mirror/upx
1
0
Fork 0
mirror of https://github.com/upx/upx synced 2025-09-28 19:06:07 +08:00
Code Issues Releases Wiki Activity

TLS handling updated to v2, ASLR fix in unpacking

Browse Source
This commit is contained in:
Stefan Widmann 2010-08-13 17:44:21 +02:00
parent 25902005f6
commit 1d8cb47830
6 changed files with 1981 additions and 1954 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/p_w32pe.cpp
View File

@ -123,6 +123,7 @@ PackW32Pe::PackW32Pe(InputFile *f) : super(f)
isrtm = false;
use_dep_hack = true;
use_clear_dirty_stack = true;
use_tls_callbacks = false;
}
@ -200,8 +201,6 @@ void PackW32Pe::processTls(Interval *iv) // pass 1
const tls * const tlsp = (const tls*) (ibuf + IDADDR(PEDIR_TLS));
use_tls_callbacks = false; //NEW - Stefan Widmann
// note: TLS callbacks are not implemented in Windows 95/98/ME
if (tlsp->callbacks)
{
@ -299,6 +298,14 @@ void PackW32Pe::processTls(Reloc *rel,const Interval *iv,unsigned newaddr) // pa
//NEW: if we have TLS callbacks to handle, we create a pointer to the new callback chain - Stefan Widmann
tlsp->callbacks = (use_tls_callbacks ? newaddr + sotls + ih.imagebase - 8 : 0);
if(use_tls_callbacks)
{
//set handler offset
set_le32(otls + sotls - 8, tls_handler_offset + ih.imagebase);
//add relocation for TLS handler offset
rel->add(newaddr + sotls - 8, 3);
}
}
/*************************************************************************
@ -1135,8 +1142,8 @@ void PackW32Pe::pack(OutputFile *fo)
if(use_tls_callbacks)
{
//esi is ih.imagebase + rvamin
linker->defineSymbol("tls_callbacks_ptr", tlscb_ptr - (ih.imagebase + rvamin));
linker->defineSymbol("tls_callbacks_off", ic + sotls - 8 - rvamin);
linker->defineSymbol("tls_callbacks_ptr", tlscb_ptr);
//linker->defineSymbol("tls_callbacks_off", ic + sotls - 8 - rvamin);
linker->defineSymbol("tls_module_base", 0u - rvamin);
}
@ -1172,6 +1179,11 @@ void PackW32Pe::pack(OutputFile *fo)
// tls & loadconf are put into section 1
//ic = s1addr + s1size - sotls - soloadconf; //ATTENTION: moved upwards to TLS callback handling - Stefan Widmann
//get address of TLS callback handler
tls_handler_offset = linker->getSymbolOffset("PETLSC2");
//add relocation entry for TLS callback handler
rel.add(tls_handler_offset + 4, 3);
processTls(&rel,&tlsiv,ic);
ODADDR(PEDIR_TLS) = sotls ? ic : 0;
ODSIZE(PEDIR_TLS) = sotls ? 0x18 : 0;

2
src/p_w32pe.h
View File

@ -70,7 +70,7 @@ protected:
unsigned soloadconf;
unsigned tlscb_ptr; //NEW: TLS callback handling - Stefan Widmann
//unsigned tlscb_off; //NEW: TLS callback handling - Stefan Widmann
unsigned tls_handler_offset;
bool isrtm;
bool use_dep_hack;

4
src/pefile.cpp
View File

@ -1751,6 +1751,10 @@ void PeFile::unpack(OutputFile *fo)
oh.headersize = rvamin;
oh.chksum = 0;
//NEW: disable reloc stripping if ASLR is enabled
if(ih.dllflags & IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE)
opt->win32_pe.strip_relocs = false;
// FIXME: ih.flags is checked here because of a bug in UPX 0.92
if ((opt->win32_pe.strip_relocs && !isdll) || (ih.flags & RELOCS_STRIPPED))
{

3272
src/stub/i386-win32.pe.h
View File

File diff suppressed because it is too large Load Diff

26
src/stub/src/i386-win32.pe.S
View File

@ -114,7 +114,7 @@ section PEK32ORD
jmps next_imp
not_kernel32:
section PEIMORD1
movzxw eax, word ptr [edi] //new: "word ptr" - Stefan Widmann
movzxw eax, word ptr [edi]
inc edi
push eax
inc edi
@ -225,20 +225,18 @@ pedep9:
//;NEW: TLS callback support - Stefan Widmann
section PETLSC
lea ebx, [esi + tls_module_base] //;load module base to ebx
lea eax, [esi + tls_callbacks_ptr] //;load pointer to original callback chain
lea edi, [ebx + tls_handler_start] //;load offset of handler
lea edi, [ebx + tls_handler_start + 1] //;load offset of handler
push edi
inc edi //;pointer to original TLS callback chain is to be saved to handler + 2
inc edi
stosd
pop eax
lea edi, [esi + tls_callbacks_off] //;get ptr to first TLS callback entry
stosd //;save the handler ptr to the TLS callback chain
//;remove jump from TLS handler entry (overwrite displacement)
xor eax, eax
stosb
pop ecx
dec ecx
//;emulate callbacks like PE loader would have done
push 0 //;reserved
push eax //;0 - reserved
push 1 //;DLL_PROCESS_ATTACH
push ebx //;module base alias module handle alias hInstance alias ...
call eax //;contains ptr to callback handler
call ecx //;contains ptr to callback handler
section PEMAIN20
popa
@ -270,10 +268,9 @@ section PEDOJUMP
section PETLSC2
//;TLS_CALLBACK(hModule, reason, reserved)
tls_handler_start:
jmp end_of_tls_handler //;this jump is patched to EB 00 (jmp $+2) by stub
push esi
.byte 0xBE //mov esi, XXXXXXXX
tlsc_chain_ptr:
.byte 0, 0, 0, 0
mov esi, offset tls_callbacks_ptr //;must be relocated
cld //;you never know, this code gets called by the PE loader
walk_tlsc_chain2:
lodsd
@ -289,6 +286,7 @@ push_loop:
jmp walk_tlsc_chain2
done_callbacks:
pop esi
end_of_tls_handler:
ret 0x0C
// =============

