Stalker 源码浅入浅出

1.struct _GumExecCtx{  volatile gint state;  gint64 destroy_pending_since;  GumStalker * stalker;  GumThreadId thread_id;  GumArm64Writer code_writer;  GumArm64Writer slow_writer;  GumArm64Relocator relocator;  GumStalkerTransformer * transformer;void (* transform_block_impl) (GumStalkerTransformer * self,      GumStalkerIterator * iterator, GumStalkerOutput * output);  GumEventSink * sink;  gboolean sink_started;  GumEventType sink_mask;void (* sink_process_impl) (GumEventSink * self, const GumEvent * event,      GumCpuContext * cpu_context);  GumStalkerObserver * observer;  gboolean unfollow_called_while_still_following;  GumExecBlock * current_block;  gpointer pending_return_location;  gsize pending_calls;  gpointer resume_at;  gpointer return_at;  gconstpointer activation_target;  gpointer thunks;  gpointer infect_thunk;  GumAddress infect_body;  GumSpinlock code_lock;  GumCodeSlab * code_slab;  GumSlowSlab * slow_slab;  GumDataSlab * data_slab;  GumCodeSlab * scratch_slab;  GumMetalHashTable * mappings;  gpointer last_prolog_minimal;  gpointer last_epilog_minimal;  gpointer last_prolog_full;  gpointer last_epilog_full;  gpointer last_invalidator;  /*   * GumExecBlocks are attached to a singly linked list when they are generated,   * this allows us to store other data in the data slab (rather than relying on   * them being found in there in sequential order).   */  GumExecBlock * block_list;  /*   * Stalker for AArch64 no longer makes use of a shadow stack for handling   * CALL/RET instructions, so we instead keep a count of the depth of the stack   * here when GUM_CALL or GUM_RET events are enabled.   */  gsize depth;#ifdef HAVE_LINUX  GumMetalHashTable * excluded_calls;#endif};

+----------------------+ <-- block->code_start| 插装后的代码          || (已转换/已重写的代码)  || (大小: block->code_size)|+----------------------+ <-- block->code_start + block->code_size| 原始代码快照          |     (这就是 gum_exec_block_get_snapshot_start 返回的位置)| (大小: block->real_size)|+----------------------+

struct _GumExecBlock{  /*   * GumExecBlock instances are held in a singly linked list to allow them to be   * disposed. This is necessary since other data may also be stored in the data   * slab (e.g. inline caches) and hence we cannot simply rely on them being   * contiguous.   */  GumExecBlock * next;  GumExecCtx * ctx;  GumCodeSlab * code_slab;  GumSlowSlab * slow_slab;  GumExecBlock * storage_block;  guint8 * real_start;  guint8 * code_start;  guint8 * slow_start;  guint real_size;  guint code_size;  guint slow_size;  guint capacity;  guint last_callout_offset;  GumExecBlockFlags flags;  gint recycle_count;  GumIcEntry * ic_entries;};struct _GumStalker{  GObject parent;  guint ic_entries;  gsize ctx_size;  gsize ctx_header_size;  goffset thunks_offset;  gsize thunks_size;  goffset code_slab_offset;  gsize code_slab_size_initial;  gsize code_slab_size_dynamic;  /*   * The instrumented code which Stalker generates is split into two parts.   * There is the part which is always run (the fast path) and the part which   * is run only when attempting to find the next block and call the backpatcher   * (the slow path). Backpatching is applied to the fast path so that   * subsequent executions no longer need to transit the slow path.   *   * By separating the code in this way, we can improve the locality of the code   * executing in the fast path. This has a performance benefit as well as   * making the backpatched code much easier to read when working in the   * debugger.   *   * The slow path makes use of its own slab and its own code writer.   */  goffset slow_slab_offset;  gsize slow_slab_size_initial;  gsize slow_slab_size_dynamic;  goffset data_slab_offset;  gsize data_slab_size_initial;  gsize data_slab_size_dynamic;  goffset scratch_slab_offset;  gsize scratch_slab_size;  gsize page_size;  GumCpuFeatures cpu_features;  gboolean is_rwx_supported;  GMutex mutex;  GSList * contexts;  GArray * exclusions;  gint trust_threshold;  volatile gboolean any_probes_attached;  volatile gint last_probe_id;  GumSpinlock probe_lock;  GHashTable * probe_target_by_id;  GHashTable * probe_array_by_address;  GumExceptor * exceptor;};

gint trust_threshold;

gint recycle_count;

