dr_insert_mbr_instrumentation() on a %gs-based indirect call fails because of segment mangling
dr_insert_mbr_instrumentation() reads the callee address for the vsyscall call shown below directly from "gs:0x10", which is incorrect because at that point %gs holds the private library segment rather than the application's segment. The instrumented list shows the raw `mov %gs:0x10[4byte] -> %ecx` at +24, whereas the mangled application call at +131 first recovers the base via `mov %fs:0x44[4byte] -> %ecx` and then loads `0x10(,%ecx)`; the instrumentation should use the same mangled form to obtain the target.
before instrumentation:
TAG 0xef3ab57a
+0 L3 81 c3 86 da 0d 00 add $0x000dda86 %ebx -> %ebx
+6 L3 8b 54 24 0c mov 0x0c(%esp)[4byte] -> %edx
+10 L3 87 d3 xchg %ebx %edx -> %ebx %edx
+12 L3 b8 c5 00 00 00 mov $0x000000c5 -> %eax
+17 L3 65 ff 15 10 00 00 00 call %gs:0x10[4byte] %esp -> %esp 0xfffffffc(%esp)[4byte]
END 0xef3ab57a
after instrumentation:
TAG 0xef3ab57a
+0 L3 81 c3 86 da 0d 00 add $0x000dda86 %ebx -> %ebx
+6 L3 8b 54 24 0c mov 0x0c(%esp)[4byte] -> %edx
+10 L3 87 d3 xchg %ebx %edx -> %ebx %edx
+12 L3 b8 c5 00 00 00 mov $0x000000c5 -> %eax
+17 m4 @0xef7c6750 64 89 0d 0c 00 00 00 mov %ecx -> %fs:0x0c[4byte]
+24 m4 @0xef7c65f0 65 8b 0d 10 00 00 00 mov %gs:0x10[4byte] -> %ecx
+31 m4 @0xef7c5f14 64 87 0d 0c 00 00 00 xchg %fs:0x0c[4byte] %ecx -> %fs:0x0c[4byte] %ecx
+38 m4 @0xef7c53e0 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+44 m4 @0xef7c1780 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+50 m4 @0xef7c4d70 89 60 0c mov %esp -> 0x0c(%eax)[4byte]
+53 m4 @0xef7c6d58 8b a0 68 01 00 00 mov 0x00000168(%eax)[4byte] -> %esp
+59 m4 @0xef7c5fac 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+65 m4 @0xef7c1b78 8d a4 24 bc fe ff ff lea 0xfffffebc(%esp) -> %esp
+72 m4 @0xef7c398c e8 cf bf fb ff call $0xef77aa40 %esp -> %esp 0xfffffffc(%esp)[4byte]
+77 m4 @0xef7c489c <label>
+77 m4 @0xef7c49f0 64 ff 35 0c 00 00 00 push %fs:0x0c[4byte] %esp -> %esp 0xfffffffc(%esp)[4byte]
+84 m4 @0xef7c542c 68 8b b5 3a ef push $0xef3ab58b %esp -> %esp 0xfffffffc(%esp)[4byte]
+89 m4 @0xef7c4c8c e8 7f 77 f8 07 call $0xf77461f0 %esp -> %esp 0xfffffffc(%esp)[4byte]
+94 m4 @0xef7c6960 8d 64 24 08 lea 0x08(%esp) -> %esp
+98 m4 @0xef7c485c e8 4f c0 fb ff call $0xef77aac0 %esp -> %esp 0xfffffffc(%esp)[4byte]
+103 m4 @0xef7c6834 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+109 m4 @0xef7c1734 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+115 m4 @0xef7c6450 8b 60 0c mov 0x0c(%eax)[4byte] -> %esp
+118 m4 @0xef7c1bc4 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+124 L3 65 ff 15 10 00 00 00 call %gs:0x10[4byte] %esp -> %esp 0xfffffffc(%esp)[4byte]
END 0xef3ab57a
bb ilist after mangling:
TAG 0xef3ab57a
+0 L3 81 c3 86 da 0d 00 add $0x000dda86 %ebx -> %ebx
+6 L3 8b 54 24 0c mov 0x0c(%esp)[4byte] -> %edx
+10 L3 87 d3 xchg %ebx %edx -> %ebx %edx
+12 L3 b8 c5 00 00 00 mov $0x000000c5 -> %eax
+17 m4 @0xef7c6750 64 89 0d 0c 00 00 00 mov %ecx -> %fs:0x0c[4byte]
+24 m4 @0xef7c65f0 65 8b 0d 10 00 00 00 mov %gs:0x10[4byte] -> %ecx
+31 m4 @0xef7c5f14 64 87 0d 0c 00 00 00 xchg %fs:0x0c[4byte] %ecx -> %fs:0x0c[4byte] %ecx
+38 m4 @0xef7c53e0 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+44 m4 @0xef7c1780 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+50 m4 @0xef7c4d70 89 60 0c mov %esp -> 0x0c(%eax)[4byte]
+53 m4 @0xef7c6d58 8b a0 68 01 00 00 mov 0x00000168(%eax)[4byte] -> %esp
+59 m4 @0xef7c5fac 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+65 m4 @0xef7c1b78 8d a4 24 bc fe ff ff lea 0xfffffebc(%esp) -> %esp
+72 m4 @0xef7c398c e8 4b bf fb ff call $0xef77aa40 %esp -> %esp 0xfffffffc(%esp)[4byte]
+77 m4 @0xef7c489c <label>
+77 m4 @0xef7c49f0 64 ff 35 0c 00 00 00 push %fs:0x0c[4byte] %esp -> %esp 0xfffffffc(%esp)[4byte]
+84 m4 @0xef7c542c 68 8b b5 3a ef push $0xef3ab58b %esp -> %esp 0xfffffffc(%esp)[4byte]
+89 m4 @0xef7c4c8c e8 fb 76 f8 07 call $0xf77461f0 %esp -> %esp 0xfffffffc(%esp)[4byte]
+94 m4 @0xef7c6960 8d 64 24 08 lea 0x08(%esp) -> %esp
+98 m4 @0xef7c485c e8 cb bf fb ff call $0xef77aac0 %esp -> %esp 0xfffffffc(%esp)[4byte]
+103 m4 @0xef7c6834 64 a3 00 00 00 00 mov %eax -> %fs:0x00[4byte]
+109 m4 @0xef7c1734 64 a1 10 00 00 00 mov %fs:0x10[4byte] -> %eax
+115 m4 @0xef7c6450 8b 60 0c mov 0x0c(%eax)[4byte] -> %esp
+118 m4 @0xef7c1bc4 64 a1 00 00 00 00 mov %fs:0x00[4byte] -> %eax
+124 m4 @0xef7c4f4c 64 89 0d 08 00 00 00 mov %ecx -> %fs:0x08[4byte]
+131 m4 @0xef7c219c 64 8b 0d 44 00 00 00 mov %fs:0x44[4byte] -> %ecx
+138 L4 @0xef7c6d98 8b 0c 0d 10 00 00 00 mov 0x10(,%ecx)[4byte] -> %ecx
+145 m4 @0xef7c5600 68 92 b5 3a ef push $0xef3ab592 %esp -> %esp 0xfffffffc(%esp)[4byte]
+150 L4 @0xef7c4dbc e9 0b bb fb ff jmp $0xef77a600 <shared_bb_ibl_indcall>
END 0xef3ab57a