1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
|
/* Copyright (c) 2007, Google Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
* * Neither the name of Google Inc. nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* ---
* Author: Joi Sigurdsson
* Author: Scott Francis
*
* Definition of PreamblePatcher
*/
#ifndef GOOGLE_PERFTOOLS_PREAMBLE_PATCHER_H_
#define GOOGLE_PERFTOOLS_PREAMBLE_PATCHER_H_
#include "config.h"
#include <windows.h>
// compatibility shim
#include "base/logging.h"
#define SIDESTEP_ASSERT(cond) RAW_DCHECK(cond, #cond)
#define SIDESTEP_LOG(msg) RAW_VLOG(1, msg)
// Maximum size of the preamble stub. We overwrite at least the first 5
// bytes of the function. Considering the worst case scenario, we need 4
// bytes + the max instruction size + 5 more bytes for our jump back to
// the original code. With that in mind, 32 is a good number :)
#ifdef _M_X64
// In 64-bit mode we may need more room. In 64-bit mode all jumps must be
// within +/-2GB of RIP. Because of this limitation we may need to use a
// trampoline to jump to the replacement function if it is further than 2GB
// away from the target. The trampoline is 14 bytes.
//
// So 4 bytes + max instruction size (17 bytes) + 5 bytes to jump back to the
// original code + trampoline size. 64 bytes is a nice number :-)
#define MAX_PREAMBLE_STUB_SIZE (64)
#else
#define MAX_PREAMBLE_STUB_SIZE (32)
#endif
// Determines if this is a 64-bit binary.
#ifdef _M_X64
static const bool kIs64BitBinary = true;
#else
static const bool kIs64BitBinary = false;
#endif
namespace sidestep {
// Possible results of patching/unpatching
enum SideStepError {
SIDESTEP_SUCCESS = 0,
SIDESTEP_INVALID_PARAMETER,
SIDESTEP_INSUFFICIENT_BUFFER,
SIDESTEP_JUMP_INSTRUCTION,
SIDESTEP_FUNCTION_TOO_SMALL,
SIDESTEP_UNSUPPORTED_INSTRUCTION,
SIDESTEP_NO_SUCH_MODULE,
SIDESTEP_NO_SUCH_FUNCTION,
SIDESTEP_ACCESS_DENIED,
SIDESTEP_UNEXPECTED,
};
#define SIDESTEP_TO_HRESULT(error) \
MAKE_HRESULT(SEVERITY_ERROR, FACILITY_NULL, error)
class DeleteUnsignedCharArray;
// Implements a patching mechanism that overwrites the first few bytes of
// a function preamble with a jump to our hook function, which is then
// able to call the original function via a specially-made preamble-stub
// that imitates the action of the original preamble.
//
// NOTE: This patching mechanism should currently only be used for
// non-production code, e.g. unit tests, because it is not threadsafe.
// See the TODO in preamble_patcher_with_stub.cc for instructions on what
// we need to do before using it in production code; it's fairly simple
// but unnecessary for now since we only intend to use it in unit tests.
//
// To patch a function, use either of the typesafe Patch() methods. You
// can unpatch a function using Unpatch().
//
// Typical usage goes something like this:
// @code
// typedef int (*MyTypesafeFuncPtr)(int x);
// MyTypesafeFuncPtr original_func_stub;
// int MyTypesafeFunc(int x) { return x + 1; }
// int HookMyTypesafeFunc(int x) { return 1 + original_func_stub(x); }
//
// void MyPatchInitializingFunction() {
// original_func_stub = PreamblePatcher::Patch(
// MyTypesafeFunc, HookMyTypesafeFunc);
// if (!original_func_stub) {
// // ... error handling ...
// }
//
// // ... continue - you have patched the function successfully ...
// }
// @endcode
//
// Note that there are a number of ways that this method of patching can
// fail. The most common are:
// - If there is a jump (jxx) instruction in the first 5 bytes of
// the function being patched, we cannot patch it because in the
// current implementation we do not know how to rewrite relative
// jumps after relocating them to the preamble-stub. Note that
// if you really really need to patch a function like this, it
// would be possible to add this functionality (but at some cost).
