UTSASRG / Scaler

GNU General Public License v2.0

Finding C allocated TLS in assembly #62

Closed GammaPi closed 2 years ago

GammaPi commented 2 years ago

```asm
Dump of assembler code for function accessTLS():
   0x00007ffff7adf930 <+0>:     push   %rbp
   0x00007ffff7adf931 <+1>:     mov    %rsp,%rbp

//auto& i __attribute__((used)) = curContext;
=> 0x00007ffff7adf934 <+4>:     mov    %fs:0x0,%rdx
   0x00007ffff7adf93d <+13>:    mov    0x2ee304(%rip),%rax        # 0x7ffff7dcdc48
   0x00007ffff7adf944 <+20>:    add    %rdx,%rax
   0x00007ffff7adf947 <+23>:    mov    %rax,-0x20(%rbp)

//auto& j __attribute__((used)) = curContext->timingArr;
   0x00007ffff7adf94b <+27>:    mov    0x2ee2f6(%rip),%rax        # 0x7ffff7dcdc48
   0x00007ffff7adf952 <+34>:    mov    %fs:(%rax),%rax
   0x00007ffff7adf956 <+38>:    add    $0x8,%rax
   0x00007ffff7adf95a <+42>:    mov    %rax,-0x18(%rbp)

//auto& k __attribute__((used)) = curContext->timingArr->internalArr;
   0x00007ffff7adf95e <+46>:    mov    0x2ee2e3(%rip),%rax        # 0x7ffff7dcdc48
   0x00007ffff7adf965 <+53>:    mov    %fs:(%rax),%rax
   0x00007ffff7adf969 <+57>:    mov    0x8(%rax),%rax
   0x00007ffff7adf96d <+61>:    add    $0x8,%rax
   0x00007ffff7adf971 <+65>:    mov    %rax,-0x10(%rbp)

//auto& k __attribute__((used)) = curContext->timingArr->internalArr;
   0x00007ffff7adf975 <+69>:    mov    0x2ee2cc(%rip),%rax        # 0x7ffff7dcdc48
   0x00007ffff7adf97c <+76>:    mov    %fs:(%rax),%rax
   0x00007ffff7adf980 <+80>:    mov    0x8(%rax),%rax
   0x00007ffff7adf984 <+84>:    mov    0x8(%rax),%rax
   0x00007ffff7adf988 <+88>:    mov    %rax,-0x8(%rbp)
   0x00007ffff7adf98c <+92>:    nop
   0x00007ffff7adf98d <+93>:    pop    %rbp
   0x00007ffff7adf98e <+94>:    ret
End of assembler dump.
```


GammaPi commented 2 years ago

The cs offset points to TLS location. rdx shows how to access the address of the thread local variable. rcx accesses a pointer inside the thread-local array. The offset of this variable is 8. Basically we can fill the address manually to access TLS. The offset is related to the loading address of the Scaler module.
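The address arithmetic the comment describes can be reproduced from C, which is a convenient way to check one's reading of such a dump. The following is an added example, not code from Scaler: it reads the x86-64 thread pointer the same way `mov %fs:0x0,%rdx` does, computes the thread-pointer-relative offset of a thread-local pointer, rebuilds the slot address by hand from thread pointer plus offset, and then follows the `->timingArr->internalArr` chain through fields placed at offset 8 to match the `add $0x8` / `0x8(%rax)` steps in the dump. The struct layouts, the `curContext` pointer and the backing data are constructed for the example; it assumes x86-64 Linux with glibc, where the TCB self-pointer lives at `%fs:0`.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed layouts: the pointer field of interest sits at offset 8 in both
 * structs, mirroring `add $0x8,%rax` and `mov 0x8(%rax),%rax` in the dump. */
struct timing_arr {
    long pad;                      /* offset 0, filler */
    long *internalArr;             /* offset 8 */
};
struct context {
    long pad;                      /* offset 0, filler */
    struct timing_arr *timingArr;  /* offset 8 */
};

/* Constructed backing data so the pointer chain ends somewhere readable. */
static long backing_arr[4] = {10, 20, 30, 40};
static struct timing_arr backing_timing = {0, backing_arr};
static struct context backing_ctx = {0, &backing_timing};

/* Thread-local pointer playing the role of curContext in the dump. */
static __thread struct context *curContext = &backing_ctx;

/* Read the thread pointer: this is exactly what `mov %fs:0x0,%rdx` does.
 * Assumes x86-64 Linux/glibc, where the TCB stores a pointer to itself at %fs:0. */
static uintptr_t read_thread_pointer(void) {
    uintptr_t tp;
    __asm__ volatile("mov %%fs:0, %0" : "=r"(tp));
    return tp;
}

/* Offset of the curContext slot relative to the thread pointer. On x86-64
 * (TLS variant II) the static TLS block sits below the TCB, so this is
 * negative; it is the kind of value the dump loads from the GOT slot at
 * 0x7ffff7dcdc48 and adds to %rdx. */
long offset_of_curContext(void) {
    return (long)((intptr_t)&curContext - (intptr_t)read_thread_pointer());
}

/* Rebuild the address by hand: thread pointer + offset gives the slot
 * (the `mov %fs:(%rax),%rax` load), then follow the two offset-8 fields. */
long *manual_internalArr(long tls_offset) {
    uintptr_t slot = read_thread_pointer() + (uintptr_t)tls_offset;
    struct context *ctx = *(struct context **)slot;   /* load curContext */
    return ctx->timingArr->internalArr;               /* 0x8(%rax), then 0x8(%rax) again */
}

/* Read one element through the manually reconstructed chain. */
long read_via_manual_chain(long tls_offset, int idx) {
    return manual_internalArr(tls_offset)[idx];
}
```

If `read_via_manual_chain(offset_of_curContext(), i)` returns the same values as `curContext->timingArr->internalArr[i]`, the offset and the field displacements have been read off the dump correctly; a mismatch usually means the wrong TLS model or struct layout was assumed.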

GammaPi commented 2 years ago

Sec 11.4.5 https://cdrdv2.intel.com/v1/dl/getContent/671200

> SSE2 extensions designate two instruction prefixes (2EH and 3EH) to provide branch hints to the processor (see “Instruction Prefixes” in Chapter 2 of the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 2A). These prefixes can only be used with the Jcc instruction and only at the machine code level (that is, there are no mnemonics for the branch hints).

GammaPi commented 2 years ago

Already implemented in v0.2.0