1 : // Copyright 2012 Google Inc.
2 : //
3 : // Licensed under the Apache License, Version 2.0 (the "License");
4 : // you may not use this file except in compliance with the License.
5 : // You may obtain a copy of the License at
6 : //
7 : // http://www.apache.org/licenses/LICENSE-2.0
8 : //
9 : // Unless required by applicable law or agreed to in writing, software
10 : // distributed under the License is distributed on an "AS IS" BASIS,
11 : // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 : // See the License for the specific language governing permissions and
13 : // limitations under the License.
14 : //
15 : // Declaration of the thunk import references instrumentation transform.
16 : //
17 : // This transform is designed to traverse all blocks containing references to
18 : // entries in the import tables and replace them with references to conjured-up
19 : // thunks that delegate to the instrumentation machinery.
20 : // It accepts a list of modules to exclude from this process to allow for
21 : // e.g. not thunking the instrumentation.
22 :
23 : #ifndef SYZYGY_INSTRUMENT_TRANSFORMS_THUNK_IMPORT_REFERENCES_TRANSFORM_H_
24 : #define SYZYGY_INSTRUMENT_TRANSFORMS_THUNK_IMPORT_REFERENCES_TRANSFORM_H_
25 :
26 : #include <set>
27 : #include <string>
28 :
29 : #include "base/string_piece.h"
30 : #include "syzygy/block_graph/iterate.h"
31 : #include "syzygy/block_graph/transforms/iterative_transform.h"
32 : #include "syzygy/pe/transforms/add_imports_transform.h"
33 :
34 : namespace instrument {
35 : namespace transforms {
36 :
37 : class ThunkImportReferencesTransform
38 : : public block_graph::transforms::NamedBlockGraphTransformImpl<
39 : ThunkImportReferencesTransform> {
40 : public:
41 : ThunkImportReferencesTransform();
42 :
43 : // Adds a module to the list of those from which imports are excluded from
44 : // being thunked. @p module_name is the name of the module including
45 : // the extension, e.g. kernel32.dll.
46 : void ExcludeModule(const base::StringPiece& module_name);
47 :
48 : // The name of the import for general entry hooks.
49 : static const char kEntryHookName[];
50 :
51 : // The name of the instrumentation DLL imported by default.
52 : static const char kDefaultInstrumentDll[];
53 :
54 : protected:
55 : typedef block_graph::BlockGraph BlockGraph;
56 : struct Thunk;
57 :
58 : // @name IterativeTransformImpl implementation.
59 : // @{
60 : virtual bool TransformBlockGraph(
61 : BlockGraph* block_graph, BlockGraph::Block* header_block) OVERRIDE;
62 : // @}
63 :
64 : // Accessor.
65 : BlockGraph::Section* thunk_section() const { return thunk_section_; }
66 :
67 : // Instrument all references to the IAT, excluding the block containing the
68 : // image import descriptor table passed in @p iidt_block.
69 : bool InstrumentIATReferences(BlockGraph* block_graph,
70 : BlockGraph::Block* iat_block,
71 : BlockGraph::Block* iidt_block);
72 :
73 : // Create a single thunk to destination.
74 : // @param destination the destination reference.
75 : // @param is_dll_entry_signature true iff this should be a DLL entry thunk.
76 : BlockGraph::Block* CreateOneThunk(BlockGraph* block_graph,
77 : const BlockGraph::Reference& destination);
78 :
79 : // Initializes the references in thunk_block, which must be an allocated
80 : // thunk of size sizeof(Thunk), containing data of the same size.
81 : static bool InitializeThunk(BlockGraph::Block* thunk_block,
82 : const BlockGraph::Reference& destination,
83 : const BlockGraph::Reference& import_entry);
84 :
85 : // Exposed for testing. Valid after Apply() is called.
86 E : pe::transforms::AddImportsTransform& add_imports_transform() {
87 E : return add_imports_transform_;
88 E : }
89 :
90 : private:
91 : friend NamedBlockGraphTransformImpl<ThunkImportReferencesTransform>;
92 :
93 : // For NamedBlockGraphTransformImpl.
94 : static const char kTransformName[];
95 :
96 : // The section we put our thunks in.
97 : BlockGraph::Section* thunk_section_;
98 :
99 : // References to _indirect_penter and _indirect_penter_dllmain import
100 : // entries.
101 : BlockGraph::Reference hook_ref_;
102 :
103 : // The transform used to add imports for our instrumentation. It also
104 : // conveniently stores references to the blocks containing the IAT and IDT.
105 : pe::transforms::AddImportsTransform add_imports_transform_;
106 :
107 : // Name of the instrumentation DLL we import. Defaults to "call_trace.dll".
108 : std::string instrument_dll_name_;
109 :
110 : // Set of names of modules whose imports will not be thunked.
111 : std::set<std::string> modules_to_exclude_;
112 :
113 : static const Thunk kThunkTemplate;
114 :
115 : DISALLOW_COPY_AND_ASSIGN(ThunkImportReferencesTransform);
116 : };
117 :
118 : // This defines the memory layout for the thunks we create.
119 : #pragma pack(push)
120 : #pragma pack(1)
121 : struct ThunkImportReferencesTransform::Thunk {
122 : WORD push;
123 : DWORD func_addr; // The address to dereference to find the import address.
124 : WORD jmp;
125 : DWORD hook_addr; // The instrumentation hook that gets called beforehand.
126 : };
127 : #pragma pack(pop)
128 :
129 : } // namespace transforms
130 : } // namespace instrument
131 :
132 : #endif // SYZYGY_INSTRUMENT_TRANSFORMS_THUNK_IMPORT_REFERENCES_TRANSFORM_H_
|