// - If there is a return (ret) instruction in the first 5 bytes
// we cannot patch the function because it may not be long enough
// for the jmp instruction we use to inject our patch.
// - If there is another thread currently executing within the bytes
// that are copied to the preamble stub, it will crash in an undefined
// way.
//
// If you get any other error than the above, you're either pointing the
// patcher at an invalid instruction (e.g. into the middle of a multi-
// byte instruction, or not at memory containing executable instructions)
// or, there may be a bug in the disassembler we use to find
// instruction boundaries.
//
// NOTE: In optimized builds, when you have very trivial functions that
// the compiler can reason do not have side effects, the compiler may
// reuse the result of calling the function with a given parameter, which
// may mean if you patch the function in between your patch will never get
// invoked. See preamble_patcher_test.cc for an example.
class PERFTOOLS_DLL_DECL PreamblePatcher {
public:
// This is a typesafe version of RawPatch(), identical in all other
// ways than it takes a template parameter indicating the type of the
// function being patched.
//
// @param T The type of the function you are patching. Usually
// you will establish this type using a typedef, as in the following
// example:
// @code
// typedef BOOL (WINAPI *MessageBoxPtr)(HWND, LPCTSTR, LPCTSTR, UINT);
// MessageBoxPtr original = NULL;
// PreamblePatcher::Patch(MessageBox, Hook_MessageBox, &original);
// @endcode
template <class T>
static SideStepError Patch(T target_function,
T replacement_function,
T* original_function_stub) {
// NOTE: casting from a function to a pointer is contra the C++
// spec. It's not safe on IA64, but is on i386. We use
// a C-style cast here to emphasize this is not legal C++.
return RawPatch((void*)(target_function),
(void*)(replacement_function),
(void**)(original_function_stub));
}
// Patches a named function imported from the named module using
// preamble patching. Uses RawPatch() to do the actual patching
// work.
//
// @param T The type of the function you are patching. Must
// exactly match the function you specify using module_name and
// function_name.
//
// @param module_name The name of the module from which the function
// is being imported. Note that the patch will fail if this module
// has not already been loaded into the current process.
//
// @param function_name The name of the function you wish to patch.
//
// @param replacement_function Your replacement function which
// will be called whenever code tries to call the original function.
//
// @param original_function_stub Pointer to memory that should receive a
// pointer that can be used (e.g. in the replacement function) to call the
// original function, or NULL to indicate failure.
//
// @return One of the EnSideStepError error codes; only SIDESTEP_SUCCESS
// indicates success.
template <class T>
static SideStepError Patch(LPCTSTR module_name,
LPCSTR function_name,
T replacement_function,
T* original_function_stub) {
SIDESTEP_ASSERT(module_name && function_name);
if (!module_name || !function_name) {
SIDESTEP_ASSERT(false &&
"You must specify a module name and function name.");
return SIDESTEP_INVALID_PARAMETER;
}
HMODULE module = ::GetModuleHandle(module_name);
SIDESTEP_ASSERT(module != NULL);
if (!module) {
SIDESTEP_ASSERT(false && "Invalid module name.");
return SIDESTEP_NO_SUCH_MODULE;
}
FARPROC existing_function = ::GetProcAddress(module, function_name);
if (!existing_function) {
SIDESTEP_ASSERT(
false && "Did not find any function with that name in the module.");
return SIDESTEP_NO_SUCH_FUNCTION;
}
// NOTE: casting from a function to a pointer is contra the C++
// spec. It's not safe on IA64, but is on i386. We use
// a C-style cast here to emphasize this is not legal C++.
return RawPatch((void*)existing_function, (void*)replacement_function,
(void**)(original_function_stub));
}
// Patches a function by overwriting its first few bytes with
// a jump to a different function. This is the "worker" function
// for each of the typesafe Patch() functions. In most cases,
// it is preferable to use the Patch() functions rather than
// this one as they do more checking at compile time.
