Re: [DynInst_API:] BPatch_binaryEdit openBinary crashing


Date: Wed, 25 Feb 2015 19:53:57 +0100
From: Aleksandar Nikolic <nikolic.alek@xxxxxxxxx>
Subject: Re: [DynInst_API:] BPatch_binaryEdit openBinary crashing

On 02/25/2015 05:56 PM, Bill Williams wrote:
> On 02/25/2015 05:31 AM, Aleksandar Nikolic wrote:
>> Hi list,
>>
>> So I am slowly working through issues regarding binary rewriting on
>> Windows. I made a few patches so far and things are going in the right
>> direction, I'd say.
>>
>>
>> To document the patches more easily, I'm committing them to GitHub
>> with the intention of submitting a complete patch directly to you
>> once it's finished.
>>
>> The first issue was that the mutator was crashing when loading the libraries,
>> where getMemSize was used for allocating a piece of memory
>> but was later erroneously used as an argument to memcpy instead of the
>> actual size and led to a crash due to memcpy trying to read past the
>> end of the source buffer.
>> https://github.com/ea/dyninst/commit/bd91b200e13ba1a212b24fdf34ad1a6e544359f2
>>
>>
>> With that change, the mutator finishes the job and produces a broken
>> binary. Firstly, every instruction including an immediate operand
>> was broken as the base was missing from the calculation.
>> This was tracked down to a needless subtraction and was patched like so:
>> https://github.com/ea/dyninst/commit/4badeb118d9a1fc7a285f25251521d5c46db2221
>>
>>
>> The next issue was that the imports in the produced binary were either
>> missing or destroyed. It turns out that RVAs were miscalculated
>> as the calculations were based on initial memory VAs before the
>> actual .dyninst section was fixed. Rearranging the code a bit
>> solves the issue.
>> https://github.com/ea/dyninst/commit/50870a586be7c3ec016d7670dbe70f9ec1aa43f4
>>
>> https://github.com/ea/dyninst/commit/9495e6d056a7d34f626f3f22a8a66ea55a7eb517
>>
>> This patch is a bit hacky and the proper one would need some refactoring
>> but it will do for now for my tests.
>>
>> Now the produced binary looks good (new section is properly added,
>> imports are fixed) sans one thing.
>> Near jumps in the inserted trampolines have a wrong target.
>>
>> For example (trampoline inserted at the beginning of main in my test
>> example):
>> 0x00401010 E9 07 F0 0F 00      jmp near ptr 50001ch
>>
>> Should really be:
>> 0x00401010 E9 07 10 02 00      jmp near ptr 42201ch
>>
>> Which seems to be a constant error of 0xde000.
>> We are currently debugging this issue and I am mentioning
>> it in case somebody knows where the issue might be.
>>
> I'll take a look at the patches over the next couple of days, but this
> all sounds very promising.
> 
> I don't have a definite answer for the trampoline issue, but I'd look at
> whether there's a similar issue to the one with the imports where we
> generated branches before .dyninst was fixed and didn't recalculate
> them. The springboard code is very good at doing what it's told, so I'd
> strongly suspect that we moved the section of relocated code after we
> generated springboards.
> 

It would seem that that is the case. If I fix the base address
"manually", it sort of works. As my patch for imports is hacky, is
there a part of the API that does the recalculations, or should I do
them myself?


>> Cheers,
>> Alex
>>
>> On 02/11/2015 06:20 PM, Matthew LeGendre wrote:
>>>
>>> At one point, perhaps 6-7 years ago, a student had windows binary
>>> rewriting working to the point where you could do basic binary rewriting
>>> on notepad.exe.  They left before finishing the project, and it was
>>> never feature complete nor functional on complicated binaries.  You're
>>> likely seeing the remains of that effort.  I don't know how much of that
>>> code is still valid or useful.
>>>
>>> -Matt
>>>
>>>
>>> On Wed, 11 Feb 2015, Aleksandar Nikolic wrote:
>>>> Hi,
>>>>
>>>> looking at the codebase, a lot of code seems to already be there.
>>>> I'll be getting to know the code in more details. Any directions
>>>> into what would need to be implemented or what parts are missing?
>>>>
>>>> Thanks,
>>>> Alex
>>>>
>>>> On 02/08/2015 10:59 PM, Barton Miller wrote:
>>>>> BTW, if there are any individuals or groups that would like to work on
>>>>> getting rewriting to work on Windows, we'd be happy to provide
>>>>> support.
>>>>> Not a small effort but interesting and worthwhile.
>>>>>
>>>>> --bart
>>>>>
>>>>>
>>>>> On 2/6/2015 4:36 PM, Bill Williams wrote:
>>>>>> No, and not exactly. Windows binary rewriting is not supported,
>>>>>> and is
>>>>>> documented as such. If it were to be supported, what you are doing
>>>>>> would work quite reasonably.
>>>>> _______________________________________________
>>>>> Dyninst-api mailing list
>>>>> Dyninst-api@xxxxxxxxxxx
>>>>> https://lists.cs.wisc.edu/mailman/listinfo/dyninst-api
>>>>
>>
> 
> 
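The trampoline symptom quoted in this thread (an E9 near jmp at 0x00401010 landing at 50001ch instead of 42201ch, a constant error of 0xde000) is a rel32 encoding issue: the displacement is relative to the address of the next instruction, so if the relocated code block is moved after the springboard is generated, every jmp into it is off by exactly the distance the block moved. The following Python is an added example, not code from Dyninst or from anyone in this thread. It decodes and re-encodes E9 rel32 near jumps using the byte sequences quoted above, recovers the relocation delta by comparing the decoded target with the expected one, and re-emits the corrected bytes; the function names and the notion of applying a single delta to all affected jumps are this example's own assumptions.

```python
import struct

# Constructed from the bytes quoted in the thread: the broken trampoline jmp
# at the beginning of main, and the target it should have reached.
BROKEN_ADDR = 0x00401010
BROKEN_JMP = bytes.fromhex("E907F00F00")   # jmp near ptr 50001ch
EXPECTED_TARGET = 0x42201C                  # jmp near ptr 42201ch


def decode_near_jmp(addr, insn):
    """Return the absolute target of an E9 rel32 near jmp located at addr.

    The displacement is signed, little-endian, and relative to the address
    of the instruction that follows the 5-byte jmp.
    """
    if len(insn) != 5 or insn[0] != 0xE9:
        raise ValueError("not a 5-byte E9 rel32 near jmp")
    rel32 = struct.unpack("<i", insn[1:5])[0]
    return (addr + 5 + rel32) & 0xFFFFFFFF


def encode_near_jmp(addr, target):
    """Emit the 5-byte E9 rel32 near jmp at addr that reaches target."""
    rel32 = target - (addr + 5)
    if not -2**31 <= rel32 < 2**31:
        raise ValueError("target out of rel32 range")
    return bytes([0xE9]) + struct.pack("<i", rel32)


def relocation_delta(addr, insn, expected_target):
    """How far the decoded target overshoots the expected one.

    If relocated code was moved after the springboards were generated, this
    delta is the same for every jmp into the moved block (hypothetical
    assumption of this example, consistent with the constant 0xde000 error).
    """
    return decode_near_jmp(addr, insn) - expected_target


def fix_near_jmp(addr, insn, delta):
    """Re-encode a jmp whose target block moved by -delta after emission."""
    return encode_near_jmp(addr, decode_near_jmp(addr, insn) - delta)


def check_trampolines(trampolines, lo, hi):
    """Return the addresses of jmps whose targets fall outside [lo, hi).

    trampolines is a list of (addr, insn_bytes); lo/hi bound the relocated
    code section, so any jmp landing outside it was encoded against a stale
    base. Useful as a sanity pass over a rewritten binary before running it.
    """
    return [addr for addr, insn in trampolines
            if not lo <= decode_near_jmp(addr, insn) < hi]


if __name__ == "__main__":
    bad_target = decode_near_jmp(BROKEN_ADDR, BROKEN_JMP)
    delta = relocation_delta(BROKEN_ADDR, BROKEN_JMP, EXPECTED_TARGET)
    fixed = fix_near_jmp(BROKEN_ADDR, BROKEN_JMP, delta)
    print(f"decoded target  : {bad_target:#x}")
    print(f"relocation delta: {delta:#x}")
    print(f"fixed bytes     : {fixed.hex(' ').upper()}")
    print(f"fixed target    : {decode_near_jmp(BROKEN_ADDR, fixed):#x}")
```

Running this reproduces the thread's numbers: the broken bytes decode to 0x50001c, the delta is 0xde000, and re-encoding yields E9 07 10 02 00, the bytes the author says the jmp should have. The check_trampolines pass is the kind of post-rewrite validation worth running on every springboard once the .dyninst section's final base is known.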