vbox的更動 66794 路徑 trunk/src/VBox/HostDrivers

時間撮記:

2017-5-4 下午01:09:36 (8 年 以前)

作者:

vboxsync

訊息:

Support: Implement strategy for relative call instructions when hooking the dlopen()++ interface

檔案:

• trunk/src/VBox/HostDrivers/Support/posix/SUPR3HardenedMain-posix.cpp (修改) (6 筆差異)

trunk/src/VBox/HostDrivers/Support/posix/SUPR3HardenedMain-posix.cpp

@@ -342 +342 @@
      */
     uint32_t cRipRelMovs = 0;
+    uint32_t cRelCalls = 0;
 
     /* Just use the disassembler to skip 12 bytes or more, we might need to
@@ -350 +351 @@
         int rc = DISInstr(pbTarget + offJmpBack, DISCPUMODE_64BIT, &Dis, &cbInstr);
         if (   RT_FAILURE(rc)
-            || (Dis.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW)
+            || (   Dis.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW
+                && Dis.pCurInstr->uOpcode != OP_CALL)
             || (   Dis.ModRM.Bits.Mod == 0
                 && Dis.ModRM.Bits.Rm  == 5 /* wrt RIP */
@@ -358 +360 @@
         if (Dis.ModRM.Bits.Mod == 0 && Dis.ModRM.Bits.Rm == 5 /* wrt RIP */)
             cRipRelMovs++;
+        if (   Dis.pCurInstr->uOpcode == OP_CALL
+            && (Dis.pCurInstr->fOpType & DISOPTYPE_RELATIVE_CONTROLFLOW))
+            cRelCalls++;
 
         offJmpBack += cbInstr;
@@ -363 +368 @@
     }
 
+    /*
+     * Each relative call requires 7 extra bytes as it is converted to an absolute one
+     * using two instructions (mov raw, qword + call rax). */
+    cbPatchMem += cRelCalls * 7;
     cbPatchMem += 14; /* jmp qword [$+8 wrt RIP] + 8 byte address to jump to. */
     cbPatchMem = RT_ALIGN_32(cbPatchMem, 8);
 
-    /* Allocate suitable exectuable memory available. */
+    /* Allocate suitable executable memory available. */
     bool fConvRipRelMovs = false;
     uint8_t *pbPatchMem = supR3HardenedMainPosixExecMemAlloc(cbPatchMem, pbTarget, cRipRelMovs > 0);
@@ -397 +406 @@
         int rc = DISInstr(pbTarget + offInsn, DISCPUMODE_64BIT, &Dis, &cbInstr);
         if (   RT_FAILURE(rc)
-            || (Dis.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW))
+            || (   Dis.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW
+                && Dis.pCurInstr->uOpcode != OP_CALL))
             return VERR_SUPLIB_UNEXPECTED_INSTRUCTION;
 
@@ -439 +449 @@
                 pbPatchMem   += sizeof(int32_t);
             }
+        }
+        else if (   Dis.pCurInstr->uOpcode == OP_CALL
+                 && (Dis.pCurInstr->fOpType & DISOPTYPE_RELATIVE_CONTROLFLOW))
+        {
+            /* Convert to absolute call. */
+            uintptr_t uAddr = (uintptr_t)&pbTarget[offInsn + cbInstr] + (intptr_t)Dis.Param1.uValue;
+
+            *pbPatchMem++ = 0x48;
+            *pbPatchMem++ = 0xb8;
+            *(uint64_t *)pbPatchMem = uAddr;
+            pbPatchMem   += sizeof(uint64_t);
+
+            *pbPatchMem++ = 0xff; /* call rax */
+            *pbPatchMem++ = 0xd0;
         }
         else