| blob | b4cda713a6dd28a763824b17c471264718cb3e9c |
1 /* -*- Mode: C++; tab-width: 40; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 #ifndef NS_WINDOWS_DLL_INTERCEPTOR_H_
7 #define NS_WINDOWS_DLL_INTERCEPTOR_H_
8 #include <windows.h>
9 #include <winternl.h>
11 /*
12 * Simple function interception.
13 *
14 * We have two separate mechanisms for intercepting a function: We can use the
15 * built-in nop space, if it exists, or we can create a detour.
16 *
17 * Using the built-in nop space works as follows: On x86-32, DLL functions
18 * begin with a two-byte nop (mov edi, edi) and are preceeded by five bytes of
19 * NOP instructions.
20 *
21 * When we detect a function with this prelude, we do the following:
22 *
23 * 1. Write a long jump to our interceptor function into the five bytes of NOPs
24 * before the function.
25 *
26 * 2. Write a short jump -5 into the two-byte nop at the beginning of the function.
27 *
28 * This mechanism is nice because it's thread-safe. It's even safe to do if
29 * another thread is currently running the function we're modifying!
30 *
31 * When the WindowsDllNopSpacePatcher is destroyed, we overwrite the short jump
32 * but not the long jump, so re-intercepting the same function won't work,
33 * because its prelude won't match.
34 *
35 *
36 * Unfortunately nop space patching doesn't work on functions which don't have
37 * this magic prelude (and in particular, x86-64 never has the prelude). So
38 * when we can't use the built-in nop space, we fall back to using a detour,
39 * which works as follows:
40 *
41 * 1. Save first N bytes of OrigFunction to trampoline, where N is a
42 * number of bytes >= 5 that are instruction aligned.
43 *
44 * 2. Replace first 5 bytes of OrigFunction with a jump to the Hook
45 * function.
46 *
47 * 3. After N bytes of the trampoline, add a jump to OrigFunction+N to
48 * continue original program flow.
49 *
50 * 4. Hook function needs to call the trampoline during its execution,
51 * to invoke the original function (so address of trampoline is
52 * returned).
53 *
54 * When the WindowsDllDetourPatcher object is destructed, OrigFunction is
55 * patched again to jump directly to the trampoline instead of going through
56 * the hook function. As such, re-intercepting the same function won't work, as
57 * jump instructions are not supported.
58 *
59 * Note that this is not thread-safe. Sad day.
60 *
61 */
63 #include <stdint.h>
68 class WindowsDllNopSpacePatcher
69 {
71 HMODULE mModule;
73 // Dumb array for remembering the addresses of functions we've patched.
74 // (This should be nsTArray, but non-XPCOM code uses this class.)
83 {}
86 {
87 // Restore the mov edi, edi to the beginning of each function we patched.
92 // Ensure we can write to the code.
93 DWORD op;
95 // printf("VirtualProtectEx failed! %d\n", GetLastError());
97 }
99 // mov edi, edi
102 // Restore the old protection.
105 // I don't think this is actually necessary, but it can't hurt.
109 }
110 }
113 {
116 //printf("LoadLibraryEx for '%s' failed\n", aModuleName);
118 }
119 }
121 #if defined(_M_IX86)
123 {
126 }
129 // printf ("No space for hook in mPatchedFns.\n");
131 }
135 //printf ("GetProcAddress failed\n");
137 }
141 // Ensure we can read and write starting at fn - 5 (for the long jmp we're
142 // going to write) and ending at fn + 2 (for the short jmp up to the long
143 // jmp).
144 DWORD op;
147 //printf ("VirtualProtectEx failed! %d\n", GetLastError());
149 }
153 // Re-protect, and we're done.
158 mPatchedFnsLen++;
159 }
162 }
165 {
166 // Check that the 5 bytes before aFn are NOP's or INT 3's,
167 // and that the 2 bytes after aFn are mov(edi, edi).
168 //
169 // It's safe to read aFn[-5] because we set it to PAGE_EXECUTE_READWRITE
170 // before calling WriteHook.
175 }
176 }
178 // mov edi, edi. Yes, there are two ways to encode the same thing:
179 //
180 // 0x89ff == mov r/m, r
181 // 0x8bff == mov r, r/m
182 //
183 // where "r" is register and "r/m" is register or memory. Windows seems to
184 // use 8bff; I include 89ff out of paranoia.
187 }
189 // Write a long jump into the space above the function.
193 // Set aOrigFunc here, because after this point, aHookDest might be called,
194 // and aHookDest might use the aOrigFunc pointer.
197 // Short jump up into our long jump.
200 // I think this routine is safe without this, but it can't hurt.
206 }
210 {
211 // If function entry is jmp [disp32] such as used by kernel32,
212 // we resolve redirected address from import table.
215 }
218 }
219 #else
221 {
222 // Not implemented except on x86-32.
224 }
225 #endif
226 };
228 class WindowsDllDetourPatcher
229 {
234 {
235 }
238 {
240 byteptr_t p;
242 #if defined(_M_IX86)
244 #elif defined(_M_X64)
246 #else
248 #endif
250 // ensure we can modify the original code
251 DWORD op;
255 }
256 // Remove the hook by making the original function jump directly
257 // in the trampoline.
259 #if defined(_M_IX86)
260 // Ensure the JMP from CreateTrampoline is where we expect it to be.
265 #elif defined(_M_X64)
266 // Ensure the MOV R11 from CreateTrampoline is where we expect it to be.
