// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "preamble_patcher.h"
#include "memory_hook.h"
#include "mini_disassembler.h"
// compatibility shims
#include "base/logging.h"
// Definitions of assembly statements we need
#define ASM_JMP32REL 0xE9
#define ASM_INT3 0xCC
namespace sidestep {
SideStepError PreamblePatcher::RawPatchWithStubAndProtections(
void* target_function, void *replacement_function,
unsigned char* preamble_stub, unsigned long stub_size,
unsigned long* bytes_needed) {
// We need to be able to write to a process-local copy of the first
// MAX_PREAMBLE_STUB_SIZE bytes of target_function. We may be giving execute
// privilege to something that doesn't have it, but that's the price to pay
// for tools.
DWORD old_target_function_protect = 0;
BOOL succeeded = ::VirtualProtect(reinterpret_cast<void*>(target_function),
MAX_PREAMBLE_STUB_SIZE,
PAGE_EXECUTE_READWRITE,
&old_target_function_protect);
if (!succeeded) {
ASSERT(false, "Failed to make page containing target function "
"copy-on-write.");
return SIDESTEP_ACCESS_DENIED;
}
SideStepError error_code = RawPatchWithStub(target_function,
replacement_function,
preamble_stub,
stub_size,
bytes_needed);
if (SIDESTEP_SUCCESS != error_code) {
ASSERT1(false);
return error_code;
}
// Restore the protection of the first MAX_PREAMBLE_STUB_SIZE bytes of
// pTargetFunction to what they were before we started goofing around.
succeeded = ::VirtualProtect(reinterpret_cast<void*>(target_function),
MAX_PREAMBLE_STUB_SIZE,
old_target_function_protect,
&old_target_function_protect);
if (!succeeded) {
ASSERT(false, "Failed to restore protection to target function.");
// We must not return an error here because the function has actually
// been patched, and returning an error would likely cause our client
// code not to unpatch it. So we just keep going.
}
// Flush the instruction cache to make sure the processor doesn't execute the
// old version of the instructions (before our patch).
//
// FlushInstructionCache is actually a no-op at least on single-processor
// XP machines. I'm not sure why this is so, but it is, yet I want to keep
// the call to the API here for correctness in case there is a difference in
// some variants of Windows/hardware.
succeeded = ::FlushInstructionCache(::GetCurrentProcess(),
target_function,
MAX_PREAMBLE_STUB_SIZE);
if (!succeeded) {
ASSERT(false, "Failed to flush instruction cache.");
// We must not return an error here because the function has actually
// been patched, and returning an error would likely cause our client
// code not to unpatch it. So we just keep going.
}
return SIDESTEP_SUCCESS;
}
SideStepError PreamblePatcher::RawPatch(void* target_function,
void* replacement_function,
void** original_function_stub) {
if (!target_function || !replacement_function || !original_function_stub ||
(*original_function_stub) || target_function == replacement_function) {
ASSERT(false, "Preconditions not met");
return SIDESTEP_INVALID_PARAMETER;
}
// @see MAX_PREAMBLE_STUB_SIZE for an explanation of how we arrives at
// this size
unsigned char* preamble_stub =
reinterpret_cast<unsigned char*>(
MemoryHook::Alloc(sizeof(unsigned char) * MAX_PREAMBLE_STUB_SIZE));
if (!preamble_stub) {
ASSERT(false, "Unable to allocate preamble-stub.");
return SIDESTEP_INSUFFICIENT_BUFFER;
}
// Change the protection of the newly allocated preamble stub to
// PAGE_EXECUTE_READWRITE. This is required to work with DEP (Data
// Execution Prevention) which will cause an exception if code is executed
// from a page on which you do not have read access.
DWORD old_stub_protect = 0;
BOOL succeeded = VirtualProtect(preamble_stub, MAX_PREAMBLE_STUB_SIZE,
PAGE_EXECUTE_READWRITE, &old_stub_protect);
if (!succeeded) {
ASSERT(false, "Failed to make page preamble stub read-write-execute.");
delete[] preamble_stub;
return SIDESTEP_ACCESS_DENIED;
}
SideStepError error_code = RawPatchWithStubAndProtections(target_function,
replacement_function,
preamble_stub,
MAX_PREAMBLE_STUB_SIZE,
NULL);
if (SIDESTEP_SUCCESS != error_code) {
ASSERT1(false);
delete[] preamble_stub;
return error_code;
}
*original_function_stub = reinterpret_cast<void*>(preamble_stub);
// NOTE: For hooking malloc/free, we don't want to use streams which
// allocate. Basically, we've hooked malloc, but not necessarily
// hooked free yet. To do anything which uses the heap could crash
// with a mismatched malloc/free!
