Questions about inline hook multi-core security...

Source: Internet
Author: User

 

Intel CPU instructions:
LOCK
An instruction prefix. While the prefixed instruction executes, the memory location named by its destination operand is locked so that no other processor can access it.
XADD
Exchanges the two operands and stores the sum of the two original values in the destination. Multi-processor safe on the 80486 and later.
CMPXCHG
Compare-and-exchange. Compares the first (destination) operand with AL/AX/EAX. If they are equal, ZF is set to 1 and the second operand is stored into the first; otherwise ZF is cleared to 0 and the first operand is loaded into AL/AX/EAX.
Multi-processor safe on the 80486 and later.
CMPXCHG8B
The 64-bit form of the above. The second operand is implicitly EDX:EAX, which is compared with the 64-bit destination; if they are equal, ECX:EBX is stored to the destination and ZF is set to 1; otherwise the destination is loaded into EDX:EAX and ZF is cleared to 0.

Windows interlocked API list:
InterlockedCompareExchange / InterlockedCompareExchange64
InterlockedCompareExchangeAcquire / InterlockedCompareExchangeAcquire64
InterlockedCompareExchangePointer
InterlockedCompareExchangeRelease / InterlockedCompareExchangeRelease64
InterlockedDecrement / InterlockedDecrement64
InterlockedDecrementAcquire
InterlockedDecrementRelease
InterlockedExchange / InterlockedExchange64
InterlockedExchangeAcquire64
InterlockedExchangeAdd / InterlockedExchangeAdd64
InterlockedExchangePointer
InterlockedIncrement / InterlockedIncrement64
InterlockedIncrementAcquire
InterlockedIncrementRelease

  • Multi-processor safety means that when one processor modifies a value, the other processors must see the new value rather than keep using stale data from their own caches.
  • This article does not discuss Windows NT 3.51/Windows 95 and earlier (designed for the 80386), nor Windows 98 installed on an 80386 (Windows 98 checks at installation time whether the XADD instruction is supported).

Look at a simple function. It adds 1 to *lpAddend and returns the result.
LONG InterlockedIncrement(LPLONG lpAddend)
{
    mov ecx, lpAddend
    mov eax, 1
    lock xadd dword ptr [ecx], eax    ; eax receives the old value, [ecx] the sum
    inc eax                           ; old value + 1 is the return value
    ret 4
}

Now a more complex function. It stores lValue into *plTarget and returns the original value of *plTarget.
LONG InterlockedExchange(LPLONG plTarget, LONG lValue)
{
    mov ecx, plTarget
    mov edx, lValue
    mov eax, dword ptr [ecx]              ; expected old value
L:  lock cmpxchg dword ptr [ecx], edx     ; if [ecx] == eax store edx, else eax = [ecx]
    jne L                                 ; another processor changed it: retry
    ret 8
}
A loop is required here. Similarly there is InterlockedCompareExchange(pDestination, Exchange, Comperand): if *pDestination equals Comperand, Exchange is stored into *pDestination; otherwise nothing is done. The return value is the original value of *pDestination.

The loop technique is very useful. Jeffrey Richter gives a function that adds 1 to the value only if it is greater than 0. The code is as follows (the two locals must be declared outside the do block, since the while condition uses them):
LONG lStartValue, lNewValue;
do {
    lStartValue = *plTarget;
    lNewValue = lStartValue + ((lStartValue > 0) ? 1 : 0);
} while (InterlockedCompareExchange(plTarget, lNewValue, lStartValue) != lStartValue);
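Richter's loop above, as an added example written for this page (it is neither the page's nor Richter's own code): it uses C11 atomics in user mode instead of InterlockedCompareExchange, and injects one conflicting store between the read and the compare-and-exchange, a constructed stand-in for a write from another CPU, so the retry can be seen deterministically. The naive read-modify-write beside it shows the lost update the loop prevents. The `store_once` callback and the scenario functions are assumptions of the example.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Callback run between the read of the old value and the write-back. That is
 * the window in which another CPU could store to the same location; the
 * example calls it to inject one conflicting store deterministically
 * (a constructed stand-in for real contention, not a real interleaving). */
typedef void (*interfere_fn)(atomic_long *target, void *ctx);

/* Richter-style CAS loop: add 1 to *target only if it is > 0.
 * Returns the value finally stored; *retries counts failed CAS attempts. */
long increment_if_positive_cas(atomic_long *target, interfere_fn interfere,
                               void *ctx, int *retries)
{
    long start, next;
    int failed = 0;
    for (;;) {
        start = atomic_load(target);               /* snapshot, like *plTarget */
        next = start + (start > 0 ? 1 : 0);
        if (interfere) interfere(target, ctx);     /* hypothetical other CPU */
        /* Store next only if *target still equals start (CMPXCHG semantics).
         * On failure the current value is loaded into start and we loop. */
        if (atomic_compare_exchange_strong(target, &start, next)) break;
        failed++;
    }
    if (retries) *retries = failed;
    return next;
}

/* The same logic as a plain read-modify-write: each access is atomic, but the
 * pair is not, so a store landing in the window is silently overwritten. */
long increment_if_positive_naive(atomic_long *target, interfere_fn interfere, void *ctx)
{
    long start = atomic_load(target);
    long next = start + (start > 0 ? 1 : 0);
    if (interfere) interfere(target, ctx);
    atomic_store(target, next);                    /* lost update if interfere wrote */
    return next;
}

/* Constructed interference: store `value` into *target on the first call only. */
struct one_shot { int fired; long value; };

static void store_once(atomic_long *target, void *ctx)
{
    struct one_shot *s = ctx;
    if (!s->fired) { s->fired = 1; atomic_store(target, s->value); }
}

/* Scenarios: *target starts at `initial`; one conflicting store of
 * `conflicting` lands in the window. Both return the value left in memory. */
long run_cas_scenario(long initial, long conflicting, int *retries)
{
    atomic_long v; struct one_shot s = { 0, conflicting };
    atomic_init(&v, initial);
    increment_if_positive_cas(&v, store_once, &s, retries);
    return atomic_load(&v);
}

long run_naive_scenario(long initial, long conflicting)
{
    atomic_long v; struct one_shot s = { 0, conflicting };
    atomic_init(&v, initial);
    increment_if_positive_naive(&v, store_once, &s);
    return atomic_load(&v);
}

int cas_retries_in_scenario(long initial, long conflicting)
{
    int retries = 0;
    run_cas_scenario(initial, conflicting, &retries);
    return retries;
}

int main(void)
{
    long after_cas = run_cas_scenario(5, 10, NULL);
    printf("CAS   : 5, conflicting store 10 -> %ld (%d retry)\n",
           after_cas, cas_retries_in_scenario(5, 10));
    printf("naive : 5, conflicting store 10 -> %ld (the 10 is lost)\n",
           run_naive_scenario(5, 10));
    printf("CAS   : 3, conflicting store -4 -> %ld (no increment, no longer > 0)\n",
           run_cas_scenario(3, -4, NULL));
    return 0;
}
```

The CAS version ends at 11 after one retry because the second pass re-reads the value another CPU left behind; the naive version writes back 6 and the conflicting store is lost, which is exactly the multi-processor hazard the interlocked functions exist to prevent.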

An open question is why the lock prefix is not seen in some operating systems. Thread and process locks are left for future research.

Windows does not seem to provide functions for dealing with multi-core synchronization while hooking code. Searching related posts turned up one approach: obtain the spin lock used for thread scheduling. Another is to queue a DPC on every other CPU so that those CPUs sit idle while the code is replaced.

It is hard to use! I recalled the function kisendfreeze(), which can freeze the other CPUs, from reading Software Debugging some time ago. It can take the machine from multi-core mode to single-core mode, but it cannot be reversed: there is no good way to restore multi-core mode from single-core mode!

Since these active-defense products have so many hook points in the kernel, how do they solve the multi-core synchronization problem? Reversing one of them shows the following:

.text:00010DFC sub_10DFC proc near        ; CODE XREF: sub_10E24+BE p
.text:00010DFC                            ; sub_10E24+FB p ...
.text:00010DFC
.text:00010DFC var_4 = dword ptr -4
.text:00010DFC arg_0 = dword ptr 8
.text:00010DFC
.text:00010DFC     mov     edi, edi
.text:00010DFE     push    ebp
.text:00010DFF     mov     ebp, esp
.text:00010E01     push    ecx
.text:00010E02     cli
.text:00010E03     push    eax
.text:00010E04     mov     eax, cr0
.text:00010E07     mov     [ebp+var_4], eax
.text:00010E0A     and     eax, 0FFFEFFFFh       ; clear CR0.WP (bit 16)
.text:00010E0F     mov     cr0, eax
.text:00010E12     pop     eax
.text:00010E13     mov     eax, [ebp+arg_0]
.text:00010E16     mov     ecx, [ebp+var_4]
.text:00010E19     mov     [eax], ecx            ; hand the old CR0 back to the caller
.text:00010E1B     leave
.text:00010E1C     retn    4
.text:00010E1C sub_10DFC endp

.text:00010F1F     call    sub_10DFC
.text:00010F24     mov     ebx, dword_13464[ebx]
.text:00010F2A     sub     edx, ebx
.text:00010F2C     sub     edx, 4                ; edx = target - (call + 5) = rel32
.text:00010F2F     xchg    edx, [ebx]
.text:00010F31     push    eax
.text:00010F32     mov     eax, [ebp+var_20]
.text:00010F35     mov     cr0, eax              ; restore CR0 (WP set again)
.text:00010F38     pop     eax
.text:00010F39     sti
It is nothing more than disabling interrupts (cli), making the memory writable (clearing CR0.WP), and then swapping the new value in with xchg edx, [ebx]. They hook the four displacement bytes xxxx of a call xxxx, which can be replaced with a single xchg instruction; xchg with a memory operand locks the bus implicitly, so no LOCK prefix is needed and other processors never observe a half-written displacement. Therefore the multi-core synchronization problem is side-stepped by choosing the hook location and the number of hooked bytes carefully.
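The four-byte displacement that the listing exchanges, as an added example for this page (it is not the code of the product that was reversed): it decodes and re-encodes an E8 call rel32 on a constructed byte buffer placed at the listing's own addresses, and provides an integrity check that reports whether a call site still reaches its expected target, which is the defender's side of the same arithmetic. The sample buffer, the function names and the retarget address 0x11000 are assumptions of the example; it operates on a copy in memory, never on live code.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CALL_REL32_OPCODE 0xE8u
#define CALL_REL32_LEN    5u

/* Constructed sample: the bytes of `call sub_10DFC` at 0x00010F1F, the call
 * site in the listing. E8 followed by rel32 = 0x10DFC - 0x10F24 = -0x128. */
static const uint8_t SAMPLE_CALL[5]     = { 0xE8, 0xD8, 0xFE, 0xFF, 0xFF };
static const uint8_t SAMPLE_NOT_CALL[5] = { 0x90, 0xD8, 0xFE, 0xFF, 0xFF };
#define SAMPLE_CALL_VA   0x00010F1Fu
#define SAMPLE_TARGET_VA 0x00010DFCu

/* Displacement a call at site_va needs to reach target_va; the listing's
 * `sub edx, ebx` / `sub edx, 4` computes the same value. */
uint32_t encode_rel32(uint32_t site_va, uint32_t target_va)
{
    return target_va - (site_va + CALL_REL32_LEN);
}

/* Little-endian read of the 4 displacement bytes, independent of host order. */
static uint32_t read_rel32(const uint8_t *site)
{
    return (uint32_t)site[1] | ((uint32_t)site[2] << 8) |
           ((uint32_t)site[3] << 16) | ((uint32_t)site[4] << 24);
}

/* Decode the target of the `call rel32` whose 5 bytes start at `site`.
 * Returns 0 if the first byte is not E8. */
uint32_t decode_call_target(const uint8_t *site, uint32_t site_va)
{
    if (site[0] != CALL_REL32_OPCODE) return 0;
    /* unsigned wrap-around gives the right answer for backward (negative) rel32 */
    return site_va + CALL_REL32_LEN + read_rel32(site);
}

/* Integrity check: 1 if the call site still reaches expected_va, 0 if it has
 * been redirected or is no longer a call at all. */
int call_site_intact(const uint8_t *site, uint32_t site_va, uint32_t expected_va)
{
    return site[0] == CALL_REL32_OPCODE &&
           decode_call_target(site, site_va) == expected_va;
}

/* Replace the 4 displacement bytes in a buffer: the opcode at offset 0 is
 * untouched and only offsets 1..4 change, which is why a single 4-byte xchg
 * suffices in the listing. Returns the displacement that was there before. */
uint32_t swap_displacement(uint8_t *site, uint32_t new_rel)
{
    uint32_t old_rel = read_rel32(site);
    for (int k = 0; k < 4; k++)
        site[1 + k] = (uint8_t)(new_rel >> (8 * k));
    return old_rel;
}

/* Scenario on a copy of the sample: retarget it to new_target_va and report
 * where the decoded call now goes (0 if the opcode byte were damaged). */
uint32_t retargeted_copy_decodes_to(uint32_t new_target_va)
{
    uint8_t buf[5];
    memcpy(buf, SAMPLE_CALL, sizeof buf);
    swap_displacement(buf, encode_rel32(SAMPLE_CALL_VA, new_target_va));
    return decode_call_target(buf, SAMPLE_CALL_VA);
}

int main(void)
{
    printf("sample call at %08X targets %08X, intact=%d\n", SAMPLE_CALL_VA,
           decode_call_target(SAMPLE_CALL, SAMPLE_CALL_VA),
           call_site_intact(SAMPLE_CALL, SAMPLE_CALL_VA, SAMPLE_TARGET_VA));
    printf("copy retargeted to 00011000 decodes to %08X\n",
           retargeted_copy_decodes_to(0x11000u));
    return 0;
}
```

The same `call_site_intact` check, run periodically over call sites whose targets are known, is how an integrity monitor would notice a displacement-only hook of this kind: the opcode byte is untouched, so only comparing the decoded target against the expected one reveals the redirection.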

 
// Another method, which can hook any number of bytes.
#include "ntddk.h"
#include "gainexclusivity.h"

LONG  NumberOfRaisedCPU;     // number of other CPUs currently parked in the DPC
LONG  AllCPURaised;          // set to non-zero to release the parked CPUs
PKDPC g_pBasePKDPC;          // array of one KDPC per processor

/*****************************************************************************
 * Function: void RaiseCPUIrqlAndWait()
 * Purpose:  the DPC routine queued on every other CPU; DPCs run at
 *           DISPATCH_LEVEL, so the CPU is effectively parked here until released
 *****************************************************************************/
void RaiseCPUIrqlAndWait(IN PKDPC Dpc, IN PVOID DeferredContext,
                         IN PVOID SystemArgument1, IN PVOID SystemArgument2)
{
    InterlockedIncrement(&NumberOfRaisedCPU);
    while (!InterlockedCompareExchange(&AllCPURaised, 1, 1)) {
        __asm nop;
    }
    InterlockedDecrement(&NumberOfRaisedCPU);
}

/*****************************************************************************
 * Function: void ReleaseExclusivity()
 * Purpose:  release the parked CPUs and the resources created by GainExclusivity()
 *****************************************************************************/
void ReleaseExclusivity(void)
{
    InterlockedIncrement(&AllCPURaised);
    while (InterlockedCompareExchange(&NumberOfRaisedCPU, 0, 0)) {
        __asm nop;               // wait until every parked CPU has left the DPC
    }
    if (NULL != g_pBasePKDPC) {
        ExFreePool((PVOID)g_pBasePKDPC);
        g_pBasePKDPC = NULL;
    }
}

/*****************************************************************************
 * Function: BOOLEAN GainExclusivity(void)
 * Purpose:  call this before modifying EPROCESS or ...; the caller must already
 *           be at DISPATCH_LEVEL, otherwise FALSE is returned and nothing is done
 *****************************************************************************/
BOOLEAN GainExclusivity(void)
{
    ULONG u_currentCpu;
    CCHAR i;
    PKDPC temp_pKdpc;

    if (DISPATCH_LEVEL != KeGetCurrentIrql()) {
        return FALSE;
    }
    InterlockedAnd(&NumberOfRaisedCPU, 0);
    InterlockedAnd(&AllCPURaised, 0);
    temp_pKdpc = (PKDPC)ExAllocatePool(NonPagedPool, KeNumberProcessors * sizeof(KDPC));
    if (NULL == temp_pKdpc) {
        return FALSE;
    }
    g_pBasePKDPC = temp_pKdpc;
    u_currentCpu = KeGetCurrentProcessorNumber();
    for (i = 0; i < KeNumberProcessors; i++, temp_pKdpc++) {
        if (i != (CCHAR)u_currentCpu) {
            KeInitializeDpc(temp_pKdpc, RaiseCPUIrqlAndWait, NULL);
            KeSetTargetProcessorDpc(temp_pKdpc, i);
            KeInsertQueueDpc(temp_pKdpc, NULL, NULL);
        }
    }
    // spin until all the other processors have entered the DPC
    while (KeNumberProcessors - 1 != InterlockedCompareExchange(&NumberOfRaisedCPU,
               KeNumberProcessors - 1, KeNumberProcessors - 1)) {
        __asm nop;
    }
    return TRUE;
}

#define CLEAR_WP() \
    __asm cli \
    __asm mov eax, cr0 \
    __asm and eax, not 000010000h \
    __asm mov cr0, eax
#define SET_WP() \
    __asm mov eax, cr0 \
    __asm or eax, 000010000h \
    __asm mov cr0, eax \
    __asm sti

void __stdcall SetWP(void)   { SET_WP(); ReleaseExclusivity(); }
void __stdcall ClearWP(void) { GainExclusivity(); CLEAR_WP(); }
// Call ClearWP() before the replacement and SetWP() after it.

 
