|
|
/*++
Copyright (c) 2000-2001 Microsoft Corporation
Module Name:
walkamd64.c
Abstract:
This file implements the AMD64 stack walking api.
Author:
Environment:
User Mode
--*/
#define _IMAGEHLP_SOURCE_
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include "private.h"
#define NOEXTAPI
#include "wdbgexts.h"
#include "ntdbg.h"
#include "symbols.h"
#include <stdlib.h>
#include <globals.h>
#define WDB(Args) SdbOut Args
//
// Lookup table providing the number of slots used by each unwind code.
//
UCHAR RtlpUnwindOpSlotTableAmd64[] = { 1, // UWOP_PUSH_NONVOL
2, // UWOP_ALLOC_LARGE (or 3, special cased in lookup code)
1, // UWOP_ALLOC_SMALL
1, // UWOP_SET_FPREG
2, // UWOP_SAVE_NONVOL
3, // UWOP_SAVE_NONVOL_FAR
2, // UWOP_SAVE_XMM
3, // UWOP_SAVE_XMM_FAR
2, // UWOP_SAVE_XMM128
3, // UWOP_SAVE_XMM128_FAR
1 // UWOP_PUSH_MACHFRAME
};
BOOLWalkAmd64Init( HANDLE Process, LPSTACKFRAME64 StackFrame, PAMD64_CONTEXT Context, PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine, PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine, PGET_MODULE_BASE_ROUTINE64 GetModuleBase );
BOOLWalkAmd64Next( HANDLE Process, LPSTACKFRAME64 StackFrame, PAMD64_CONTEXT Context, PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine, PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine, PGET_MODULE_BASE_ROUTINE64 GetModuleBase );
BOOLUnwindStackFrameAmd64( HANDLE Process, PULONG64 ReturnAddress, PULONG64 StackPointer, PULONG64 FramePointer, PAMD64_CONTEXT Context, PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory, PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess, PGET_MODULE_BASE_ROUTINE64 GetModuleBase );
PAMD64_UNWIND_INFOReadUnwindInfoAmd64(ULONG64 ImageBase, ULONG Offset, BOOL ReadCodes, HANDLE Process, PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory, PVOID StaticBuffer, ULONG StaticBufferSize){ ULONG Done; ULONG UnwindInfoSize; PAMD64_UNWIND_INFO UnwindInfo; PVOID SymInfo = NULL; ULONG SymInfoSize; ULONG64 MemOffset = ImageBase + Offset;
// Static buffer should at least be large enough to read the
// basic structure.
if (StaticBufferSize < sizeof(*UnwindInfo)) { return NULL; } UnwindInfo = (PAMD64_UNWIND_INFO)StaticBuffer;
// First read just the basic structure since the information
// is needed to compute the complete size.
if (!ReadMemory(Process, MemOffset, UnwindInfo, sizeof(*UnwindInfo), &Done) || Done != sizeof(*UnwindInfo)) { WDB((1, "Unable to read unwind info at %I64X\n", MemOffset));
SymInfo = GetUnwindInfoFromSymbols(Process, ImageBase, Offset, &SymInfoSize); if (!SymInfo || SymInfoSize < sizeof(*UnwindInfo)) { WDB((1, "Unable to get symbol unwind info at %I64X:%X\n", ImageBase, Offset)); return NULL; }
memcpy(UnwindInfo, SymInfo, sizeof(*UnwindInfo)); }
if (!ReadCodes) { return UnwindInfo; }
// Compute the size of all the data.
UnwindInfoSize = sizeof(*UnwindInfo) + (UnwindInfo->CountOfCodes - 1) * sizeof(AMD64_UNWIND_CODE); // An extra alignment code and pointer may be added on to handle
// the chained info case where the chain pointer is just
// beyond the end of the normal code array.
if ((UnwindInfo->Flags & AMD64_UNW_FLAG_CHAININFO) != 0) { if ((UnwindInfo->CountOfCodes & 1) != 0) { UnwindInfoSize += sizeof(AMD64_UNWIND_CODE); } UnwindInfoSize += sizeof(ULONG64); } if (UnwindInfoSize > 0xffff) { // Too large to be valid data, assume it's garbage.
WDB((1, "Invalid unwind info at %I64X\n", MemOffset)); return NULL; } if (SymInfo && UnwindInfoSize > SymInfoSize) { WDB((1, "Insufficient unwind info in symbols for %I64X:%X\n", ImageBase, Offset)); return NULL; } if (UnwindInfoSize > StaticBufferSize) { UnwindInfo = (PAMD64_UNWIND_INFO)MemAlloc(UnwindInfoSize); if (UnwindInfo == NULL) { WDB((1, "Unable to allocate memory for unwind info\n")); return NULL; } }
// Now read all the data.
