Allow Windows PE binaries to be rebased.

GJDuck · GJDuck · commit 160a354288ee · 2021-09-07T12:40:59.000+08:00
This is supported via the `--mem-rebase' option.

Only works if relocations are available.
diff --git a/src/e9patch/e9elf.cpp b/src/e9patch/e9elf.cpp
@@ -501,6 +501,10 @@ size_t emitElf(const Binary *B, const MappingSet &mappings,
     phdr->p_align  = PAGE_SIZE;
 
     stat_output_file_size = size;
+
+    if (option_mem_rebase_set)
+        warning("ignoring `--mem-rebase' option for Linux ELF binary");
+
     return size;
 }
 
diff --git a/src/e9patch/e9patch.cpp b/src/e9patch/e9patch.cpp
@@ -57,6 +57,7 @@ intptr_t option_mem_lb         = RELATIVE_ADDRESS_MIN;
 intptr_t option_mem_ub         = RELATIVE_ADDRESS_MAX;
 size_t option_mem_mapping_size = PAGE_SIZE;
 bool option_mem_multi_page     = true;
+intptr_t option_mem_rebase     = 0x0;
 std::set<intptr_t> option_trap;
 bool option_trap_all           = false;
 bool option_trap_entry         = false;
@@ -65,6 +66,7 @@ static std::string option_output("-");
 bool option_loader_base_set    = false;
 bool option_loader_phdr_set    = false;
 bool option_loader_static_set  = false;
+bool option_mem_rebase_set     = false;
 
 /*
  * Global statistics.
@@ -140,7 +142,7 @@ void debugImpl(const char *msg, ...)
  * Parse an integer from an optarg.
  */
 static intptr_t parseIntOptArg(const char *option, const char *optarg,
-    intptr_t lb, intptr_t ub)
+    intptr_t lb, intptr_t ub, bool hex = false)
 {
     const char *optarg_0 = optarg;
     bool neg = (optarg[0] == '-');
@@ -155,8 +157,18 @@ static intptr_t parseIntOptArg(const char *option, const char *optarg,
     r = (neg? -r: r);
     if (errno != 0 || end == optarg ||
             (end != nullptr && *end != '\0') || r < lb || r > ub)
-        error("failed to parse argument \"%s\" for the `%s' option; "
-            "expected a number %zd..%zd", option, optarg_0, lb, ub);
+    {
+        if (!hex)
+            error("failed to parse argument \"%s\" for the `%s' option; "
+                "expected a number within the range %zd..%zd", option,
+                optarg_0, lb, ub);
+        else
+            error("failed to parse argument \"%s\" for the `%s' option; "
+                "expected a number within the range %s0x%lx..%s0x%lx",
+                option, optarg_0,
+                (lb < 0? "-": ""), std::abs(lb),
+                (ub < 0? "-": ""), std::abs(ub));
+    }
     return r;
 }
 
