-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libinjector: skip kernel mode trap frame #1639
libinjector: skip kernel mode trap frame #1639
Conversation
src/libinjector/win/win_injector.c
Outdated
@@ -292,6 +292,12 @@ static event_response_t wait_for_target_process_cb(drakvuf_t drakvuf, drakvuf_tr | |||
goto done; | |||
} | |||
|
|||
if (bp_addr & (1LL << 63)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I prefer checking whether address is kernel-mode with VMI_GET_BIT(addr, 47)
Can one of the admins verify this patch? |
It looks like the function where you are adding this check will need to be broken up into smaller chunks to reduce its cognitive complexity. |
The threshold is way too low. I'd rather write custom system for applying patches to drakvuf on drakvuf-sandbox side and not upstream fixes rather than refactor each end every function to get below "25 cognitive complexity". |
That's disappointing considering the treshold is the standard used by clang-tidy and you would only have to refactor the function you are changing. But hey, you do you, up to you to maintain and test your fork. |
Such techniques only check for language complexity, without any understanding of underlying logic. You expecting contributors to refactor entire libinjector for windows to comply with random number when fix is a documented single line fix?
Feel free to ping me when someone does refactor |
I don't know where you are getting this from, only a single function needs to be reworked in a fairly straight forward way - taking parts of it and moving to standalone functions. But you seem to be very frustrated with the fact that there is a CI in your way and because of that don't see that the changes required to get passed it are both reasonably small and also would help you in the long term. |
No, not really. I understand that you want to to use active contributors to "reduce code complexity" when they commit new changes to drakvuf, but this is wrong way to do it.
Honestly this feels like a "management newest idea". Let's introduce this arbitrary number and track if it goes higher (or lower in this case) without looking at consequences. But hey, if the number goes down it has to be good, right? |
I understand you have a strong belief that this check to be arbitary but you are wrong. Yes, the complexity threshold of 25 is a number picked out of a hat but if you read the whitepaper you realize it is actually a very reasonable and sufficiently high margin. You are making guesses when you say splitting complex functions into smaller ones will introduce bugs. Also why would it increase maintainence cost? Smaller functions are easier to understand thus maintain. I did the math on over a 1000 repositories on github and each percent increase of complex code introduces ~1.8 new bugs (using clang as baseline for findig bugs). So unless you can back up your claim with data I will just say stop guessing. My data is available here https://intel.github.io/srs/scans/2023.04.18-4669109317. So, prove me wrong! Show me the data that backs up your claims. If you just want to argue that the CI is making you do work you don't wanna do, fair enough, that is true. You understand the logic behind it to do this incrementally as people are working on the code base. So the CI check is staying unless a critical vulnerability necessitates patching something fast. |
@tklengyel @BonusPlay: I see that you guys have really fascinating discussion, but bug is still there. I tried to setup Drakvuf this week and got the same timeouts on injector. In the same time, new possibly related issues are bubbling up: CERT-Polska/drakvuf-sandbox#808. After applying my patch, problem seems to be fixed. @tklengyel I agree that function is too complex and I guess it would be nice to split code from
So I would like to split my work into two simple steps:
Let me know what you think about it 😉 |
@psrok1 sounds reasonable to me |
Ok, I came back from holiday, made some debugging and looked for that "unknown reason" mentioned in comment. So as we already know: I checked why the first method doesn't work for x86 as well and the reason is that syscalls on x86 Windows are made through system call dispatcher But it appears that syscall doesn't return directly to EDX but to the instruction after So current injection handler for x86 traps on
but if we unify code and use method from x64, it traps on
The only thing I don't understand is why drakvuf/src/libinjector/win/methods/win_read_file.c Lines 117 to 133 in cd6d998
STEP1 calls drakvuf/src/libinjector/win/methods/win_read_file.c Lines 134 to 149 in cd6d998
and we're landing in STEP2 where we're setting up memset based on returned address from Finally there is my question: I understand why |
Hi @psrok1, 2 cents.. From the blog article that you have shared about KiFastSystemCall, it does look like it ain't reliable that much given in the blog itself they've written, I might be wrong but it does seem like they are not guaranteeing the return path from KiFastSystemCall.
Regarding your mentioned point -
We do want to catch the calls made by injector themselves as that is how injector functions. You do a syscall, now to get the status of the syscall that happened you need to hit a trap right after the syscall, if the trap that you have set ain't reliable as it seems like in-case of x86 trap being set by trying to hook onto From the looks of it when you are setting a trap in ( |
Ok, I found what I was missing 🤔 https://github.com/tklengyel/drakvuf/blob/main/src/libinjector/injector_stack.c#L503-L507 Return address is set along with arguments, so @manorit2001 Thanks for explanation! |
Refer to CERT-Polska/drakvuf-sandbox#748 for more info why this is an issue.