x86 Mono "safe" native data access

RawCode · May 16, 2016, 07:14:17 AM

Not safe actually.
Content:

Platform independant (should be) native bindings that actually works with a13 public build;
Implementation sample;
Proof of work;

Structs:

Code Select


	//partial map for MonoJitInfo unmanaged structure
	[StructLayout(LayoutKind.Explicit)] public unsafe struct u_MonoJitInfo
	{
		[FieldOffset(0) ] public int  *dmethod;
		[FieldOffset(8) ] public int  *code_start;
		[FieldOffset(16)] public int   code_size;
	}

	//partial map for MonoMethod unamanged structure
	[StructLayout(LayoutKind.Explicit)] public unsafe struct u_MonoMethod
	{
		[FieldOffset(16) ] public int* name;
	}

natives:

Code Select


		[DllImport("__Internal")]
		static extern private unsafe int* mono_method_full_name(int* MonoMethod, bool signature = true);

		[DllImport("__Internal")]
		static extern private unsafe int* mono_jit_info_table_find(void* MonoDomain, void* ptr2function);

		[DllImport("__Internal")]
		static extern private unsafe void mono_print_method_from_ip(int* ptr2mfunction);

		[DllImport("__Internal")]
		static extern private unsafe void* mono_domain_get ();

Implementation (including mapping unmanaged memory to "managed" struct:

Code Select

		static public void MethodFastPrint(Type t, string s)
		{
			MethodInfo mi = t.GetMethod (s, (BindingFlags)60);
			if (mi == null)
				return;
			void* fpraw = mi.MethodHandle.GetFunctionPointer().ToPointer();
			void* jitinforaw = mono_jit_info_table_find (mono_domain_get (), fpraw);
			u_MonoJitInfo jitinfo = *(u_MonoJitInfo*)jitinforaw;
			int size = jitinfo.code_size;
			int i = 0;

			byte* walk = (byte*)fpraw;

			Console.WriteLine ("IP BEGIN " + mi);
			while (i < size) 
			{
				Console.WriteLine ("{0:X2}", walk[i]);
				i++;
			}
			Console.WriteLine ("IP END " + mi);
		}

proof of work (you will need to replace console write with logger warning or similar:

[attachment deleted by admin - too old]

Wivex · May 17, 2016, 11:02:02 AM

Could you explain to low life peasant like me what does it do and how to use that? Is that a form of platform independant detouring or something else?

RawCode · May 18, 2016, 03:59:58 AM

this is sneak peak for advanced detouring.

this code allows to detect real (malloc) size of function, in other case you can't know, will your injected code fit allocation or not.

Wivex · May 18, 2016, 04:45:34 AM

But your previous detouring method works fine in most cases too (except for overloaded methods). How would this one be used in particular? Could you provide any real example of using it?

RawCode · May 19, 2016, 03:29:42 AM

you can read (and write) any function in reliable manner, without any risk of damaging other functions or hitting read violation.

previous reference implementation had no such checks, now such check is possible.

Wivex · May 19, 2016, 10:50:21 AM

I haven't met such case before, but i understand that code was unsafe and could cause troubles. Using your new discovery, could you add it as part of the TryDetourFromTo(method1, method2) detouring wrapper and post it here?

1000101 · May 19, 2016, 05:00:44 PM

Yes, a practical example would be very helpful. Trying to understand the abstract theoretical when we aren't privilege to your thought process and research makes it a bit unclear.

I'd really love to have a better implementation for CCL's detouring which would be (a) non-destructive and (b) allow for different handlers in different situations. This method sounds promising on those fronts but I don't understand how to implement it based on what you've posted.

RawCode · May 20, 2016, 02:01:47 AM

soon(TM)

actually really soon and you will like how it works.