summaryrefslogtreecommitdiffstats
path: root/mozglue/misc/interceptor/PatcherNopSpace.h
blob: deee87e0f8865530ea83a92c27582f5339a2827b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */

#ifndef mozilla_interceptor_PatcherNopSpace_h
#define mozilla_interceptor_PatcherNopSpace_h

#if defined(_M_IX86)

#  include "mozilla/interceptor/PatcherBase.h"

namespace mozilla {
namespace interceptor {

template <typename VMPolicy>
class WindowsDllNopSpacePatcher final : public WindowsDllPatcherBase<VMPolicy> {
  typedef typename VMPolicy::MMPolicyT MMPolicyT;

  // For remembering the addresses of functions we've patched.
  mozilla::Vector<void*> mPatchedFns;

 public:
  template <typename... Args>
  explicit WindowsDllNopSpacePatcher(Args&&... aArgs)
      : WindowsDllPatcherBase<VMPolicy>(std::forward<Args>(aArgs)...) {}

  ~WindowsDllNopSpacePatcher() { Clear(); }

  WindowsDllNopSpacePatcher(const WindowsDllNopSpacePatcher&) = delete;
  WindowsDllNopSpacePatcher(WindowsDllNopSpacePatcher&&) = delete;
  WindowsDllNopSpacePatcher& operator=(const WindowsDllNopSpacePatcher&) =
      delete;
  WindowsDllNopSpacePatcher& operator=(WindowsDllNopSpacePatcher&&) = delete;

  void Clear() {
    // Restore the mov edi, edi to the beginning of each function we patched.

    for (auto&& ptr : mPatchedFns) {
      WritableTargetFunction<MMPolicyT> fn(
          this->mVMPolicy, reinterpret_cast<uintptr_t>(ptr), sizeof(uint16_t));
      if (!fn) {
        continue;
      }

      // mov edi, edi
      fn.CommitAndWriteShort(0xff8b);
    }

    mPatchedFns.clear();
  }

  /**
   * NVIDIA Optimus drivers utilize Microsoft Detours 2.x to patch functions
   * in our address space. There is a bug in Detours 2.x that causes it to
   * patch at the wrong address when attempting to detour code that is already
   * NOP space patched. This function is an effort to detect the presence of
   * this NVIDIA code in our address space and disable NOP space patching if it
   * is. We also check AppInit_DLLs since this is the mechanism that the Optimus
   * drivers use to inject into our process.
   */
  static bool IsCompatible() {
    // These DLLs are known to have bad interactions with this style of patching
    const wchar_t* kIncompatibleDLLs[] = {L"detoured.dll", L"_etoured.dll",
                                          L"nvd3d9wrap.dll", L"nvdxgiwrap.dll"};
    // See if the infringing DLLs are already loaded
    for (unsigned int i = 0; i < mozilla::ArrayLength(kIncompatibleDLLs); ++i) {
      if (GetModuleHandleW(kIncompatibleDLLs[i])) {
        return false;
      }
    }
    if (GetModuleHandleW(L"user32.dll")) {
      // user32 is loaded but the infringing DLLs are not, assume we're safe to
      // proceed.
      return true;
    }
    // If user32 has not loaded yet, check AppInit_DLLs to ensure that Optimus
    // won't be loaded once user32 is initialized.
    HKEY hkey = NULL;
    if (!RegOpenKeyExW(
            HKEY_LOCAL_MACHINE,
            L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 0,
            KEY_QUERY_VALUE, &hkey)) {
      nsAutoRegKey key(hkey);
      DWORD numBytes = 0;
      const wchar_t kAppInitDLLs[] = L"AppInit_DLLs";
      // Query for required buffer size
      LONG status = RegQueryValueExW(hkey, kAppInitDLLs, nullptr, nullptr,
                                     nullptr, &numBytes);
      mozilla::UniquePtr<wchar_t[]> data;
      if (!status) {
        // Allocate the buffer and query for the actual data
        data = mozilla::MakeUnique<wchar_t[]>((numBytes + 1) / sizeof(wchar_t));
        status = RegQueryValueExW(hkey, kAppInitDLLs, nullptr, nullptr,
                                  (LPBYTE)data.get(), &numBytes);
      }
      if (!status) {
        // For each token, split up the filename components and then check the
        // name of the file.
        const wchar_t kDelimiters[] = L", ";
        wchar_t* tokenContext = nullptr;
        wchar_t* token = wcstok_s(data.get(), kDelimiters, &tokenContext);
        while (token) {
          wchar_t fname[_MAX_FNAME] = {0};
          if (!_wsplitpath_s(token, nullptr, 0, nullptr, 0, fname,
                             mozilla::ArrayLength(fname), nullptr, 0)) {
            // nvinit.dll is responsible for bootstrapping the DLL injection, so
            // that is the library that we check for here
            const wchar_t kNvInitName[] = L"nvinit";
            if (!_wcsnicmp(fname, kNvInitName,
                           mozilla::ArrayLength(kNvInitName))) {
              return false;
            }
          }
          token = wcstok_s(nullptr, kDelimiters, &tokenContext);
        }
      }
    }
    return true;
  }

