77 - [ 1.1 Optimization] ( #optimization )
88 - [ 1.2 Compression] ( #compression )
99 - [ 1.3 Rewriting Modes] ( #modes )
10+ * [ 1.3.1 Control-Flow Recovery Mode] ( #cfr_mode )
11+ * [ 1.3.2 Full-Coverage Mode] ( #100_mode )
1012 - [ 1.4 Disassembly and Analysis] ( #analysis )
1113* [ 2. Matching Language] ( #matching )
1214 - [ 2.1 Attributes] ( #attributes )
@@ -100,16 +102,49 @@ The default compression level is 9 (most compression).
100102---
101103### <a id =" modes " >1.3 Rewriting Modes</a >
102104
103- E9Tool (and E9Patch) support two main rewriting modes:
105+ E9Tool (and E9Patch) supports three main rewriting modes:
104106
105- 1 . The * default* mode that uses binary rewriting without control-flow
106- recovery.
107- 2 . A * control-flow-recovery* (CFR) mode that uses a (conservative) CFR
107+ 1 . * Default* : Classic binary rewriting without control-flow recovery.
108+ This is the "official" mode of E9Tool/E9Patch for benchmarking and testing
109+ purposes.
110+ 2 . * CFR* : A * control-flow-recovery* (CFR) mode that uses a (conservative) CFR
108111 analysis to optimize further binary rewriting.
112+ 3 . * 100%* : A * full-coverage* (100%) mode that ensures that every matching instruction
113+ will be patched, even if this (significantly) reduces performance.
109114
110- The CFR mode can be enabled by passing ` -X ` to E9Tool, e.g. :
115+ Below if a summary of the different modes and features :
111116
112- $ e9tool -X -M jmp -P print xterm
117+ <table border =" 1 " >
118+ <tr ><th ></th ><th >Option</th ><th >Performance</th ><th >Robustness</th ><th >Coverage</th ></tr >
119+ <tr ><td ><b >Default</b ></td ><td ></td >
120+ <td>★★ </td>
121+ <td>★★★</td>
122+ <td>★★ </td>
123+ </tr>
124+ <tr ><td ><b >CFR</b ></td ><td ><tt >-CFR</tt ></td >
125+ <td>★★★</td>
126+ <td>★½ </td>
127+ <td>★★½</td>
128+ </tr>
129+ <tr ><td ><b >100%</b ></td ><td ><tt >-100</tt ></td >
130+ <td>0</td>
131+ <td>★★★</td>
132+ <td>★★★</td>
133+ </tr>
134+ </table >
135+
136+ Here, * Option* is the E9Tool command-line option to enable the mode,
137+ * Performance* is the relative performance of the rewitten binary,
138+ * Robustness* is the relative absense rewriting errors, and
139+ * Coverage* is the patching coverage (number of matching instructions actually
140+ patched).
141+
142+ ---
143+ #### <a id =" cfr_mode " >1.3.1 Control-Flow-Recovery Mode</a >
144+
145+ The CFR mode can be enabled by passing ` -CFR ` to E9Tool, e.g.:
146+
147+ $ e9tool -CFR -M jmp -P print xterm
113148
114149The CFR mode has pros and cons, which may or may not be acceptable
115150depending on the application.
@@ -124,6 +159,33 @@ possible rewriting errors.
124159Thus, the CFR mode is not as robust as the default mode, although it should
125160be compatible with most binaries.
126161
162+ ---
163+ #### <a id =" 100_mode " >1.3.2 Full-Coverage Mode</a >
164+
165+ The 100% (full coverage) mode can be enabled by passing ` -100 ` to E9Tool, e.g.:
166+
167+ $ e9tool -100 -M jmp -P print xterm
168+
169+ This mode aims to achieve 100% patching coverage, even if this
170+ (significantly) degrades performance.
171+ To do so, the 100% mode will resort to illegal opcodes and ` SIGILL ` handlers
172+ if an instruction cannot be patched using any other method.
173+ The 100% mode is useful for applications that need full coverage, even if
174+ this comes at the cost of performance.
175+
176+ Note that the 100% mode has some caveats:
177+
178+ * Any attempt by the program to install a ` SIGILL ` signal handler will fail
179+ with errno=` ENOSYS ` .
180+ This potentially breaks transparency.
181+ * The patching coverage may not reach 100% for other reasons, such as virtual
182+ address space exhaustion.
183+ Such cases will be uncommon.
184+
185+ The 100% and CFR modes are compatible and can be combined, e.g.:
186+
187+ $ e9tool -100 -CFR -M jmp -P print xterm
188+
127189---
128190### <a id =" analysis " >1.4 Disassembly and Analysis</a >
129191
0 commit comments