[PATCH] ntdll: Set rcx on exit from syscall dispatcher on x64.
Paul Gofman
pgofman at codeweavers.com
Wed Dec 1 10:54:45 CST 2021
On 12/1/21 19:49, Jinoh Kang wrote:
> Example scenario, if code_mem == 0x123FF0:
> - LEAQ RAX, [RIP + 0x1000] | RAX = 0x124FF7 (0x123FF0 + 7 + 0x1000)
> - ANDQ RAX, ~0xFFF | RAX = 0x124000 (0x124FF7 & ~0xFFF)
> - SUBQ RAX, 8 | RAX = 0x123FF8 (0x124FF0 - 8)
> - MOVQ [RAX], RSP
> - MOVQ RSP, RAX | RSP = 0x123FF8
> - PUSH R8 | RSP = 0x123FF0
> - PUSH RBX | RSP = 0x123FE8 <--- [[overflow]]
>
> code_mem is always page-aligned though, so the overflow won't happen.
> But in that case I suppose andq gives a false impression that the
> address might not be page-aligned.
>
I didn't want to rely on the rip being exactly at the code_mem start and
not a few bytes ahead.
>
> Perhaps it ignores CS being set to any other value (e.g. 32-bit compat segment?)
> or maybe selectively use IRETQ. I hope no usermode anti-debugging/anti-cheat
> would rely on this...
Some might, in theory, or maybe rely on one of the numerous other neat
things around this stuff. I am just not sure we should (or can) mind
every bit of special cases we can think of before we know that anything
relies on that.