Zero canary changes

Former-commit-id: e727dcb9465e3993ceb5a0b046d2f8972ffd00e0

Zero canary changes
3812935d · asj5b · 7bbcc429 · 3812935d · 3812935d
Commit 3812935d authored 8 years ago by asj5b
--- a/tools/transforms/Rewrite_Utility.cpp
+++ b/tools/transforms/Rewrite_Utility.cpp
@@ -352,10 +352,12 @@ Instruction_t* insertCanaryCheckBefore(FileIR_t* virp,Instruction_t *first, unsi

 	ss<<"cmp dword ["<<sp_reg;

+	bool esp_neg=false;
 	if(esp_offset <0)
 	{
 		ss<<"-";
 		esp_offset = esp_offset*-1;
+		esp_neg=true;
 	}
 	else
 		ss<<"+";
@@ -364,16 +366,48 @@ Instruction_t* insertCanaryCheckBefore(FileIR_t* virp,Instruction_t *first, unsi

 	//Insert the cmp before 
 	Instruction_t* next = insertAssemblyBefore(virp,first,ss.str());
+
 	//Then insert the jmp after the compare. 
 	//The fallthrough of the inserted jmp will be a copy of the original
 	//instruction, still pointed to by "first".
 	insertDataBitsAfter(virp,first,getJnzDataBits(),fail_code);
 	first->SetComment("Canary Check: "+first->GetComment());

+	//TODO: move canary zero to option 
+	if(esp_neg)
+		esp_offset *= -1;
+	insertCanaryZeroAfter(virp,first,esp_offset,fail_code); 
+
 	return next;

 }

+Instruction_t* insertCanaryZeroAfter(FileIR_t* virp, Instruction_t *first, int esp_offset, Instruction_t *fail_code)
+{
+	stringstream ss;
+	const char *sp_reg="esp";
+        if(virp->GetArchitectureBitWidth()==64)
+                sp_reg="rsp";
+
+        ss<<"mov dword ["<<sp_reg;
+
+        if(esp_offset <0)
+        {
+                ss<<"-";
+                esp_offset = esp_offset*-1;
+        }
+        else
+                ss<<"+";
+
+        ss<<"0x"<<hex<<esp_offset<<"], 0x0";
+
+        //Insert the cmp before 
+        Instruction_t* next = insertAssemblyAfter(virp,first,ss.str());
+        first->SetComment("Canary Zero: "+first->GetComment());
+
+        return next;
+}
+
 Relocation_t* createNewRelocation(FileIR_t* firp, Instruction_t* insn, string type, int offset)
 {
        Relocation_t* reloc=new Relocation_t;

--- a/tools/transforms/Rewrite_Utility.hpp
+++ b/tools/transforms/Rewrite_Utility.hpp
@@ -74,6 +74,7 @@ Instruction_t* getHandlerCode(FileIR_t* virp, Instruction_t* fallthrough, mitiga
 //Returns the pointer for the copied "first" instruction, which is at the
 //end of the canary check block of instructions. 
 Instruction_t* insertCanaryCheckBefore(FileIR_t* virp,Instruction_t *first, unsigned int canary_val, int ret_offset, Instruction_t *fail_code); 
+Instruction_t* insertCanaryZeroAfter(FileIR_t* virp, Instruction_t *first, int esp_offset, Instruction_t *fail_code);

 Relocation_t* createNewRelocation(FileIR_t* firp, Instruction_t* insn, string type, int offset);