четверг, 15 ноября 2007 г.

How to get Entry Point of Method Address Dynamically? No problem

In some cases (may be some sort of code injecting for constructive needs) there is a necessity for getting Method Entry Point Dynamically.

Here is my method

TMethodAddres=class
public
//Compile time binding method
procedure Method;
end;

procedure TMethodAddres.Method;
begin
//Compile time binding method
asm
mov eax,[ebp+04];
add eax,[eax-4]; //Now in eax the Entry point of this method
end;
end;

But there is some restrictions to work this code properly. This trick is based on Method stack frame existence.
To archive this, set the optimization flag of the project to unchecked state, and the stack frames flag to checked state.
And what about virtual methods address?

May be in the next time.

суббота, 27 октября 2007 г.

SEH Dynamic Unwinding with auto correction

To achieve this objective, I have made some modifications.

I have added next fields to the TYieldObject class

InnerSEHCount:DWORD;
InnerSEHOffsets:array[0..$F] of DWORD;

And of course the code has been changed a little.

function TYieldObject.MoveNext: boolean;
asm
push ebp;
push ebx;
push edi;
push esi;
push eax;
xor edx,edx;
mov eax.TYieldObject.IsYield,dl;
push offset @a1
{
Is it first call
}
mov ecx,eax.TYieldObject.BESP;
cmp ecx,edx;
jnz @NotFirstCall;
mov eax.TYieldObject.BESP,esp;
jmp @JustBeforeTheJump;
@NotFirstCall:
cmp eax.TYieldObject.StackFrameSize,edx;
jz @RestoreRegisters;
{
is need any correction
}
mov edx,esp;
sub edx,ecx;
jz @RestoreStackFrame;
{
Correction
}
{
Correct ebp
}
add [eax.TYieldObject.REBP],edx;
{
Is any SEH frames
}
mov ecx,eax.TYieldObject.InnerSEHCount;
jecxz @ChangeBESP;
{
correct SEH frames
}
mov ebx,eax.TYieldObject.REBP;
lea esi,eax.TYieldObject.StackFrame;
add esi,eax.TYieldObject.StackFrameSize;
dec ecx;
mov edi,esi;
sub edi,DWORD PTR eax.TYieldObject.InnerSEHOffsets+4*ecx;
mov [edi+$08],ebx;
@SEHCorrection:
dec ecx;
jl @ChangeBESP
mov edi,esi;
sub edi,DWORD PTR eax.TYieldObject.InnerSEHOffsets+4*ecx;
mov [edi+$08],ebx;
add [edi],edx;
jmp @SEHCorrection;
{
Change BESP
}
@ChangeBESP:
mov eax.TYieldObject.BESP,esp;
{
Restore stack frame
}
@RestoreStackFrame:
mov ecx,eax.TYieldObject.StackFrameSize;
sub esp,ecx;
mov edi,esp;
lea esi,eax.TYieldObject.StackFrame;
rep movsb;
{
Connect Inner SEH frame. Are any inner SEH?
}
mov ecx,eax.TYieldObject.InnerSEHCount;
jecxz @RestoreRegisters;
{
Connect Inner SEH frame
}
xor ecx,ecx;
mov edi,eax.TYieldObject.BESP;
sub edi,DWORD PTR eax.TYieldObject.InnerSEHOffsets+4*ecx;
mov fs:[ecx],edi;
{
Restore Registers
}
@RestoreRegisters:
mov ebx,eax.TYieldObject.REBX;
mov ecx,eax.TYieldObject.RECX;
mov edx,eax.TYieldObject.REDX;
mov esi,eax.TYieldObject.RESI;
mov edi,eax.TYieldObject.REDI;
mov ebp,eax.TYieldObject.REBP;

