
test case rip relative

master
aaaaaa aaaaaaa 7 years ago
parent
commit
7fcd4d6eca
1 changed files with 35 additions and 2 deletions
  README.md (+35, -2)

README.md

@@ -124,8 +124,32 @@ back to the original destinations

Test case: RIP relative
=======================
One of the new things in AMD64 is RIP relative addressing. I guess the reason
to include it was to make it easier to generate PIC -- all references to data
can now be made relative, instead of absolute. So it doesn't matter anymore
where the program is loaded into memory and there's less need for the
relocation table.

A quick and dirty[1] test for this is re-implementing the well known C rand
function.
```ASM
public _rip_relative
_rip_relative:
mov rax, qword[seed]
mov ecx, 214013
mul ecx
add eax, 2531011
mov [seed], eax

shr eax, 16
and eax, 0x7FFF
ret

seed dd 1
```

XXX TODO XXX
The very first instruction uses rip relative addressing, thus it needs to be
fixed in the trampoline.

Test case: AVX & RDRAND
=======================
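Review bot: `mov rax, qword[seed]`, the first instruction of `_rip_relative`, loads 8 bytes from `seed`, which is declared as a 4-byte `dd`, so it also reads the 4 bytes that happen to follow `seed` in the code section (the footnote in this commit admits as much). Since `mul ecx` only consumes EAX, `mov eax, dword [seed]` gives the same result without the over-read, is still a RIP-relative disp32 reference (6 bytes, 8B 05 + disp32, instead of 7 with the REX.W prefix), and so still leaves room for a 5-byte JMP at the hook site, which is all the test case needs. Two smaller points: whether `[seed]` is actually encoded RIP-relative depends on the assembler (NASM, for instance, emits an absolute disp32 unless `default rel` is set, in which case the test would not exercise what the section claims), so the README should say which assembler it assumes; and the `XXX TODO XXX` placeholder above "The very first instruction uses rip relative addressing" should be filled in or dropped before this lands in the README.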
@@ -145,4 +169,13 @@ instructions, but those were the first that came to mind.
| PolyHook| X | X | X | X | | | |
| MinHook| X | X | X | | | | X |
| MHook| | | X | | | | |
+----------+-----+------+------------+---+------+----+-------+
+----------+-----+------+------------+---+------+----+-------+

[1] This is one of the things that could easily be improved, but haven't been
because I just couldn't motivate myself. Putting the data right after the func
meant that a section containing code needed to be writable. Which is bad. Also
I load the seed DWORD as a QWORD -- which only works because the upper half is
then thrown away by the multiplication. It's shitty code is what I'm saying.

In retrospect I should have used a jump table like a switch-case could be
compiled into. That would be read only data. Oh well.
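Review bot: the `+----------+-----+------+------------+---+------+----+-------+` border line appears twice in a row in this hunk; if both copies survive in the file, the table ends with a doubled bottom border and one of them should go. In footnote [1], the explanation of why loading `seed` as a QWORD "works" is slightly off: `mul ecx` never reads the upper half of RAX at all, so the real defect is the 4-byte read past the end of `seed`, which `mov eax, dword [seed]` fixes directly; and the writable-code-section problem goes away by putting `seed` in a data section, which still gives a RIP-relative reference, so neither issue actually needs the jump-table rewrite the footnote proposes. Minor style point for the rows above: `| PolyHook| X |` and `| MinHook| X |` are missing the space before the cell separator that the other rows presumably use.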
