On Mon, Dec 18, 2000 at 09:42:54AM -0500, Kevin Lawton wrote:
> Ramon van Handel wrote:
>
> > > Once you modify the instructions in a page by extending the size
> > > of an instruction (changing an IO to a call), as opposed to
> > > inserting an INT3 (always 1 byte), we have to move from our notion
> > > of simple modified cache pages to a more dynamic translation like
> > > scheme. The branch offsets change etc.
> >
> > No, not necessarily. What you do is overwrite the next instruction and
> > keep the original in a branch table. You use a call to go to the
> > emulation routine; in stead of using ret, however, the emulation routine
> > will look in the branch table, which contains (1) the next instructions to
> > be executed, and (2) the address of the first instruction that was not
> > overwritten.
>
> Sounds good. I think this has good potential for virtualizing branch
> instructions. I see what you mean about virtualizing other instructions
> which are less than 5 bytes. Stepping on downstream instructions
> means either generating dynamic code for arbitrary instructions, or
> accessing emulation code. The first option is much work. The
> second option is not so good from a run-it-in-ring3 perspective.
I'm not an expert on any of this, but consider the following:
jmp foo
[...]
inst1
foo: inst2
inst3
Let's say 'inst1' is a four byte instruction that we wish to emulate,
so we replace it, along with part of 'inst2', with a five byte 'call
xyz' instruction -- what happens to the foo branch?
Note, it wouldn't be possible to scan for all 'jmp foo' instructions
because the jmp branch offset could be dynamically setup.
Am I missing something? (I'm by no means an expert in assembler or
emulation, but I'm curious if this becomes an issue.)
-Kevin
--
------------------------------------------------------------------------
| Kevin O'Connor "BTW, IMHO we need a FAQ for |
| [EMAIL PROTECTED] 'IMHO', 'FAQ', 'BTW', etc. !" |
------------------------------------------------------------------------
