast<__int64>(target) & | 
|  | (~(granularity_ - 1))) + granularity_); | 
|  | while (pv == NULL) { | 
|  | __int64 val = reinterpret_cast<__int64>(allocation_base) + | 
|  | (i * granularity_) - reinterpret_cast<__int64>(target); | 
|  | if (val > INT_MAX || val < 0) { | 
|  | // We're too far or we overflowed | 
|  | break; | 
|  | } | 
|  | pv = ::VirtualAlloc(reinterpret_cast<void*>(allocation_base + | 
|  | (i++ * granularity_)), | 
|  | pagesize_, MEM_COMMIT | MEM_RESERVE, | 
|  | PAGE_EXECUTE_READWRITE); | 
|  | } | 
|  | } | 
|  | return pv; | 
|  | } | 
|  |  | 
|  | bool PreamblePatcher::IsShortConditionalJump( | 
|  | unsigned char* target, | 
|  | unsigned int instruction_size) { | 
|  | return (*(target) & 0x70) == 0x70 && instruction_size == 2; | 
|  | } | 
|  |  | 
|  | bool PreamblePatcher::IsNearConditionalJump( | 
|  | unsigned char* target, | 
|  | unsigned int instruction_size) { | 
|  | return *(target) == 0xf && (*(target + 1) & 0x80) == 0x80 && | 
|  | instruction_size == 6; | 
|  | } | 
|  |  | 
|  | bool PreamblePatcher::IsNearRelativeJump( | 
|  | unsigned char* target, | 
|  | unsigned int instruction_size) { | 
|  | return *(target) == 0xe9 && instruction_size == 5; | 
|  | } | 
|  |  | 
|  | bool PreamblePatcher::IsNearAbsoluteCall( | 
|  | unsigned char* target, | 
|  | unsigned int instruction_size) { | 
|  | return *(target) == 0xff && (*(target + 1) & 0x10) == 0x10 && | 
|  | instruction_size == 6; | 
|  | } | 
|  |  | 
|  | bool PreamblePatcher::IsNearRelativeCall( | 
|  | unsigned char* target, | 
|  | unsigned int instruction_size) { | 
|  | return *(target) == 0xe8 && instruction_size == 5; | 
|  | } | 
|  |  | 
|  | bool PreamblePatcher::IsMovWithDisplacement( | 
|  | unsigned char* target, | 
|  | unsigned int instruction_size) { | 
|  | // In this case, the ModRM byte's mod field will be 0 and r/m will be 101b (5) | 
|  | return instruction_size == 7 && *target == 0x48 && *(target + 1) == 0x8b && | 
|  | (*(target + 2) >> 6) == 0 && (*(target + 2) & 0x7) == 5; | 
|  | } | 
|  |  | 
|  | SideStepError PreamblePatcher::PatchShortConditionalJump( | 
|  | unsigned char* source, | 
|  | unsigned int instruction_size, | 
|  | unsigned char* target, | 
|  | unsigned int* target_bytes, | 
|  | unsigned int target_size) { | 
|  | unsigned char* original_jump_dest = (source + 2) + source[1]; | 
|  | unsigned char* stub_jump_from = target + 6; | 
|  | __int64 fixup_jump_offset = original_jump_dest - stub_jump_from; | 
|  | if (fixup_jump_offset > INT_MAX || fixup_jump_offset < INT_MIN) { | 
|  | SIDESTEP_ASSERT(false && | 
|  | "Unable to fix up short jump because target" | 
|  | " is too far away."); | 
|  | return SIDESTEP_JUMP_INSTRUCTION; | 
|  | } | 
|  |  | 
|  | *target_bytes = 6; | 
|  | if (target_size > *target_bytes) { | 
|  | // Convert the short jump to a near jump. | 
|  | // | 
|  | // 0f 8x xx xx xx xx = Jcc rel32off | 
|  | unsigned short jmpcode = ((0x80 | (source[0] & 0xf)) << 8) | 0x0f; | 
|  | memcpy(reinterpret_cast<void*>(target), | 
|  | reinterpret_cast<void*>(&jmpcode), 2); | 
|  | memcpy(reinterpret_cast<void*>(target + 2), | 
|  | reinterpret_cast<void*>(&fixup_jump_offset), 4); | 
|  | } | 
|  |  | 
|  | return SIDESTEP_SUCCESS; | 
|  | } | 
|  |  | 
|  | SideStepError PreamblePatcher::PatchNearJumpOrCall( | 
|  | unsigned char* source, | 
|  | unsigned int instruction_size, | 
