The point was from the malicious point of view, if an entity can do a
patch do a binary with nops at the head of f( ), then it is not that hard to
do for g( ) w/o nops …
But for sure for the debugging/management tools it is easier w/nops.
As to the performance, I always think about perceived_peformance. Again, a
single program tweaked to perform better on Pantium II w/o much of OS bagage
does not simply satisfy my craving. I’ve 386 (0x8086 was dumped long-time
back), Pant-1(100Mz), Pant-II ( ~334Mz), Pant-IV-HT, and other machines, so
sooner or later I would be able to prove that I’m a real stupid to gradually
upgrade for new OSes, and that can only be proved when I see most of the
programs (compilers,tools, office, explorer, etc., etc ) are slowing down(in
a perceived manner) due to : nop, nop, nop… Also I’ve not seen significant
balzing fast Linux ( on my HP Nx suse8.1 laptop)…Seriously.
Again, for Alberto, it is all the better(to have nop, nop, nop ) for tools
vendors as you mentioned.
-pro
----- Original Message -----
From: “Bruce Ellis”
To: “Windows System Software Devs Interest List”
Sent: Saturday, February 12, 2005 7:06 AM
Subject: Re: [ntdev] Compiler aligning/optimisation Was: IRQL = 0xFF
> I disagree. Leaving around dead code intended to be patched
> shows complete distrust in the code base. And for every function?
> A few bytes here and there, a few cache lines blown away.
> I don’t want it. I’ve never had to hook an OS call in my life,
> though patching binaries is nothing new to me.
>
> So can I buy a Win* without this hook crap? I just did a quick
> test of adding 3 nops at the beginning of every function to my
> compiler. Try it - you’ll enjoy the downgrade.
>
> brucee
>
> On Sat, 12 Feb 2005 09:52:56 -0500, Alberto Moreira
wrote:
> > Pro,
> >
> > It actually is easier to hook over no-ops. First of all, you
> > don’t have to move the existing instructions out and put them
> > somewhere where you can execute them from,when you finally
> > decide to go back to the original code. One of those
> > instructions might be a jump or a call that requires you to
> > recompute your own relocation. Because i386 instructions are
> > variable length, and because the instruction set isn’t as
> > regular as one would want it to be, you may need to do a fair
> > amount of processing just to figure out how many bytes to remove
> > and where to stop executing the code you obliterated.
> >
> > And there are other problems. For example, code that jumps back
> > to the second instruction, which happens to be a 5-byte
> > instruction that follows a 2-byte instruction, and you have put
> > a 5-byte jump over it: the code jumps to the middle of your jump
> > target address, and bang, the system goes into la-la land. More,
> > if you’re hooking with a 5-byte instruction, that’s two write
> > accesses, and you have to worry about the eventuality that
> > someone jumps to your target code between the moment you wrote
> > the first word and the moment you wrote the second. Or, maybe
> > the code you’re trying to intercept starts with a two-byte jump,
> > or it happens to be a little stub that’s less than 5 bytes long,
> > and bang, you crash again.
> >
> > Then you say, well, I’ll just put a one-byte Int 3 instruction
> > in there, or even a two-byte int. And then you clash with the
> > debugger-that-be, or with someone else’s ISR, or someone comes
> > and clobbers your int with their own code, or, or, or…
> >
> > Ah, the joys of writing machine level code. Believe me, those
> > no-ops are a welcome sight! And gents, no flames, please.
> > Someone has to write those debuggers and bounds-checkers and
> > performance monitoring tools and what not.
> >
> > Alberto.
> >
> >
> > ----- Original Message -----
> > From: “Prokash Sinha”
> > To: “Windows System Software Devs Interest List”
> >
> > Sent: Saturday, February 12, 2005 1:06 AM
> > Subject: Re: [ntdev] Compiler aligning/optimisation Was: IRQL =
> > 0xFF
> >
> > > First, I dont belive that it is easier to hook when there are
> > > zero or more
> > > nop either at the top of function prolog or anywhere in a
> > > routine. Also SDT
> > > is not the only place people go for it, even though all are
> > > equally
> > > dangerous. So leave that aside !.
> > >
> > > Now I think someone mentioned instruction pairing. Also there
> > > are possibly
> > > other things in mind, pipe-line stall, data hazard,
> > > instruction hazard,
> > > fetch alignment, and so many other things compiler writers
> > > need to worry
> > > about, so a cycle or two ( with a byte or two ) loosing here
> > > and there could
> > > be thought of as investment, so that the overall performance
> > > could be
> > > better. Just by looking at those nop does not give enough to
> > > say that the
> > > genrated code is bad. On the top of it, there are phy/logical
> > > multiprocessing.
