-rwxr-xr-x | tools/traceline/traceline/main.cc | 11 | ||||
-rwxr-xr-x | tools/traceline/traceline/syscall_map.h | 8 |
2 files changed, 13 insertions, 6 deletions
diff --git a/tools/traceline/traceline/main.cc b/tools/traceline/traceline/main.cc
index f149853..997a428 100755
--- a/tools/traceline/traceline/main.cc
+++ b/tools/traceline/traceline/main.cc
@@ -199,8 +199,14 @@ class Playground {
 func_addr - 5, GetLastError());
 }
+ // TODO(deanm): It seems in more recent updates the compiler is generating
+ // complicated sequences for padding / alignment. For example:
+ // 00000000 8DA42400000000 lea esp,[esp+0x0]
+ // 00000007 8D4900 lea ecx,[ecx+0x0]
+ // is used for a 16 byte alignment. We need a better way of handling this.
 if (memcmp(buf, "\x90\x90\x90\x90\x90", 5) == 0 ||
- memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0) {
+ memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0 ||
+ memcmp(buf, "\x00\x00\x8D\x49\x00", 5) == 0) {
 unsigned int instr_bytes = 0;
 // We might have a hotpatch no-op of mov edi, edi "\x8b\xff". It is a
@@ -994,10 +1000,7 @@ class Playground {
 PatchThreadExit();
 PatchSetThreadName();
-#if 0
- // FIXME PatchSyscall();
-#endif
 PatchApcDispatcher();
diff --git a/tools/traceline/traceline/syscall_map.h b/tools/traceline/traceline/syscall_map.h
index 18f12db..30a2348 100755
--- a/tools/traceline/traceline/syscall_map.h
+++ b/tools/traceline/traceline/syscall_map.h
@@ -15,9 +15,13 @@
 #include <map>
+// TODO(deanm): Right now these tables are manually extracted and hardcoded
+// here. It would be great (but possibly difficult) to do it on startup. We
+// should at least checksum the DLLs to make sure they match.
+
 std::map<int, const char*> CreateSyscallMap() {
 std::map<int, const char*> table;
-if (0) {
+if (1) {
 // XP table.
 table[0] = "ntdll.dll!NtAcceptConnectPort";
 table[1] = "ntdll.dll!NtAccessCheck";
 table[2] = "ntdll.dll!ZwAccessCheckAndAuditAlarm";
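Review bot: The new `"\x00\x00\x8D\x49\x00"` pattern in the memcmp chain matches the last two displacement bytes of the 7-byte `lea esp,[esp+0x0]` followed by the 3-byte `lea ecx,[ecx+0x0]`, so two of the five compared bytes are operand data rather than an opcode, and the same five bytes can occur where the bytes before func_addr are not padding at all. If those bytes are later overwritten by the patch (not visible in this hunk), a false match would clobber the tail of the preceding instruction, so the assumption deserves a comment next to the pattern, e.g. `// Tail of lea esp,[esp+0x0] (8DA42400000000) followed by lea ecx,[ecx+0x0] (8D4900).`. If more than five bytes before func_addr are available in buf, comparing the full 10-byte sequence would cut the false-positive rate; I cannot see how much was read here. The enclosing function starts before and continues past the hunk.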
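Review bot: Flipping `if (0)` to `if (1)` in CreateSyscallMap hardcodes the XP table and turns the Vista branch into dead code, with nothing in the function tying the choice to the ntdll/gdi32 build that is actually running. Because these are syscall-number-to-name maps, a table that does not match the loaded DLLs mislabels every traced call silently instead of failing, which is exactly what the added TODO's checksum idea would catch. At minimum the literal should be a named constant that says what it selects, `const bool kUseXpSyscallTable = true;` and `if (kUseXpSyscallTable) {`, so the next reader does not have to infer which OS the tool was last configured for. CreateSyscallMap continues past the hunk.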
@@ -954,7 +958,7 @@ if (0) {
 table[4760] = "gdi32.dll!NtGdiBRUSHOBJ_DeleteRbrush";
 table[4761] = "gdi32.dll!NtGdiUMPDEngFreeUserMem";
 table[4762] = "gdi32.dll!NtGdiDrawStream";
-} else {
+} else {
 // Vista table.
 table[4272] = "gdi32.dll!NtGdiGetDeviceCaps";
 table[4220] = "gdi32.dll!NtGdiDeleteObjectApp";
 table[4249] = "gdi32.dll!NtGdiFlush"; |