//
// @param target_function A pointer to the function that should be
// patched.
//
// @param replacement_function A pointer to the function that should
// replace the target function. The replacement function must have
// exactly the same calling convention and parameters as the original
// function.
//
// @param original_function_stub Pointer to memory that should receive a
// pointer that can be used (e.g. in the replacement function) to call the
// original function, or NULL to indicate failure.
//
// @param original_function_stub Pointer to memory that should receive a
// pointer that can be used (e.g. in the replacement function) to call the
// original function, or NULL to indicate failure.
//
// @return One of the EnSideStepError error codes; only SIDESTEP_SUCCESS
// indicates success.
//
// @note The preamble-stub (the memory pointed to by
// *original_function_stub) is allocated on the heap, and (in
// production binaries) never destroyed, resulting in a memory leak. This
// will be the case until we implement safe unpatching of a method.
// However, it is quite difficult to unpatch a method (because other
// threads in the process may be using it) so we are leaving it for now.
// See however UnsafeUnpatch, which can be used for binaries where you
// know only one thread is running, e.g. unit tests.
static SideStepError RawPatch(void* target_function,
void* replacement_function,
void** original_function_stub);
// Unpatches target_function and deletes the stub that previously could be
// used to call the original version of the function.
//
// DELETES the stub that is passed to the function.
//
// @param target_function Pointer to the target function which was
// previously patched, i.e. a pointer which value should match the value
// of the symbol prior to patching it.
//
// @param replacement_function Pointer to the function target_function
// was patched to.
//
// @param original_function_stub Pointer to the stub returned when
// patching, that could be used to call the original version of the
// patched function. This function will also delete the stub, which after
// unpatching is useless.
//
// If your original call was
// Patch(VirtualAlloc, MyVirtualAlloc, &origptr)
// then to undo it you would call
// Unpatch(VirtualAlloc, MyVirtualAlloc, origptr);
//
// @return One of the EnSideStepError error codes; only SIDESTEP_SUCCESS
// indicates success.
static SideStepError Unpatch(void* target_function,
void* replacement_function,
void* original_function_stub);
// A helper routine when patching, which follows jmp instructions at
// function addresses, to get to the "actual" function contents.
// This allows us to identify two functions that are at different
// addresses but actually resolve to the same code.
//
// @param target_function Pointer to a function.
//
// @return Either target_function (the input parameter), or if
// target_function's body consists entirely of a JMP instruction,
// the address it JMPs to (or more precisely, the address at the end
// of a chain of JMPs).
template <class T>
static T ResolveTarget(T target_function) {
return (T)ResolveTargetImpl((unsigned char*)target_function, NULL);
}
// Allocates a block of memory of size MAX_PREAMBLE_STUB_SIZE that is as
// close (within 2GB) as possible to target. This is done to ensure that
// we can perform a relative jump from target to a trampoline if the
// replacement function is > +-2GB from target. This means that we only need
// to patch 5 bytes in the target function.
//
// @param target Pointer to target function.
//
// @return Returns a block of memory of size MAX_PREAMBLE_STUB_SIZE that can
// be used to store a function preamble block.
static unsigned char* AllocPreambleBlockNear(void* target);
// Frees a block allocated by AllocPreambleBlockNear.
//
// @param block Block that was returned by AllocPreambleBlockNear.
static void FreePreambleBlock(unsigned char* block);
private:
friend class DeleteUnsignedCharArray;
// Used to store data allocated for preamble stubs
struct PreamblePage {
unsigned int magic_;
PreamblePage* next_;
// This member points to a linked list of free blocks within the page
// or NULL if at the end
void* free_;
};
// In 64-bit mode, the replacement function must be within 2GB of the original
// target in order to only require 5 bytes for the function patch. To meet
// this requirement we're creating an allocator within this class to
// allocate blocks that are within 2GB of a given target. This member is the
// head of a linked list of pages used to allocate blocks that are within
// 2GB of the target.
static PreamblePage* preamble_pages_;
// Page granularity
static long granularity_;
// Page size
static long pagesize_;
// Determines if the patcher has been initialized.
static bool initialized_;
// Used to initialize static members.
static void Initialize();
// Patches a function by overwriting its first few bytes with
// a jump to a different function. This is similar to the RawPatch
// function except that it uses the stub allocated by the caller
// instead of allocating it.