270 #else
272 #endif
273 // restore protection; if this fails we can't really do anything about it
275 }
276 }
279 {
282 }
286 //printf("LoadLibraryEx for '%s' failed\n", aModuleName);
288 }
293 }
300 PAGE_EXECUTE_READWRITE);
304 }
305 }
310 {
313 }
315 DWORD op;
320 }
323 {
326 }
330 //printf ("GetProcAddress failed\n");
332 }
338 //printf ("CreateTrampoline failed\n");
340 }
343 }
349 HMODULE mModule;
350 byteptr_t mHookPage;
355 {
361 }
368 #if defined(_M_IX86)
370 // Understand some simple instructions that might be found in a
371 // prologue; we might need to extend this as necessary.
372 //
373 // Note! If we ever need to understand jump instructions, we'll
374 // need to rewrite the displacement argument.
376 // various MOVs
381 // REG=r, R/M=r or REG=r, R/M=[r]
385 // REG=r, R/M=[SIB + disp8]
388 // REG=r, R/M=[r + disp8]
390 }
392 // complex MOV, bail
394 }
396 // MOV 0xB8: http://ref.x86asm.net/coder32.html#xB8
399 // ADD|ODR|ADC|SBB|AND|SUB|XOR|CMP r/m, imm8
402 // ADD|ODR|ADC|SBB|AND|SUB|XOR|CMP r, imm8
405 // bail
407 }
409 // PUSH with 4-byte operand
412 // 1-byte PUSH/POP
413 nBytes++;
415 // PUSH imm8
419 // jmp 32bit offset
422 // jmp [disp32]
425 //printf ("Unknown x86 instruction byte 0x%02x, aborting trampoline\n", origBytes[nBytes]);
427 }
428 }
429 #elif defined(_M_X64)
430 byteptr_t directJmpAddr;
434 // if found JMP 32bit offset, next bytes must be NOP
438 }
441 }
443 nBytes++;
445 // nop (multibyte)
446 nBytes++;
452 }
454 // syscall
455 nBytes++;
458 }
461 // Plain REX or REX.B
462 nBytes++;
465 // push/pop with Rx register
466 nBytes++;
468 // mov r32, imm32
472 }
474 // REX.R & REX.B
475 nBytes++;
478 // xor r32, r32
482 }
484 // REX.W | REX.WR
485 nBytes++;
489 // sub r, dword
493 // sub r, byte
497 // and [r+d], imm8
500 // MOV r/m64, r64 | MOV r64, r/m64
503 // R/M=[SIB+disp8], REG=r64
506 // R/M=[r64+disp8], REG=r64
508 }
513 // REG=r64, R/M=r64 or REG=r64, R/M=[r64]
516 // complex MOV
518 }
520 // MOV r/m64, imm32
522 // MOV [r64+disp8], imm32
523 // ModR/W + SIB + disp8 + imm32
527 }
530 // JMP /4
533 // [rip+disp32]
534 // convert JMP 32bit offset to JMP 64bit direct
535 directJmpAddr =
540 // not support yet!
542 }
544 // not support yet!
546 }
548 // 1-byte push/pop
549 nBytes++;
551 // nop
552 nBytes++;
554 // MOV 0xB8: http://ref.x86asm.net/coder32.html#xB8
557 // ret
558 nBytes++;
561 // convert JMP 32bit offset to JMP 64bit direct
563 // jmp 32bit offset
566 nBytes++;
568 // push r64
569 nBytes++;
572 }
575 }
576 }
577 #else
579 #endif
582 //printf ("Too big!");
584 }
586 // We keep the address of the original function in the first bytes of
587 // the trampoline buffer
593 // OrigFunction+N, the target of the trampoline
596 #if defined(_M_IX86)
598 // Jump directly to the original target of the jump instead of jumping to the
599 // original function.
600 // Adjust jump target displacement to jump location in the trampoline.
606 }
607 #elif defined(_M_X64)
608 // If JMP32 opcode found, we don't insert to trampoline jump
610 // mov r11, address
615 // jmp r11
620 // mov r11, address
625 // jmp r11
629 }
630 #endif
632 // The trampoline is now valid.
635 // ensure we can modify the original code
636 DWORD op;
639 //printf ("VirtualProtectEx failed! %d\n", GetLastError());
641 }
643 #if defined(_M_IX86)
644 // now modify the original bytes
648 #elif defined(_M_X64)
649 // mov r11, address
655 // jmp r11
659 #endif
661 // restore protection; if this fails we can't really do anything about it
663 }
666 {
669 }
673 mCurHooks++;
676 }
679 {
680 #if defined(_M_IX86)
681 // If function entry is jmp [disp32] such as used by kernel32,
682 // we resolve redirected address from import table.
685 }
686 #elif defined(_M_X64)
688 // require for TestDllInterceptor with --disable-optimize
691 }
692 #endif
695 }
696 };
700 class WindowsDllInterceptor
701 {
712 {}
715 {
718 }
724 // Lazily initialize mDetourPatcher, since it allocates memory and we might
725 // not need it.
726 }
729 {
732 }
733 }
736 {
737 // Use a nop space patch if possible, otherwise fall back to a detour.
738 // This should be the preferred method for adding hooks.
742 }
746 }
749 }
752 {
753 // Generally, code should not call this method directly. Use AddHook unless
754 // there is a specific need to avoid nop space patches.
758 }
762 }
765 }
766 };