@@ -281,6 +293,13 @@ static void usage(FILE *stream, const char *progname)
         "\t\tEnable [disable] trampolines that cross page boundaries.\n"
         "\t\tDefault: true (enabled)\n"
         "\n"
+        "\t--mem-rebase[=ADDR]\n"
+        "\t\tRebase the binary to the absolute address ADDR.  Only\n"
+        "\t\trelevant for Windows PE binaries.  The special value \"auto\"\n"
+        "\t\twill cause a suitable base address to be chose automatically.\n"
+        "\t\tThe special value \"none\" leaves the original base intact.\n"
+        "\t\tDefault: none (disabled)\n"
+        "\n"
         "\t--tactic-B1[=false]\n"
         "\t--tactic-B2[=false]\n"
         "\t--tactic-T1[=false]\n"
@@ -327,6 +346,7 @@ enum Option
     OPTION_MEM_LB,
     OPTION_MEM_MAPPING_SIZE,
     OPTION_MEM_MULTI_PAGE,
+    OPTION_MEM_REBASE,
     OPTION_MEM_UB,
     OPTION_OEPILOGUE,
     OPTION_OEPILOGUE_SIZE,
@@ -374,6 +394,7 @@ void parseOptions(int argc, char * const argv[], bool api)
         {"mem-lb",             req_arg, nullptr, OPTION_MEM_LB},
         {"mem-mapping-size",   req_arg, nullptr, OPTION_MEM_MAPPING_SIZE},
         {"mem-multi-page",     opt_arg, nullptr, OPTION_MEM_MULTI_PAGE},
+        {"mem-rebase",         req_arg, nullptr, OPTION_MEM_REBASE},
         {"mem-ub",             req_arg, nullptr, OPTION_MEM_UB},
         {"output",             req_arg, nullptr, OPTION_OUTPUT},
         {"tactic-B1",          opt_arg, nullptr, OPTION_TACTIC_B1},
@@ -480,7 +501,7 @@ void parseOptions(int argc, char * const argv[], bool api)
                 break;
             case OPTION_TRAP:
                 option_trap.insert(parseIntOptArg("--trap", optarg, 0,
-                    INTPTR_MAX));
+                    INTPTR_MAX, /*hex=*/true));
                 break;
             case OPTION_TRAP_ALL:
                 option_trap_all = parseBoolOptArg("--trap-all", optarg);
@@ -491,7 +512,7 @@ void parseOptions(int argc, char * const argv[], bool api)
             case OPTION_LOADER_BASE:
                 option_loader_base_set = true;
                 option_loader_base = parseIntOptArg("--loader-base", optarg,
-                    0x0, 0x800000000);
+                    0x0, 0x800000000, /*hex=*/true);
                 if (option_loader_base % PAGE_SIZE != 0)
                     error("failed to parse argument \"%s\" for the "
                         "`--loader-base' option; the loader base address "
@@ -533,11 +554,11 @@ void parseOptions(int argc, char * const argv[], bool api)
                 break;
             case OPTION_MEM_LB:
                 option_mem_lb = parseIntOptArg("--mem-lb", optarg,
-                    RELATIVE_ADDRESS_MIN, RELATIVE_ADDRESS_MAX);
+                    RELATIVE_ADDRESS_MIN, RELATIVE_ADDRESS_MAX, /*hex=*/true);
                 break;
             case OPTION_MEM_UB:
                 option_mem_ub = parseIntOptArg("--mem-ub", optarg,
-                    RELATIVE_ADDRESS_MIN, RELATIVE_ADDRESS_MAX);
+                    RELATIVE_ADDRESS_MIN, RELATIVE_ADDRESS_MAX, /*hex=*/true);
                 break;
             case OPTION_MEM_MAPPING_SIZE:
                 option_mem_mapping_size = parseIntOptArg("--mem-mapping-size",
@@ -557,6 +578,16 @@ void parseOptions(int argc, char * const argv[], bool api)
                 option_mem_multi_page =
                     parseBoolOptArg("--mem-multi-page", optarg);
                 break;
+            case OPTION_MEM_REBASE:
+                option_mem_rebase_set = true;
+                if (strcmp(optarg, "auto") == 0)
+                    option_mem_rebase = -1;
+                else if (strcmp(optarg, "none") == 0)
+                    option_mem_rebase = 0x0;
+                else
+                    option_mem_rebase = parseIntOptArg("--mem-rebase", optarg,
+                        0x100000000ll, 0xffff00000000ll, /*hex=*/true);
+                break;
             default:
                 error("failed to parse command-line options; try `--help' "
                     "for more information");
diff --git a/src/e9patch/e9patch.h b/src/e9patch/e9patch.h
@@ -509,11 +509,13 @@ extern bool option_trap_entry;
 extern size_t option_mem_granularity;
 extern size_t option_mem_mapping_size;
 extern bool option_mem_multi_page;
+extern intptr_t option_mem_rebase;
 extern intptr_t option_mem_lb;
 extern intptr_t option_mem_ub;
 extern bool option_loader_base_set;
 extern bool option_loader_phdr_set;
 extern bool option_loader_static_set;
+extern bool option_mem_rebase_set;
 