//
// We call VirtualProtect to make the
// target function writable at least for the duration of the call.
//
// @param target_function A pointer to the function that should be
// patched.
//
// @param replacement_function A pointer to the function that should
// replace the target function. The replacement function must have
// exactly the same calling convention and parameters as the original
// function.
//
// @param preamble_stub A pointer to a buffer where the preamble stub
// should be copied. The size of the buffer should be sufficient to
// hold the preamble bytes.
//
// @param stub_size Size in bytes of the buffer allocated for the
// preamble_stub
//
// @param bytes_needed Pointer to a variable that receives the minimum
// number of bytes required for the stub. Can be set to NULL if you're
// not interested.
//
// @return An error code indicating the result of patching.
static SideStepError RawPatchWithStubAndProtections(
void* target_function,
void* replacement_function,
unsigned char* preamble_stub,
unsigned long stub_size,
unsigned long* bytes_needed);
// A helper function used by RawPatchWithStubAndProtections -- it
// does everything but the VirtualProtect work. Defined in
// preamble_patcher_with_stub.cc.
//
// @param target_function A pointer to the function that should be
// patched.
//
// @param replacement_function A pointer to the function that should
// replace the target function. The replacement function must have
// exactly the same calling convention and parameters as the original
// function.
//
// @param preamble_stub A pointer to a buffer where the preamble stub
// should be copied. The size of the buffer should be sufficient to
// hold the preamble bytes.
//
// @param stub_size Size in bytes of the buffer allocated for the
// preamble_stub
//
// @param bytes_needed Pointer to a variable that receives the minimum
// number of bytes required for the stub. Can be set to NULL if you're
// not interested.
//
// @return An error code indicating the result of patching.
static SideStepError RawPatchWithStub(void* target_function,
void* replacement_function,
unsigned char* preamble_stub,
unsigned long stub_size,
unsigned long* bytes_needed);
// A helper routine when patching, which follows jmp instructions at
// function addresses, to get to the "actual" function contents.
// This allows us to identify two functions that are at different
// addresses but actually resolve to the same code.
//
// @param target_function Pointer to a function.
//
// @param stop_before If, when following JMP instructions from
// target_function, we get to the address stop, we return
// immediately, the address that jumps to stop_before.
//
// @param stop_before_trampoline When following JMP instructions from
// target_function, stop before a trampoline is detected. See comment in
// PreamblePatcher::RawPatchWithStub for more information. This parameter
// has no effect in 32-bit mode.
//
// @return Either target_function (the input parameter), or if
// target_function's body consists entirely of a JMP instruction,
// the address it JMPs to (or more precisely, the address at the end
// of a chain of JMPs).
static void* ResolveTargetImpl(unsigned char* target_function,
unsigned char* stop_before,
bool stop_before_trampoline = false);
// Helper routine that attempts to allocate a page as close (within 2GB)
// as possible to target.
//
// @param target Pointer to target function.
//
// @return Returns an address that is within 2GB of target.
static void* AllocPageNear(void* target);
// Helper routine that determines if a target instruction is a short
// conditional jump.
//
// @param target Pointer to instruction.
//
// @param instruction_size Size of the instruction in bytes.
//
// @return Returns true if the instruction is a short conditional jump.
static bool IsShortConditionalJump(unsigned char* target,
unsigned int instruction_size);
// Helper routine that determines if a target instruction is a near
// conditional jump.
//
// @param target Pointer to instruction.
//
// @param instruction_size Size of the instruction in bytes.
//
// @return Returns true if the instruction is a near conditional jump.
static bool IsNearConditionalJump(unsigned char* target,
unsigned int instruction_size);
// Helper routine that determines if a target instruction is a near
// relative jump.
//
// @param target Pointer to instruction.
//
// @param instruction_size Size of the instruction in bytes.
