I added today disassembler for arm64 linux kernel to search pointers. It turned out to be surprisingly difficult to do for several reasons (disasm for x64 is only 383 LOC vs 618 for arm64)
One of them is poor code produced by some gcc versions
But the main problem is arm64 opcodes. Lets see simple indirect call: ADRP X27, #mh_filter@PAGE
CMP W22, #0x3A ; ':'
B.EQ loc_FFFFFFC010CC7140
CMP W22, #0x87
B.NE loc_FFFFFFC010CC7188
LDR X2, [X27,#mh_filter@PAGEOFF]
CBZ X2, loc_FFFFFFC010CC7188
MOV X1, skb
MOV X0, X28
BLR X2
ADRP __data, #__tracepoint_cpu_idle@PAGE
ADD X0, X0, #__tracepoint_cpu_idle@PAGEOFF
MOV X29, SP
STR X19, [SP,#var_s10]
LDR X19, [X0,#(__tracepoint_powernv_throttle.funcs - 0xFFFFFFC011A562C0)]
...
loc_FFFFFFC01011FC60:
LDR X4, [X19]
MOV W3, W20
LDR X0, [X19,#8]
MOV X2, X21
MOV W1, W22
BLR X4
LDR X0, [X19,#0x18]!
CBNZ X0, loc_FFFFFFC01011FC60
In second case register X4 was loaded from X19, which in turn was loaded from some memory, so I need to track how many times content of register was loaded
Anyway results is +34 newly discovered functions pointers
Комментариев нет:
Отправить комментарий