 /*
  * Global statistics.
diff --git a/src/e9patch/e9pe.cpp b/src/e9patch/e9pe.cpp
@@ -103,14 +103,21 @@ struct _IMAGE_SECTION_HEADER
 
 typedef struct _IMAGE_TLS_DIRECTORY64
 {
-      uint64_t StartAddressOfRawData;
-      uint64_t EndAddressOfRawData;
-      uint64_t AddressOfIndex;
-      uint64_t AddressOfCallBacks;
-      int32_t SizeOfZeroFill;
-      int32_t Characteristics;
+    uint64_t StartAddressOfRawData;
+    uint64_t EndAddressOfRawData;
+    uint64_t AddressOfIndex;
+    uint64_t AddressOfCallBacks;
+    int32_t SizeOfZeroFill;
+    int32_t Characteristics;
 } IMAGE_TLS_DIRECTORY64, *PIMAGE_TLS_DIRECTORY64;
 
+typedef struct _IMAGE_BASE_RELOCATION
+{
+    uint32_t VirtualAddress;
+    uint32_t SizeOfBlock;
+    uint16_t TypeOffset[];
+} IMAGE_BASE_RELOCATION, *PIMAGE_BASE_RELOCATION;
+
 #define IMAGE_SCN_MEM_EXECUTE   0x20000000
 #define IMAGE_SCN_MEM_READ      0x40000000
 #define IMAGE_SCN_MEM_WRITE     0x80000000
@@ -124,6 +131,17 @@ typedef struct _IMAGE_TLS_DIRECTORY64
 #define ALIGN(x, y)             \
     ((x) % (y) == 0? (x): (x) + (y) - ((x) % (y)))
 
+/*
+ * Simple string hash function.
+ */
+uint64_t hash(const char *s)
+{
+	uint64_t h = 777799777ull;
+	while (*s)
+	    h = (3333331ull * h) ^ (0xe9e9ea1bull * (uint64_t)*s++);
+	return h;
+}
+
 /*
  * Parse a Windows PE executable.
  */
@@ -178,11 +196,16 @@ void parsePE(Binary *B)
         error("failed to parse PE file \"%s\"; invalid image base (0x%lx), "
             "expected a multiple of virtual allocation granularity (%u)",
             filename, image_base, WINDOWS_VIRTUAL_ALLOC_SIZE);
+    bool have_relocs =
+        (opt_hdr->DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
+            != 0;
     uint64_t image_base_min = 0x100000000;
-    if (image_base < image_base_min)
-        error("failed to parse PE file \"%s\"; not-yet-implemented image "
-            "base (0x%lx), must be (>=0x%lx)", filename, image_base,
-            image_base_min);
+    if ((option_mem_rebase == 0 || !have_relocs) &&
+            image_base < image_base_min)
+        error("failed to parse PE file \"%s\"; image base (0x%lx) must be "
+            "(>=0x%lx)%s", filename, image_base, image_base_min,
+            (have_relocs? " (hint: see the `--mem-rebase' option)":
+                ", but relocations are stripped"));
     PIMAGE_SECTION_HEADER shdr =
         (PIMAGE_SECTION_HEADER)&opt_hdr->DataDirectory[
             opt_hdr->NumberOfRvaAndSizes];
@@ -224,7 +247,6 @@ static uint8_t *findData(const Binary *B, uint32_t addr)
 {
     if (addr == 0x0)
         return nullptr;
-
     PIMAGE_FILE_HEADER file_hdr = B->pe.file_hdr;
     PIMAGE_SECTION_HEADER shdr  = B->pe.shdr;
     for (uint16_t i = 0; i < file_hdr->NumberOfSections; i++)
@@ -386,20 +408,82 @@ size_t emitPE(const Binary *B, const MappingSet &mappings, size_t mapping_size)
      * Windows ASLR depends on text relocations, which is not compatible with
      * static binary rewriting.  Thus, it must be disabled...
      */
+    bool have_relocs =
+        (opt_hdr->DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
+            != 0;
+    uint32_t relocs =
+        opt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
+    uint32_t relocs_size =
+        opt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
     opt_hdr->DllCharacteristics &= ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE;
     opt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = 0;
     opt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = 0;
     file_hdr->Characteristics |= IMAGE_FILE_RELOCS_STRIPPED;
 
