tags:

views:

167

answers:

1
+1  Q: 

Patching out CALLL by replacing with NOPs works in user space but not in kernel space

I have a device driver I want to patch. This device driver calls IOLog and I want to get rid of the logging.

If I replace the CALLL to IOLog with (the corresponding number of) NOPs inside the device driver (kext), the kernel crashes with what looks like a smashed stack ("Backtrace terminated-invalid frame pointer 0").

The same technique however, works fine in user-space (e.g. NOPping NSLogs inside an OS X binary).

What am I missing here?

+2  A: 

You didn't explain whether you do cold patching (driver on disk) or hot patching (driver in memory). For in-memory patching, all kinds of issues might exist, such as the driver being executed when you patch it, the CPU(s) having cached portions of the code, etc. See the Intel manual section on self-modifying code.

For on-disk patching, it might be that you have a relocation record for the target address. So when the driver is loaded, the dynamic module loader will fixup the address of IOLog in the code, replacing it with the real address. This will overwrite your nop instructions.

Martin v. Löwis  2008-11-04 07:18:18
I am doing on-disk patching.If my NOPs were replaced as a side-effect of relocation, wouldn't then the driver function as before the patching?Relocation might play a part indeed, but I am yet to understand how it works. otool lists 390 relocation entries in the driver mach image.
diciu  2008-11-04 10:02:55
Relocation works by replacing the bytes in the instruction with the target address. So if the call is E8 xx xx xx xx, then it overwrites the xxs. If you replace E8 and all the xxs with nops, it leaves the first nop, and overwrites the others with the target, those bytes then become instructions.
Martin v. Löwis  2008-11-04 12:25:16
Ok, that makes sense. And it explains why when I used GDB to look at the device driver I saw call 0x0 while a symbol capable debugger showed call _IOLog. The symbol capable debugger must have looked at the relocation table.Thanks for the pointers, I'll keep digging.
diciu  2008-11-04 15:16:34

related questions

Any ReSharper equivalent for Xcode?
Rich GUI OS X Frameworks?
Best UML Application for MAC OSX / Cross Platform
Developer Setup for Starting Out with Cocoa/Mac Programming
Python Sound ("Bell")
In Cocoa do I need to remove an Object from receiving KVO notifications when deallocating it?
Is there a good GUI SVN app for Mac (better than XCode)
Oracle SQL Developer not responsive when trying to view tables (or suggest an Oracle Mac client)
How can I improve performance when adding InDesign XMLElements via AppleScript?
Cocoa - best way to capture key events in NSTextView?
Reading Other Process' Memory in Mac OS / BSD
Accessing iSight programatically?
SharePoint WSS 3.0 Integration with Mac OSX (either Safari or Firefox)
Not showing Dialog when opening file in Acrobat Pro using Applescript
Cocoa and Objective-C resources?
Source control for web projects.
x86 Assembly on a mac...
Upload form does not work in Firefox 3 with Mac OS X
I have some RAM to burn - any suggestions?
How to tab between buttons on an Mac OS X dialog box
How to tab focus onto a dropdown field in Mac OSX
How do I turn on line numbers by default in TextWrangler on the Mac?
What are the preferred versions of Vim and Emacs on Mac OS X?
Best subversion client for Mac OS
How can I find the full path to a font from its display name on a Mac?