summaryrefslogtreecommitdiffstats
path: root/tools/traceline
diff options
context:
space:
mode:
authordeanm@chromium.org <deanm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-03-19 11:53:30 +0000
committerdeanm@chromium.org <deanm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-03-19 11:53:30 +0000
commit08e0f82c4a60e88a8967536afe4d997f8051be81 (patch)
tree1b0e97d1096aca74475b504f605a0da3223fcb69 /tools/traceline
parentb844d29b7434595b45b129094770c524073fc0d1 (diff)
downloadchromium_src-08e0f82c4a60e88a8967536afe4d997f8051be81.zip
chromium_src-08e0f82c4a60e88a8967536afe4d997f8051be81.tar.gz
chromium_src-08e0f82c4a60e88a8967536afe4d997f8051be81.tar.bz2
Fix traceline's system call patching on recent versions of ntdll.dll.
Because KiFastSystemCall is so short (4 bytes), we need to use the preceeding alignment for a 5 byte jump. The compiler is generating more complicated alignments these days. Hardcode another case. Additionally switch to using the XP system call tables by default. Review URL: http://codereview.chromium.org/50006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@12088 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'tools/traceline')
-rwxr-xr-xtools/traceline/traceline/main.cc11
-rwxr-xr-xtools/traceline/traceline/syscall_map.h8
2 files changed, 13 insertions, 6 deletions
diff --git a/tools/traceline/traceline/main.cc b/tools/traceline/traceline/main.cc
index f149853..997a428 100755
--- a/tools/traceline/traceline/main.cc
+++ b/tools/traceline/traceline/main.cc
@@ -199,8 +199,14 @@ class Playground {
func_addr - 5, GetLastError());
}
+ // TODO(deanm): It seems in more recent updates the compiler is generating
+ // complicated sequences for padding / alignment. For example:
+ // 00000000 8DA42400000000 lea esp,[esp+0x0]
+ // 00000007 8D4900 lea ecx,[ecx+0x0]
+ // is used for a 16 byte alignment. We need a better way of handling this.
if (memcmp(buf, "\x90\x90\x90\x90\x90", 5) == 0 ||
- memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0) {
+ memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0 ||
+ memcmp(buf, "\x00\x00\x8D\x49\x00", 5) == 0) {
unsigned int instr_bytes = 0;
// We might have a hotpatch no-op of mov edi, edi "\x8b\xff". It is a
@@ -994,10 +1000,7 @@ class Playground {
PatchThreadExit();
PatchSetThreadName();
-#if 0
- // FIXME
PatchSyscall();
-#endif
PatchApcDispatcher();
diff --git a/tools/traceline/traceline/syscall_map.h b/tools/traceline/traceline/syscall_map.h
index 18f12db..30a2348 100755
--- a/tools/traceline/traceline/syscall_map.h
+++ b/tools/traceline/traceline/syscall_map.h
@@ -15,9 +15,13 @@
#include <map>
+// TODO(deanm): Right now these tables are manually extracted and hardcoded
+// here. It would be great (but possibly difficult) to do it on startup. We
+// should at least checksum the DLLs to make sure they match.
+
std::map<int, const char*> CreateSyscallMap() {
std::map<int, const char*> table;
-if (0) {
+if (1) { // XP table.
table[0] = "ntdll.dll!NtAcceptConnectPort";
table[1] = "ntdll.dll!NtAccessCheck";
table[2] = "ntdll.dll!ZwAccessCheckAndAuditAlarm";
@@ -954,7 +958,7 @@ if (0) {
table[4760] = "gdi32.dll!NtGdiBRUSHOBJ_DeleteRbrush";
table[4761] = "gdi32.dll!NtGdiUMPDEngFreeUserMem";
table[4762] = "gdi32.dll!NtGdiDrawStream";
-} else {
+} else { // Vista table.
table[4272] = "gdi32.dll!NtGdiGetDeviceCaps";
table[4220] = "gdi32.dll!NtGdiDeleteObjectApp";
table[4249] = "gdi32.dll!NtGdiFlush";