Fixing support for inject_x64 injection inside WOW64 processes

[N0fix]

PR for issue#4990.

Those changes fixes support for inject_x64 injection on WoW64 processes, which allows support for mixed mode code, see this

Note that allocation of vmheap fails upon initializing dynamoRIO 64 on WoW64 processes. Thus, we need to pass -reachable_heap to avoid having to make this allocation.

We still need to have a proper support on drrun64 to inject natively without having to use create_process.exe.

Example command line that works :

bin64\drrun.exe -reachable_heap -inject_x64 -c .\clientdll.dll -- bin64\create_process.exe .\helloworld32.exe

As we need to specify reachable_heap I am afraid that win32.mixedmode test will be needing some tweaks.

Changes features :

• Saving eax register that holds routine address for RtlUserThreadStart before mode switch, and restore it on mode switch
• Fixing far jmp to switch to x64 mode on injection
• Fixing env variable argument propagation

EDIT

-reachable_heap should not be required anymore since vmheap injection issues has been fixed in this commit.

[derekbruening]

Thank you for working on this and contributing the patch. I'm not sure I understand some of it though.

[derekbruening]

A) Who is setting the upper bits?

B) You mean the Windows kernel ignores the upper bits? So the assert is flawed?

[N0fix]

I meant that the assert always fails due to the size of mc->rax being compared with wrong sizes, no matter if the syscall is valid or not.

[derekbruening]

I don't understand "the assert always fails due to the size of mc->rax being compared with wrong sizes"?

[N0fix]

Trying to print the first erroneous syscall (syscall that makes the assert trigger) on WoW64 + inject_x64, I can see that mc->xax value is ffffffff00031054. I assume that this comes from a conversion somehow representing the syscall with a signed number, which outputs a value that is wrong if you display it. Since mc->xax is only used as a sysnumber and type converted to int, this is not an issue, but this still makes ASSERT_TRUNCATE (more precisely CHECK_TRUNCATE_TYPE_int) fail.

[derekbruening]

There would not be a widening conversion for an application register. App register values have to be precisely preserved. The machine context structure stores 64-bit values and prints them as such. If the top bits there are 1's, either the app set them to 1's, or somehow there is a bug where DR corrupted the register value. Is this for 32-bit app code? If it is 64-bit, we can't put it past Windows making some change to have the top bits mean something -- though in the past 64-bit code wrote to eax, zeroing the top bits.

[derekbruening]

nit: Modern style is to prefer capitalized and punctuated whole-sentence comments.

[derekbruening]

All the tests are failing: looks like b/c of tabs:

ERROR: diff contains tabs:
  +	 // if x64 client targeting WOW64 we need to

The style convention is to not have any tabs.

[derekbruening]

Tests are all still failing with clang-format style violations:

 ERROR: diff contains trailing spaces:
  + // XXX : We should also be testing for target to be wow64 along with

-- Changes are not formatted properly:

[N0fix]

Tests are all still failing with clang-format style violations:

 ERROR: diff contains trailing spaces:
  + // XXX : We should also be testing for target to be wow64 along with

-- Changes are not formatted properly:

Fixed in last commit

[derekbruening]

There are more -- I would suggest checking the entire diff, or better following the development setup make/git/devsetup.sh https://dynamorio.org/page_workflow.html#autotoc_md296 which checks for trailing spaces and other things at local commit time.

  ERROR: diff contains trailing spaces:
  + // If x64 client targeting WOW64 we need to

There are also clang-format failures -- see the ci-clang-format test. I would suggest setting up clang-format in your editor.

[N0fix]

There are more -- I would suggest checking the entire diff, or better following the development setup make/git/devsetup.sh https://dynamorio.org/page_workflow.html#autotoc_md296 which checks for trailing spaces and other things at local commit time.

  ERROR: diff contains trailing spaces:
  + // If x64 client targeting WOW64 we need to

There are also clang-format failures -- see the ci-clang-format test. I would suggest setting up clang-format in your editor.

Just removed other trailing spaces.
I was looking for your dev setup, thanks for the links, I will take a look into it if this merge fails.

[N0fix]

Not sure about what is failing in Windows build. Looks like a CI error that is not coming from my code.

[derekbruening]

Not sure about what is failing in Windows build. Looks like a CI error that is not coming from my code.

I think it's a sourceforge server error causing doxygen to not get downloaded. Probably re-running is the first thing to try: I clicked re-run.

[derekbruening]

run arm tests

[derekbruening]

@AssadHashmi -- is there any way to enable existing contributors to trigger AArch64 Jenkins runs from a forked PR? It seems there's no way to do that now for a PR from a forked PR created by a new contributor.

[derekbruening]

Going to merge this w/o the Jenkins for now: the master run will catch issues. Cross-compile for these code changes gives high confidence. Once @AssadHashmi is back we'll try to figure out a better long term solution.

[AssadHashmi]

add to whitelist

[AssadHashmi]

ok to test

[AssadHashmi]

test this please

[derekbruening]

run arm tests

[derekbruening]

I think once it's merged nothing will run

[AssadHashmi]

I think once it's merged nothing will run

You're right @derekbruening.
add to whitelist worked for a new contributor @mat-kalinowski on his first PR #5020 (comment)

[N0fix]

An encoding cti error is occurring inside generate_switch_mode_jmp_to_hook on latest builds (from source or cronbuild, doesn't matter), upon injecting into x86 binaries. I have been looking at commits since this PR, and I did not find something that would have interfere with this PR at first glance.

EDIT

This can be fixed changing this to :

 bool target_64 = !x86_code IF_X64(|| !DYNAMO_OPTION(inject_x64));

But this seems to create syscall issues later on on my current Win10 OS. Upon creating a message box (target app calls MessageBoxA), DynamoRIO crashes with : Usage error: Is your client invoking raw system calls via vdso sysenter? While such behavior is not recommended and can create problems, it may work with the -sysenter_is_int80 runtime option.

Windows 10 Build 19041

[N0fix]

I can confirm that mixed code injection is not working anymore on latest cronbuilds (18324 and 18331, since PR basically).

I have a working version of dynamoRIO with injection somewhere. I have been testing this PR again, and the error occurs. So the problem comes from my side, I might have forgotten some change I have made somewhere. I will check that soon and submit a PR fixing that.

[derekbruening]

A regression test should be enabled to avoid breakage.

[N0fix]

A regression test should be enabled to avoid breakage.

Applying modification from this PR to #4653 (#803) works perfectly well, if we add :

			if (is_32bit_process(phandle) && DYNAMO_OPTION(inject_x64)) {
				target_64 = false;
			}

that I did forget in my PR.

The syscall trouble must be coming from some other commit since this PR. Would you know which commit might have mess with syscall handling since then?

[N0fix]

Trouble starts from cronbuild-8.0.18663, we need to check commits between 18655 and 18663.