@JustBeforeTheJump:
push [eax.TYieldObject.NextItemEntryPoint];
mov eax,eax.TYieldObject.REAX;
ret;
@a1:;
pop eax;
pop esi;
pop edi;
pop ebx;
pop ebp;
mov al,eax.TYieldObject.IsYield;
end;

procedure TYieldObject.Yield(const Value);
asm
mov eax.TYieldObject.REBP,ebp;
mov eax.TYieldObject.REAX,eax;
mov eax.TYieldObject.REBX,ebx;
mov eax.TYieldObject.RECX,ecx;
mov eax.TYieldObject.REDX,edx; // This is the Ref to const param
mov eax.TYieldObject.RESI,ESI;
mov eax.TYieldObject.REDI,EDI;
pop ecx;
mov eax.TYieldObject.NextItemEntryPoint,ecx;
//We must do it first for valid const reference
push eax;
mov ecx,[eax];
CALL DWORD PTR [ecx+VMTOFFSET TYieldObject.SaveYieldedValue];
pop eax;
{
Unwind SEH
// There is no need ebx,esi,edi to retain
}
xor ebx,ebx;
mov ecx,fs:[ebx];
@SEHUnwind:
jecxz @JustAfterSEHUnwind;
cmp ecx,eax.TYieldObject.BESP;
jnl @JustAfterSEHUnwind
mov esi,eax.TYieldObject.BESP;
sub esi,ecx;
mov DWORD PTR eax.TYieldObject.InnerSEHOffsets+4*ebx,esi;
inc ebx;
mov ecx,[ecx];
jmp @SEHUnwind;
@JustAfterSEHUnwind:
mov eax.TYieldObject.InnerSEHCount,ebx;
{
Connect Outer SEH frame.
If no local SEH frames next two commands are redundant
}
xor ebx,ebx;
mov fs:[ebx],ecx;
{
Save local stack frame
}
mov ecx,eax.TYieldObject.BESP;
sub ecx,esp;
mov eax.TYieldObject.StackFrameSize,ecx;
jz @AfterSaveStack;
lea esi,[esp];
lea edi,[eax.TYieldObject.StackFrame];
rep movsb;
mov esp,eax.TYieldObject.BESP;
@AfterSaveStack:
mov eax.TYieldObject.IsYield,1;
end;

So for now you may use try/finally and try/except construction in procedure that uses yielding.
Next article will be about additional improvements.
Now I am thinking about separate stack.

понедельник, 22 октября 2007 г.

Just before improving implementation for dynamic SEH unwinding support

All times we declare local variables of finalized types the Delphi compiler inserts hidden try finally block that forces local variables of finalized types to be finalized under any circumstances.

Look at the next sample.

Delphi code

procedure TForm1.Button1Click(Sender: TObject);
var a:string;
begin
a:='abcdef';
end;

is mapped to appropriate x86 assembler code.
Something like this

push ebp
mov ebp,esp
push $00
xor eax,eax

{
This is the hidden try
}
push ebp
push $XXXXXXXX
push dword ptr fs:[eax]
mov fs:[eax],esp


Unit1.pas. XX: a:='abcdef';
lea eax,[ebp-$04]
mov edx,$XXXXXXXX
call @LStrLAsg
Unit1.pas.XX: end;
xor eax,eax
pop edx
pop ecx
pop ecx
mov fs:[eax],edx
push $XXXXXXXX
{
Local variable Finalization code
}
lea eax,[ebp-$04]
call @LStrClr

ret

{
And this is the hidden finally block
}
jmp @HandleFinally
jmp $XXXXXXXX

{Normal procedure Exit }
pop ecx
pop ebp
ret

Little explanation about SEH.

FS is protected mode selector that indexes descriptor of segment in descriptor tables (descriptors map logical address space to linear) .
Segment that is indexed by FS has special meaning for Windows Operation System.
This segment contains structure known as Thread Environment Block, TEB. But TEB structure includes at start of it a Win32 Thread Information Block (TIB). Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores info about the currently running thread.
First field of TIB (i.e. fs:[0]) is current Structured Exception Handling frame.
This field is used by system to provide your code the ability to react on raised exception.
Because your procedures and functions may consist of not only hidden try/finally blocks, but yours try/finally try/except blocks, I have to implement some special SEH unwinding code and if there is any displacement I need to correct this dynamically.

