
Commit eb76211

stalker: Handle the clone3 syscall in the x86 backend
1 parent 6843180 commit eb76211

1 file changed

Lines changed: 13 additions & 8 deletions


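--- a/gum/backend-x86/gumstalker-x86.c
+++ b/gum/backend-x86/gumstalker-x86.c
@@ -40,6 +40,9 @@
 # ifndef HAVE_ANDROID
 # include <unwind.h>
 # endif
+# ifndef __NR_clone3
+# define __NR_clone3 435
+# endif
 #endif
 
 #define GUM_CODE_SLAB_SIZE_INITIAL (128 * 1024)
@@ -5041,23 +5044,27 @@ gum_exec_block_virtualize_linux_syscall (GumExecBlock * block,
 {
 GumX86Writer * cw = gc->code_writer;
 const cs_insn * insn = gc->instruction->ci;
-gconstpointer perform_regular_syscall = cw->code + 1;
-gconstpointer perform_next_instruction = cw->code + 2;
+gconstpointer perform_clone_syscall = cw->code + 1;
+gconstpointer perform_regular_syscall = cw->code + 2;
+gconstpointer perform_next_instruction = cw->code + 3;
 
 gum_x86_relocator_skip_one (gc->relocator);
 
 if (gc->opened_prolog != GUM_PROLOG_NONE)
 gum_exec_block_close_prolog (block, gc, cw);
 
-/* Save state */
 gum_x86_writer_put_lea_reg_reg_offset (cw, GUM_REG_XSP,
 GUM_REG_XSP, -GUM_RED_ZONE_SIZE);
 gum_x86_writer_put_pushfx (cw);
 
-/* See if the syscall is clone */
 gum_x86_writer_put_cmp_reg_i32 (cw, GUM_REG_XAX, __NR_clone);
+gum_x86_writer_put_jcc_near_label (cw, X86_INS_JE, perform_clone_syscall,
+GUM_NO_HINT);
+gum_x86_writer_put_cmp_reg_i32 (cw, GUM_REG_XAX, __NR_clone3);
 gum_x86_writer_put_jcc_near_label (cw, X86_INS_JNE, perform_regular_syscall,
-GUM_UNLIKELY);
+GUM_NO_HINT);
+
+gum_x86_writer_put_label (cw, perform_clone_syscall);
 
 /*
 * Store the return address. Note that we cannot use the stack to store this
@@ -5100,16 +5107,14 @@ gum_exec_block_virtualize_linux_syscall (GumExecBlock * block,
 g_assert_not_reached ();
 }
 
-gum_x86_writer_put_jmp_near_label (cw, perform_next_instruction);
+gum_x86_writer_put_jmp_short_label (cw, perform_next_instruction);
 
 gum_x86_writer_put_label (cw, perform_regular_syscall);
 
-/* Restore state */
 gum_x86_writer_put_popfx (cw);
 gum_x86_writer_put_lea_reg_reg_offset (cw, GUM_REG_XSP,
 GUM_REG_XSP, GUM_RED_ZONE_SIZE);
 
-/* Original syscall instruction */
 gum_x86_writer_put_bytes (cw, insn->bytes, insn->size);
 
 gum_x86_writer_put_label (cw, perform_next_instruction);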
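Review bot: The second hunk drops the four explanatory comments (`/* Save state */`, `/* See if the syscall is clone */`, `/* Restore state */`, `/* Original syscall instruction */`) while adding a second compare and a new `perform_clone_syscall` label, so the emitted red-zone/pushfx/cmp/jcc sequence is now harder to follow than before; I would restore them updated, e.g. `/* See if the syscall is clone or clone3 */` above the first `gum_x86_writer_put_cmp_reg_i32` and the other three where they were. The `# define __NR_clone3 435` fallback in the first hunk also deserves a one-line comment such as `/* clone3 was added in Linux 5.3 with this number on every architecture; older headers lack it */`, so a reader does not take 435 for an x86-only value or a guess. The clone-specific handling that runs between the second and third hunks is not visible here; clone3 passes a `struct clone_args *` and its size rather than the flags/child-stack register layout of `clone`, so if that shared path reads any of the syscall argument registers it should be confirmed to cope with both ABIs. The switch from `gum_x86_writer_put_jmp_near_label` to `gum_x86_writer_put_jmp_short_label` only has to skip the popfx, lea and the copied syscall bytes, which fits a short displacement, but the commit message does not say why the near form was dropped. gum_exec_block_virtualize_linux_syscall's signature and closing brace lie outside the shown hunks.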