_GumSlab

struct _GumSlab{  guint8 * data;      // 数据区起始位置  guint offset;       // 当前已使用的偏移量  guint size;         // 可用数据区大小  guint memory_size;  // 整个内存块大小（包括头部）  GumSlab * next;     // 链表指向下一个slab

struct _GumStalkerIterator{  GumExecCtx * exec_context;  GumExecBlock * exec_block;  GumGeneratorContext * generator_context;  GumInstruction instruction;  GumVirtualizationRequirements requirements;};

struct _GumGeneratorContext{  GumInstruction * instruction;  GumArm64Relocator * relocator;  GumArm64Writer * code_writer;  GumArm64Writer * slow_writer;  gpointer continuation_real_address;  GumPrologType opened_prolog;};

1.gum_stalker_follow (GumStalker* self,GumThreadId thread_id,GumStalkerTransformer* transformer,GumEventSink* sink)    gumInfectContext ctx;    ctx.stalker = self;    ctx.transformer = transformer;    ctx.sink = sink;gum_process_modify_thread (thread_id, gum_stalker_infect, &ctx,GUM_MODIFY_THREAD_FLAGS_NONE);2.gum_process_modify_thread (GumThreadId thread_id,GumModifyThreadFunc func,                           gpointer user_data,GumModifyThreadFlags flags)GumModifyThreadContext ctx;  ctx.func = func; //gum_stalker_infect  ctx.user_data = user_data; //gum_stalker_follow的ctx,gumInfectContext  return gum_linux_modify_thread (thread_id, GUM_REGS_GENERAL_PURPOSE,      gum_do_modify_thread, &ctx, NULL);3. gum_linux_modify_thread (GumThreadId thread_id,GumLinuxRegsType regs_type,GumLinuxModifyThreadFunc func,                         gpointer user_data,GError** error)  ctx.thread_id = thread_id;  ctx.regs_type = regs_type;  ctx.func = func; //gum_do_modify_thread  ctx.user_data = user_data;  //gum_process_modify_thread的ctx,GumModifyThreadContext     child = gum_libc_clone (      gum_linux_do_modify_thread,      stack + gum_query_page_size (),CLONE_VM|CLONE_SETTLS,&ctx,NULL,      desc,NULL);    prctl (PR_SET_PTRACER, child);      if (thread_id == gum_process_get_current_thread_id ())  {    success =GPOINTER_TO_UINT (g_thread_join (g_thread_new (            "gum-modify-thread-worker",            gum_linux_handle_modify_thread_comms,&ctx)));  }  else  {    success =GPOINTER_TO_UINT (gum_linux_handle_modify_thread_comms (&ctx));  }4.gum_linux_handle_modify_thread_comms (gpointer data)GumLinuxModifyThreadContext* ctx = data;//func是 gum_do_modify_threadctx->func (ctx->thread_id, &ctx->regs_data, ctx->user_data);5.gum_do_modify_thread (GumThreadId thread_id,GumRegs* regs,                      gpointer user_data)GumModifyThreadContext* ctx = user_data;// func 是 gum_stalker_infect// user_data是这三个的ctx//    gumInfectContext ctx;    //    ctx.stalker = self;    //    ctx.transformer = transformer;    //    ctx.sink = sink;ctx->func (thread_id, &cpu_context, ctx->user_data);6.gum_stalker_infect (GumThreadId thread_id,GumCpuContext* cpu_context,                    gpointer user_data)

