GP-3124 Added callfixup and patterns handling security_push_cookie on

windows aarch64
2025-02-16 15:40:14 +00:00 · 2023-02-24 21:48:32 +00:00 · 2023-02-24 21:48:32 +00:00 · b067451ef9
commit b067451ef9
parent fc4f3d0e45
4 changed files with 77 additions and 0 deletions
--- a/Ghidra/Processors/AARCH64/certification.manifest
+++ b/Ghidra/Processors/AARCH64/certification.manifest
@ -21,4 +21,6 @@ data/languages/AARCH64sve.sinc||GHIDRA||||END|
 data/languages/AppleSilicon.ldefs||GHIDRA||||END|
 data/manuals/AARCH64.idx||GHIDRA||||END|
 data/patterns/AARCH64_LE_patterns.xml||GHIDRA||||END|
+data/patterns/AARCH64_win_patterns.xml||GHIDRA||||END|
 data/patterns/patternconstraints.xml||GHIDRA||||END|
+data/patterns/prepatternconstraints.xml||GHIDRA||||END|
--- a/Ghidra/Processors/AARCH64/data/languages/AARCH64_win.cspec
+++ b/Ghidra/Processors/AARCH64/data/languages/AARCH64_win.cspec
@ -193,4 +193,22 @@
    </prototype>
  </default_proto>

+  <callfixup name="security_push_cookie">
+  <target name="__security_push_cookie"/>
+  <pcode>
+    <body><![CDATA[
+     sp = sp - 16;
+    ]]></body>
+  </pcode>
+  </callfixup>
+  
+  <callfixup name="security_pop_cookie">
+  <target name="__security_pop_cookie"/>
+  <pcode>
+    <body><![CDATA[
+     sp = sp + 16;
+    ]]></body>
+  </pcode>
+  </callfixup>
+  
 </compiler_spec>
--- a/Ghidra/Processors/AARCH64/data/patterns/AARCH64_win_patterns.xml
+++ b/Ghidra/Processors/AARCH64/data/patterns/AARCH64_win_patterns.xml
@ -0,0 +1,50 @@
+<patternlist>
+  
+  <!-- Special functions with side-effects -->
+  <!--                                     -->
+  
+  <pattern> <!-- __security_push_cookie -->
+      <data> 0xff 0x43 0x00 0xd1 
+             ...10001 ........ ........ 1..10000 
+             00110001 ......10 01...... 11111001
+             0xf1 0x63 0x31 0xcb 
+             0xf1 0x07 0x00 0xf9 
+             0xc0 0x03 0x5f 0xd6  </data>
+      <!--
+          sub      sp,sp,#0x10
+          adrp     x17,0x........
+          ldr      x17,[x17, #0x...]
+          sub      x17,sp,x17
+          str      x17,[sp, #0x8]
+          ret
+       -->
+      <align mark="0" bits="3"/>
+      <funcstart label="__security_push_cookie"/>
+  </pattern>
+  
+  <pattern> <!-- __security_pop_cookie -->
+      <data> ...10001 ........ ........ 1..10000 
+             0xf0 0x07 0x40 0xf9 
+             00110001 ......10 01...... 11111001
+             0xf0 0x63 0x30 0xcb 
+             0x1f 0x02 0x11 0xeb 
+             ...00001 ........ ........ 01010100
+             0xff 0x43 0x00 0x91 
+             0xc0 0x03 0x5f 0xd6 
+             0x1f 0x20 0x03 0xd5   </data>
+      <!--
+           adrp     x17,0x........
+           ldr      x16,[sp, #0x8]
+           ldr      x17,[x17, #0x...]
+           sub      x16,sp,x16
+           cmp      x16,x17
+           b.ne     LAB_14020e5a4
+           add      sp,sp,#0x10
+            ret
+
+       -->
+      <align mark="0" bits="3"/>
+      <funcstart label="__security_pop_cookie"/>
+  </pattern>
+  
+</patternlist>
--- a/Ghidra/Processors/AARCH64/data/patterns/prepatternconstraints.xml
+++ b/Ghidra/Processors/AARCH64/data/patterns/prepatternconstraints.xml
@ -0,0 +1,7 @@
+<patternconstraints>
+  <language id="AARCH64:LE:64:*">
+    <compiler id="windows">
+      <patternfile>AARCH64_win_patterns.xml</patternfile>
+    </compiler>
+  </language>
+</patternconstraints>