|  | unsigned char* target, | 
|  | unsigned int* target_bytes, | 
|  | unsigned int target_size) { | 
|  | SIDESTEP_ASSERT(instruction_size == 5 || instruction_size == 6); | 
|  | unsigned int jmp_offset_in_instruction = instruction_size == 5 ? 1 : 2; | 
|  | unsigned char* original_jump_dest = reinterpret_cast<unsigned char *>( | 
|  | reinterpret_cast<__int64>(source + instruction_size) + | 
|  | *(reinterpret_cast<int*>(source + jmp_offset_in_instruction))); | 
|  | unsigned char* stub_jump_from = target + instruction_size; | 
|  | __int64 fixup_jump_offset = original_jump_dest - stub_jump_from; | 
|  | if (fixup_jump_offset > INT_MAX || fixup_jump_offset < INT_MIN) { | 
|  | SIDESTEP_ASSERT(false && | 
|  | "Unable to fix up near jump because target" | 
|  | " is too far away."); | 
|  | return SIDESTEP_JUMP_INSTRUCTION; | 
|  | } | 
|  |  | 
|  | if ((fixup_jump_offset < SCHAR_MAX && fixup_jump_offset > SCHAR_MIN)) { | 
|  | *target_bytes = 2; | 
|  | if (target_size > *target_bytes) { | 
|  | // If the new offset is in range, use a short jump instead of a near jump. | 
|  | if (source[0] == ASM_JCC32REL_0 && | 
|  | (source[1] & ASM_JCC32REL_1_MASK) == ASM_JCC32REL_1_MASK) { | 
|  | unsigned short jmpcode = (static_cast<unsigned char>( | 
|  | fixup_jump_offset) << 8) | (0x70 | (source[1] & 0xf)); | 
|  | memcpy(reinterpret_cast<void*>(target), | 
|  | reinterpret_cast<void*>(&jmpcode), | 
|  | 2); | 
|  | } else { | 
|  | target[0] = ASM_JMP8REL; | 
|  | target[1] = static_cast<unsigned char>(fixup_jump_offset); | 
|  | } | 
|  | } | 
|  | } else { | 
|  | *target_bytes = instruction_size; | 
|  | if (target_size > *target_bytes) { | 
|  | memcpy(reinterpret_cast<void*>(target), | 
|  | reinterpret_cast<void*>(source), | 
|  | jmp_offset_in_instruction); | 
|  | memcpy(reinterpret_cast<void*>(target + jmp_offset_in_instruction), | 
|  | reinterpret_cast<void*>(&fixup_jump_offset), | 
|  | 4); | 
|  | } | 
|  | } | 
|  |  | 
|  | return SIDESTEP_SUCCESS; | 
|  | } | 
|  |  | 
|  | SideStepError PreamblePatcher::PatchMovWithDisplacement( | 
|  | unsigned char* source, | 
|  | unsigned int instruction_size, | 
|  | unsigned char* target, | 
|  | unsigned int* target_bytes, | 
|  | unsigned int target_size) { | 
|  | SIDESTEP_ASSERT(instruction_size == 7); | 
|  | const int mov_offset_in_instruction = 3; // 0x48 0x8b 0x0d <offset> | 
|  | unsigned char* original_mov_dest = reinterpret_cast<unsigned char*>( | 
|  | reinterpret_cast<__int64>(source + instruction_size) + | 
|  | *(reinterpret_cast<int*>(source + mov_offset_in_instruction))); | 
|  | unsigned char* stub_mov_from = target + instruction_size; | 
|  | __int64 fixup_mov_offset = original_mov_dest - stub_mov_from; | 
|  | if (fixup_mov_offset > INT_MAX || fixup_mov_offset < INT_MIN) { | 
|  | SIDESTEP_ASSERT(false && | 
|  | "Unable to fix up near MOV because target is too far away."); | 
|  | return SIDESTEP_UNEXPECTED; | 
|  | } | 
|  | *target_bytes = instruction_size; | 
|  | if (target_size > *target_bytes) { | 
|  | memcpy(reinterpret_cast<void*>(target), | 
|  | reinterpret_cast<void*>(source), | 
|  | mov_offset_in_instruction); | 
|  | memcpy(reinterpret_cast<void*>(target + mov_offset_in_instruction), | 
|  | reinterpret_cast<void*>(&fixup_mov_offset), | 
|  | 4); | 
|  | } | 
|  | return SIDESTEP_SUCCESS; | 
|  | } | 
|  |  | 
|  | };  // namespace sidestep |