1.gum_stalker_infect (GumThreadId thread_id,                    GumCpuContext * cpu_context,                    gpointer user_data)  GumInfectContext * infect_context = user_data;  GumStalker * self = infect_context->stalker;  GumExecCtx * ctx;  guint8 * pc;  gpointer code_address;  GumArm64Writer * cw;  const guint potential_svc_size = 4;  ctx = gum_stalker_create_exec_ctx (self, thread_id,      infect_context->transformer, infect_context->sink);  pc = GSIZE_TO_POINTER (gum_strip_code_address (cpu_context->pc));  ctx->current_block = gum_exec_ctx_obtain_block_for (ctx, pc, &code_address);2.gum_exec_ctx_obtain_block_for (GumExecCtx * ctx,                               gpointer real_address,                               gpointer * code_address)  GumExecBlock * block;  gum_spinlock_acquire (&ctx->code_lock);  block = gum_metal_hash_table_lookup (ctx->mappings, real_address);  if (block != NULL)  {    const gint trust_threshold = ctx->stalker->trust_threshold;    gboolean still_up_to_date;    still_up_to_date =        (trust_threshold >= 0 && block->recycle_count >= trust_threshold) ||        memcmp (block->real_start, gum_exec_block_get_snapshot_start (block),            block->real_size) == 0;    gum_spinlock_release (&ctx->code_lock);    if (still_up_to_date)    {      if (trust_threshold > 0)        block->recycle_count++;    }    else    {      gum_exec_ctx_recompile_block (ctx, block);    }  }  else  {    block = gum_exec_block_new (ctx);    block->real_start = real_address;    gum_exec_block_maybe_inherit_exclusive_access_state (block, block->next);    gum_exec_ctx_compile_block (ctx, block, real_address, block->code_start,        GUM_ADDRESS (block->code_start), &block->real_size, &block->code_size,        &block->slow_size);    gum_exec_block_commit (block);    gum_exec_block_propagate_exclusive_access_state (block);    gum_metal_hash_table_insert (ctx->mappings, real_address, block);    gum_spinlock_release (&ctx->code_lock);    gum_exec_ctx_maybe_emit_compile_event (ctx, block);  }  *code_address = block->code_start;  return block;3.gum_exec_ctx_compile_block (GumExecCtx * ctx,                            GumExecBlock * block,                            gconstpointer input_code,                            gpointer output_code,                            GumAddress output_pc,                            guint * input_size,                            guint * output_size,                            guint * slow_size)  GumArm64Writer * cw = &ctx->code_writer;  GumArm64Writer * cws = &ctx->slow_writer;  GumArm64Relocator * rl = &ctx->relocator;  GumGeneratorContext gc;  GumStalkerIterator iterator;  GumStalkerOutput output;  gboolean all_labels_resolved;  gboolean all_slow_labels_resolved;  gum_arm64_writer_reset (cw, output_code);  cw->pc = output_pc;  gum_arm64_writer_reset (cws, block->slow_start);  cws->pc = GUM_ADDRESS (block->slow_start);  gum_arm64_relocator_reset (rl, input_code, cw);  gum_ensure_code_readable (input_code, ctx->stalker->page_size);  gc.instruction = NULL;  gc.relocator = rl;  gc.code_writer = cw;  gc.slow_writer = cws;  gc.continuation_real_address = NULL;  gc.opened_prolog = GUM_PROLOG_NONE;  iterator.exec_context = ctx;  iterator.exec_block = block;  iterator.generator_context = &gc;  iterator.instruction.ci = NULL;  iterator.instruction.start = NULL;  iterator.instruction.end = NULL;  iterator.requirements = GUM_REQUIRE_NOTHING;  output.writer.arm64 = cw;  output.encoding = GUM_INSTRUCTION_DEFAULT;//我的猜测是保存这两个寄存器,是因为frida频繁用到,并且有自己的协议,而其他的寄存器,可能用的时候就已经保存了gum_arm64_writer_put_ldp_reg_reg_reg_offset (cw, ARM64_REG_X16, ARM64_REG_X17,      ARM64_REG_SP, 16 + GUM_RED_ZONE_SIZE, GUM_INDEX_POST_ADJUST);  gum_exec_block_maybe_write_call_probe_code (block, &gc);  ctx->pending_calls++;  ctx->transform_block_impl (ctx->transformer, &iterator, &output);  ctx->pending_calls--;  if (gc.continuation_real_address != NULL)  {    GumBranchTarget continue_target = { 0, };    continue_target.absolute_address = gc.continuation_real_address;    continue_target.reg = ARM64_REG_INVALID;    gum_exec_block_write_jmp_transfer_code (block, &continue_target,      GUM_ENTRYGATE (jmp_continuation), &gc);  }

