diff options
| author | deanm@chromium.org <deanm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-03-19 11:53:30 +0000 |
|---|---|---|
| committer | deanm@chromium.org <deanm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-03-19 11:53:30 +0000 |
| commit | 08e0f82c4a60e88a8967536afe4d997f8051be81 (patch) | |
| tree | 1b0e97d1096aca74475b504f605a0da3223fcb69 | |
| parent | b844d29b7434595b45b129094770c524073fc0d1 (diff) | |
| download | chromium_src-08e0f82c4a60e88a8967536afe4d997f8051be81.zip chromium_src-08e0f82c4a60e88a8967536afe4d997f8051be81.tar.gz chromium_src-08e0f82c4a60e88a8967536afe4d997f8051be81.tar.bz2 | |
Fix traceline's system call patching on recent versions of ntdll.dll.
Because KiFastSystemCall is so short (4 bytes), we need to use the preceeding alignment for a 5 byte jump. The compiler is generating more complicated alignments these days. Hardcode another case.
Additionally switch to using the XP system call tables by default.
Review URL: http://codereview.chromium.org/50006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@12088 0039d316-1c4b-4281-b951-d872f2087c98
| -rwxr-xr-x | tools/traceline/traceline/main.cc | 11 | ||||
| -rwxr-xr-x | tools/traceline/traceline/syscall_map.h | 8 |
2 files changed, 13 insertions, 6 deletions
diff --git a/tools/traceline/traceline/main.cc b/tools/traceline/traceline/main.cc index f149853..997a428 100755 --- a/tools/traceline/traceline/main.cc +++ b/tools/traceline/traceline/main.cc @@ -199,8 +199,14 @@ class Playground { func_addr - 5, GetLastError()); } + // TODO(deanm): It seems in more recent updates the compiler is generating + // complicated sequences for padding / alignment. For example: + // 00000000 8DA42400000000 lea esp,[esp+0x0] + // 00000007 8D4900 lea ecx,[ecx+0x0] + // is used for a 16 byte alignment. We need a better way of handling this. if (memcmp(buf, "\x90\x90\x90\x90\x90", 5) == 0 || - memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0) { + memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0 || + memcmp(buf, "\x00\x00\x8D\x49\x00", 5) == 0) { unsigned int instr_bytes = 0; // We might have a hotpatch no-op of mov edi, edi "\x8b\xff". It is a @@ -994,10 +1000,7 @@ class Playground { PatchThreadExit(); PatchSetThreadName(); -#if 0 - // FIXME PatchSyscall(); -#endif PatchApcDispatcher(); diff --git a/tools/traceline/traceline/syscall_map.h b/tools/traceline/traceline/syscall_map.h index 18f12db..30a2348 100755 --- a/tools/traceline/traceline/syscall_map.h +++ b/tools/traceline/traceline/syscall_map.h @@ -15,9 +15,13 @@ #include <map> +// TODO(deanm): Right now these tables are manually extracted and hardcoded +// here. It would be great (but possibly difficult) to do it on startup. We +// should at least checksum the DLLs to make sure they match. + std::map<int, const char*> CreateSyscallMap() { std::map<int, const char*> table; -if (0) { +if (1) { // XP table. table[0] = "ntdll.dll!NtAcceptConnectPort"; table[1] = "ntdll.dll!NtAccessCheck"; table[2] = "ntdll.dll!ZwAccessCheckAndAuditAlarm"; @@ -954,7 +958,7 @@ if (0) { table[4760] = "gdi32.dll!NtGdiBRUSHOBJ_DeleteRbrush"; table[4761] = "gdi32.dll!NtGdiUMPDEngFreeUserMem"; table[4762] = "gdi32.dll!NtGdiDrawStream"; -} else { +} else { // Vista table. table[4272] = "gdi32.dll!NtGdiGetDeviceCaps"; table[4220] = "gdi32.dll!NtGdiDeleteObjectApp"; table[4249] = "gdi32.dll!NtGdiFlush"; |