if (SymInfo) { memcpy(UnwindInfo, SymInfo, UnwindInfoSize); } else if (!ReadMemory(Process, MemOffset, UnwindInfo, UnwindInfoSize, &Done) || Done != UnwindInfoSize) { if ((PVOID)UnwindInfo != StaticBuffer) { MemFree(UnwindInfo); }
WDB((1, "Unable to read unwind info at %I64X\n", MemOffset)); return NULL; }
return UnwindInfo;}
//
// ****** temp - defin elsewhere ******
//
#define SIZE64_PREFIX 0x48
#define ADD_IMM8_OP 0x83
#define ADD_IMM32_OP 0x81
#define JMP_IMM8_OP 0xeb
#define JMP_IMM32_OP 0xe9
#define LEA_OP 0x8d
#define POP_OP 0x58
#define RET_OP 0xc3
BOOLEANRtlpUnwindPrologueAmd64 ( IN ULONG64 ImageBase, IN ULONG64 ControlPc, IN ULONG64 FrameBase, IN _PIMAGE_RUNTIME_FUNCTION_ENTRY FunctionEntry, IN OUT PAMD64_CONTEXT ContextRecord, IN HANDLE Process, IN PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory )
/*++
Routine Description:
This function processes unwind codes and reverses the state change effects of a prologue. If the specified unwind information contains chained unwind information, then that prologue is unwound recursively. As the prologue is unwound state changes are recorded in the specified context structure and optionally in the specified context pointers structures.
Arguments:
ImageBase - Supplies the base address of the image that contains the function being unwound.
ControlPc - Supplies the address where control left the specified function.
FrameBase - Supplies the base of the stack frame subject function stack frame.
FunctionEntry - Supplies the address of the function table entry for the specified function.
ContextRecord - Supplies the address of a context record.
--*/
{
ULONG64 FloatingAddress; PAMD64_M128 FloatingRegister; ULONG FrameOffset; ULONG Index; ULONG64 IntegerAddress; PULONG64 IntegerRegister; BOOLEAN MachineFrame; ULONG OpInfo; ULONG PrologOffset; PULONG64 RegisterAddress; ULONG64 ReturnAddress; ULONG64 StackAddress; PAMD64_UNWIND_CODE UnwindCode; ULONG64 UnwindInfoBuffer[32]; PAMD64_UNWIND_INFO UnwindInfo; ULONG Done; ULONG UnwindOp;
//
// Process the unwind codes.
//
FloatingRegister = &ContextRecord->Xmm0; IntegerRegister = &ContextRecord->Rax; Index = 0; MachineFrame = FALSE; PrologOffset = (ULONG)(ControlPc - (FunctionEntry->BeginAddress + ImageBase));
WDB((1, "Prol: RIP %I64X, 0x%X bytes in function at %I64X\n", ControlPc, PrologOffset, FunctionEntry->BeginAddress + ImageBase)); WDB((1, "Prol: Read unwind info at %I64X\n", FunctionEntry->UnwindInfoAddress + ImageBase));
UnwindInfo = ReadUnwindInfoAmd64(ImageBase, FunctionEntry->UnwindInfoAddress, TRUE, Process, ReadMemory, UnwindInfoBuffer, sizeof(UnwindInfoBuffer)); if (UnwindInfo == NULL) { WDB((1, "Prol: Unable to read unwind info\n")); return FALSE; }
WDB((1, " Unwind info has 0x%X codes\n", UnwindInfo->CountOfCodes)); while (Index < UnwindInfo->CountOfCodes) {
WDB((1, " %02X: Code %X offs %03X, RSP %I64X\n", Index, UnwindInfo->UnwindCode[Index].UnwindOp, UnwindInfo->UnwindCode[Index].CodeOffset, ContextRecord->Rsp)); //
// If the prologue offset is greater than the next unwind code offset,
// then simulate the effect of the unwind code.
//
UnwindOp = UnwindInfo->UnwindCode[Index].UnwindOp; OpInfo = UnwindInfo->UnwindCode[Index].OpInfo; if (PrologOffset >= UnwindInfo->UnwindCode[Index].CodeOffset) { switch (UnwindOp) {
//
// Push nonvolatile integer register.
//
// The operation information is the register number of the
// register than was pushed.
//
case AMD64_UWOP_PUSH_NONVOL: IntegerAddress = ContextRecord->Rsp; if (!ReadMemory(Process, IntegerAddress, &IntegerRegister[OpInfo], sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { goto Fail; }
ContextRecord->Rsp += 8; break;
//
// Allocate a large sized area on the stack.
//
// The operation information determines if the size is
// 16- or 32-bits.
//
case AMD64_UWOP_ALLOC_LARGE: Index += 1; FrameOffset = UnwindInfo->UnwindCode[Index].FrameOffset; if (OpInfo != 0) { Index += 1; FrameOffset += (UnwindInfo->UnwindCode[Index].FrameOffset << 16); } else { // The 16-bit form is scaled.
FrameOffset *= 8; }
ContextRecord->Rsp += FrameOffset; break;
//
// Allocate a small sized area on the stack.
//
// The operation information is the size of the unscaled
// allocation size (8 is the scale factor) minus 8.