gbooleangum_stalker_iterator_next (GumStalkerIterator * self,                           const cs_insn ** insn)  GumGeneratorContext * gc = self->generator_context;  GumArm64Relocator * rl = gc->relocator;  GumInstruction * instruction;  gboolean is_first_instruction;  guint n_read;  instruction = self->generator_context->instruction;  is_first_instruction = instruction == NULL;//判断slob空间是否足够   if (gum_stalker_iterator_is_out_of_space (self))    {    // 使用 continuation_real_address 空间不足设置继续点当前指令的下一条指令为继续点      gc->continuation_real_address = instruction->end;      return FALSE;    }    // 判断最后一条,relocator把最后的设为eob     if (!skip_implicitly_requested && gum_arm64_relocator_eob (rl))      return FALSE;  instruction = &self->instruction;  n_read = gum_arm64_relocator_read_one (rl, &instruction->ci);  if (n_read == 0)    return FALSE;  instruction->start = GSIZE_TO_POINTER (instruction->ci->address);  instruction->end = instruction->start + instruction->ci->size;  把当前指令赋值到generator_context,这样下一轮的时候generator_context的instruction就是当前指令了,对应了前面的检测generator_context->instruction是否为空来检测而是不是第一条指令的逻辑了  self->generator_context->instruction = instruction;voidgum_stalker_iterator_keep (GumStalkerIterator * self){  // 写执行指令事件  if ((self->exec_context->sink_mask & GUM_EXEC) != 0 &&      (block->flags & GUM_EXEC_BLOCK_USES_EXCLUSIVE_ACCESS) == 0)  {    gum_exec_block_write_exec_event_code (block, gc, GUM_CODE_INTERRUPTIBLE);  }  switch (insn->id)  {    //对各种分割基本块的指令都会去虚拟化处理,以夺回控制权      requirements = gum_exec_block_virtualize_branch_insn (block, gc);      break;      requirements = gum_exec_block_virtualize_ret_insn (block, gc);   // 处理svc    case ARM64_INS_SVC:      requirements = gum_exec_block_virtualize_sysenter_insn (block, gc);      break;      requirements = GUM_REQUIRE_RELOCATION;  }  gum_exec_block_close_prolog (block, gc, gc->code_writer);  if ((requirements & GUM_REQUIRE_RELOCATION) != 0)  // 写指令    gum_arm64_relocator_write_one (rl);  self->requirements = requirements;}

continuation_real_address

voidgum_stalker_iterator_keep (GumStalkerIterator * self){  // 写执行指令事件  if ((self->exec_context->sink_mask & GUM_EXEC) != 0 &&      (block->flags & GUM_EXEC_BLOCK_USES_EXCLUSIVE_ACCESS) == 0)  {    gum_exec_block_write_exec_event_code (block, gc, GUM_CODE_INTERRUPTIBLE);  }  switch (insn->id)  {    //对各种分割基本块的指令都会去虚拟化处理,以夺回控制权      requirements = gum_exec_block_virtualize_branch_insn (block, gc);      break;      requirements = gum_exec_block_virtualize_ret_insn (block, gc);   // 处理svc    case ARM64_INS_SVC:      requirements = gum_exec_block_virtualize_sysenter_insn (block, gc);      break;      requirements = GUM_REQUIRE_RELOCATION;  }  gum_exec_block_close_prolog (block, gc, gc->code_writer);  if ((requirements & GUM_REQUIRE_RELOCATION) != 0)  // 写指令    gum_arm64_relocator_write_one (rl);  self->requirements = requirements;}

// 以无条件跳转为例static GumVirtualizationRequirementsgum_exec_block_virtualize_branch_insn (GumExecBlock* block,GumGeneratorContext* gc){...   else      {        if (target.reg !=ARM64_REG_INVALID)          regular_entry_func = GUM_ENTRYGATE (jmp_reg);        else          regular_entry_func = GUM_ENTRYGATE (jmp_imm);        cond_entry_func = NULL;      }      gum_exec_block_write_jmp_transfer_code (block, &target,          is_conditional ? cond_entry_func : regular_entry_func, gc);}

