diff options
Diffstat (limited to 'frida_mode/src')
| -rw-r--r-- | frida_mode/src/persistent/persistent_x64.c | 46 | ||||
| -rw-r--r-- | frida_mode/src/persistent/persistent_x86.c | 40 | 
2 files changed, 13 insertions, 73 deletions
| diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index 49f1988c..aa772b7f 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -40,7 +40,6 @@ struct x86_64_regs { typedef struct x86_64_regs arch_api_regs; static arch_api_regs saved_regs = {0}; -static void * saved_return = NULL; gboolean persistent_is_supported(void) { @@ -183,43 +182,11 @@ static void instrument_persitent_restore_regs(GumX86Writer * cw, } -static void instrument_save_ret(GumX86Writer *cw, void **saved_return_ptr) { +static void instrument_exit(GumX86Writer *cw) { - GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr); - gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, - -(GUM_RED_ZONE_SIZE)); - gum_x86_writer_put_push_reg(cw, GUM_REG_RAX); - gum_x86_writer_put_push_reg(cw, GUM_REG_RBX); - - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, saved_return_address); - gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, - GUM_RED_ZONE_SIZE + 0x10); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, 0, GUM_REG_RBX); - - gum_x86_writer_put_pop_reg(cw, GUM_REG_RBX); - gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX); - - gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, - (GUM_RED_ZONE_SIZE)); - -} - -static void instrument_jump_ret(GumX86Writer *cw, void **saved_return_ptr) { - - GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr); - gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, - -(GUM_RED_ZONE_SIZE)); - - /* Place holder for ret */ - gum_x86_writer_put_push_reg(cw, GUM_REG_RAX); - gum_x86_writer_put_push_reg(cw, GUM_REG_RAX); - - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, saved_return_address); - gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RAX, GUM_REG_RAX, 0); - - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RSP, 0x8, GUM_REG_RAX); - gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX); - gum_x86_writer_put_ret_imm(cw, GUM_RED_ZONE_SIZE); + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, GUM_ADDRESS(_exit)); + gum_x86_writer_put_mov_reg_u32(cw, GUM_REG_RDI, 0); + gum_x86_writer_put_call_reg(cw, GUM_REG_RAX); } @@ -302,8 +269,7 @@ void persistent_prologue(GumStalkerOutput *output) { /* Stack must be 16-byte aligned per ABI */ instrument_persitent_save_regs(cw, &saved_regs); - /* Stash and pop the return value */ - instrument_save_ret(cw, &saved_return); + /* pop the return value */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, (8)); /* loop: */ @@ -329,7 +295,7 @@ void persistent_prologue(GumStalkerOutput *output) { /* done: */ gum_x86_writer_put_label(cw, done); - instrument_jump_ret(cw, &saved_return); + instrument_exit(cw); /* original: */ gum_x86_writer_put_label(cw, original); diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index bd7171b9..20a3dc42 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -39,7 +39,6 @@ struct x86_regs { typedef struct x86_regs arch_api_regs; static arch_api_regs saved_regs = {0}; -static void * saved_return = NULL; gboolean persistent_is_supported(void) { @@ -138,36 +137,12 @@ static void instrument_persitent_restore_regs(GumX86Writer * cw, } -static void instrument_save_ret(GumX86Writer *cw, void **saved_return_ptr) { +static void instrument_exit(GumX86Writer *cw) { - GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr); - - gum_x86_writer_put_push_reg(cw, GUM_REG_EAX); - gum_x86_writer_put_push_reg(cw, GUM_REG_EBX); - - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, saved_return_address); - gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x8); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, 0, GUM_REG_EBX); - - gum_x86_writer_put_pop_reg(cw, GUM_REG_EBX); - gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX); - -} - -static void instrument_jump_ret(GumX86Writer *cw, void **saved_return_ptr) { - - GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr); - - /* Place holder for ret */ - gum_x86_writer_put_push_reg(cw, GUM_REG_EAX); - gum_x86_writer_put_push_reg(cw, GUM_REG_EAX); - - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, saved_return_address); - gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EAX, GUM_REG_EAX, 0); - - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_ESP, 0x4, GUM_REG_EAX); - gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX); - gum_x86_writer_put_ret(cw); + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, GUM_ADDRESS(_exit)); + gum_x86_writer_put_mov_reg_u32(cw, GUM_REG_EDI, 0); + gum_x86_writer_put_push_reg(cw, GUM_REG_EDI); + gum_x86_writer_put_call_reg(cw, GUM_REG_EAX); } @@ -238,8 +213,7 @@ void persistent_prologue(GumStalkerOutput *output) { /* Stack must be 16-byte aligned per ABI */ instrument_persitent_save_regs(cw, &saved_regs); - /* Stash and pop the return value */ - instrument_save_ret(cw, &saved_return); + /* Pop the return value */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, (4)); /* loop: */ @@ -265,7 +239,7 @@ void persistent_prologue(GumStalkerOutput *output) { /* done: */ gum_x86_writer_put_label(cw, done); - instrument_jump_ret(cw, &saved_return); + instrument_exit(cw); /* original: */ gum_x86_writer_put_label(cw, original); | 