//
case AMD64_UWOP_ALLOC_SMALL: ContextRecord->Rsp += (OpInfo * 8) + 8; break;
//
// Establish the the frame pointer register.
//
// The operation information is not used.
//
case AMD64_UWOP_SET_FPREG: ContextRecord->Rsp = IntegerRegister[UnwindInfo->FrameRegister]; ContextRecord->Rsp -= UnwindInfo->FrameOffset * 16; break;
//
// Save nonvolatile integer register on the stack using a
// 16-bit displacment.
//
// The operation information is the register number.
//
case AMD64_UWOP_SAVE_NONVOL: Index += 1; FrameOffset = UnwindInfo->UnwindCode[Index].FrameOffset * 8; IntegerAddress = FrameBase + FrameOffset; if (!ReadMemory(Process, IntegerAddress, &IntegerRegister[OpInfo], sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { goto Fail; } break;
//
// Save nonvolatile integer register on the stack using a
// 32-bit displacment.
//
// The operation information is the register number.
//
case AMD64_UWOP_SAVE_NONVOL_FAR: Index += 2; FrameOffset = UnwindInfo->UnwindCode[Index - 1].FrameOffset; FrameOffset += (UnwindInfo->UnwindCode[Index].FrameOffset << 16); IntegerAddress = FrameBase + FrameOffset; if (!ReadMemory(Process, IntegerAddress, &IntegerRegister[OpInfo], sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { goto Fail; } break;
//
// Save a nonvolatile XMM(64) register on the stack using a
// 16-bit displacement.
//
// The operation information is the register number.
//
case AMD64_UWOP_SAVE_XMM: Index += 1; FrameOffset = UnwindInfo->UnwindCode[Index].FrameOffset * 8; FloatingAddress = FrameBase + FrameOffset; FloatingRegister[OpInfo].High = 0; if (!ReadMemory(Process, FloatingAddress, &FloatingRegister[OpInfo].Low, sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { goto Fail; } break;
//
// Save a nonvolatile XMM(64) register on the stack using a
// 32-bit displacement.
//
// The operation information is the register number.
//
case AMD64_UWOP_SAVE_XMM_FAR: Index += 2; FrameOffset = UnwindInfo->UnwindCode[Index - 1].FrameOffset; FrameOffset += (UnwindInfo->UnwindCode[Index].FrameOffset << 16); FloatingAddress = FrameBase + FrameOffset; FloatingRegister[OpInfo].High = 0; if (!ReadMemory(Process, FloatingAddress, &FloatingRegister[OpInfo].Low, sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { goto Fail; } break;
//
// Save a nonvolatile XMM(128) register on the stack using a
// 16-bit displacement.
//
// The operation information is the register number.
//
case AMD64_UWOP_SAVE_XMM128: Index += 1; FrameOffset = UnwindInfo->UnwindCode[Index].FrameOffset * 16; FloatingAddress = FrameBase + FrameOffset; if (!ReadMemory(Process, FloatingAddress, &FloatingRegister[OpInfo], sizeof(AMD64_M128), &Done) || Done != sizeof(AMD64_M128)) { goto Fail; } break;
//
// Save a nonvolatile XMM(128) register on the stack using a
// 32-bit displacement.
//
// The operation information is the register number.
//
case AMD64_UWOP_SAVE_XMM128_FAR: Index += 2; FrameOffset = UnwindInfo->UnwindCode[Index - 1].FrameOffset; FrameOffset += (UnwindInfo->UnwindCode[Index].FrameOffset << 16); FloatingAddress = FrameBase + FrameOffset; if (!ReadMemory(Process, FloatingAddress, &FloatingRegister[OpInfo], sizeof(AMD64_M128), &Done) || Done != sizeof(AMD64_M128)) { goto Fail; } break;
//
// Push a machine frame on the stack.
//
// The operation information determines whether the machine
// frame contains an error code or not.
//
case AMD64_UWOP_PUSH_MACHFRAME: MachineFrame = TRUE; ReturnAddress = ContextRecord->Rsp; StackAddress = ContextRecord->Rsp + (3 * 8); if (OpInfo != 0) { ReturnAddress += 8; StackAddress += 8; }
if (!ReadMemory(Process, ReturnAddress, &ContextRecord->Rip, sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { goto Fail; } if (!ReadMemory(Process, StackAddress, &ContextRecord->Rsp, sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { goto Fail; } break;
//
// Unused codes.
//
default: break; }
Index += 1; } else {
//
// Skip this unwind operation by advancing the slot index by the
// number of slots consumed by this operation.
//
Index += RtlpUnwindOpSlotTableAmd64[UnwindOp];
//
// Special case any unwind operations that can consume a variable
// number of slots.
//
switch (UnwindOp) {
//
// A non-zero operation information indicates that an
// additional slot is consumed.
//
case AMD64_UWOP_ALLOC_LARGE: if (OpInfo != 0) { Index += 1; }
break;
//
// No other special cases.