//
// @return Returns true if the instruction is a near absolute jump.
static bool IsNearRelativeJump(unsigned char* target,
unsigned int instruction_size);
// Helper routine that determines if a target instruction is a near
// absolute call.
//
// @param target Pointer to instruction.
//
// @param instruction_size Size of the instruction in bytes.
//
// @return Returns true if the instruction is a near absolute call.
static bool IsNearAbsoluteCall(unsigned char* target,
unsigned int instruction_size);
// Helper routine that determines if a target instruction is a near
// absolute call.
//
// @param target Pointer to instruction.
//
// @param instruction_size Size of the instruction in bytes.
//
// @return Returns true if the instruction is a near absolute call.
static bool IsNearRelativeCall(unsigned char* target,
unsigned int instruction_size);
// Helper routine that determines if a target instruction is a 64-bit MOV
// that uses a RIP-relative displacement.
//
// @param target Pointer to instruction.
//
// @param instruction_size Size of the instruction in bytes.
//
// @return Returns true if the instruction is a MOV with displacement.
static bool IsMovWithDisplacement(unsigned char* target,
unsigned int instruction_size);
// Helper routine that converts a short conditional jump instruction
// to a near conditional jump in a target buffer. Note that the target
// buffer must be within 2GB of the source for the near jump to work.
//
// A short conditional jump instruction is in the format:
// 7x xx = Jcc rel8off
//
// @param source Pointer to instruction.
//
// @param instruction_size Size of the instruction.
//
// @param target Target buffer to write the new instruction.
//
// @param target_bytes Pointer to a buffer that contains the size
// of the target instruction, in bytes.
//
// @param target_size Size of the target buffer.
//
// @return Returns SIDESTEP_SUCCESS if successful, otherwise an error.
static SideStepError PatchShortConditionalJump(unsigned char* source,
unsigned int instruction_size,
unsigned char* target,
unsigned int* target_bytes,
unsigned int target_size);
// Helper routine that converts an instruction that will convert various
// jump-like instructions to corresponding instructions in the target buffer.
// What this routine does is fix up the relative offsets contained in jump
// instructions to point back to the original target routine. Like with
// PatchShortConditionalJump, the target buffer must be within 2GB of the
// source.
//
// We currently handle the following instructions:
//
// E9 xx xx xx xx = JMP rel32off
// 0F 8x xx xx xx xx = Jcc rel32off
// FF /2 xx xx xx xx = CALL reg/mem32/mem64
// E8 xx xx xx xx = CALL rel32off
//
// It should not be hard to update this function to support other
// instructions that jump to relative targets.
//
// @param source Pointer to instruction.
//
// @param instruction_size Size of the instruction.
//
// @param target Target buffer to write the new instruction.
//
// @param target_bytes Pointer to a buffer that contains the size
// of the target instruction, in bytes.
//
// @param target_size Size of the target buffer.
//
// @return Returns SIDESTEP_SUCCESS if successful, otherwise an error.
static SideStepError PatchNearJumpOrCall(unsigned char* source,
unsigned int instruction_size,
unsigned char* target,
unsigned int* target_bytes,
unsigned int target_size);
// Helper routine that patches a 64-bit MOV instruction with a RIP-relative
// displacement. The target buffer must be within 2GB of the source.
//
// 48 8B 0D XX XX XX XX = MOV rel32off
//
// @param source Pointer to instruction.
//
// @param instruction_size Size of the instruction.
//
// @param target Target buffer to write the new instruction.
//
// @param target_bytes Pointer to a buffer that contains the size
// of the target instruction, in bytes.
//
// @param target_size Size of the target buffer.
//
// @return Returns SIDESTEP_SUCCESS if successful, otherwise an error.
static SideStepError PatchMovWithDisplacement(unsigned char* source,
unsigned int instruction_size,
unsigned char* target,
unsigned int* target_bytes,
unsigned int target_size);
};
}; // namespace sidestep
#endif // GOOGLE_PERFTOOLS_PREAMBLE_PATCHER_H_
|
