From d6371ea52a99fbca64dbc8d7cfb10a7f14bf3bb0 Mon Sep 17 00:00:00 2001 From: Reid Kleckner Date: Tue, 2 Aug 2016 20:36:29 +0000 Subject: [asan] Intercept RtlRaiseException instead of kernel32!RaiseException Summary: On my install of Windows 10, RaiseException is a tail call to kernelbase!RaiseException. Obviously, we fail to intercept that. Instead, try hooking at the ntdll!RtlRaiseException layer. It is unlikely that this layer will contain control flow. Intercepting at this level requires adding a decoding for 'LEA ESP, [ESP + 0xXXXXXXXX]', which is a really obscure way to write 'SUB ESP, 0xXXXXXXXX' that avoids clobbering EFLAGS. Reviewers: etienneb Subscribers: llvm-commits, kubabrecka Differential Revision: https://reviews.llvm.org/D23046 llvm-svn: 277518 --- compiler-rt/lib/interception/interception_win.cc | 3 +++ 1 file changed, 3 insertions(+) (limited to 'compiler-rt/lib/interception/interception_win.cc') diff --git a/compiler-rt/lib/interception/interception_win.cc b/compiler-rt/lib/interception/interception_win.cc index 3b1b858db63..5acb4afe765 100644 --- a/compiler-rt/lib/interception/interception_win.cc +++ b/compiler-rt/lib/interception/interception_win.cc @@ -565,6 +565,9 @@ static size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) { case 0x24748B: // 8B 74 24 XX : mov esi, dword ptr [esp + XX] case 0x247C8B: // 8B 7C 24 XX : mov edi, dword ptr [esp + XX] return 4; + + case 0x24A48D: // 8D A4 24 XX XX XX XX : lea esp, [esp + XX XX XX XX] + return 7; } switch (*(u32*)address) { -- cgit v1.2.3