//
default: break; } } }
//
// If chained unwind information is specified, then recursively unwind
// the chained information. Otherwise, determine the return address if
// a machine frame was not encountered during the scan of the unwind
// codes.
//
if ((UnwindInfo->Flags & AMD64_UNW_FLAG_CHAININFO) != 0) { Index = UnwindInfo->CountOfCodes; if ((Index & 1) != 0) { Index += 1; }
ULONG64 ChainEntryAddr = *(PULONG64)(&UnwindInfo->UnwindCode[Index]) + ImageBase;
if (UnwindInfo != (PAMD64_UNWIND_INFO)UnwindInfoBuffer) { MemFree(UnwindInfo); }
_IMAGE_RUNTIME_FUNCTION_ENTRY ChainEntry;
WDB((1, " Chain to entry at %I64X\n", ChainEntryAddr)); if (!ReadMemory(Process, ChainEntryAddr, &ChainEntry, sizeof(ChainEntry), &Done) || Done != sizeof(ChainEntry)) { WDB((1, " Unable to read entry\n")); return FALSE; }
return RtlpUnwindPrologueAmd64(ImageBase, ControlPc, FrameBase, &ChainEntry, ContextRecord, Process, ReadMemory);
} else { if (UnwindInfo != (PAMD64_UNWIND_INFO)UnwindInfoBuffer) { MemFree(UnwindInfo); }
if (MachineFrame == FALSE) { if (!ReadMemory(Process, ContextRecord->Rsp, &ContextRecord->Rip, sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { return FALSE; } ContextRecord->Rsp += 8; }
WDB((1, "Prol: Returning with RIP %I64X, RSP %I64X\n", ContextRecord->Rip, ContextRecord->Rsp)); return TRUE; }
Fail: if (UnwindInfo != (PAMD64_UNWIND_INFO)UnwindInfoBuffer) { MemFree(UnwindInfo); } WDB((1, "Prol: Unwind failed\n")); return FALSE;}
BOOLEANRtlVirtualUnwindAmd64 ( IN ULONG64 ImageBase, IN ULONG64 ControlPc, IN _PIMAGE_RUNTIME_FUNCTION_ENTRY FunctionEntry, IN OUT PAMD64_CONTEXT ContextRecord, OUT PULONG64 EstablisherFrame, IN HANDLE Process, IN PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory )
/*++
Routine Description:
This function virtually unwinds the specified function by executing its prologue code backward or its epilogue code forward.
If a context pointers record is specified, then the address where each nonvolatile registers is restored from is recorded in the appropriate element of the context pointers record.
Arguments:
ImageBase - Supplies the base address of the image that contains the function being unwound.
ControlPc - Supplies the address where control left the specified function.
FunctionEntry - Supplies the address of the function table entry for the specified function.
ContextRecord - Supplies the address of a context record.
EstablisherFrame - Supplies a pointer to a variable that receives the the establisher frame pointer value.
--*/
{
ULONG64 BranchTarget; LONG Displacement; ULONG FrameRegister; ULONG Index; LOGICAL InEpilogue; PULONG64 IntegerRegister; PUCHAR NextByte; ULONG PrologOffset; ULONG RegisterNumber; PAMD64_UNWIND_INFO UnwindInfo; ULONG64 UnwindInfoBuffer[8]; ULONG Done; UCHAR InstrBuffer[32]; ULONG InstrBytes; ULONG Bytes; ULONG UnwindFrameReg;
//
// If the specified function does not use a frame pointer, then the
// establisher frame is the contents of the stack pointer. This may
// not actually be the real establisher frame if control left the
// function from within the prologue. In this case the establisher
// frame may be not required since control has not actually entered
// the function and prologue entries cannot refer to the establisher
// frame before it has been established, i.e., if it has not been
// established, then no save unwind codes should be encountered during
// the unwind operation.
//
// If the specified function uses a frame pointer and control left the
// function outside of the prologue or the unwind information contains
// a chained information structure, then the establisher frame is the
// contents of the frame pointer.
//
// If the specified function uses a frame pointer and control left the
// function from within the prologue, then the set frame pointer unwind
// code must be looked up in the unwind codes to detetermine if the
// contents of the stack pointer or the contents of the frame pointer
// should be used for the establisher frame. This may not atually be
// the real establisher frame. In this case the establisher frame may
// not be required since control has not actually entered the function
// and prologue entries cannot refer to the establisher frame before it
// has been established, i.e., if it has not been established, then no
// save unwind codes should be encountered during the unwind operation.
//
// N.B. The correctness of these assumptions is based on the ordering of
// unwind codes.