> > >
> > > SO IT IS REALLY HARD TO JUMP INTO ANY CONCLUSION LIKE THIS
> > > !!!
> > >
> > > -pro
> > > ----- Original Message -----
> > > From: “Bruce Ellis”
> > > To: “Windows System Software Devs Interest List”
> > >
> > > Sent: Friday, February 11, 2005 9:08 PM
> > > Subject: Re: [ntdev] Compiler aligning/optimisation Was: IRQL
> > > = 0xFF
> > >
> > >
> > >> Well then I’d have to say that it is a disgusting waste of
> > >> resources. Quite understandable in a development
> > >> environment but “waste cycles just in case” in a production
> > >> system is crazy. It may explain why my 400MHz PII
> > >> running a different operating system (not nx) outperforms
> > >> my 3.4GHz HT P4 on some tasks. I don’t want anyone
> > >> to hook anything ever on my computers. That kinda fix
> > >> was deprecated more than 20 years ago.
> > >>
> > >> I’d like to hear disagreements. If it’s “cause the OS is
> > >> broken”
> > >> I’ll file it away.
> > >>
> > >> Regards,
> > >>
> > >> brucee
> > >>
> > >> On Fri, 11 Feb 2005 23:43:34 -0500, Peter Viscarola (OSR)
> > >> wrote:
> > >> > xxxxx@attotech.com wrote:
> > >> > > Well after someone’s previous post mentioning this hot
> > >> > > patch idea, I
> > >> > > noticed that our drivers, being built with the 2003 ddk,
> > >> > > now have
> > > these
> > >> > > no-op instructions at the head of ALL functions, both
> > >> > > internal and
> > >> > > exported.
> > >> >
> > >> > Nice find.
> > >> >
> > >> > > I then went and looked at the assembler output from the
> > >> > > compiler and each function starts off with “npad 2” that
> > >> > > translates to
> > >> > > that “mov edi, edi” instruction. Then I found that this
> > >> > > is controlled
> > > by
> > >> > > the compiler switch /hotpatch. The pads between the
> > >> > > functions is
> > >> > > controlled by the linker switch /functionpadmin. These
> > >> > > switches are
> > > set
> > >> > > by the DDK build in the file i386mk.inc and there isn’t
> > >> > > any convenient
> > >> > > way for the developer to turn them off other than by
> > >> > > modifying
> > > i386mk.inc.
> > >> > >
> > >> > > One of our guys here thought that maybe these were being
> > >> > > put in for
> > >> > > Driver Verifier. I could see that if they were only on
> > >> > > exported
> > >> > > functions, but then why the internal functions too?
> > >> > >
> > >> >
> > >> > To the best of my knowledge, it’s not related to Driver
> > >> > Verifier.
> > >> >
> > >> > I CAN tell you that the compiler, linker, and build
> > >> > environment (right
> > >> > down to the compiler and linker options specified) in the
> > >> > DDK are
> > >> > identical to those used to build the matching build of the
> > >> > Windows OS.
> > >> > It’s makes sense (I have no information one way or the
> > >> > other, this is
> > >> > truly just a guess) that Windows is built with these no-ops
> > >> > in its
> > >> > functions to facilitate hotpatching. If that’s the case,
> > >> > then given that
> > >> > the DDK build environment is identical to that used to
> > >> > build the OS, it
> > >> > would explain why those options are present when you build
> > >> > drivers in
> > >> > the DDK.
> > >> >
> > >> > Peter
> > >> > OSR
> > >> >
> > >> > —
> > >> > Questions? First check the Kernel Driver FAQ at
> > > http://www.osronline.com/article.cfm?id=256
> > >> >
> > >> > You are currently subscribed to ntdev as:
> > >> > xxxxx@gmail.com
> > >> > To unsubscribe send a blank email to
> > >> > xxxxx@lists.osr.com
> > >> >
> > >>
> > >> —
> > >> Questions? First check the Kernel Driver FAQ at
> > > http://www.osronline.com/article.cfm?id=256
> > >>
> > >> You are currently subscribed to ntdev as: xxxxx@garlic.com
> > >> To unsubscribe send a blank email to
> > >> xxxxx@lists.osr.com
> > >>
> > >
> > >
> > >
> > > —
> > > Questions? First check the Kernel Driver FAQ at
> > > http://www.osronline.com/article.cfm?id=256
> > >
> > > You are currently subscribed to ntdev as: xxxxx@ieee.org
> > > To unsubscribe send a blank email to
> > > xxxxx@lists.osr.com
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: xxxxx@gmail.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>