-rwxr-xr-xtools/traceline/traceline/main.cc11
-rwxr-xr-xtools/traceline/traceline/syscall_map.h8
2 files changed, 13 insertions, 6 deletions
diff --git a/tools/traceline/traceline/main.cc b/tools/traceline/traceline/main.cc
index f149853..997a428 100755
--- a/tools/traceline/traceline/main.cc
+++ b/tools/traceline/traceline/main.cc
@@ -199,8 +199,14 @@ class Playground {
func_addr - 5, GetLastError());
}
+ // TODO(deanm): It seems in more recent updates the compiler is generating
+ // complicated sequences for padding / alignment. For example:
+ // 00000000 8DA42400000000 lea esp,[esp+0x0]
+ // 00000007 8D4900 lea ecx,[ecx+0x0]
+ // is used for a 16 byte alignment. We need a better way of handling this.
if (memcmp(buf, "\x90\x90\x90\x90\x90", 5) == 0 ||
- memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0) {
+ memcmp(buf, "\x00\x8D\x64\x24\x00", 5) == 0 ||
+ memcmp(buf, "\x00\x00\x8D\x49\x00", 5) == 0) {
unsigned int instr_bytes = 0;
// We might have a hotpatch no-op of mov edi, edi "\x8b\xff". It is a
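Review bot: The added pattern `"\x00\x00\x8D\x49\x00"` is only the last five bytes of the two-instruction sequence the TODO describes, so it also matches any unrelated code that happens to end in `00 00 8D 49 00`; the existing `"\x00\x8D\x64\x24\x00"` pattern has the same weakness. If the branch that follows writes into those five bytes, as the `func_addr - 5` read above suggests, a false match would overwrite live instructions in the traced process. Until the TODO is resolved I would add a comment at the condition, `// Suffix match only: each pattern is the tail of a longer padding sequence, so a false positive is possible.`, and consider comparing the whole padding sequence if enough bytes before the function are available. The enclosing function starts and ends outside the hunk, so how `buf` is filled is not visible here.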
@@ -994,10 +1000,7 @@ class Playground {
PatchThreadExit();
PatchSetThreadName();
-#if 0
- // FIXME
PatchSyscall();
-#endif
PatchApcDispatcher();
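Review bot: `PatchSyscall()` is now called unconditionally, but the `#if 0` / `FIXME` that guarded it is removed with no record of what was wrong or why it is safe now. Judging from the syscall_map.h part of this commit, the syscall names presumably come from a table hardcoded to the XP numbering, so on another Windows version the hook would likely report wrong names. I would either guard the call with an OS version check or leave a comment such as `// Syscall names are resolved from the hardcoded XP table in syscall_map.h; verify before running on other versions.` The enclosing function begins and ends outside the hunk.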
diff --git a/tools/traceline/traceline/syscall_map.h b/tools/traceline/traceline/syscall_map.h
index 18f12db..30a2348 100755
--- a/tools/traceline/traceline/syscall_map.h
+++ b/tools/traceline/traceline/syscall_map.h
@@ -15,9 +15,13 @@
#include <map>
+// TODO(deanm): Right now these tables are manually extracted and hardcoded
+// here. It would be great (but possibly difficult) to do it on startup. We
+// should at least checksum the DLLs to make sure they match.
+
std::map<int, const char*> CreateSyscallMap() {
std::map<int, const char*> table;
-if (0) {
+if (1) { // XP table.
table[0] = "ntdll.dll!NtAcceptConnectPort";
table[1] = "ntdll.dll!NtAccessCheck";
table[2] = "ntdll.dll!ZwAccessCheckAndAuditAlarm";
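Review bot: `if (1) { // XP table.` selects the table with a bare literal, which leaves the Vista branch permanently unreachable and makes the choice easy to miss when the tool is run on another target. Until the TODO is done, a named constant would read better, e.g. `const bool kUseXpTable = true;` followed by `if (kUseXpTable) {  // XP table.`. Separately, `CreateSyscallMap()` is defined in a header without `inline`, so a second translation unit including syscall_map.h would produce a duplicate-symbol link error; `inline std::map<int, const char*> CreateSyscallMap() {` avoids that. The function body continues past this hunk.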
@@ -954,7 +958,7 @@ if (0) {
table[4760] = "gdi32.dll!NtGdiBRUSHOBJ_DeleteRbrush";
table[4761] = "gdi32.dll!NtGdiUMPDEngFreeUserMem";
table[4762] = "gdi32.dll!NtGdiDrawStream";
-} else {
+} else { // Vista table.
table[4272] = "gdi32.dll!NtGdiGetDeviceCaps";
table[4220] = "gdi32.dll!NtGdiDeleteObjectApp";
table[4249] = "gdi32.dll!NtGdiFlush";