static voidgum_exec_block_write_jmp_transfer_code (GumExecBlock * block,                                        const GumBranchTarget * target,                                        GumExecCtxReplaceCurrentBlockFunc func,                                        GumGeneratorContext * gc)  这部分处理信任阈值有效但不能静态回填的情况（寄存器间接跳转）：  1. 关闭任何已打开的序言代码  2. 生成内联缓存查找代码，存储到快速路径  3. 将结果放入寄存器并使用无身份验证的分支指令跳转  内联缓存是一种重要的优化技术，它缓存之前跳转的目标及其对应的已插桩代码，加速后续相同目标的跳转。  if (trust_threshold >= 0 && !can_backpatch_statically)  {  arm64_reg result_reg;  gum_exec_block_close_prolog (block, gc, cw);  /* 内联缓存处理逻辑 */  result_reg = gum_exec_block_write_inline_cache_code (block, target->reg,      cw, cws);  gum_arm64_writer_put_br_reg_no_auth (cw, result_reg);  }  // 直接分支处理  else{  guint i;  /* 直接跳转到慢速路径 */  gum_exec_block_write_slab_transfer_code (cw, cws);  /* 添加NOP填充，为后续可能的回填留空间 */  for (i = 0; i != 10; i++)    gum_arm64_writer_put_nop (cw);}  // 慢路径实现  1. 打开最小序言以保存寄存器状态  2. 将跳转目标地址压栈后弹出到X0/X1寄存器  3. 调用传入的替换函数，传递当前块、目标地址和指令地址    - 这个函数会查找或编译目标块，然后切换到该块  gum_exec_block_open_prolog (block, GUM_PROLOG_MINIMAL, gc, cws);  gum_exec_ctx_write_push_branch_target_address (block->ctx, target, gc, cws);  gum_arm64_writer_put_pop_reg_reg (cws, ARM64_REG_X0, ARM64_REG_X1);  gum_arm64_writer_put_call_address_with_arguments (cws,    GUM_ADDRESS (func), 3,    GUM_ARG_ADDRESS, GUM_ADDRESS (block),    GUM_ARG_REGISTER, ARM64_REG_X1,    GUM_ARG_ADDRESS, GUM_ADDRESS (gc->instruction->start));

#define GUM_ENTRYGATE(name)     gum_exec_ctx_replace_current_block_from_##name#define GUM_DEFINE_ENTRYGATE(name) static gpointer     GUM_ENTRYGATE (name) (         GumExecBlock * block,         gpointer start_address,         gpointer from_insn)     {       GumExecCtx * ctx = block->ctx;       if (ctx->observer != NULL)         gum_stalker_observer_increment_##name (ctx->observer);       return gum_exec_ctx_switch_block (ctx, block, start_address, from_insn);     }GUM_DEFINE_ENTRYGATE (call_imm)GUM_DEFINE_ENTRYGATE (call_reg)GUM_DEFINE_ENTRYGATE (excluded_call_imm)GUM_DEFINE_ENTRYGATE (excluded_call_reg)GUM_DEFINE_ENTRYGATE (ret)GUM_DEFINE_ENTRYGATE (jmp_imm)GUM_DEFINE_ENTRYGATE (jmp_reg)GUM_DEFINE_ENTRYGATE (jmp_cond_cc)GUM_DEFINE_ENTRYGATE (jmp_cond_cbz)GUM_DEFINE_ENTRYGATE (jmp_cond_cbnz)GUM_DEFINE_ENTRYGATE (jmp_cond_tbz)GUM_DEFINE_ENTRYGATE (jmp_cond_tbnz)GUM_DEFINE_ENTRYGATE (jmp_continuation)核心是通过gum_exec_ctx_switch_block切换基本块,同时stalker始终拥有控制权这个函数是真正执行"查找或编译目标块，然后切换"的核心核心是通过gum_exec_ctx_switch_block切换基本块,同时stalker始终拥有控制权这个函数是真正执行"查找或编译目标块，然后切换"的核心

gum_exec_ctx_switch_block

static GumCodeSlab *gum_code_slab_new (GumExecCtx * ctx){  GumStalker * stalker = ctx->stalker;  gsize total_size;  GumCodeSlab * code_slab;  GumSlowSlab * slow_slab;  GumAddressSpec spec;  total_size = stalker->code_slab_size_dynamic +      stalker->slow_slab_size_dynamic;  gum_exec_ctx_compute_code_address_spec (ctx, total_size, &spec);  code_slab = gum_memory_allocate_near (&spec, total_size, stalker->page_size,      stalker->is_rwx_supported ? GUM_PAGE_RWX : GUM_PAGE_RW);  if (code_slab == NULL)  {    g_error ("Unable to allocate code slab near %p with max_distance=%zu",        spec.near_address, spec.max_distance);  }  gum_code_slab_init (code_slab, stalker->code_slab_size_dynamic, total_size,      stalker->page_size);  slow_slab = gum_slab_end (&code_slab->slab);  gum_slow_slab_init (slow_slab, stalker->slow_slab_size_dynamic, 0,      stalker->page_size);  return code_slab;}