-    stat_output_file_size = size;
+    /*
+     * Rebase the exectuable (if necessary).
+     */
+    const uint8_t *relocs_base = findData(B, relocs);
+    intptr_t rebase_delta = 0;
+    switch (option_mem_rebase)
+    {
+        case -1:
+        {
+            // Auto rebase
+            uint64_t lo = 0x100000000000ull, hi = 0xB00000000000ull;
+            uint64_t base = hash(B->filename) % (hi - lo) + lo;
+            base -= base % mapping_align;
+			rebase_delta = (intptr_t)base - (intptr_t)opt_hdr->ImageBase;
+            break;
+        }
+        case 0:
+            // No rebase
+            break;
+        default:
+            rebase_delta = option_mem_rebase - (intptr_t)opt_hdr->ImageBase;
+            break;
+    }
+    if (rebase_delta != 0 && !have_relocs)
+        warning("unable to apply `--mem-rebase' option to Windows PE binary "
+            "\"%s\"; relocation information has been stripped", B->filename);
+    uint32_t bytes = 0;
+    while (rebase_delta != 0 && have_relocs &&
+            bytes <= relocs_size - sizeof(IMAGE_BASE_RELOCATION))
+    {
+        const IMAGE_BASE_RELOCATION *block =
+            (const IMAGE_BASE_RELOCATION *)(relocs_base + bytes);
+        if (block->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) ||
+                bytes + block->SizeOfBlock > relocs_size)
+            error("invalid base relocation block size (%zu)",
+                block->SizeOfBlock);
+        bytes += block->SizeOfBlock;
+
+        uint8_t *block_base = findData(B, block->VirtualAddress);
+        uint32_t num_entries =
+            (block->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) /
+                sizeof(block->TypeOffset[0]);
+        for (uint32_t i = 0; i < num_entries; i++)
+        {
+            uint16_t type   = (block->TypeOffset[i] >> 12) & 0xF;
+            uint16_t offset = (block->TypeOffset[i] & 0xFFF);
+            if (type == 0x0)
+                continue;
+            if (type != 0xa)
+                error("base relocation type (0x%x) is not-yet-implemented",
+                    type);
+            intptr_t *ptr = (intptr_t *)(block_base + offset);
+            *ptr += rebase_delta;
+        }
+    }
+    opt_hdr->ImageBase += rebase_delta;
 
     if (option_loader_base_set)
         warning("ignoring `--loader-base' option for Windows PE binary");
     if (option_loader_phdr_set)
         warning("ignoring `--loader-phdr' option for Windows PE binary");
     if (option_loader_static_set)
         warning("ignoring `--loader-static' option for Windows PE binary");
-
+    stat_output_file_size = size;
     return size;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -501,6 +501,10 @@ size_t emitElf(const Binary *B, const MappingSet &mappings,`
`501`	`501`	`phdr->p_align = PAGE_SIZE;`
`502`	`502`
`503`	`503`	`stat_output_file_size = size;`
	`504`	`+`
	`505`	`+ if (option_mem_rebase_set)`
	`506`	+ warning("ignoring `--mem-rebase' option for Linux ELF binary");
	`507`	`+`
`504`	`508`	`return size;`
`505`	`509`	`}`
`506`	`510`