//
UnwindInfo = ReadUnwindInfoAmd64(ImageBase, FunctionEntry->UnwindInfoAddress, FALSE, Process, ReadMemory, UnwindInfoBuffer, sizeof(UnwindInfoBuffer)); if (UnwindInfo == NULL) { return FALSE; }
PrologOffset = (ULONG)(ControlPc - (FunctionEntry->BeginAddress + ImageBase)); UnwindFrameReg = UnwindInfo->FrameRegister; if (UnwindFrameReg == 0) { *EstablisherFrame = ContextRecord->Rsp;
} else if ((PrologOffset >= UnwindInfo->SizeOfProlog) || ((UnwindInfo->Flags & AMD64_UNW_FLAG_CHAININFO) != 0)) { *EstablisherFrame = (&ContextRecord->Rax)[UnwindFrameReg]; *EstablisherFrame -= UnwindInfo->FrameOffset * 16;
} else {
// Read all the data.
UnwindInfo = ReadUnwindInfoAmd64(ImageBase, FunctionEntry->UnwindInfoAddress, TRUE, Process, ReadMemory, UnwindInfoBuffer, sizeof(UnwindInfoBuffer)); if (UnwindInfo == NULL) { return FALSE; }
Index = 0; while (Index < UnwindInfo->CountOfCodes) { if (UnwindInfo->UnwindCode[Index].UnwindOp == AMD64_UWOP_SET_FPREG) { break; }
Index += 1; }
if (PrologOffset >= UnwindInfo->UnwindCode[Index].CodeOffset) { *EstablisherFrame = (&ContextRecord->Rax)[UnwindFrameReg]; *EstablisherFrame -= UnwindInfo->FrameOffset * 16;
} else { *EstablisherFrame = ContextRecord->Rsp; }
if (UnwindInfo != (PAMD64_UNWIND_INFO)UnwindInfoBuffer) { MemFree(UnwindInfo); } }
if (!ReadMemory(Process, ControlPc, InstrBuffer, sizeof(InstrBuffer), &InstrBytes)) { WDB((1, "Unable to read instruction stream at %I64X\n", ControlPc)); return FALSE; }
//
// Check for epilogue.
//
// If the point at which control left the specified function is in an
// epilogue, then emulate the execution of the epilogue forward and
// return no exception handler.
//
IntegerRegister = &ContextRecord->Rax; NextByte = InstrBuffer; Bytes = InstrBytes;
//
// Check for one of:
//
// add rsp, imm8
// or
// add rsp, imm32
// or
// lea rsp, -disp8[fp]
// or
// lea rsp, -disp32[fp]
//
if (Bytes >= 4 && (NextByte[0] == SIZE64_PREFIX) && (NextByte[1] == ADD_IMM8_OP) && (NextByte[2] == 0xc4)) {
//
// add rsp, imm8.
//
NextByte += 4; Bytes -= 4;
} else if (Bytes >= 7 && (NextByte[0] == SIZE64_PREFIX) && (NextByte[1] == ADD_IMM32_OP) && (NextByte[2] == 0xc4)) {
//
// add rsp, imm32.
//
NextByte += 7; Bytes -= 7;
} else if (Bytes >= 4 && ((NextByte[0] & 0xf8) == SIZE64_PREFIX) && (NextByte[1] == LEA_OP)) {
FrameRegister = ((NextByte[0] & 0x7) << 3) | (NextByte[2] & 0x7); if ((FrameRegister != 0) && (FrameRegister == UnwindFrameReg)) { if ((NextByte[2] & 0xf8) == 0x60) {
//
// lea rsp, disp8[fp].
//
NextByte += 4; Bytes -= 4;
} else if (Bytes >= 7 && (NextByte[2] &0xf8) == 0xa0) {
//
// lea rsp, disp32[fp].
//
NextByte += 7; Bytes -= 7; } } }
//
// Check for any number of:
//
// pop nonvolatile-integer-register[0..15].
//
while (TRUE) { if (Bytes >= 1 && (NextByte[0] & 0xf8) == POP_OP) { NextByte += 1; Bytes -= 1;
} else if (Bytes >= 2 && ((NextByte[0] & 0xf8) == SIZE64_PREFIX) && ((NextByte[1] & 0xf8) == POP_OP)) {
NextByte += 2; Bytes -= 2;
} else { break; } }
//
// If the next instruction is a return, then control is currently in
// an epilogue and execution of the epilogue should be emulated.
// Otherwise, execution is not in an epilogue and the prologue should
// be unwound.
//
InEpilogue = FALSE; if (Bytes >= 1 && NextByte[0] == RET_OP) { //
// A return is an unambiguous indication of an epilogue
//
InEpilogue = TRUE;
} else if ((Bytes >= 2 && NextByte[0] == JMP_IMM8_OP) || (Bytes >= 5 && NextByte[0] == JMP_IMM32_OP)) {
//
// An unconditional branch to a target that is equal to the start of
// or outside of this routine is logically a call to another function.
//
BranchTarget = (ULONG64)(NextByte - InstrBuffer) + ControlPc - ImageBase; if (NextByte[0] == JMP_IMM8_OP) { BranchTarget += 2 + (CHAR)NextByte[1]; } else { BranchTarget += 5 + *((LONG UNALIGNED *)&NextByte[1]); }
//
// Now determine whether the branch target refers to code within this
// function. If not then it is an epilogue indicator.