And because Yield has a very specific behaviour I have to dynamically attach/detach/correct local SEH frames.

Read about this in my next article.

пятница, 19 октября 2007 г.

C# Yield implementation in Delphi.

The C# yield keyword is used to provide a value to the enumerator object or to signal the end of iteration. The main idea of yield construction is to generate a collection item on request and return it to the enumerator consumer immediately. You may find it useful in some cases.

As you know the Enumerator has two methods MoveNext and GetCurrent.
But how does yield works?

Technical details of the implementation

When I saw this construction I asked myself where is MoveNext and GetCurrent?
The function returns the enumerator object or interface, but the enumerator is not explicitly constructed anywhere. So there must be some secret mechanism that makes it possible.
How does it really work? After spending some time in the debugger and the answer appeared.

In short the compiler generates a special type of object that of course
has some magic MoveNext and GetCurrent functions.

And because this construction may be useful to our Delphi community, I asked myself, what can I do to get yield support in Delphi with saving the form of using like in С#.

But of course I have to generalize implementation for all types.

I started from the programmer’s viewpoint. Something like this:

var
number, exponent, counter, Res:integer;
begin
…..
Res:=1;
while counter begin
Res:=Res*number;
Yield(Res);
inc(counter);
end;
end;

I had to implement some class that implemented the magic MoveNext and GetCurrent functions.
And if you use local vars (that is placed on stack) I had to implement some mechanism that guarantees no memory leaks for finalized types and some mechanism that guarantees that I use
the valid local vars when the actual address of local vars has changed after last yield calling due to external reasons (e.g. enumerator passed as parameter to other procedure, so the location in stack becomes different).

So after each yield call I have to preserve the state of local vars and processor registers,
clean up the stack and return a value to the enumerator consumer.
And after next call to MoveNext I must allocate stack space, restore the state of local vars and processor registers, i.e. emulate that nothing has happened.
And of course I must provide a normal procedure for exiting at the end.

So let’s begin
First of all we declare some types:

type
TYieldObject = class;
TYieldProc = procedure (YieldObject: TYieldObject);

TYieldObject = class
protected
IsYield:boolean;
NextItemEntryPoint:pointer;
BESP:pointer;
REAX,REBX,RECX,REDX,RESI,REDI,REBP:pointer;
StackFrameSize:DWORD;
StackFrame: array[1..128] of DWORD;
procedure SaveYieldedValue(const Value); virtual; abstract;
public
constructor Create(YieldProc: TYieldProc);
function MoveNext:boolean;
procedure Yield(const Value);
end;

And the implementation

constructor TYieldObject.Create(YieldProc:TYieldProc);
asm
mov eax.TYieldObject.NextItemEntryPoint,ecx;
mov eax.TYieldObject.REAX,EAX;
end;

function TYieldObject.MoveNext: boolean;
asm
{ Save the value of following registers.
We must preserve EBP, EBX, EDI, ESI, EAX for some circumstances.
Because there is no guarantee that the state of registers will
be the same after an iteration }
push ebp;
push ebx;
push edi;
push esi;
push eax;

mov eax.TYieldObject.IsYield,0
push offset @a1
xor edx,edx;
cmp eax.TYieldObject.BESP,edx;
jz @AfterEBPAdjust;

{ Here is the correction of EBP. Some need of optimization still exists. }
mov edx,esp;
sub edx,eax.TYieldObject.BESP;
add [eax.TYieldObject.REBP],edx
@AfterEBPAdjust:
mov eax.TYieldObject.BESP,esp;

{ Is there any local frame? }
cmp eax.TYieldObject.StackFrameSize,0
jz @JumpIn;

{ Restore the local stack frame }
mov ecx,eax.TYieldObject.StackFrameSize;
sub esp,ecx;
mov edi,esp;
lea esi,eax.TYieldObject.StackFrame;

{ Some need of optimization still exists. Like movsd}
rep movsb;
@JumpIn:

{ Restore the content of processor registers }
mov ebx,eax.TYieldObject.REBX;
mov ecx,eax.TYieldObject.RECX;
mov edx,eax.TYieldObject.REDX;
mov esi,eax.TYieldObject.RESI;
mov edi,eax.TYieldObject.REDI;
mov ebp,eax.TYieldObject.REBP;
push [eax.TYieldObject.NextItemEntryPoint];
mov eax,eax.TYieldObject.REAX;

{ Here is the jump to next iteration }
ret;

{ And we return here after next iteration in all cases, except exception of course. }
@a1:;

{ Restore the preserved EBP, EBX, EDI, ESI, EAX registers }
pop eax;
pop esi;
pop edi;
pop ebx;
pop ebp;
{ This Flag indicates the occurrence or no occurrence of Yield }
mov al,eax.TYieldObject.IsYield;
end;

procedure TYieldObject.Yield(const Value);
asm
{ Preserve EBP, EAX,EBX,ECX,EDX,ESI,EDI }
mov eax.TYieldObject.REBP,ebp;
mov eax.TYieldObject.REAX,eax;
mov eax.TYieldObject.REBX,ebx;
mov eax.TYieldObject.RECX,ecx;
mov eax.TYieldObject.REDX,edx; // This is the Ref to const param
mov eax.TYieldObject.RESI,ESI;
mov eax.TYieldObject.REDI,EDI;
pop ecx;
mov eax.TYieldObject.NextItemEntryPoint,ecx;

//We must do it first for valid const reference
push eax;
mov ecx,[eax];
CALL DWORD PTR [ecx+VMTOFFSET TYieldObject.SaveYieldedValue];
pop eax;

{ Calculate the current local stack frame size }
mov ecx,eax.TYieldObject.BESP;
sub ecx,esp;
mov eax.TYieldObject.StackFrameSize,ecx;
jz @AfterSaveStack;

{ Preserve the local stack frame }
lea esi,[esp];
lea edi,[eax.TYieldObject.StackFrame];

{ Some need of optimization still exists. Like movsd }
rep movsb;
mov esp,eax.TYieldObject.BESP;
@AfterSaveStack:

{Set flag of Yield occurance }
mov eax.TYieldObject.IsYield,1;
end;

And what about my improvements

As for improvements I am still thinking about unwinding the local SEH (Structured Exception Handling) frames on yielding and restore it with any needed correction after return.

And how do you use it?

type
TYieldInteger = class(TYieldObject)
protected
Value:integer;
function GetCurrent:integer;
procedure SaveYieldedValue(const Value); override;
public
property Current:integer read GetCurrent;
end;

{ TYieldInteger }

function TYieldInteger.GetCurrent: integer;
begin
Result:=Value;
end;

procedure TYieldInteger.SaveYieldedValue(const Value);
begin
Self.Value:=integer(Value);
end;

So now there is full support for integer.

TYieldString = class(TYieldObject)
protected
Value:string;
function GetCurrent:string;
procedure SaveYieldedValue(const Value); override;
public
property Current:string read GetCurrent;
end;

{ TYieldString }

function TYieldString.GetCurrent: string;
begin
Result:=Value;
end;

procedure TYieldString.SaveYieldedValue(const Value);
begin
Self.Value := string(Value);
end;

And now there is full support for string.

Sample of using a string Enumerator

procedure StringYieldProc(YieldObj: TYieldObject);
var
YieldValue: string;
i: integer;
begin
YieldValue:='None';
YieldObj.Yield(YieldValue);
for i := 1 to 10 do
begin
YieldValue := YieldValue + IntToStr(i);
YieldObj.Yield(YieldValue);
end;
end;

function TForm1.GetEnumerator: TYieldString;
begin
Result:=TYieldString.Create(StringYieldProc);
end;

procedure TForm1.Button1Click(Sender: TObject);
var
a:string;
begin
for a in self do
Memo1.Lines.Add(a);
end;

From Russia with love Sergey Antonov aka oxffff.

References

ECMA 334
ECMA 335
MSDN