author | rvargas@google.com <rvargas@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-06-21 19:15:23 +0000 |
committer | rvargas@google.com <rvargas@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-06-21 19:15:23 +0000 |
commit | 177a06ad12d6be3250e3d6041e4d86314c4b9726 (patch) | |
tree | c2a7edcc391b184fa0403bd981684955ddc1341a /sandbox/src | |
parent | ee0783d7085784d41839bbe19d34090712ae4c85 (diff) | |
Sandbox: Add support for the latest version of the Windows service
stub on 64-bit systems.
BUG=133633
TEST=current sbox tests.
Review URL: https://chromiumcodereview.appspot.com/10581031
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@143428 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/src')
-rw-r--r-- | sandbox/src/service_resolver_64.cc | 55 |
1 files changed, 49 insertions, 6 deletions
diff --git a/sandbox/src/service_resolver_64.cc b/sandbox/src/service_resolver_64.cc
index afc9441..01e3b1a 100644
--- a/sandbox/src/service_resolver_64.cc
+++ b/sandbox/src/service_resolver_64.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,6 +14,9 @@ namespace {
 const ULONG kMmovR10EcxMovEax = 0xB8D18B4C;
 const USHORT kSyscall = 0x050F;
 const BYTE kRetNp = 0xC3;
+const ULONG64 kMov1 = 0x54894808244C8948;
+const ULONG64 kMov2 = 0x4C182444894C1024;
+const ULONG kMov3 = 0x20244C89;
 
 // Service code for 64 bit systems.
 struct ServiceEntry {
@@ -34,13 +37,47 @@ struct ServiceEntry {
   USHORT xchg_ax_ax2; // = 66 90
 };
 
+// Service code for 64 bit Windows 8.
+struct ServiceEntryW8 {
+  // This struct contains the following code:
+  // 00 48894c2408 mov [rsp+8], rcx
+  // 05 4889542410 mov [rsp+10], rdx
+  // 0a 4c89442418 mov [rsp+18], r8
+  // 0f 4c894c2420 mov [rsp+20], r9
+  // 14 4c8bd1 mov r10,rcx
+  // 17 b825000000 mov eax,25h
+  // 1c 0f05 syscall
+  // 1e c3 ret
+  // 1f 90 nop
+
+  ULONG64 mov_1; // = 48 89 4C 24 08 48 89 54
+  ULONG64 mov_2; // = 24 10 4C 89 44 24 18 4C
+  ULONG mov_3; // = 89 4C 24 20
+  ULONG mov_r10_rcx_mov_eax; // = 4C 8B D1 B8
+  ULONG service_id;
+  USHORT syscall; // = 0F 05
+  BYTE ret; // = C2
+  BYTE nop; // = 90
+};
+
 // We don't have an internal thunk for x64.
 struct ServiceFullThunk {
-  ServiceEntry original;
+  union {
+    ServiceEntry original;
+    ServiceEntryW8 original_w8;
+  };
 };
 
 #pragma pack(pop)
 
+bool IsService(const void* source) {
+  const ServiceEntry* service =
+      reinterpret_cast<const ServiceEntry*>(source);
+
+  return (kMmovR10EcxMovEax == service->mov_r10_rcx_mov_eax &&
+          kSyscall == service->syscall && kRetNp == service->ret);
+}
+
 }; // namespace
 
 namespace sandbox {
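Review bot: The field comment `BYTE ret; // = C2` in the new ServiceEntryW8 struct contradicts both the disassembly listed above it (`1e c3 ret`) and the `kRetNp = 0xC3` constant that IsService compares against; it should read `BYTE ret; // = C3` so the documented layout matches what the check enforces. Separately, turning ServiceFullThunk into a union grows it to the size of ServiceEntryW8, so the ReadProcessMemory and memcpy in IsFunctionAService now move that larger size on every platform, and on a pre-Win8 stub the bytes past the ServiceEntry layout are copied without being looked at by IsService; this appears intentional but deserves a comment on the union such as `// Sized for the larger Win8 stub; only the bytes of the matched layout are verified.` The effect on GetThunkSize cannot be confirmed from this hunk, since its body is outside it.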
@@ -80,7 +117,7 @@ size_t ServiceResolverThunk::GetThunkSize() const {
 }
 
 bool ServiceResolverThunk::IsFunctionAService(void* local_thunk) const {
-  ServiceEntry function_code;
+  ServiceFullThunk function_code;
   SIZE_T read;
   if (!::ReadProcessMemory(process_, target_, &function_code,
                            sizeof(function_code), &read))
@@ -89,9 +126,15 @@ bool ServiceResolverThunk::IsFunctionAService(void* local_thunk) const {
   if (sizeof(function_code) != read)
     return false;
 
-  if (kMmovR10EcxMovEax != function_code.mov_r10_rcx_mov_eax ||
-      kSyscall != function_code.syscall || kRetNp != function_code.ret)
-    return false;
+  if (!IsService(&function_code)) {
+    // See if it's the Win8 signature.
+    ServiceEntryW8* w8_service = &function_code.original_w8;
+    if (!IsService(&w8_service->mov_r10_rcx_mov_eax) ||
+        w8_service->mov_1 != kMov1 || w8_service->mov_1 != kMov1 ||
+        w8_service->mov_1 != kMov1) {
+      return false;
+    }
+  }
 
   // Save the verified code.
   memcpy(local_thunk, &function_code, sizeof(function_code)); |
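Review bot: The Win8 signature check compares `w8_service->mov_1` against `kMov1` three times and never checks `mov_2` or `mov_3`, so the twelve bytes of the stub between the first mov and the `mov r10,rcx` are copied to local_thunk as "verified code" without having been verified, and the `kMov2`/`kMov3` constants added in this commit are left unused. The second and third comparisons should read `w8_service->mov_2 != kMov2 || w8_service->mov_3 != kMov3`. Because the result of this check gates whether the target function is treated as a service entry and patched, a looser match than intended accepts stubs that are not the expected layout. The pointer could also be `const ServiceEntryW8*`, since nothing here writes through it. IsFunctionAService begins in the previous hunk and its body continues past the end of this one.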