//
if (BranchTarget <= FunctionEntry->BeginAddress || BranchTarget > FunctionEntry->EndAddress) {
InEpilogue = TRUE; } }
if (InEpilogue != FALSE) { NextByte = InstrBuffer; Bytes = InstrBytes;
//
// Emulate one of (if any):
//
// add rsp, imm8
// or
// add rsp, imm32
// or
// lea rsp, disp8[frame-register]
// or
// lea rsp, disp32[frame-register]
//
if (Bytes >= 4 && NextByte[1] == ADD_IMM8_OP) {
//
// add rsp, imm8.
//
ContextRecord->Rsp += (CHAR)NextByte[3]; NextByte += 4; Bytes -= 4;
} else if (Bytes >= 7 && NextByte[1] == ADD_IMM32_OP) {
//
// add rsp, imm32.
//
Displacement = NextByte[3] | (NextByte[4] << 8); Displacement |= (NextByte[5] << 16) | (NextByte[6] << 24); ContextRecord->Rsp += Displacement; NextByte += 7; Bytes -= 7;
} else if (Bytes >= 4 && NextByte[1] == LEA_OP) { if ((NextByte[2] & 0xf8) == 0x60) {
//
// lea rsp, disp8[frame-register].
//
ContextRecord->Rsp = IntegerRegister[FrameRegister]; ContextRecord->Rsp += (CHAR)NextByte[3]; NextByte += 4; Bytes -= 4;
} else if (Bytes >= 7 && (NextByte[2] & 0xf8) == 0xa0) {
//
// lea rsp, disp32[frame-register].
//
Displacement = NextByte[3] | (NextByte[4] << 8); Displacement |= (NextByte[5] << 16) | (NextByte[6] << 24); ContextRecord->Rsp = IntegerRegister[FrameRegister]; ContextRecord->Rsp += Displacement; NextByte += 7; Bytes -= 7; } }
//
// Emulate any number of (if any):
//
// pop nonvolatile-integer-register.
//
while (TRUE) { if (Bytes >= 1 && (NextByte[0] & 0xf8) == POP_OP) {
//
// pop nonvolatile-integer-register[0..7]
//
RegisterNumber = NextByte[0] & 0x7; if (!ReadMemory(Process, ContextRecord->Rsp, &IntegerRegister[RegisterNumber], sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { WDB((1, "Unable to read stack at %I64X\n", ContextRecord->Rsp)); return FALSE; } ContextRecord->Rsp += 8; NextByte += 1; Bytes -= 1;
} else if (Bytes >= 2 && (NextByte[0] & 0xf8) == SIZE64_PREFIX && (NextByte[1] & 0xf8) == POP_OP) {
//
// pop nonvolatile-integer-register[8..15]
//
RegisterNumber = ((NextByte[0] & 1) << 3) | (NextByte[1] & 0x7); if (!ReadMemory(Process, ContextRecord->Rsp, &IntegerRegister[RegisterNumber], sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { WDB((1, "Unable to read stack at %I64X\n", ContextRecord->Rsp)); return FALSE; } ContextRecord->Rsp += 8; NextByte += 2; Bytes -= 2;
} else { break; } }
//
// Emulate return and return null exception handler.
//
// Note: this instruction might in fact be a jmp, however
// we want to emulate a return regardless.
//
if (!ReadMemory(Process, ContextRecord->Rsp, &ContextRecord->Rip, sizeof(ULONG64), &Done) || Done != sizeof(ULONG64)) { WDB((1, "Unable to read stack at %I64X\n", ContextRecord->Rsp)); return FALSE; } ContextRecord->Rsp += 8; return TRUE; }
//
// Control left the specified function outside an epilogue. Unwind the
// subject function and any chained unwind information.
//
return RtlpUnwindPrologueAmd64(ImageBase, ControlPc, *EstablisherFrame, FunctionEntry, ContextRecord, Process, ReadMemory);}
�BOOLWalkAmd64( HANDLE Process, LPSTACKFRAME64 StackFrame, PVOID ContextRecord, PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory, PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess, PGET_MODULE_BASE_ROUTINE64 GetModuleBase ){ BOOL rval; PAMD64_CONTEXT Context = (PAMD64_CONTEXT)ContextRecord;
WDB((2, "WalkAmd64 in: PC %I64X, SP %I64X, FP %I64X, RA %I64X\n", StackFrame->AddrPC.Offset, StackFrame->AddrStack.Offset, StackFrame->AddrFrame.Offset, StackFrame->AddrReturn.Offset));
if (StackFrame->Virtual) {
rval = WalkAmd64Next( Process, StackFrame, Context, ReadMemory, FunctionTableAccess, GetModuleBase );
} else {
rval = WalkAmd64Init( Process, StackFrame, Context, ReadMemory, FunctionTableAccess, GetModuleBase );
}
WDB((2, "WalkAmd64 out: succ %d, PC %I64X, SP %I64X, FP %I64X, RA %I64X\n", rval, StackFrame->AddrPC.Offset, StackFrame->AddrStack.Offset, StackFrame->AddrFrame.Offset, StackFrame->AddrReturn.Offset));
return rval;}
BOOLUnwindStackFrameAmd64( IN HANDLE Process, IN OUT PULONG64 ReturnAddress, IN OUT PULONG64 StackPointer, IN OUT PULONG64 FramePointer, IN PAMD64_CONTEXT Context, // Context members could be modified.