  bool AddHook(FARPROC aTargetFn, intptr_t aHookDest, void** aOrigFunc) {
    if (!IsCompatible()) {
#  if defined(MOZILLA_INTERNAL_API)
      NS_WARNING("NOP space patching is unavailable for compatibility reasons");
#  endif
      return false;
    }

    MOZ_ASSERT(aTargetFn);
    if (!aTargetFn) {
      return false;
    }

    ReadOnlyTargetFunction<MMPolicyT> readOnlyTargetFn(
        this->ResolveRedirectedAddress(aTargetFn));

    if (!WriteHook(readOnlyTargetFn, aHookDest, aOrigFunc)) {
      return false;
    }

    return mPatchedFns.append(
        reinterpret_cast<void*>(readOnlyTargetFn.GetBaseAddress()));
  }

  bool WriteHook(const ReadOnlyTargetFunction<MMPolicyT>& aFn,
                 intptr_t aHookDest, void** aOrigFunc) {
    // Ensure we can read and write starting at fn - 5 (for the long jmp we're
    // going to write) and ending at fn + 2 (for the short jmp up to the long
    // jmp). These bytes may span two pages with different protection.
    WritableTargetFunction<MMPolicyT> writableFn(aFn.Promote(7, -5));
    if (!writableFn) {
      return false;
    }

    // Check that the 5 bytes before the function are NOP's or INT 3's,
    const uint8_t nopOrBp[] = {0x90, 0xCC};
    if (!writableFn.template VerifyValuesAreOneOf<uint8_t, 5>(nopOrBp)) {
      return false;
    }

    // ... and that the first 2 bytes of the function are mov(edi, edi).
    // There are two ways to encode the same thing:
    //
    //   0x89 0xff == mov r/m, r
    //   0x8b 0xff == mov r, r/m
    //
    // where "r" is register and "r/m" is register or memory.
    // Windows seems to use 0x8B 0xFF. We include 0x89 0xFF out of paranoia.

    // (These look backwards because little-endian)
    const uint16_t possibleEncodings[] = {0xFF8B, 0xFF89};
    if (!writableFn.template VerifyValuesAreOneOf<uint16_t, 1>(
            possibleEncodings, 5)) {
      return false;
    }

    // Write a long jump into the space above the function.
    writableFn.WriteByte(0xe9);  // jmp
    if (!writableFn) {
      return false;
    }

    writableFn.WriteDisp32(aHookDest);  // target
    if (!writableFn) {
      return false;
    }

    // Set aOrigFunc here, because after this point, aHookDest might be called,
    // and aHookDest might use the aOrigFunc pointer.
    *aOrigFunc = reinterpret_cast<void*>(writableFn.GetCurrentAddress() +
                                         sizeof(uint16_t));

    // Short jump up into our long jump.
    return writableFn.CommitAndWriteShort(0xF9EB);  // jmp $-5
  }
};

}  // namespace interceptor
}  // namespace mozilla

#endif  // defined(_M_IX86)

#endif  // mozilla_interceptor_PatcherNopSpace_h