27
src/stub/tmp/i386-win32.pe.bin.dump
View File

@ -115,12 +115,14 @@ Idx Name Size VMA LMA File off Algn Flags
110 PERELLO0 0000000a 00000000 00000000 00001a5a 2**0 CONTENTS, READONLY
111 PERELHI0 0000000d 00000000 00000000 00001a64 2**0 CONTENTS, READONLY
112 PEDEPHAK 0000002f 00000000 00000000 00001a71 2**0 CONTENTS, RELOC, READONLY
113 PEMAIN20 00000001 00000000 00000000 00001aa0 2**0 CONTENTS, READONLY
114 CLEARSTACK 0000000d 00000000 00000000 00001aa1 2**0 CONTENTS, READONLY
115 PEMAIN21 00000000 00000000 00000000 00001aae 2**0 CONTENTS, READONLY
116 PERETURN 00000006 00000000 00000000 00001aae 2**0 CONTENTS, READONLY
117 PEDOJUMP 00000005 00000000 00000000 00001ab4 2**0 CONTENTS, RELOC, READONLY
118 UPX1HEAD 00000020 00000000 00000000 00001ab9 2**0 CONTENTS, READONLY
113 PETLSC 00000018 00000000 00000000 00001aa0 2**0 CONTENTS, RELOC, READONLY
114 PEMAIN20 00000001 00000000 00000000 00001ab8 2**0 CONTENTS, READONLY
115 CLEARSTACK 0000000d 00000000 00000000 00001ab9 2**0 CONTENTS, READONLY
116 PEMAIN21 00000000 00000000 00000000 00001ac6 2**0 CONTENTS, READONLY
117 PERETURN 00000006 00000000 00000000 00001ac6 2**0 CONTENTS, READONLY
118 PEDOJUMP 00000005 00000000 00000000 00001acc 2**0 CONTENTS, RELOC, READONLY
119 PETLSC2 0000001f 00000000 00000000 00001ad1 2**0 CONTENTS, RELOC, READONLY
120 UPX1HEAD 00000020 00000000 00000000 00001af0 2**0 CONTENTS, READONLY
SYMBOL TABLE:
00000000 l d N2BSMA10 00000000 N2BSMA10
00000000 l d N2BFAS11 00000000 N2BFAS11
@ -161,6 +163,7 @@ SYMBOL TABLE:
00000000 l d RELOC320 00000000 RELOC320
00000000 l d RELOC32J 00000000 RELOC32J
00000000 l d PEMAIN21 00000000 PEMAIN21
00000000 l d PETLSC2 00000000 PETLSC2
00000000 l d PEISDLL1 00000000 PEISDLL1
00000000 l d PEMAIN01 00000000 PEMAIN01
00000000 l d PEICONS1 00000000 PEICONS1
@ -236,6 +239,7 @@ SYMBOL TABLE:
00000000 l d PERELLO0 00000000 PERELLO0
00000000 l d PERELHI0 00000000 PERELHI0
00000000 l d PEDEPHAK 00000000 PEDEPHAK
00000000 l d PETLSC 00000000 PETLSC
00000000 l d PEMAIN20 00000000 PEMAIN20
00000000 l d CLEARSTACK 00000000 CLEARSTACK
00000000 l d PERETURN 00000000 PERETURN
@ -266,7 +270,9 @@ SYMBOL TABLE:
00000000 *UND* 00000000 vp_base
00000000 *UND* 00000000 vp_size
00000000 *UND* 00000000 swri
00000000 *UND* 00000000 tls_module_base
00000000 *UND* 00000000 original_entry
00000000 *UND* 00000000 tls_callbacks_ptr
RELOCATION RECORDS FOR [PEISDLL1]:
OFFSET TYPE VALUE
@ -565,6 +571,15 @@ OFFSET TYPE VALUE
0000000d R_386_32 vp_size
0000001b R_386_32 swri
RELOCATION RECORDS FOR [PETLSC]:
OFFSET TYPE VALUE
00000002 R_386_32 tls_module_base
00000008 R_386_32 PETLSC2
RELOCATION RECORDS FOR [PEDOJUMP]:
OFFSET TYPE VALUE
00000001 R_386_PC32 original_entry
RELOCATION RECORDS FOR [PETLSC2]:
OFFSET TYPE VALUE
00000004 R_386_32 tls_callbacks_ptr