IN PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory, IN PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess, IN PGET_MODULE_BASE_ROUTINE64 GetModuleBase ){ _PIMAGE_RUNTIME_FUNCTION_ENTRY FunctionEntry; ULONG64 RetAddr; BOOL Succ = TRUE;
FunctionEntry = (_PIMAGE_RUNTIME_FUNCTION_ENTRY) FunctionTableAccess( Process, *ReturnAddress ); if (FunctionEntry != NULL) {
ULONG64 ImageBase; // Initialized to quiet a PREfix warning.
ULONG64 EstablisherFrame = 0;
//
// The return value coming out of mainCRTStartup is set by some
// run-time routine to be 0; this serves to cause an error if someone
// actually does a return from the mainCRTStartup frame.
//
ImageBase = GetModuleBase(Process, *ReturnAddress); if (!RtlVirtualUnwindAmd64(ImageBase, *ReturnAddress, FunctionEntry, Context, &EstablisherFrame, Process, ReadMemory) || Context->Rip == 0 || (Context->Rip == *ReturnAddress && EstablisherFrame == *FramePointer)) { Succ = FALSE; }
*ReturnAddress = Context->Rip; *StackPointer = Context->Rsp; // The frame pointer is an artificial value set
// to a pointer below the return address. This
// matches an RBP-chain style of frame while
// also allowing easy access to the return
// address and homed arguments above it.
*FramePointer = Context->Rsp - 2 * sizeof(ULONG64);
} else {
ULONG Done; // If there's no function entry for a function
// we assume that it's a leaf and that ESP points
// directly to the return address. There's no
// stored frame pointer so we actually need to
// set a virtual frame pointer deeper in the stack
// so that arguments can correctly be read at
// two ULONG64's up from it.
*FramePointer = Context->Rsp - 8; *StackPointer = Context->Rsp + 8; Succ = ReadMemory(Process, Context->Rsp, ReturnAddress, sizeof(*ReturnAddress), &Done) && Done == sizeof(*ReturnAddress);
// Update the context values to what they should be in
// the caller.
if (Succ) { Context->Rsp += 8; Context->Rip = *ReturnAddress; } }
if (Succ) { ULONG64 CallOffset; _PIMAGE_RUNTIME_FUNCTION_ENTRY CallFunc;
//
// Calls of __declspec(noreturn) functions may not have any
// code after them to return to since the compiler knows
// that the function will not return. This can confuse
// stack traces because the return address will lie outside
// of the function's address range and FPO data will not
// be looked up correctly. Check and see if the return
// address falls outside of the calling function and, if so,
// adjust the return address back by one byte. It'd be
// better to adjust it back to the call itself so that
// the return address points to valid code but
// backing up in X86 assembly is more or less impossible.
//
CallOffset = *ReturnAddress - 1; CallFunc = (_PIMAGE_RUNTIME_FUNCTION_ENTRY) FunctionTableAccess(Process, CallOffset); if (CallFunc != NULL) { _IMAGE_RUNTIME_FUNCTION_ENTRY SaveCallFunc = *CallFunc; _PIMAGE_RUNTIME_FUNCTION_ENTRY RetFunc = (_PIMAGE_RUNTIME_FUNCTION_ENTRY) FunctionTableAccess(Process, *ReturnAddress); if (RetFunc == NULL || memcmp(&SaveCallFunc, RetFunc, sizeof(SaveCallFunc))) { *ReturnAddress = CallOffset; } } }
return Succ;}
BOOLReadFrameArgsAmd64( LPADDRESS64 FrameOffset, HANDLE Process, PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory, PULONG64 Args ){ ULONG Done;
if (!ReadMemory(Process, FrameOffset->Offset + 2 * sizeof(ULONG64), Args, 4 * sizeof(ULONG64), &Done)) { Done = 0; }
ZeroMemory((PUCHAR)Args + Done, 4 * sizeof(ULONG64) - Done);
return Done > 0;}
BOOLWalkAmd64Init( HANDLE Process, LPSTACKFRAME64 StackFrame, PAMD64_CONTEXT Context, PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory, PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess, PGET_MODULE_BASE_ROUTINE64 GetModuleBase ){ AMD64_CONTEXT ContextSave; DWORD64 PcOffset; DWORD64 StackOffset; DWORD64 FrameOffset;
