-
Notifications
You must be signed in to change notification settings - Fork 38
/
Copy pathsyscall_amd64.s
86 lines (63 loc) · 2.09 KB
/
syscall_amd64.s
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#include "textflag.h"
#define maxargs 16
// syscalls implementation is a mix of:
// - https://golang.org/src/runtime/sys_windows_amd64.s
// - https://github.com/C-Sto/BananaPhone/blob/master/pkg/BananaPhone/asm_x64.s#L96
// with custom modifications to support indirect syscall execution
// via a trampoline (syscall;ret instruction) in ntdll.dll
// return type is a 32-bit datatype, as per NTSTATUS definition (https://msdn.microsoft.com/en-us/library/cc704588.aspx)
// but we use an unsigned integer instead of LONG (int32), since working with uint types is easier in Go
// func execIndirectSyscall(ssn uint16, trampoline uintptr, argh ...uintptr) uint32
TEXT ·execIndirectSyscall(SB),NOSPLIT, $0-40
XORQ AX, AX
MOVW ssn+0(FP), AX
XORQ R11, R11
MOVQ trampoline+8(FP), R11
PUSHQ CX
//put variadic pointer into SI
MOVQ argh_base+16(FP),SI
//put variadic size into CX
MOVQ argh_len+24(FP),CX
// SetLastError(0).
MOVQ 0x30(GS), DI
MOVL $0, 0x68(DI)
// room for args
SUBQ $(maxargs*8), SP
//no parameters, special case
CMPL CX, $0
JLE jumpcall
// Fast version, do not store args on the stack.
CMPL CX, $4
JLE loadregs
// Check we have enough room for args.
CMPL CX, $maxargs
JLE 2(PC)
// not enough room -> crash
INT $3
// Copy args to the stack.
MOVQ SP, DI
CLD
REP; MOVSQ
MOVQ SP, SI
loadregs:
// Load first 4 args into correspondent registers.
MOVQ 0(SI), CX
MOVQ 8(SI), DX
MOVQ 16(SI), R8
MOVQ 24(SI), R9
// Floating point arguments are passed in the XMM registers
// Set them here in case any of the arguments are floating point values.
// For details see: https://msdn.microsoft.com/en-us/library/zthk2dkh.aspx
MOVQ CX, X0
MOVQ DX, X1
MOVQ R8, X2
MOVQ R9, X3
jumpcall:
MOVQ CX, R10
//jump to syscall;ret gadget address instead of direct syscall
CALL R11
ADDQ $((maxargs)*8), SP
// Return result
POPQ CX
MOVL AX, errcode+40(FP)
RET