понедельник, 2 сентября 2019 г.

new RFG reloc types

It seems that est since build 18922 Microsoft turned on retpoline
This is implemented as RFG relocations with 3 new type:

Type 3
typedef struct _IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION {
    DWORD       PageRelativeOffset : 12;
    DWORD       IndirectCall       : 1;
    DWORD       IATIndex           : 19;
} IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION;


Looks like IAT function calling patch:
     call    cs:__imp_PshedFreeMemory
     nop     dword ptr [rax+rax+00h]


Type 4
typedef struct _IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION {
    WORD        PageRelativeOffset : 12;
    WORD        IndirectCall       : 1;
    WORD        RexWPrefix         : 1;
    WORD        CfgCheck           : 1;
    WORD        Reserved           : 1;
} IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION;


Looks like call reg patch:
    call    rax
    nop     dword ptr [rax]


Type 5
typedef struct _IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION {
    WORD        PageRelativeOffset : 12;
    WORD        RegisterNumber     : 4;
} IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION;


Looks like call reg in switch patch:
   mov     ecx, ds:rva off_14000DEBC[rdx+rdi*4]
   add     rcx, rdx
   jmp     rcx             ; switch jump
   db 4 dup(0CCh)


I patched today my RFG plugin to IDA Pro to support this new types