ZeroMemory( &StackFrame->AddrBStore, sizeof(StackFrame->AddrBStore) ); StackFrame->FuncTableEntry = NULL; ZeroMemory( StackFrame->Params, sizeof(StackFrame->Params) ); StackFrame->Far = FALSE; StackFrame->Virtual = TRUE; ZeroMemory( StackFrame->Reserved, sizeof(StackFrame->Reserved) );
if (!StackFrame->AddrPC.Offset) { StackFrame->AddrPC.Offset = Context->Rip; StackFrame->AddrPC.Mode = AddrModeFlat; }
if (!StackFrame->AddrStack.Offset) { StackFrame->AddrStack.Offset = Context->Rsp; StackFrame->AddrStack.Mode = AddrModeFlat; }
if (!StackFrame->AddrFrame.Offset) { StackFrame->AddrFrame.Offset = Context->Rbp; StackFrame->AddrFrame.Mode = AddrModeFlat; }
if ((StackFrame->AddrPC.Mode != AddrModeFlat) || (StackFrame->AddrStack.Mode != AddrModeFlat) || (StackFrame->AddrFrame.Mode != AddrModeFlat)) { return FALSE; }
PcOffset = StackFrame->AddrPC.Offset; StackOffset = StackFrame->AddrStack.Offset; FrameOffset = StackFrame->AddrFrame.Offset;
ContextSave = *Context; ContextSave.Rip = PcOffset; ContextSave.Rsp = StackOffset; ContextSave.Rbp = FrameOffset; if (!UnwindStackFrameAmd64( Process, &PcOffset, &StackOffset, &FrameOffset, &ContextSave, ReadMemory, FunctionTableAccess, GetModuleBase)) { return FALSE; }
StackFrame->AddrReturn.Offset = PcOffset; StackFrame->AddrReturn.Mode = AddrModeFlat;
StackFrame->AddrFrame.Offset = FrameOffset; ReadFrameArgsAmd64(&StackFrame->AddrFrame, Process, ReadMemory, StackFrame->Params);
return TRUE;}
BOOLWalkAmd64Next( HANDLE Process, LPSTACKFRAME64 StackFrame, PAMD64_CONTEXT Context, PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory, PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess, PGET_MODULE_BASE_ROUTINE64 GetModuleBase ){ DWORD Done; BOOL Succ = TRUE; DWORD64 StackAddress; _PIMAGE_RUNTIME_FUNCTION_ENTRY FunctionEntry;
if (!UnwindStackFrameAmd64( Process, &StackFrame->AddrPC.Offset, &StackFrame->AddrStack.Offset, &StackFrame->AddrFrame.Offset, Context, ReadMemory, FunctionTableAccess, GetModuleBase)) { Succ = FALSE;
//
// If the frame could not be unwound or is terminal, see if
// there is a callback frame:
//
if (g.AppVersion.Revision >= 4 && CALLBACK_STACK(StackFrame)) { DWORD64 ImageBase;
if (CALLBACK_STACK(StackFrame) & 0x80000000) {
//
// it is the pointer to the stack frame that we want
//
StackAddress = CALLBACK_STACK(StackFrame);
} else {
//
// if it is a positive integer, it is the offset to
// the address in the thread.
// Look up the pointer:
//
Succ = ReadMemory(Process, (CALLBACK_THREAD(StackFrame) + CALLBACK_STACK(StackFrame)), &StackAddress, sizeof(StackAddress), &Done); if (!Succ || Done != sizeof(StackAddress) || StackAddress == 0) { StackAddress = (DWORD64)-1; CALLBACK_STACK(StackFrame) = (DWORD)-1; } }
if ((StackAddress == (DWORD64)-1) || (!(FunctionEntry = (_PIMAGE_RUNTIME_FUNCTION_ENTRY) FunctionTableAccess(Process, CALLBACK_FUNC(StackFrame))) || !(ImageBase = GetModuleBase(Process, CALLBACK_FUNC(StackFrame))))) {
Succ = FALSE;
} else {
if (!ReadMemory(Process, (StackAddress + CALLBACK_NEXT(StackFrame)), &CALLBACK_STACK(StackFrame), sizeof(DWORD64), &Done) || Done != sizeof(DWORD64)) { Succ = FALSE; } else { StackFrame->AddrPC.Offset = ImageBase + FunctionEntry->BeginAddress; StackFrame->AddrStack.Offset = StackAddress; Context->Rsp = StackAddress;
Succ = TRUE; } } } }
if (Succ) { AMD64_CONTEXT ContextSave; ULONG64 StackOffset = 0; ULONG64 FrameOffset = 0;
//
// Get the return address.
//
ContextSave = *Context; StackFrame->AddrReturn.Offset = StackFrame->AddrPC.Offset;
if (!UnwindStackFrameAmd64( Process, &StackFrame->AddrReturn.Offset, &StackOffset, &FrameOffset, &ContextSave, ReadMemory, FunctionTableAccess, GetModuleBase)) { StackFrame->AddrReturn.Offset = 0; }
StackFrame->AddrFrame.Offset = FrameOffset; ReadFrameArgsAmd64(&StackFrame->AddrFrame, Process, ReadMemory, StackFrame->Params); }
return Succ;}
|