//VLOG(1) << "PreamblePatcher::RawPatch successfully patched 0x"
// << target_function;
return SIDESTEP_SUCCESS;
}
SideStepError PreamblePatcher::Unpatch(void* target_function,
void* replacement_function,
void* original_function_stub) {
ASSERT1(target_function && original_function_stub);
if (!target_function || !original_function_stub) {
return SIDESTEP_INVALID_PARAMETER;
}
// We disassemble the preamble of the _stub_ to see how many bytes we
// originally copied to the stub.
MiniDisassembler disassembler;
unsigned int preamble_bytes = 0;
while (preamble_bytes < 5) {
InstructionType instruction_type = disassembler.Disassemble(
reinterpret_cast<unsigned char*>(original_function_stub) +
preamble_bytes, preamble_bytes);
if (IT_GENERIC != instruction_type) {
ASSERT(false, "Should only have generic instructions in stub!!");
return SIDESTEP_UNSUPPORTED_INSTRUCTION;
}
}
// Before unpatching, target_function should be a JMP to
// replacement_function. If it's not, then either it's an error, or
// we're falling into the case where the original instruction was a
// JMP, and we patched the jumped_to address rather than the JMP
// itself. (For instance, if malloc() is just a JMP to __malloc(),
// we patched __malloc() and not malloc().)
unsigned char* target = reinterpret_cast<unsigned char*>(target_function);
while (1) { // we stop when target is a JMP to replacement_function
if (target[0] != ASM_JMP32REL) {
ASSERT(false, "target_function does not look like it was patched.");
return SIDESTEP_INVALID_PARAMETER;
}
int relative_offset; // Windows guarantees int is 4 bytes
ASSERT1(sizeof(relative_offset) == 4);
memcpy(reinterpret_cast<void*>(&relative_offset),
reinterpret_cast<void*>(target + 1), 4);
unsigned char* jump_to = target + 5 + relative_offset;
if (jump_to == replacement_function)
break;
target = jump_to; // follow the jmp
}
// We need to be able to write to a process-local copy of the first
// MAX_PREAMBLE_STUB_SIZE bytes of target_function. We may be giving execute
// privilege to something that doesn't have it, but that's the price to pay
// for tools.
DWORD old_target_function_protect = 0;
BOOL succeeded = ::VirtualProtect(reinterpret_cast<void*>(target),
MAX_PREAMBLE_STUB_SIZE,
PAGE_EXECUTE_READWRITE,
&old_target_function_protect);
if (!succeeded) {
ASSERT(false, "Failed to make page containing target function "
"copy-on-write.");
return SIDESTEP_ACCESS_DENIED;
}
// Replace the first few bytes of the original function with the bytes we
// previously moved to the preamble stub.
memcpy(reinterpret_cast<void*>(target),
original_function_stub, preamble_bytes);
// Stub is now useless so delete it.
// [csilvers: Commented out for perftools because it causes big problems
// when we're unpatching malloc. We just let this live on as a leak.]
//delete original_function_stub;
// Restore the protection of the first MAX_PREAMBLE_STUB_SIZE bytes of
// target to what they were before we started goofing around.
succeeded = ::VirtualProtect(reinterpret_cast<void*>(target),
MAX_PREAMBLE_STUB_SIZE,
old_target_function_protect,
&old_target_function_protect);
// Flush the instruction cache to make sure the processor doesn't execute the
// old version of the instructions (before our patch).
//
// See comment on FlushInstructionCache elsewhere in this file.
succeeded = ::FlushInstructionCache(::GetCurrentProcess(),
target,
MAX_PREAMBLE_STUB_SIZE);
if (!succeeded) {
ASSERT(false, "Failed to flush instruction cache.");
return SIDESTEP_UNEXPECTED;
}
VLOG(1) << "PreamblePatcher::Unpatch successfully unpatched 0x"
<< target_function;
return SIDESTEP_SUCCESS;
}
}; // namespace sidestep